
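AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  VPC with two public subnets, an internet-facing ALB, a Fargate service running
  the commit-nginx image, and a MySQL RDS instance reachable only from the tasks.

# Review notes (fixes applied to the original template):
#   - The ECS service used LaunchType EC2 with a FARGATE-only task definition and
#     no EC2 capacity, and attached the ALB via LoadBalancerName (Classic ELB only);
#     it now runs on Fargate and attaches via TargetGroupArn.
#   - The subnets had no route to the internet gateway and no security groups, so
#     the "internet-facing" ALB was unreachable and tasks could not pull from ECR.
#   - The NACL was never associated with a subnet (no effect) and had no rules for
#     return traffic on ephemeral ports, so it would have broken every flow once
#     attached. It is now associated and stateless-complete.
#   - The RDS master password was a plaintext literal in the template; RDS now
#     generates and stores it in Secrets Manager. RDS also had no subnet group or
#     security group, so it would have landed in the default VPC, open to its SG.
#   - The "ListenerHTTPS" listener spoke plain HTTP; TLS is now enabled when a
#     certificate ARN is supplied, with an HTTP->HTTPS redirect.
# Not covered here (follow-ups): private subnets + NAT gateway or VPC endpoints
# for the tasks and database, VPC Flow Logs, and pinning the image by digest.

Parameters:
  CertificateArn:
    Type: String
    Default: ""
    Description: >-
      ACM certificate ARN for the HTTPS listener (the original template carried
      arn:aws:acm:eu-central-1:539634357948:certificate/584cfb24-bc7a-431b-9150-16d47bdb8ea9
      commented out). Leave empty to serve plain HTTP only - acceptable for a
      throwaway dev stack, not for anything reachable by real users.

Conditions:
  HasCertificate: !Not [!Equals [!Ref CertificateArn, ""]]

Resources:
  # ---------------------------------------------------------------- network ---
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      # CIDR (Classless Inter-Domain Routing) range for the whole VPC; the two
      # /24 subnets below are carved out of it.
      CidrBlock: 10.0.0.0/16
      # DNS resolution plus hostnames are both required for the tasks to resolve
      # the RDS endpoint and the ECR / CloudWatch Logs endpoints.
      EnableDnsSupport: true
      EnableDnsHostnames: true

  # Both subnets are public (default route to the IGW) and are used by the ALB,
  # the Fargate tasks and the RDS subnet group. RDS needs subnets in at least two
  # AZs, hence two different AZs below.
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [0, !GetAZs ""]
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [1, !GetAZs ""]

  MyInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: stack
          Value: production
  MyVPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref MyInternetGateway
      VpcId: !Ref VPC

  # Without an explicit route table the subnets fall back to the VPC main table,
  # which only has the local route: no internet access in either direction.
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PublicDefaultRoute:
    Type: AWS::EC2::Route
    # The IGW must be attached before a route can point at it.
    DependsOn: MyVPCGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref MyInternetGateway
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetA
      RouteTableId: !Ref PublicRouteTable
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetB
      RouteTableId: !Ref PublicRouteTable

  # ------------------------------------------------------------ network ACL ---
  # NACLs are stateless: each allowed flow needs a matching rule for the reply
  # traffic on ephemeral ports (1024-65535), otherwise connections hang. Rules
  # are evaluated lowest number first; numbers are spaced so rules can be
  # inserted later without renumbering. Security groups below remain the primary
  # (stateful, per-resource) control.
  Nacl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
  InboundRuleHttp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: 100
      Protocol: 6  # TCP
      RuleAction: allow
      Egress: false  # false = inbound
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 80
        To: 80
  InboundRuleHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: 110
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 443
        To: 443
  # MySQL from the tasks to RDS; both live inside the VPC, so limit to its CIDR.
  InboundRuleMysql:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: 120
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: !GetAtt VPC.CidrBlock
      PortRange:
        From: 3306
        To: 3306
  # Replies to outbound connections (ECR/S3/CloudWatch pulls, ALB -> task, RDS -> task).
  InboundRuleEphemeral:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: 130
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 1024
        To: 65535
  OutboundRuleHttp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      Egress: true  # true = outbound
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 80
        To: 80
  OutboundRuleHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: 110
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 443
        To: 443
  OutboundRuleMysql:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: 120
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: !GetAtt VPC.CidrBlock
      PortRange:
        From: 3306
        To: 3306
  # Replies to inbound connections (ALB -> clients, task -> ALB, RDS -> task).
  OutboundRuleEphemeral:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref Nacl
      RuleNumber: 130
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 1024
        To: 65535
  # A NACL does nothing until it is associated with subnets.
  SubnetANaclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetA
      NetworkAclId: !Ref Nacl
  SubnetBNaclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetB
      NetworkAclId: !Ref Nacl

  # -------------------------------------------------------- security groups ---
  # Chained least-privilege: internet -> ALB (80/443) -> tasks (80) -> RDS (3306).
  # Egress is left at the default allow-all; tasks need it for ECR/CloudWatch.
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing ALB - HTTP/HTTPS from anywhere
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  TaskSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ECS tasks - HTTP from the ALB only
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
  DatabaseSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS - MySQL from the ECS tasks only
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # 3306 is the MySQL default; change to 5432 if Engine is switched to postgres.
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref TaskSecurityGroup

  # ------------------------------------------------------------------- RDS ---
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnets for the RDS instance (two AZs required)
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB
  RDSInstance:
    Type: AWS::RDS::DBInstance
    # Keep a final snapshot instead of destroying data on stack delete/replace.
    DeletionPolicy: Snapshot
    UpdateReplacePolicy: Snapshot
    Properties:
      AllocatedStorage: 20
      # db.t2 is a previous-generation class; db.t3.micro is the usual
      # replacement if this class is rejected for the default engine version.
      DBInstanceClass: db.t2.micro
      Engine: mysql
      DBName: root_db
      MasterUsername: root_user
      # RDS generates the master password and stores it in Secrets Manager
      # (see Outputs.DBMasterSecretArn); no credential lives in this template or
      # in git history going forward. If the engine/region does not support
      # this, fall back to a NoEcho parameter or a
      # {{resolve:secretsmanager:...}} dynamic reference - never a literal.
      ManageMasterUserPassword: true
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups:
        - !Ref DatabaseSecurityGroup
      # The subnets are public, so this must stay false: no public IP/DNS for the DB.
      PubliclyAccessible: false
      StorageEncrypted: true
      MultiAZ: false

  # ------------------------------------------------------------------- ECS ---
  ECSCluster:
    Type: AWS::ECS::Cluster

  # Container stdout/stderr go here; without a log configuration the original
  # task produced no logs at all.
  TaskLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 30

  ECSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: commit-nginx
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      # Fargate task size (CPU units / MiB); 256 + 512 is a valid pairing.
      Cpu: "256"
      Memory: "512"
      # Execution role: pulls the image and writes logs (agent-side).
      # Task role: what the container itself may call - intentionally empty.
      ExecutionRoleArn: !GetAtt ExecutionRole.Arn
      TaskRoleArn: !GetAtt TaskRole.Arn
      ContainerDefinitions:
        - Name: commit-nginx
          # TODO: pin to an immutable digest (repo@sha256:...) rather than the
          # mutable :latest tag so a push to the repository cannot silently
          # change what this service runs.
          Image: 539634357948.dkr.ecr.eu-central-1.amazonaws.com/commit-nginx:latest
          Essential: true
          # TLS terminates at the ALB; only port 80 is forwarded to the container.
          PortMappings:
            - ContainerPort: 80
              Protocol: tcp
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref TaskLogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: commit-nginx

  ECSService:
    Type: AWS::ECS::Service
    # The target group must be attached to a listener before the service can
    # register targets with it.
    DependsOn:
      - ListenerHTTP
    Properties:
      Cluster: !Ref ECSCluster
      LaunchType: FARGATE
      DesiredCount: 1
      TaskDefinition: !Ref ECSTaskDefinition
      NetworkConfiguration:
        AwsvpcConfiguration:
          # A public IP is what lets the task reach ECR and CloudWatch without
          # a NAT gateway or VPC endpoints; inbound is still limited to the ALB
          # by TaskSecurityGroup. Move to private subnets + NAT for production.
          AssignPublicIp: ENABLED
          Subnets:
            - !Ref SubnetA
            - !Ref SubnetB
          SecurityGroups:
            - !Ref TaskSecurityGroup
      LoadBalancers:
        - ContainerName: commit-nginx
          ContainerPort: 80
          TargetGroupArn: !Ref TargetGroup

  # ------------------------------------------------------------------- IAM ---
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Commit-ECSRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: "sts:AssumeRole"
            # Confused-deputy guard recommended for ecs-tasks.amazonaws.com:
            # only tasks in this account and region may assume the role.
            Condition:
              ArnLike:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*"
              StringEquals:
                "aws:SourceAccount": !Ref AWS::AccountId
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Commit-TaskRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: "sts:AssumeRole"
            Condition:
              ArnLike:
                "aws:SourceArn": !Sub "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*"
              StringEquals:
                "aws:SourceAccount": !Ref AWS::AccountId
      # No policies attached on purpose: nginx needs no AWS API access.

  # ----------------------------------------------------------- load balancer ---
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    # An internet-facing ALB needs the IGW attached to its VPC first.
    DependsOn: MyVPCGatewayAttachment
    Properties:
      Name: Commit-elb
      Type: application
      Scheme: internet-facing  # "internal" is the alternative
      Subnets:
        - !Ref SubnetA
        - !Ref SubnetB
      SecurityGroups:
        - !Ref LoadBalancerSecurityGroup
      LoadBalancerAttributes:
        # 60 s is the default; kept explicit so it is easy to change.
        - Key: idle_timeout.timeout_seconds
          Value: "60"
        # Drop requests with malformed header names instead of forwarding them
        # to nginx (reduces header-smuggling/desync surface).
        - Key: routing.http.drop_invalid_header_fields.enabled
          Value: "true"

  ListenerHTTP:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      # Always forwards so the target group is attached unconditionally (the
      # ECS service depends on that); with a certificate the rule below
      # redirects every request before this default action is reached.
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup
  HttpToHttpsRedirectRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Condition: HasCertificate
    Properties:
      ListenerArn: !Ref ListenerHTTP
      Priority: 1
      Conditions:
        - Field: path-pattern
          PathPatternConfig:
            Values:
              - "/*"
      Actions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301
  ListenerHTTPS:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Condition: HasCertificate
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      # TLS 1.2/1.3 only.
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: MyTargetGroup
      VpcId: !Ref VPC
      # Fargate tasks register by ENI IP, not by instance id.
      TargetType: ip
      Port: 80
      Protocol: HTTP
      # Health check expects HTTP 200 on "/" unless a Matcher is added.
      HealthCheckPath: "/"
      HealthCheckIntervalSeconds: 10
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 2
      TargetGroupAttributes:
        # Default is 300 s; shorter drain speeds up deployments.
        - Key: deregistration_delay.timeout_seconds
          Value: "60"

Outputs:
  LoadBalancerDNSName:
    Description: Public DNS name of the ALB
    Value: !GetAtt LoadBalancer.DNSName
  DBEndpointAddress:
    Description: RDS endpoint hostname (reachable from the tasks only)
    Value: !GetAtt RDSInstance.Endpoint.Address
  DBMasterSecretArn:
    Description: Secrets Manager secret holding the RDS master credentials
    Value: !GetAtt RDSInstance.MasterUserSecret.SecretArn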