Initial commit via Backstage

Author: tmclaugh

.github/workflows/main.yml

@@ -0,0 +1,68 @@
+name: Main
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Setup job workspace
+        uses: ServerlessOpsIO/gha-setup-workspace@v1
+
+      - name: Assume AWS Credentials
+        uses: ServerlessOpsIO/gha-assume-aws-credentials@v1
+        with:
+          build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }}
+
+      - name: Install AWS SAM
+        uses: aws-actions/setup-sam@v2
+
+
+      - name: Validate template
+        run: sam validate --lint
+
+      - name: Build artifact
+        run: sam build --parallel --template template.yaml
+
+      - name: Store Artifacts
+        uses: ServerlessOpsIO/gha-store-artifacts@v1
+        with:
+          use_aws_sam: true
+
+  deploy:
+    needs:
+      - build
+
+    environment: production
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Setup job workspace
+        uses: ServerlessOpsIO/gha-setup-workspace@v1
+        with:
+          checkout_artifact: true
+
+      - name: Assume AWS Credentials
+        uses: ServerlessOpsIO/gha-assume-aws-credentials@v1
+        with:
+          build_aws_account_id: ${{ secrets.AWS_CICD_ACCOUNT_ID }}
+          deploy_aws_account_id: ${{ secrets.DEPLOYMENT_ACCOUNT_ID }}
+
+      - name: Deploy via AWS SAM
+        uses: ServerlessOpsIO/gha-deploy-aws-sam@v1
+        with:
+          aws_account_id: ${{ secrets.DEPLOYMENT_ACCOUNT_ID }}
+          env_json: ${{ toJson(env) }}
+          vars_json: ${{ toJson(vars) }}
+          secrets_json: ${{ toJson(secrets) }}

.gitignore

@@ -0,0 +1,78 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Dev
+.mypy_cache/
+
+# pyenv / environments
+.python-version
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# IDE
+.settings/
+.project
+.pydevproject
+.vscode/
+*.code-workspace
+
+# Mac Cruft
+.DS_Store
+
+# Deploy
+codepipeline-config-*.yaml
+
+
+# AWS SAM
+.aws-sam/

README.md

@@ -0,0 +1,3 @@
+# tfe-ecs-cluster
+
+Development / Versant / tfe-ecs-cluster

catalog-info.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: tfe-ecs-cluster
+  description: Terraform Enterprise
+  namespace: default
+  annotations:
+    github.com/project-slug: ServerlessOpsIO/tfe-ecs-cluster
+    io.serverlessops/cluster-type: ecs
+spec:
+  type: container-cluster
+  lifecycle: production
+  owner: group:default/00gjdgxs1ur6lsu
+  system: system:default/versant
+  dependsOn:
+    - resource:default/aws-441198202749

cfn-parameters.json

@@ -0,0 +1,10 @@
+{
+  "VpcId": "/org/networking/VpcId",
+  "VpcSubnets": "/org/networking/VpcPublicSubnets",
+  "Hostname": "tfe",
+  "DnsZoneId": "/org/dns/ZoneId",
+  "Domain": "development",
+  "System": "versant",
+  "Component": $env.GITHUB_REPOSITORY_NAME_PART_SLUG_CS,
+  "CodeBranch": $env.GITHUB_REF_SLUG_CS
+}

cfn-tags.json

@@ -0,0 +1,5 @@
+{
+  "org:domain": "development",
+  "org:system": "versant",
+  "org:component": $env.GITHUB_REPOSITORY_NAME_PART_SLUG_CS
+}

samconfig.toml

@@ -0,0 +1,31 @@
+# More information about the configuration file can be found here:
+# https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-config.html
+version = 0.1
+
+[default]
+[default.global.parameters]
+stack_name = "tfe-ecs-cluster"
+
+[default.build.parameters]
+cached = true
+parallel = true
+
+[default.validate.parameters]
+lint = true
+
+[default.deploy.parameters]
+capabilities = "CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND"
+confirm_changeset = false
+#resolve_s3 = true
+
+[default.package.parameters]
+#resolve_s3 = true
+
+[default.sync.parameters]
+watch = true
+
+[default.local_start_api.parameters]
+warm_containers = "EAGER"
+
+[default.local_start_lambda.parameters]
+warm_containers = "EAGER"

