From 55caf42a1f458eac3a0f825fef36e37032fd8b61 Mon Sep 17 00:00:00 2001
From: Aaron Brezel <35546183+aaronbrezel@users.noreply.github.com>
Date: Thu, 21 Mar 2024 14:51:53 -0400
Subject: [PATCH 1/2] CRX-518: remove deployment files (#121)

---
 buildspec.yml | 68 ---
 .../dev/us-east-1/config.yml | 70 ---
 .../image/us-east-1/config.yml | 8 -
 .../prod/us-east-1/config.yml | 70 ---
 cfn/configs/klaxon/dev/us-east-1/config.yml | 541 -----------------
 cfn/configs/klaxon/image/us-east-1/config.yml | 8 -
 cfn/configs/klaxon/prod/us-east-1/config.yml | 547 ------------------
 cfn/manifest.yml | 4 -
 cfn/templates/ecs-task.template.yml | 168 ------
 9 files changed, 1484 deletions(-)
 delete mode 100644 buildspec.yml
 delete mode 100644 cfn/configs/klaxon-scheduled-task/dev/us-east-1/config.yml
 delete mode 100644 cfn/configs/klaxon-scheduled-task/image/us-east-1/config.yml
 delete mode 100644 cfn/configs/klaxon-scheduled-task/prod/us-east-1/config.yml
 delete mode 100644 cfn/configs/klaxon/dev/us-east-1/config.yml
 delete mode 100644 cfn/configs/klaxon/image/us-east-1/config.yml
 delete mode 100644 cfn/configs/klaxon/prod/us-east-1/config.yml
 delete mode 100644 cfn/manifest.yml
 delete mode 100644 cfn/templates/ecs-task.template.yml

diff --git a/buildspec.yml b/buildspec.yml
deleted file mode 100644
index cc907a71..00000000
--- a/buildspec.yml
+++ /dev/null
@@ -1,68 +0,0 @@ -version: 0.2 - -env: - shell: bash - variables: - # APP_NAME must match that of the ecr image repo - # see cfn/configs/image/us-east-1/config.yml context.name - APP_NAME: klaxon - DOCKERFILE_SERVER_PATH: ./Dockerfile.server # For the klaxon server - DOCKERFILE_RAKE_PATH: ./Dockerfile.rake # For the ECS task that will run rake check:all - -phases: - install: - runtime-versions: - docker: 18 - pre_build: - commands: - - which docker - - docker ps - - echo $CODEBUILD_RESOLVED_SOURCE_VERSION > commit_hash - - echo "Building commit `cat commit_hash`" - - $(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION) - - docker pull $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$APP_NAME:$DEPLOYMENT_ENV-latest || true - - build: - on-failure: ABORT - commands: - - | - docker build \ - --cache-from $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$APP_NAME:$DEPLOYMENT_ENV-latest \ - -t $APP_NAME:$DEPLOYMENT_ENV-`cat commit_hash` \ - -f $DOCKERFILE_SERVER_PATH . - - | - docker build \ - --cache-from $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$APP_NAME-rake:$DEPLOYMENT_ENV-latest \ - -t $APP_NAME-rake:$DEPLOYMENT_ENV-`cat commit_hash` \ - -f $DOCKERFILE_RAKE_PATH . 
- - - post_build: - commands: - # For each valid region, need to push to ECR in each region - - export REGIONS=${REGIONS_LIST:-`aws ssm get-parameter --name "/bootstrap/account-regions" --query Parameter.Value --output text`} - - | - - # Push only to current region and let it replicate - eval $(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION) - IFS="," - FULL_VERSIONS=`cat commit_hash`,"latest" - for VERSION in $FULL_VERSIONS; do - # main app server image - docker tag $APP_NAME:$DEPLOYMENT_ENV-`cat commit_hash` $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$APP_NAME:$DEPLOYMENT_ENV-$VERSION - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$APP_NAME:$DEPLOYMENT_ENV-$VERSION - # ecs task that checks all pages image - docker tag $APP_NAME-rake:$DEPLOYMENT_ENV-`cat commit_hash` $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$APP_NAME-rake:$DEPLOYMENT_ENV-$VERSION - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$APP_NAME-rake:$DEPLOYMENT_ENV-$VERSION - done - - IFS="," - for REGION in $REGIONS; do - IFS="," - STORE_VERSIONS="latest" - for VERSION in $STORE_VERSIONS; do - aws --region $REGION ssm put-parameter --overwrite --name "/deployments/$APP_NAME-$DEPLOYMENT_ENV/latest" --value `cat commit_hash` --type String - done - - done - - | diff --git a/cfn/configs/klaxon-scheduled-task/dev/us-east-1/config.yml b/cfn/configs/klaxon-scheduled-task/dev/us-east-1/config.yml deleted file mode 100644 index fe91cc8c..00000000 --- a/cfn/configs/klaxon-scheduled-task/dev/us-east-1/config.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -_globals: - # This section is used to accumulate the YAML Anchors for use in the config to DRY the configs - # This is done to reduce errors due to copying configs from one env/region to another - - - &CLUSTER_PREFIX newsroom - - &DEBUG false - - # Assuming a config file is named as follows - # e.g. cfn/config/MyFirstService/dev/us-east-1/config.yml - - # The following two lines extract information from the stackjack config file being executed - - &FILEPATH "{{ config_file_name }}" - - !_split &FILENAME [!_split [*FILEPATH, "/", 0, -1], ".", 0, 0] - - # Other information including service name, environment and region are further extracted from the file path - - !