AWSTemplateFormatVersion: "2010-09-09"
Description: ECS Fargate deployment for todo-api
# Before deployment:
# 1. Create the ECR repository and push your Docker image there. See README for details.
# 2. Create a copy of this file with the name `iac.yaml`.
# 3. In the copy, replace the placeholder values:
#      <AWS_ACCOUNT_ID>            - Your AWS Account ID
#      <REGION_ID>                 - AWS Region (e.g., us-east-1)
#      <DEFAULT_VPC_ID>            - Your default VPC ID
#      <DEFAULT_SUBNET_ID_1>       - A subnet ID in your default VPC
#      <DEFAULT_SUBNET_ID_2>       - Another subnet ID in your default VPC
#      <ECR_REPO_URI>              - The URI of your ECR repository
#                                    (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com/todo-api:latest)
#      <TODO_API_TARGET_GROUP_ARN> - The EC2 target group ARN. This is available only AFTER
#                                    you have deployed `iac-alb.yaml`.
#    <AWS_ACCOUNT_ID> and <REGION_ID> appear only in the commented-out Secrets example of the
#    task definition; the other placeholders are the Default values in the Parameters section.
# NOTE(review): a tag such as `:latest` is mutable, so the image that actually runs can change
# without this template changing. Referencing the image by digest
# (<ECR_REPO_URI_WITHOUT_TAG>@sha256:<IMAGE_DIGEST>, both placeholders) pins the deployment to
# the image that was built and reviewed.
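# Stack inputs. Every Default written as <PLACEHOLDER> must be replaced in the
# `iac.yaml` copy (or overridden at deploy time) before the stack can be created.
Parameters:
  ECRImageUri:
    Type: String
    Description: URI of the todo-api image in ECR (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com/todo-api:latest)
    Default: <ECR_REPO_URI>
  ClusterName:
    Type: String
    Description: Name given to the ECS cluster
    Default: todo-api-cluster
  ServiceName:
    Type: String
    Description: Name given to the ECS service
    Default: todo-api-service
  ContainerPort:
    Type: Number
    Description: >-
      Port the container listens on; used for the security group rule, the
      container port mapping and the load balancer registration
    Default: 8000
    # Reject values that are not a valid TCP port at validation time instead of
    # failing later while the security group or task definition is created.
    MinValue: 1
    MaxValue: 65535
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: The default VPC ID where the ECS service will run
    Default: <DEFAULT_VPC_ID>
  SubnetIdOne:
    Type: AWS::EC2::Subnet::Id
    Description: A subnet ID in the default VPC
    Default: <DEFAULT_SUBNET_ID_1>
  SubnetIdTwo:
    Type: AWS::EC2::Subnet::Id
    Description: Another subnet ID in your default VPC
    Default: <DEFAULT_SUBNET_ID_2>
  TodoApiTargetGroup:
    Type: String
    Description: The ARN of the Target Group for the todo-api service
    Default: <TODO_API_TARGET_GROUP_ARN>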
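Resources:
  #######################################
  # IAM Roles
  #######################################
  # Role the ECS agent assumes to pull the image and start the task. It is
  # wired in as the task definition's ExecutionRoleArn; no task role is
  # defined, so the application itself runs without AWS credentials.
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      # NOTE(review): a fixed RoleName means the stack must be deployed with
      # CAPABILITY_NAMED_IAM and cannot be created twice in one account.
      RoleName: todo-api-task-execution-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      # Not in use at the moment.
      # If this is enabled, keep Resource scoped to what the task needs: a
      # wildcard would let the execution role read every parameter and secret
      # in the account. The SSM path below matches the commented-out Secrets
      # entry in the task definition; <SECRET_ARN> is a placeholder.
      # Policies:
      #   - PolicyName: todo-api-ssm-access
      #     PolicyDocument:
      #       Version: "2012-10-17"
      #       Statement:
      #         - Effect: Allow
      #           Action:
      #             - ssm:GetParameters
      #             - ssm:GetParameter
      #           Resource: arn:aws:ssm:<REGION_ID>:<AWS_ACCOUNT_ID>:parameter/todo-api/*
      #         - Effect: Allow
      #           Action:
      #             - secretsmanager:GetSecretValue
      #           Resource: <SECRET_ARN>

  #######################################
  # ECS Cluster
  #######################################
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref ClusterName

  #######################################
  # Security Group
  #######################################
  # Attached to the task's network interface by ECSService.
  ECSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow inbound traffic to Django API
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # NOTE(review): the service is registered with a load balancer target
        # group, yet this rule admits the whole internet on the container
        # port, and the task also gets a public IP (AssignPublicIp: ENABLED).
        # Clients can therefore reach gunicorn directly and bypass anything
        # enforced at the load balancer. Prefer replacing CidrIp with
        # SourceSecurityGroupId set to the load balancer's security group;
        # that group is presumably created by `iac-alb.yaml`, which is not
        # part of this template - confirm before changing.
        - IpProtocol: tcp
          FromPort: !Ref ContainerPort
          ToPort: !Ref ContainerPort
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        # IpProtocol is a string property; quoted so "-1" (all protocols) is
        # not read as a YAML integer.
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0

  #######################################
  # ECS Task Definition
  #######################################
  ECSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: todo-api-task
      RequiresCompatibilities:
        - FARGATE
      NetworkMode: awsvpc
      Cpu: "256"
      Memory: "512"
      # Ref on an AWS::IAM::Role resolves to the role name; this property is
      # documented as an ARN, so pass the Arn attribute explicitly.
      ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn
      ContainerDefinitions:
        # NOTE(review): no LogConfiguration is set, so the container's
        # stdout/stderr is not shipped anywhere by this template; request and
        # error logs would be unavailable when investigating an incident.
        - Name: todo-api
          Image: !Ref ECRImageUri
          PortMappings:
            - ContainerPort: !Ref ContainerPort
          # Not in use at the moment
          # Secrets:
          #   - Name: DJANGO_ALLOWED_HOSTS
          #     ValueFrom: arn:aws:ssm:<REGION_ID>:<AWS_ACCOUNT_ID>:parameter/todo-api/DJANGO_ALLOWED_HOSTS
          # Bind to the ContainerPort parameter rather than a literal 8000, so
          # the listener, port mapping, security group rule and target group
          # registration cannot drift apart when the parameter is overridden.
          Command:
            - "gunicorn"
            - "todo_api.wsgi:application"
            - "--bind"
            - !Sub "0.0.0.0:${ContainerPort}"

  #######################################
  # ECS Service
  #######################################
  ECSService:
    Type: AWS::ECS::Service
    DependsOn: ECSTaskDefinition
    Properties:
      ServiceName: !Ref ServiceName
      Cluster: !Ref ECSCluster
      TaskDefinition: !Ref ECSTaskDefinition
      LaunchType: FARGATE
      DesiredCount: 1
      NetworkConfiguration:
        AwsvpcConfiguration:
          # NOTE(review): presumably enabled so the task can pull from ECR
          # out of a default-VPC public subnet without a NAT gateway or VPC
          # endpoints - confirm. It gives the task an internet-routable
          # address, so the ingress rule on ECSSecurityGroup is the only
          # thing limiting who can connect to it.
          AssignPublicIp: ENABLED
          Subnets:
            - !Ref SubnetIdOne
            - !Ref SubnetIdTwo
          SecurityGroups:
            - !Ref ECSSecurityGroup
      LoadBalancers:
        - TargetGroupArn: !Ref TodoApiTargetGroup
          ContainerName: todo-api
          ContainerPort: !Ref ContainerPort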
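# Values exposed by the stack after deployment.
Outputs:
  ECSClusterName:
    Value: !Ref ECSCluster
    Description: Name of the ECS Cluster
  ECSServiceName:
    # Ref on an AWS::ECS::Service resolves to the service ARN; the Name
    # attribute is what this output's name and description promise.
    Value: !GetAtt ECSService.Name
    Description: Name of the ECS Service
  ECSTaskDefinition:
    Value: !Ref ECSTaskDefinition
    Description: ECS Task Definition ARN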