SHolzhauer/main_stack.yml

## main_stack.yml
Parameters:
  imagerepository:
    Type: String
    Default: docker.elastic.co/beats/elastic-agent
  elasticversion:
    Type: String
    Default: 8.11.1
  clustername:
    Type: String
    Default: MyECSCluster

Resources:
  cloudtrail:
    Type: AWS::CloudFormation::Stack
    DependsOn:
      - taskexecutionrole
      - taskrole
    Properties:
      TemplateURL: !Sub "https://example-bucket.s3.eu-west-1.amazonaws.com/aws/templates/ecs_template.yml"
      Parameters:
        taskexecutionrole: !GetAtt taskexecutionrole.Arn
        taskrole: !GetAtt taskrole.Arn
        image: !Sub "${imagerepository}:${elasticversion}"
        EnrollToken: "<ennrollmenttoken>"
        desiredcontainers: 2
        Name: awsCloudtrail
        ecscluster: !Ref clustername

  taskexecutionrole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyName: apitask
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ecr:GetAuthorizationToken"
                  - "ecr:BatchCheckLayerAvailability"
                  - "ecr:GetDownloadUrlForLayer"
                  - "ecr:BatchGetImage"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource:
                  - "*"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "ecs-tasks.amazonaws.com"
                - "ecs.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      RoleName: ecs-apiexecutiontask

  taskrole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyName: apitask
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "s3:Get*"
                Resource:
                  - "*"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
                - "ecs-tasks.amazonaws.com"
                - "ecs.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      RoleName: ecs-apitask

## template.yml

Parameters:
  taskexecutionrole:
    Type: String
  taskrole:
    Type: String
  image:
    Type: String
    Default: docker.elastic.co/beats/elastic-agent:8.10.1
  EnrollToken:
    Type: String
  desiredcontainers:
    Type: Number
  Name:
    Type: String
  ecscluster:
    Type: String
  memres:
    Type: Number
    Default: 80

Resources:
  container:
    Type: AWS::ECS::TaskDefinition
    Properties:
      NetworkMode: bridge
      ExecutionRoleArn: !Ref taskexecutionrole
      TaskRoleArn: !Ref taskrole
      Tags:
        - Key: Name
          Value: !Ref Name
      ContainerDefinitions:
        - MemoryReservation: !Ref memres
          Image: !Ref image
          Name: !Ref Name
          Environment:
            - Name: FLEET_ENROLL
              Value: 1
            - Name: ELASTIC_AGENT_TAGS
              Value: !Sub "${Name},container"
            - Name: FLEET_URL
              Value: "<fleet_url>"
            - Name: FLEET_ENROLLMENT_TOKEN
              Value: !Ref EnrollToken

  service:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ecscluster
      DesiredCount: !Ref desiredcontainers
      TaskDefinition: !Ref container
      Tags:
        - Key: Name
          Value: !Ref Name
	Parameters:
	imagerepository:
	Type: String
	Default: docker.elastic.co/beats/elastic-agent
	elasticversion:
	Type: String
	Default: 8.11.1
	clustername:
	Type: String
	Default: MyECSCluster

	Resources:
	cloudtrail:
	Type: AWS::CloudFormation::Stack
	DependsOn:
	- taskexecutionrole
	- taskrole
	Properties:
	TemplateURL: !Sub "https://example-bucket.s3.eu-west-1.amazonaws.com/aws/templates/ecs_template.yml"
	Parameters:
	taskexecutionrole: !GetAtt taskexecutionrole.Arn
	taskrole: !GetAtt taskrole.Arn
	image: !Sub "${imagerepository}:${elasticversion}"
	EnrollToken: "<ennrollmenttoken>"
	desiredcontainers: 2
	Name: awsCloudtrail
	ecscluster: !Ref clustername

	taskexecutionrole:
	Type: AWS::IAM::Role
	Properties:
	Policies:
	- PolicyName: apitask
	PolicyDocument:
	Version: "2012-10-17"
	Statement:
	- Effect: Allow
	Action:
	- "ecr:GetAuthorizationToken"
	- "ecr:BatchCheckLayerAvailability"
	- "ecr:GetDownloadUrlForLayer"
	- "ecr:BatchGetImage"
	- "logs:CreateLogStream"
	- "logs:PutLogEvents"
	Resource:
	- "*"
	AssumeRolePolicyDocument:
	Version: "2012-10-17"
	Statement:
	-
	Effect: "Allow"
	Principal:
	Service:
	- "ec2.amazonaws.com"
	- "ecs-tasks.amazonaws.com"
	- "ecs.amazonaws.com"
	Action:
	- "sts:AssumeRole"
	RoleName: ecs-apiexecutiontask

	taskrole:
	Type: AWS::IAM::Role
	Properties:
	Policies:
	- PolicyName: apitask
	PolicyDocument:
	Version: "2012-10-17"
	Statement:
	- Effect: Allow
	Action:
	- "s3:Get*"
	Resource:
	- "*"
	AssumeRolePolicyDocument:
	Version: "2012-10-17"
	Statement:
	-
	Effect: "Allow"
	Principal:
	Service:
	- "ec2.amazonaws.com"
	- "ecs-tasks.amazonaws.com"
	- "ecs.amazonaws.com"
	Action:
	- "sts:AssumeRole"
	RoleName: ecs-apitask