_split &SERVICE_NAME [*FILEPATH, "/", 0, 2] - - !_split &ENVIRONMENT [*FILEPATH, "/", 0, 3] - - !_split ®ION [*FILEPATH, "/", 0, 4] - - # Or can be statically defined - #- &SERVICE_NAME MyFirstService - #- &ENVIRONMENT dev - #- ®ION us-east-1 - - # Lastly we assemble the ClusterName and StackName based on data collected above - # - - !_join &CLUSTER_NAME ["-", *CLUSTER_PREFIX, *ENVIRONMENT] - - !_join &STACK_NAME ["-", *CLUSTER_NAME, *SERVICE_NAME] - -template: cfn/templates/ecs-task.template.yml -stack_name: *STACK_NAME # newsroom-dev-klaxon-scheduled-task -region: *REGION # us-east-1 - -context: - debug: *DEBUG # false - name: *SERVICE_NAME # klaxon-scheduled-task - cluster_name: *CLUSTER_NAME # newsroom-dev - family: klaxon-scheduled-task-dev - container_name: klaxon-dev - image: ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/klaxon-rake:dev-latest - schedule_expression: "0/10 * * * ? 
*" - klaxon_events_rule: klaxon-events-rule-dev - awslogs_group: /service/klaxon/dev - awslogs_stream_prefix: rake-page-check-dev - task_execution_role: klaxon-page-check-task-execution-role-dev - cluster_arn: arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/newsroom-dev - cluster_id: newsroom-dev - event_execution_role: klaxon-scheduled-event-execution-role-dev - environment: - DATABASE_URL: "{{resolve:secretsmanager:/klaxon/aurora-postgresql-dev/app:SecretString:database-url}}" - ADMIN_EMAILS: "admin@news.org" - PORT: 3001 - APP_HOST: klaxon-dev.news-engineering.aws.wapo.pub. - RACK_ENV: production - RAILS_ENV: production - HOST_URL: "klaxon-dev.news-engineering.aws.wapo.pub" - SECRET_KEY_BASE: "{{resolve:secretsmanager:/klaxon/prod/secret-key:SecretString:secret_key_base}}" - KLAXON_COMPILE_ASSETS: false - SMTP_PROVIDER: SES - SES_ADDRESS: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:address}}" - SES_DOMAIN: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:domain}}" - SES_PORT: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:port}}" - MAILER_FROM_ADDRESS: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:mailerFromAddress}}" - SES_USERNAME: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:username}}" - SES_PASSWORD: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:password}}" - - # Datadog env configuration - DD_ENV: dev - DD_SERVICE: klaxon-rake - DD_AGENT_HOST: 172.17.0.1 \ No newline at end of file diff --git a/cfn/configs/klaxon-scheduled-task/image/us-east-1/config.yml b/cfn/configs/klaxon-scheduled-task/image/us-east-1/config.yml deleted file mode 100644 index 7acf055d..00000000 --- a/cfn/configs/klaxon-scheduled-task/image/us-east-1/config.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -# This generates an ECR repository -# `name` here must be the same as the `APP_NAME`-rake in the build step - -template: v1/cfn/shared/clusters/simple-ecs/service/image.template.yml -stack_name: klaxon-rake-image -region: us-east-1 -context: - name: klaxon-rake diff --git a/cfn/configs/klaxon-scheduled-task/prod/us-east-1/config.yml b/cfn/configs/klaxon-scheduled-task/prod/us-east-1/config.yml deleted file mode 100644 index bca88302..00000000 --- a/cfn/configs/klaxon-scheduled-task/prod/us-east-1/config.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -_globals: - # This section is used to accumulate the YAML Anchors for use in the config to DRY the configs - # This is done to reduce errors due to copying configs from one env/region to another - - - &CLUSTER_PREFIX newsroom - - &DEBUG false - - # Assuming a config file is named as follows - # e.g. cfn/config/MyFirstService/dev/us-east-1/config.yml - - # The following two lines extract information from the stackjack config file being executed - - &FILEPATH "{{ config_file_name }}" - - !_split &FILENAME [!_split [*FILEPATH, "/", 0, -1], ".", 0, 0] - - # Other information including service name, environment and region are further extracted from the file path - - !_split &SERVICE_NAME [*FILEPATH, "/", 0, 2] - - !_split &ENVIRONMENT [*FILEPATH, "/", 0, 3] - - !_split ®ION [*FILEPATH, "/", 0, 4] - - # Or can be statically defined - #- &SERVICE_NAME MyFirstService - #- &ENVIRONMENT dev - #- ®ION us-east-1 - - # Lastly we assemble the ClusterName and StackName based on data collected above - # - - !_join &CLUSTER_NAME ["-", *CLUSTER_PREFIX, *ENVIRONMENT] - - !_join &STACK_NAME ["-", *CLUSTER_NAME, *SERVICE_NAME] - -template: cfn/templates/ecs-task.template.yml -stack_name: *STACK_NAME # newsroom-prod-klaxon-scheduled-task -region: *REGION # us-east-1 - -context: - debug: *DEBUG # false - name: *SERVICE_NAME # klaxon-scheduled-task - cluster_name: *CLUSTER_NAME # newsroom-prod - family: klaxon-scheduled-task-prod - container_name: klaxon-prod - image: ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/klaxon-rake:prod-latest - schedule_expression: "0/10 * * * ? 
