Migrate 2017 API ECS services Budget and Emergency Services from EC2 to Fargate

services/budget-service/service.yaml → fargate-services/2017-budget-api.yaml

@@ -1,9 +1,29 @@
+### This template is based on the reference architecture developed or documented by Paul Lewis of AWS
+### https://github.com/pjlewisuk/fargate-refarch-cloudformation
+
 Description: >
     ECS Service - HackOregon 2017 Budget API
-    Last Modified: 15 July 2018
-    By Ian Turner ([email protected]), Mike Lonergan ([email protected])
+Parameters: 
+
+## ALB configuration parameters
+
+    Listener:
+        Description: The Application Load Balancer listener to register with
+        Type: String
+
+    ListenerTls:
+        Description: The 443 Application Load Balancer listener to register with
+        Type: String
 
-Parameters:
+    Host:
+        Description: The host path to register with the Application Load Balancer
+        Type: String
+
+    Path: 
+        Description: The path to register with the Application Load Balancer
+        Type: String
+
+## ECS configuration parameters
 
     VPC:
         Description: The VPC that the ECS cluster is deployed to
@@ -13,17 +33,35 @@ Parameters:
         Description: Please provide the ECS Cluster ID that this service should run on
         Type: String
 
-    DesiredCount:
+    DesiredCount: 
+        Default: 2
         Description: How many instances of this task should we run across our cluster?
         Type: Number
 
-    Listener:
-        Description: The Application Load Balancer listener to register with
+    ECSTaskExecutionRole:
+        Description: The ECS Task Execution Role
         Type: String
 
-    ListenerTls:
-        Description: The 443 Application Load Balancer listener to register with
-        Type: String
+    TaskCpu:
+        Default: 512
+        Description: How much CPU to give the ECS task, in CPU units (where 1,024 units is 1 CPU) or vCPUs
+        Type: Number
+
+    TaskMemory:
+        Default: 1024
+        Description: How much memory to give the ECS task in megabytes
+        Type: Number
+
+    SecurityGroup:
+        Description: Select the Security Group to use for the ECS cluster hosts
+        Type: AWS::EC2::SecurityGroup::Id
+
+    Subnets:
+        Description: Choose which subnets this ECS cluster should be deployed to
+        Type: List<AWS::EC2::Subnet::Id>
+    # Use !Select to choose 0 and 1 from subnet array, e.g. !Select [ 0, !Ref Subnets ]
+
+# Container-specific configuration
 
     ConfigBucket:
         Description: The configuration bucket we want to use
@@ -37,34 +75,29 @@ Parameters:
         Description: the relative directory path where we keep the app config
         Type: String
 
-    Host:
-        Description: The host path to register with the Application Load Balancer
-        Type: String
-
-    Path:
-        Description: The path to register with the Application Load Balancer
-        Type: String
-
 Resources:
 
-    Service:
+## This service definition introduces NetworkConfiguration and lacks PlacementStrategies and Role
+    Service: 
         Type: AWS::ECS::Service
         DependsOn: ListenerRule
-        Properties:
+        Properties: 
             Cluster: !Ref Cluster
-            Role: !Ref ServiceRole
+            DeploymentConfiguration:
+                MaximumPercent: 200
+                MinimumHealthyPercent: 100
             DesiredCount: !Ref DesiredCount
+            LaunchType: FARGATE
+            NetworkConfiguration:
+                AwsvpcConfiguration:
+                    AssignPublicIp: ENABLED
+                    SecurityGroups:
+                      - !Ref SecurityGroup
+                    Subnets:
+                      - !Select [ 0, !Ref Subnets ]
+                      - !Select [ 1, !Ref Subnets ]
             TaskDefinition: !Ref TaskDefinition
-            DeploymentConfiguration:
-              MaximumPercent: 200
-              MinimumHealthyPercent: 50
-            PlacementStrategies:
-              - Type: spread
-                Field: attribute:ecs.availability-zone
-              - Type: spread
-                Field: instanceId
-
-            LoadBalancers:
+            LoadBalancers: 
                 - ContainerName: "budget-service"
                   ContainerPort: 8000
                   TargetGroupArn: !Ref TargetGroup
@@ -73,11 +106,22 @@ Resources:
         Type: AWS::ECS::TaskDefinition
         Properties:
             Family: budget-service
+            Cpu: !Ref 'TaskCpu'
+            Memory: !Ref 'TaskMemory'
+            NetworkMode: awsvpc
+            RequiresCompatibilities:
+              - FARGATE
+            ExecutionRoleArn: !Ref ECSTaskExecutionRole
+            TaskRoleArn: !Ref TaskRole
             ContainerDefinitions:
                 - Name: budget-service
                   Essential: true
                   Image: 845828040396.dkr.ecr.us-west-2.amazonaws.com/integration/budget-service
-                  Memory: 100
+                  ## NOTE: this is probably duplicative of the Cpu/Memory defined just a few lines above...
+                  # CPU and Memory reservations are set to 50% of the default values specified above
+                  Cpu: 256
+                  Memory: 512
+                  MemoryReservation: 512
                   Environment:
                     - Name: CONFIG_BUCKET
                       Value: !Ref ConfigBucket
@@ -92,27 +136,29 @@ Resources:
                     Options:
                         awslogs-group: !Ref AWS::StackName
                         awslogs-region: !Ref AWS::Region
+                        awslogs-stream-prefix: !Ref AWS::StackName
 
