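AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >-
  Weekly Fargate task that runs "flask cache-cops" against the MJCS database.
  Database credentials reach the container through Secrets Manager instead of
  plaintext task-definition environment variables, and the EventBridge trigger
  uses a dedicated, narrowly-scoped invoke role.

Parameters:
  DatabasePassword:
    Description: Password of the MJCS database user (masked in the console/API by NoEcho)
    Type: String
    NoEcho: true
  DatabaseUsername:
    Description: Name of the MJCS database user
    Type: String
    NoEcho: true
  AWSRegion:
    Description: >-
      AWS Region used for the ECR image URL and the awslogs driver.
      Must match the region the stack is deployed in.
    Type: String
    Default: us-east-1
  StaticStackName:
    Description: Name of the Case Harvester static stack, for getting subnet details
    Type: String
  DockerRepoName:
    Description: Name of docker repository
    Type: String

Resources:
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: caseexplorer_cluster

  # Holds the full connection URL so the container can keep reading the single
  # MJCS_DATABASE_URL variable. The value is now only readable with
  # secretsmanager:GetSecretValue rather than by anyone allowed to call
  # ecs:DescribeTaskDefinition.
  # NOTE(review): the URL is assembled by plain substitution, exactly as before;
  # a username or password containing URL-reserved characters (@ : / %) must be
  # supplied already percent-encoded.
  DatabaseUrlSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description: MJCS database connection URL for the caseexplorer cop-cacher task
      SecretString: !Sub
        - postgresql://${db_user}:${db_pw}@db.openjusticebaltimore.org/mjcs
        - db_user: !Ref DatabaseUsername
          db_pw: !Ref DatabasePassword

  # Role the ECS agent uses on the task's behalf: pull the image, write logs,
  # fetch the database secret. Only ecs-tasks may assume it; EventBridge gets
  # its own role (EventsInvokeRole) so this one no longer needs ecs:RunTask or
  # an unbounded iam:PassRole.
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: caseexplorer_ecs_execution_role
      Description: IAM role used by ECS to start the caseexplorer task
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Grants ECR pull plus logs:CreateLogStream / logs:PutLogEvents.
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: execution_role_policies
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ReadDatabaseUrlSecret
                Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Ref DatabaseUrlSecret
              # Needed because the task definition sets awslogs-create-group;
              # scoped to this task's log group only (replaces CloudWatchFullAccess).
              - Sid: CreateTaskLogGroup
                Effect: Allow
                Action: logs:CreateLogGroup
                Resource:
                  - !Sub arn:aws:logs:${AWSRegion}:${AWS::AccountId}:log-group:caseexplorer-cop-cacher
                  - !Sub arn:aws:logs:${AWSRegion}:${AWS::AccountId}:log-group:caseexplorer-cop-cacher:*

  # Role assumed by the application code inside the container. No policies are
  # attached: the job only talks to the external database, so it gets no AWS
  # API access. Add statements here (not to ExecutionRole) if the app ever
  # needs AWS services.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: caseexplorer_task_role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole

  # Role EventBridge assumes to start the task on schedule. Scoped to this
  # task definition, this cluster, and passing only the two task roles above.
  EventsInvokeRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Role EventBridge uses to run the caseexplorer cop-cacher task
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: run_cop_cacher_task
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # !Ref on a task definition resolves to the revision-specific ARN,
              # so this stays in step with the rule target below on every update.
              - Sid: RunOnlyThisTaskDefinition
                Effect: Allow
                Action: ecs:RunTask
                Resource: !Ref CopCacherTask
                Condition:
                  ArnEquals:
                    ecs:cluster: !GetAtt ECSCluster.Arn
              - Sid: PassOnlyTaskRolesToEcs
                Effect: Allow
                Action: iam:PassRole
                Resource:
                  - !GetAtt ExecutionRole.Arn
                  - !GetAtt TaskRole.Arn
                Condition:
                  StringEquals:
                    iam:PassedToService: ecs-tasks.amazonaws.com

  DockerRepo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref DockerRepoName
      # Basic vulnerability scan of every pushed image; results are visible in
      # the ECR console/API and cost nothing extra.
      ImageScanningConfiguration:
        ScanOnPush: true
      # Push/pull for the whole account. This mirrors ECR's default behaviour
      # (same-account access is governed by IAM identity policies), so it adds
      # no cross-account exposure; tighten the principal if CI and deployers
      # should be distinguishable.
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowPushPull
            Effect: Allow
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action:
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:BatchGetImage"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:PutImage"
              - "ecr:InitiateLayerUpload"
              - "ecr:UploadLayerPart"
              - "ecr:CompleteLayerUpload"

  CopCacherTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: caseexplorer_container
          Command:
            - flask
            - cache-cops
          # Injected by ECS at start-up from Secrets Manager; the container sees
          # the same MJCS_DATABASE_URL variable as before, but the value no longer
          # appears in the task definition.
          Secrets:
            - Name: MJCS_DATABASE_URL
              ValueFrom: !Ref DatabaseUrlSecret
          # NOTE(review): no tag is given, so Docker resolves ":latest" -- a
          # mutable reference. Pin a tag or "@sha256:..." digest for
          # reproducible, auditable deployments.
          Image: !Sub
            - ${AWS::AccountId}.dkr.ecr.${AWSRegion}.amazonaws.com/${repo_name}
            - repo_name: !Ref DockerRepo
          LogConfiguration:
            LogDriver: awslogs
            Options:
              # Options is a map of strings; quoted so no YAML parser turns it
              # into a boolean.
              awslogs-create-group: "true"
              awslogs-region: !Ref AWSRegion
              awslogs-group: caseexplorer-cop-cacher
              awslogs-stream-prefix: caseexplorer-cop-cacher-logs
      RequiresCompatibilities:
        - FARGATE
      Cpu: "512"
      Memory: "1024"
      ExecutionRoleArn: !GetAtt ExecutionRole.Arn
      NetworkMode: awsvpc
      TaskRoleArn: !GetAtt TaskRole.Arn

  CopCacherRule:
    Type: AWS::Events::Rule
    Properties:
      Name: cop_cacher_rule
      Description: Weekly cache cop-involved case numbers
      # EventBridge cron is evaluated in UTC: 04:00 UTC Sunday is midnight
      # Sunday EDT but 23:00 Saturday EST.
      ScheduleExpression: "cron(0 4 ? * 1 *)"
      Targets:
        - Id: cop_cacher_ecs_task_target
          Arn: !GetAtt ECSCluster.Arn
          RoleArn: !GetAtt EventsInvokeRole.Arn
          EcsParameters:
            LaunchType: FARGATE
            TaskDefinitionArn: !Ref CopCacherTask
            TaskCount: 1
            NetworkConfiguration:
              AwsVpcConfiguration:
                # A public IP is what gives a task in a public subnet (no NAT)
                # its outbound path to ECR, Secrets Manager and the database
                # host. Inbound exposure is decided by the imported security
                # group -- NOTE(review): confirm it has no inbound rules from
                # 0.0.0.0/0; the job needs none.
                AssignPublicIp: ENABLED
                SecurityGroups:
                  - Fn::ImportValue: !Sub ${StaticStackName}-VPCDefaultSecurityGroupId
                Subnets:
                  - Fn::ImportValue: !Sub ${StaticStackName}-VPCPublicSubnet1Id
                  - Fn::ImportValue: !Sub ${StaticStackName}-VPCPublicSubnet2Id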