CloudFormation template that creates the resources below.
- IAM role for ECS task execution
- ECS task definition
Template
AWSTemplateFormatVersion: "2010-09-09"
Description: |
  ECS task responsible for fetching files from an SFTP location.
  1. IAM role to be used by the ECS task and the CloudWatch Events rule.
  2. ECS task definition with container env variables; note that the SFTP credential must be created in Parameter Store first.
Parameters:
  ProductName:
    Description: Parent Product name.
    Type: String
    Default: cyberkeeda
  ProjectName:
    Description: Project Name
    Type: String
    Default: cyberkeeda-report
  Environment:
    Description: The equivalent CN name of the environment being worked on
    Type: String
    AllowedValues:
      - dev
      - uat
      - qa
  Region:
    Description: Ck Region specific parameter
    Type: String
    AllowedValues:
      - mum
      - hyd
  ECSTaskDefARN:
    Description: ARN for ECS Task definition (without the revision suffix)
    Type: String
  SFTPHostFQDN:
    Description: Remote SFTP Host FQDN.
    Type: String
    Default: 123.111.11.1
  SFTPHostPort:
    Description: Remote SFTP Host Port.
    Type: String
    Default: 22
  SFTPUserName:
    Description: Remote SFTP Host username.
    Type: String
    Default: sftpadmin
  SFTPPasswordParameterStoreName:
    Description: Remote SFTP Host Parameter store name.
    Type: String
    Default: sftppass
  ContainerImageUrlwithTag:
    Description: Container Image URL with tag.
    Type: String
    Default: docker.io/jackuna/sftpnew
  ECSClusterARN:
    Description: ECS Cluster ARN to schedule Task
    Type: String
    Default: arn:aws:ecs:ap-south-1:895678824142:cluster/sftp
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: CK Project Details
        Parameters:
          - ProductName
          - ProjectName
          - Environment
          - Region
      - Label:
          default: Remote SFTP Server details used as Container Environment Variables.
        Parameters:
          - SFTPHostFQDN
          - SFTPHostPort
          - SFTPUserName
          - SFTPPasswordParameterStoreName
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${ProductName}-${Region}-${Environment}-${ProjectName}-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [ 'ecs-tasks.amazonaws.com', 'events.amazonaws.com' ]
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: !Sub "${ProductName}-${Region}-${Environment}-${ProjectName}-role-inlinePolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # The execution role may read only the one parameter the container Secrets reference below.
              # If the parameter is a SecureString encrypted with a customer-managed KMS key,
              # kms:Decrypt on that key is needed as well.
              - Effect: Allow
                Action:
                  - ssm:GetParameters
                Resource:
                  - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${Environment}.sftp-password"
              - Effect: Allow
                Action:
                  - ecs:RunTask
                Resource:
                  - !Sub "${ECSTaskDefARN}:*"
              # PassRole on "*" is constrained by the condition: the role can only be passed to ECS tasks.
              - Effect: Allow
                Action: iam:PassRole
                Resource:
                  - "*"
                Condition:
                  StringLike:
                    iam:PassedToService: ecs-tasks.amazonaws.com
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Sub "${ProductName}-${Region}-${Environment}-${ProjectName}-ecs-task"
      Memory: 128
      NetworkMode: bridge
      # !Ref on an IAM role returns its name; the task definition expects the role ARN.
      ExecutionRoleArn: !GetAtt ExecutionRole.Arn
      TaskRoleArn: !GetAtt ExecutionRole.Arn
      ContainerDefinitions:
        - Name: !Sub "${ProductName}-${Region}-${Environment}-${ProjectName}-container"
          Image: !Ref ContainerImageUrlwithTag
          Memory: 128
          Cpu: 0
          MountPoints:
            - SourceVolume: "ecs-logs"
              ContainerPath: "/var/log/ecs"
          Command:
            - python
            - sftp_python.py
          WorkingDirectory: "/usr/local/aws-swa"
          Secrets:
            # Parameter name must match the Resource granted to the execution role above
            # (the original referenced an undefined ${CNEnvironment} variable).
            - Name: SFTP_PASSWORD
              ValueFrom: !Sub "${Environment}.sftp-password"
          Environment:
            - Name: APPLICATION_LOGS
              Value: !Sub "/var/log/ecs/${ProductName}-${Region}-${Environment}-${ProjectName}-ecs-task.logs"
            - Name: SFTP_HOST
              Value: !Ref SFTPHostFQDN
            - Name: SFTP_PORT
              Value: !Ref SFTPHostPort
            - Name: SFTP_USERNAME
              Value: !Ref SFTPUserName
      RequiresCompatibilities:
        - EC2
      Volumes:
        - Host:
            SourcePath: "/var/log/ecs"
          Name: "ecs-logs"
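The template only works at runtime if every parameter named in a container's Secrets is covered by the execution role's ssm:GetParameters Resource; a mismatch (for example a Sub variable that resolves to a different parameter name) fails the task at launch with an access-denied error. The check below is added example code written for this post, not part of the template or the cyberkeeda project. It takes the rendered policy and container definitions as Python dictionaries (the account id, region and sample parameter names are constructed), reports any Secret the role cannot read, and flags an iam:PassRole grant on "*" that lacks a Condition.

```python
"""Consistency check between ECS container Secrets and the execution role's SSM permissions.
Added example for this post; the inputs below are constructed, not taken from a live account."""
import fnmatch

REGION = "ap-south-1"        # constructed; same region as the cluster ARN in the template
ACCOUNT_ID = "123456789012"  # constructed placeholder account id


def parameter_arn(value_from, region=REGION, account_id=ACCOUNT_ID):
    """Normalise a Secrets.ValueFrom value to an SSM parameter ARN.

    ECS accepts either a full ARN or, for a same-region parameter, the bare name."""
    if value_from.startswith("arn:"):
        return value_from
    return f"arn:aws:ssm:{region}:{account_id}:parameter/{value_from.lstrip('/')}"


def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may contain * wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_resources(policy_document, action="ssm:GetParameters"):
    """Resource patterns on which Allow statements grant the given action."""
    resources = []
    for statement in policy_document["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if any(_action_matches(p, action) for p in _as_list(statement["Action"])):
            resources.extend(_as_list(statement["Resource"]))
    return resources


def uncovered_secrets(container_definitions, policy_document,
                      region=REGION, account_id=ACCOUNT_ID):
    """Return (container name, env var, parameter ARN) for every Secret the role cannot read."""
    patterns = allowed_resources(policy_document)
    missing = []
    for container in container_definitions:
        for secret in container.get("Secrets", []):
            arn = parameter_arn(secret["ValueFrom"], region, account_id)
            if not any(fnmatch.fnmatchcase(arn, p) for p in patterns):
                missing.append((container["Name"], secret["Name"], arn))
    return missing


def unconditioned_passrole(policy_document):
    """Indexes of Allow statements granting iam:PassRole on '*' with no Condition at all."""
    return [
        i for i, s in enumerate(policy_document["Statement"])
        if s.get("Effect") == "Allow"
        and any(_action_matches(p, "iam:PassRole") for p in _as_list(s["Action"]))
        and "*" in _as_list(s["Resource"])
        and not s.get("Condition")
    ]


# Constructed inline policy shaped like the template's, rendered for Environment=dev.
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameters"],
         "Resource": [f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter/dev.sftp-password"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}

# Constructed container definitions: the first references the granted parameter, the
# second references one the role was never allowed to read (a stray Sub variable does this).
CONTAINERS_OK = [{"Name": "sftp-container",
                  "Secrets": [{"Name": "SFTP_PASSWORD", "ValueFrom": "dev.sftp-password"}]}]
CONTAINERS_BAD = [{"Name": "sftp-container",
                   "Secrets": [{"Name": "SFTP_PASSWORD", "ValueFrom": "uat.sftp-password"}]}]

if __name__ == "__main__":
    print("uncovered (ok):", uncovered_secrets(CONTAINERS_OK, INLINE_POLICY))
    print("uncovered (bad):", uncovered_secrets(CONTAINERS_BAD, INLINE_POLICY))
    print("PassRole without Condition:", unconditioned_passrole(INLINE_POLICY))
```

Run it before deploying a rendered template (or wire it into a pipeline step after `aws cloudformation` parameter substitution): an empty list from `uncovered_secrets` means the execution role can fetch every injected secret, and an empty list from `unconditioned_passrole` means the PassRole grant is at least scoped to a target service.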
Let me know in the comment box if you have any questions.