     CloudWatchLogsGroup:
         Type: AWS::Logs::LogGroup
-        Properties:
+        Properties: 
             LogGroupName: !Ref AWS::StackName
-            RetentionInDays: 365
+            RetentionInDays: 365  
 
     TargetGroup:
         Type: AWS::ElasticLoadBalancingV2::TargetGroup
         Properties:
             VpcId: !Ref VPC
             Port: 80
             Protocol: HTTP
-            Matcher:
-                HttpCode: 200-299
-            HealthCheckIntervalSeconds: 45
+            TargetType: ip
+            Matcher: 
+                # HttpCode: 200-299
+                HttpCode: 200-299,400 # Civic Devops issue #245
+            HealthCheckIntervalSeconds: 10
             HealthCheckPath: /budget/
             HealthCheckProtocol: HTTP
-            HealthCheckTimeoutSeconds: 40
-            HealthyThresholdCount: 4
-            UnhealthyThresholdCount: 5
+            HealthCheckTimeoutSeconds: 5
+            HealthyThresholdCount: 2
 
     ListenerRule:
         Type: AWS::ElasticLoadBalancingV2::ListenerRule
@@ -124,7 +170,7 @@ Resources:
                   Values:
                     - !Ref Host
                 - Field: path-pattern
-                  Values:
+                  Values: 
                     - !Ref Path
             Actions:
                 - TargetGroupArn: !Ref TargetGroup
@@ -146,10 +192,15 @@ Resources:
                 - TargetGroupArn: !Ref TargetGroup
                   Type: forward
 
-    # This IAM Role grants the service access to register/unregister with the
+    ## TODO: extract this role to a global role for all Fargate tasks
+
+    # This IAM Role grants the Fargate-based service access to register/unregister with the
     # Application Load Balancer (ALB). It is based on the default documented here:
     # http://docs.aws.amazon.com/AmazonECS/latest/developerguide/service_IAM_role.html
-    ServiceRole:
+    # 
+    # It also has the side-effect of allowing other parts of the stack to attach other IAM policies 
+    # such as allowing SSM access.
+    TaskRole:
         Type: AWS::IAM::Role
         Properties:
             RoleName: !Sub ecs-service-${AWS::StackName}
@@ -158,7 +209,7 @@ Resources:
                 {
                     "Statement": [{
                         "Effect": "Allow",
-                        "Principal": { "Service": [ "ecs.amazonaws.com" ]},
+                        "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
                         "Action": [ "sts:AssumeRole" ]
                     }]
                 }
@@ -183,3 +234,40 @@ Resources:
                                 "Resource": "*"
                         }]
                     }
+                - PolicyName: ssm-access
+                  PolicyDocument: 
+                    {
+                        "Version": "2012-10-17",
+                        "Statement": [
+                            {
+                                "Effect": "Allow",
+                                "Action": [
+                                    "ssm:DescribeParameters"
+                                ],
+                                "Resource": "*"
+                            },
+                            {
+                                "Sid": "Stmt1482841904000",
+                                "Effect": "Allow",
+                                "Action": [
+                                    "ssm:GetParameters"
+                                ],
+                                "Resource": [
+                                    "arn:aws:ssm:us-west-2:845828040396:parameter/staging/2018/*",
+                                    "arn:aws:ssm:us-west-2:845828040396:parameter/production/2018/*",
+                                    "arn:aws:ssm:us-west-2:845828040396:parameter/staging/2019/*",
+                                    "arn:aws:ssm:us-west-2:845828040396:parameter/production/2019/*"
+                                ]
+                            },
+                            {
+                                "Sid": "Stmt1482841948000",
+                                "Effect": "Allow",
+                                "Action": [
+                                    "kms:Decrypt"
+                                ],
+                                "Resource": [
+                                    "arn:aws:kms:us-west-2:845828040396:key/0280a59b-d8f5-44e0-8b51-80aec2f27275"
+                                ]
+                            }
+                        ]
+                    }