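---
# Public VPC (two public subnets, IGW) fronted by an internet-facing ALB that
# forwards HTTP/80 to a Fargate service running the "api" container on 8080.
AWSTemplateFormatVersion: "2010-09-09"
Description: Two-AZ public VPC with an internet-facing ALB and a Fargate service.

Parameters:
  Prefix:
    Type: String
    Description: Name prefix applied to every resource created by this stack.
    # The prefix ends up in load balancer, target group and security group
    # names, which accept only letters, digits and hyphens.
    AllowedPattern: '^[A-Za-z0-9-]+$'
    ConstraintDescription: Letters, digits and hyphens only.

  VPCCIDR:
    Type: String
    Description: IPv4 CIDR block for the VPC.
    Default: 10.0.0.0/16
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'

  PublicSubnet1CIDR:
    Type: String
    Description: IPv4 CIDR block for the first public subnet (must lie inside VPCCIDR).
    Default: 10.0.1.0/24
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'

  PublicSubnet2CIDR:
    Type: String
    Description: IPv4 CIDR block for the second public subnet (must lie inside VPCCIDR).
    Default: 10.0.2.0/24
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'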
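Resources:
  ###################################################################
  # NETWORK
  ###################################################################
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VPCCIDR
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-VPC"

  # Both subnets are public: they get a default route to the IGW below and
  # hand out public IPs on launch, so anything placed in them is reachable
  # from the internet unless its security group says otherwise.
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PublicSubnet1CIDR
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: !Ref AWS::Region
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-Public-Subnet-1"

  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PublicSubnet2CIDR
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: !Ref AWS::Region
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-Public-Subnet-2"

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-IGW"

  # Logical ID keeps the original spelling ("Attachement") so existing stacks
  # are not forced to replace the attachment on update.
  GatewayAttachement:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-Public-RT"

  PublicRoute:
    Type: AWS::EC2::Route
    # The route cannot be created until the IGW is attached to the VPC.
    DependsOn: GatewayAttachement
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicRouteTable1Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1

  PublicRouteTable2Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet2

  # Only the listener port (HTTP/80) is opened to the internet. The previous
  # rule was IpProtocol -1 from 0.0.0.0/0, i.e. every port and protocol.
  # Egress is left at the default allow-all so the ALB can reach the targets.
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Load balancer security group
      GroupName: !Sub "${Prefix}-Load-Balancer-SG"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - Description: HTTP from the internet (listener port)
          CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-Load-Balancer-SG"

  ###################################################################
  # LOAD BALANCER
  ###################################################################
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Sub "${Prefix}-Load-Balancer"
      Scheme: internet-facing
      LoadBalancerAttributes:
        - Key: idle_timeout.timeout_seconds
          Value: "30"
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      SecurityGroups:
        - !Ref LoadBalancerSecurityGroup

  # Plain HTTP listener: traffic between clients and the ALB is unencrypted.
  # Terminating TLS here needs an HTTPS listener with an ACM certificate,
  # which this template does not provision.
  LoadBalancerListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - TargetGroupArn: !Ref LoadBalancerTargetGroup
          Type: forward

  LoadBalancerTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Sub "${Prefix}-Target-Group"
      # Timeout must stay below the interval; 6s/7s is the original tuning.
      HealthCheckIntervalSeconds: 7
      HealthCheckPath: "/health"
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 6
      HealthyThresholdCount: 2
      # Fargate tasks with awsvpc networking register by ENI IP, not instance.
      TargetType: ip
      Port: 8080
      Protocol: HTTP
      UnhealthyThresholdCount: 2
      VpcId: !Ref VPC

  ###################################################################
  # ECS
  ###################################################################
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Sub "${Prefix}-ECS-Cluster"
      CapacityProviders:
        - FARGATE
        - FARGATE_SPOT
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-ECS-Cluster"

  # Tasks accept traffic only from the ALB security group, and only on the
  # container port. The tasks have public IPs (see the service's
  # AssignPublicIp), so the source restriction is what keeps 8080 off the
  # internet; the previous rule allowed every port/protocol from the ALB SG.
  ECSTaskSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ECS task security group
      GroupName: !Sub "${Prefix}-ECS-Task-SG"
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - Description: Container port from the load balancer only
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
          IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-ECS-Task-SG"

  # Role used by the ECS agent to pull the image, ship logs and (if the task
  # definition ever references secrets) read them. The application itself
  # runs under ECSTaskRole, not this one.
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${Prefix}-ECS-Task-Execution-Role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ["sts:AssumeRole"]
      Policies:
        - PolicyName: !Sub "${Prefix}-ECS-Task-Execution-Role-Policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # GetAuthorizationToken has no resource-level permissions, so
              # "*" is the only valid resource for it.
              - Sid: EcrAuth
                Effect: Allow
                Action:
                  - "ecr:GetAuthorizationToken"
                Resource: "*"
              # Image pulls are limited to repositories in this account and
              # region; the current image is a public Docker Hub image and
              # does not need ECR at all.
              - Sid: EcrPull
                Effect: Allow
                Action:
                  - "ecr:BatchCheckLayerAvailability"
                  - "ecr:GetDownloadUrlForLayer"
                  - "ecr:BatchGetImage"
                Resource: !Sub "arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
              # Log writes are scoped to this stack's log group (the group ARN
              # ends in ":*", which also covers its streams).
              - Sid: Logs
                Effect: Allow
                Action:
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: !GetAtt LogGroup.Arn
              # No secrets are referenced by the task definition yet, so this
              # statement is currently unused. Narrow Resource to the specific
              # secret ARNs as soon as Secrets/ValueFrom entries are added.
              - Sid: Secrets
                Effect: Allow
                Action:
                  - "secretsmanager:GetSecretValue"
                Resource: "*"
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-ECS-Task-Execution-Role"

  # Application role: no policies attached, so the container has no AWS API
  # access until permissions are deliberately added here.
  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${Prefix}-ECS-Task-Role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ["sts:AssumeRole"]
      Tags:
        - Key: Name
          Value: !Sub "${Prefix}-ECS-Task-Role"

  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "${Prefix}"
      RetentionInDays: 14

  Service:
    Type: AWS::ECS::Service
    # ECS rejects a service whose target group has no listener yet.
    DependsOn: LoadBalancerListener
    Properties:
      Cluster: !Ref ECSCluster
      ServiceName: !Sub "${Prefix}"
      HealthCheckGracePeriodSeconds: 60
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: 5
      # 1:4 on-demand to Spot; Spot tasks can be reclaimed with short notice.
      CapacityProviderStrategy:
        - CapacityProvider: FARGATE
          Weight: 1
        - CapacityProvider: FARGATE_SPOT
          Weight: 4
      NetworkConfiguration:
        AwsvpcConfiguration:
          # Public IPs are required for image pulls and log delivery because
          # there is no NAT gateway or VPC endpoint in this VPC. Inbound
          # exposure is controlled by ECSTaskSecurityGroup.
          AssignPublicIp: ENABLED
          Subnets:
            - !Ref PublicSubnet1
            - !Ref PublicSubnet2
          SecurityGroups:
            - !Ref ECSTaskSecurityGroup
      LoadBalancers:
        - ContainerName: api
          ContainerPort: 8080
          TargetGroupArn: !Ref LoadBalancerTargetGroup

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ExecutionRoleArn: !Ref ECSTaskExecutionRole
      TaskRoleArn: !Ref ECSTaskRole
      Family: !Sub "${Prefix}"
      Cpu: "256"
      Memory: "512"
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      ContainerDefinitions:
        - Name: api
          # Untagged reference resolves to the mutable "latest" tag on Docker
          # Hub, so every deployment may pull different content. Pin a tag or
          # an image digest before relying on this in anything but a demo.
          Image: "przemekmalak/multitool"
          PortMappings:
            - ContainerPort: 8080
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref AWS::Region
              awslogs-group: !Ref LogGroup
              awslogs-stream-prefix: api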
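Outputs:
  LoadBalancerDNS:
    Description: Public DNS name of the load balancer (HTTP on port 80).
    Value: !GetAtt LoadBalancer.DNSName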