@twasink
Created June 20, 2021 22:29
Nexus ECS CloudFormation
AWSTemplateFormatVersion: 2010-09-09
Description: Nexus ECS Service
# This configures a Sonatype Nexus 3 instance, running as a container on Amazon's ECS.
# This particular version is part of an ecosystem where other resources,
# such as a DNS zone and load balancer, are already created.
# These are referred to with !ImportValue statements.
Parameters:
  AvailabilityZone:
    Type: AWS::EC2::AvailabilityZone::Name
    Default: us-east-1a
Resources:
  NexusDomainName:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !ImportValue PublicHostedZone
      Name: !Sub
        - "nexus.${DNS}"
        - DNS: !ImportValue DNS
      AliasTarget:
        DNSName: !ImportValue WebLoadBalancerDnsName
        HostedZoneId: !ImportValue WebLoadBalancerZoneId
      Type: "A"
  NexusTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: IesNexusService
      Port: 80
      Protocol: HTTP
      TargetType: ip # Fargate tasks are mapped by IP address/network interface
      VpcId: !ImportValue "VPC-VPCID"
  NexusListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - Type: forward
          TargetGroupArn: !Ref NexusTargetGroup
      Conditions:
        - Field: host-header
          HostHeaderConfig:
            Values:
              - !Ref NexusDomainName
      ListenerArn: !ImportValue WebListener
      Priority: 40000
  # EFS File System
  NexusEFSFileSystem:
    Type: AWS::EFS::FileSystem
    Properties:
      AvailabilityZoneName: !Ref AvailabilityZone
      BackupPolicy:
        Status: ENABLED
      Encrypted: false
      LifecyclePolicies:
        - TransitionToIA: AFTER_90_DAYS
      PerformanceMode: generalPurpose
  NexusMountPoint:
    Type: AWS::EFS::MountTarget
    Properties:
      FileSystemId: !Ref NexusEFSFileSystem
      SecurityGroups:
        - !ImportValue "EFSSecurityGroup"
      SubnetId: !ImportValue 'VPC-PublicSubnet1ID'
  NexusEFSAccessPoint:
    Type: AWS::EFS::AccessPoint
    Properties:
      FileSystemId: !Ref NexusEFSFileSystem
      PosixUser:
        Gid: 200
        Uid: 200 # the group and user id are the ones used by the Nexus docker image
      RootDirectory:
        CreationInfo:
          OwnerGid: 200
          OwnerUid: 200
          Permissions: 700
        Path: /nexus-data
  NexusSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Nexus_ServerSecurityGroup"
      GroupDescription: Security group for the IES Servers. Allows SSH, HTTP in, anything out.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 8081
          CidrIp: !ImportValue "VPC-VPCCIDR"
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !ImportValue "VPC-VPCCIDR"
      VpcId: !ImportValue "VPC-VPCID"
  NexusLogs:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: DevServers/Nexus
      RetentionInDays: 90
  NexusTaskRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: "NexusServerTaskRole"
      Description: "Role used to run the IES team Nexus server"
      AssumeRolePolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: SessionManager # Allows Systems Manager Session Manager to connect to the container, i.e. ECS Exec
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "ssmmessages:CreateControlChannel"
                  - "ssmmessages:CreateDataChannel"
                  - "ssmmessages:OpenControlChannel"
                  - "ssmmessages:OpenDataChannel"
                Resource: "*"
  NexusTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: "IesNexusTask"
      Memory: 4096
      NetworkMode: awsvpc
      ExecutionRoleArn: !Sub 'arn:aws:iam::${AWS::AccountId}:role/ecsTaskExecutionRole' # created via the console; deal with it.
      TaskRoleArn: !Ref NexusTaskRole
      RequiresCompatibilities:
        - FARGATE
      Volumes:
        - Name: nexusDataVolume
          EFSVolumeConfiguration:
            FilesystemId: !Ref NexusEFSFileSystem
            AuthorizationConfig:
              AccessPointId: !Ref NexusEFSAccessPoint
            RootDirectory: /
            TransitEncryption: ENABLED
      ContainerDefinitions:
        - Name: "NexusServer"
          Image: "sonatype/nexus3"
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: us-east-1
              awslogs-group: !Ref NexusLogs # the log group is created above
              awslogs-stream-prefix: nexus
          MountPoints: # backed by the EFS volume declared in Volumes
            - ContainerPath: /nexus-data
              ReadOnly: false # needs to be able to write to it, after all
              SourceVolume: nexusDataVolume
          PortMappings:
            - ContainerPort: 8081 # The Nexus3 image listens on port 8081
              Protocol: tcp
          Ulimits:
            - Name: nofile # Nexus likes to open lots of files...
              SoftLimit: 65536
              HardLimit: 65536
          StartTimeout: 600 # ten minutes to start
          StopTimeout: 120 # two minutes to stop.
  NexusService:
    Type: AWS::ECS::Service
    Properties:
      ServiceName: NexusService
      TaskDefinition: !Ref NexusTaskDefinition
      Cluster: DevCluster
      DesiredCount: 1
      LaunchType: FARGATE
      EnableExecuteCommand: true
      HealthCheckGracePeriodSeconds: 3600 # Allow up to an hour for the service to start; shouldn't take more than a few minutes, but gives time to debug
      LoadBalancers:
        - ContainerName: NexusServer # Link this to the task definition
          ContainerPort: 8081
          TargetGroupArn: !Ref NexusTargetGroup
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
            - !Ref NexusSecurityGroup
          Subnets:
            - !ImportValue "VPC-PublicSubnet1ID"
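The template above makes three choices a reviewer would want to look at before reusing it: the EFS file system is created with `Encrypted: false`, the security group opens the whole TCP range 80-8081 (plus 22) from the VPC CIDR even though the task only listens on 8081 and is reached via ECS Exec rather than SSH, and the Fargate task is given a public IP. The following checker is an added example, not part of the gist: it walks a template's `Resources` map and reports those three conditions with a suggested fix. It takes the template as a plain dict (the `!ImportValue` values are replaced with constructed placeholder strings), so in practice you would first load the YAML with a CloudFormation-aware loader.

```python
"""Static review of an ECS-on-Fargate + EFS CloudFormation template.

Added example (not the gist's own code). Reports:
- EFS file systems created with Encrypted: false,
- security-group TCP ingress rules that open more ports than the container listens on,
- ECS services whose tasks are assigned a public IP.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str  # logical resource name in the template
    issue: str     # what is weak
    fix: str       # suggested change


def _props(res):
    return res.get("Properties") or {}


def check_efs_encryption(resources):
    """EFS holds the Nexus blob stores and database; it should be encrypted at rest."""
    out = []
    for name, res in resources.items():
        if res.get("Type") == "AWS::EFS::FileSystem" and _props(res).get("Encrypted") is not True:
            out.append(Finding(name, "EFS file system is not encrypted at rest",
                               "set Encrypted: true (and KmsKeyId for a customer-managed key)"))
    return out


def check_sg_port_ranges(resources, allowed_ports):
    """Flag TCP ingress rules whose FromPort..ToPort span exceeds the ports the task serves."""
    out = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in _props(res).get("SecurityGroupIngress", []):
            if str(rule.get("IpProtocol")).lower() != "tcp":
                continue
            lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
            extra = [p for p in range(lo, hi + 1) if p not in allowed_ports]
            if extra:
                out.append(Finding(
                    name,
                    f"ingress {lo}-{hi}/tcp from {rule.get('CidrIp')} opens {len(extra)} port(s) "
                    f"the service does not listen on",
                    f"restrict FromPort/ToPort to {sorted(allowed_ports)}"))
    return out


def check_public_ip(resources):
    """A public IP on the task is often needed to pull images from a public subnet; surface it so it is a deliberate choice."""
    out = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::ECS::Service":
            continue
        cfg = (_props(res).get("NetworkConfiguration") or {}).get("AwsvpcConfiguration") or {}
        if cfg.get("AssignPublicIp") == "ENABLED":
            out.append(Finding(name, "tasks are assigned a public IP",
                               "keep ingress limited by the security group, or run the tasks in a "
                               "private subnet with NAT/VPC endpoints and set AssignPublicIp: DISABLED"))
    return out


def review(template, allowed_ports):
    """Run every check over the template's Resources map and return the findings in order."""
    resources = template.get("Resources", {})
    return (check_efs_encryption(resources)
            + check_sg_port_ranges(resources, set(allowed_ports))
            + check_public_ip(resources))


# Constructed sample: the gist's resources reduced to the fields the checks read.
# The CidrIp is a placeholder standing in for the gist's !ImportValue "VPC-VPCCIDR".
SAMPLE_TEMPLATE = {
    "Resources": {
        "NexusEFSFileSystem": {
            "Type": "AWS::EFS::FileSystem",
            "Properties": {"Encrypted": False, "PerformanceMode": "generalPurpose"},
        },
        "NexusSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 8081, "CidrIp": "<VPC-VPCCIDR>"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "<VPC-VPCCIDR>"},
            ]},
        },
        "NexusService": {
            "Type": "AWS::ECS::Service",
            "Properties": {"LaunchType": "FARGATE", "NetworkConfiguration": {
                "AwsvpcConfiguration": {"AssignPublicIp": "ENABLED"}}},
        },
    }
}

if __name__ == "__main__":
    # The Nexus container only listens on 8081, so that is the only port the SG needs to admit.
    for f in review(SAMPLE_TEMPLATE, allowed_ports={8081}):
        print(f"{f.resource}: {f.issue} -> {f.fix}")
```

Against the sample this reports four findings: the unencrypted file system, the 80-8081 rule (8001 ports beyond 8081), the 22/tcp rule (unused, since the template enables `EnableExecuteCommand` and grants the `ssmmessages` actions for ECS Exec instead of SSH), and the public IP. The public-IP finding is advisory rather than a defect: with the ingress rules limited to the VPC CIDR the task is not reachable from the internet, but moving it to a private subnet removes the dependency on that security group being right.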