template.yaml

@@ -0,0 +1,156 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: >
+  Versant tfe Cluster
+
+  Terraform Enterprise
+
+Parameters:
+  Domain:
+    Type: String
+    Description: 'Application Platform'
+
+  System:
+    Type: String
+    Description: 'Application System'
+
+  Component:
+    Type: String
+    Description: 'Application Component'
+
+  CodeBranch:
+    Type: String
+    Description: "Name of deployment branch"
+
+  VpcId:
+    Type: AWS::SSM::Parameter::Value<String>
+    Description: Account VPC ID
+
+
+  VpcSubnets:
+    Type: AWS::SSM::Parameter::Value<CommaDelimitedList>
+    Description: Account subnets
+
+  Hostname:
+    Type: String
+    Description: Site FQDN
+
+  DnsZoneId:
+    Type: AWS::SSM::Parameter::Value<String>
+    Description: Route53 Hosted Zone ID
+
+
+
+Resources:
+
+  # ALB Resources
+  ## ALB networking
+  EcsAlbSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Access to ALB for Fargate
+      VpcId: !Ref VpcId
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          CidrIp: 0.0.0.0/0
+          FromPort: 443
+          ToPort: 443
+
+  # ALB DNS Record
+  SiteDnsRecord:
+    Type: AWS::Route53::RecordSet
+    Properties:
+      HostedZoneId: !Ref DnsZoneId
+      Name: !Ref Hostname
+      Type: A
+      AliasTarget:
+        DNSName: !GetAtt EcsAlb.DNSName
+        HostedZoneId: !GetAtt EcsAlb.CanonicalHostedZoneID
+
+  SiteCertificate:
+    Type: AWS::CertificateManager::Certificate
+    Properties:
+      DomainName: !Ref Hostname
+      ValidationMethod: DNS
+      DomainValidationOptions:
+        - DomainName: !Ref Hostname
+          HostedZoneId: !Ref DnsZoneId
+
+  ## ALB setup
+  EcsAlb:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Type: application
+      Scheme: internet-facing
+      Subnets: !Ref VpcSubnets
+      SecurityGroups:
+        - !Ref EcsAlbSecurityGroup
+
+  EcsAlbListener:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      DefaultActions:
+        - Type: fixed-response
+          Order: 50000
+          FixedResponseConfig:
+            ContentType: application/json
+            StatusCode: 200
+            MessageBody: '{ "healthy": true }'
+      LoadBalancerArn: !Ref 'EcsAlb'
+      Port: 443
+      Protocol: HTTPS
+      Certificates:
+        - CertificateArn: !Ref SiteCertificate
+
+
+  # ECS Resources
+  ## Cluster
+  EcsCluster:
+    Type: AWS::ECS::Cluster
+
+  ## ECS Network Access
+  ContainerSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Fargate container access
+      VpcId: !Ref 'VpcId'
+
+
+  ContainerAlbSecurityGroupIngress:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress from ALBs
+      GroupId: !Ref ContainerSecurityGroup
+      # All TCP ports
+      IpProtocol: tcp
+      FromPort: 80
+      ToPort: 65535
+      SourceSecurityGroupId: !Ref EcsAlbSecurityGroup
+
+
+  # SSM Values
+  EcsClusterNameSsmParam:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Type: String
+      Description: Name of ECS Cluster
+      Name: !Sub /${Domain}/${System}/${Component}/${CodeBranch}/EcsClusterName
+      Value: !Ref EcsCluster
+
+  ContainerSecurityGroupIdSsmParam:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Type: String
+      Description: Name of ECS Cluster
+      Name: !Sub /${Domain}/${System}/${Component}/${CodeBranch}/ContainerSecurityGroupId
+      Value: !Ref ContainerSecurityGroup
+
+
+  EcsAlbListenerArnSsmParam:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Type: String
+      Description: ARN of cluster ALB
+      Name: !Sub /${Domain}/${System}/${Component}/${CodeBranch}/EcsAlbListenerArn
+      Value: !Ref EcsAlbListener
+