*" - klaxon_events_rule: klaxon-events-rule-prod - awslogs_group: /service/klaxon/prod - awslogs_stream_prefix: rake-page-check-prod - task_execution_role: klaxon-page-check-task-execution-role-prod - cluster_arn: arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/newsroom-prod - cluster_id: newsroom-prod - event_execution_role: klaxon-scheduled-event-execution-role-prod - environment: - DATABASE_URL: "{{resolve:secretsmanager:/klaxon/aurora-postgresql-prod/app:SecretString:database-url}}" - ADMIN_EMAILS: "admin@news.org" - PORT: 3001 - APP_HOST: klaxon-prod.news-engineering.aws.wapo.pub. - RACK_ENV: production - RAILS_ENV: production - HOST_URL: "klaxon-prod.news-engineering.aws.wapo.pub" - SECRET_KEY_BASE: "{{resolve:secretsmanager:/klaxon/prod/secret-key:SecretString:secret_key_base}}" - KLAXON_COMPILE_ASSETS: false - SMTP_PROVIDER: SES - SES_ADDRESS: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:address}}" - SES_DOMAIN: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:domain}}" - SES_PORT: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:port}}" - MAILER_FROM_ADDRESS: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:mailerFromAddress}}" - SES_USERNAME: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:username}}" - SES_PASSWORD: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:password}}" - - # Datadog env configuration - DD_ENV: prod - DD_SERVICE: klaxon-rake - DD_AGENT_HOST: 172.17.0.1 \ No newline at end of file diff --git a/cfn/configs/klaxon/dev/us-east-1/config.yml b/cfn/configs/klaxon/dev/us-east-1/config.yml deleted file mode 100644 index 94f2da09..00000000 --- a/cfn/configs/klaxon/dev/us-east-1/config.yml +++ /dev/null 
@@ -1,541 +0,0 @@ -_globals: - # This section is used to accumulate the YAML Anchors for use in the config to DRY the configs - # This is done to reduce errors due to copying configs from one env/region to another - - - &CLUSTER_PREFIX newsroom - - &DEBUG false - - # Assuming a config file is named as follows - # e.g. cfn/config/MyFirstService/dev/us-east-1/config.yml - - # The following two lines extract information from the stackjack config file being executed - - &FILEPATH "{{ config_file_name }}" - - !_split &FILENAME [!_split [*FILEPATH, "/", 0, -1], ".", 0, 0] - - # Other information including service name, environment and region are further extracted from the file path - - !_split &SERVICE_NAME [*FILEPATH, "/", 0, 2] - - !_split &ENVIRONMENT [*FILEPATH, "/", 0, 3] - - !_split ®ION [*FILEPATH, "/", 0, 4] - - # Or can be statically defined - #- &SERVICE_NAME MyFirstService - #- &ENVIRONMENT dev - #- ®ION us-east-1 - - # Lastly we assemble the ClusterName and StackName based on data collected above - # - - !_join &CLUSTER_NAME ["-", *CLUSTER_PREFIX, *ENVIRONMENT] - - !_join &STACK_NAME ["-", *CLUSTER_NAME, *SERVICE_NAME] - -template: v1/cfn/shared/apps/ecs-v2/service.template.yml -stack_name: *STACK_NAME -region: *REGION - -context: - debug: *DEBUG - name: *SERVICE_NAME - environment: *ENVIRONMENT - cluster_name: *CLUSTER_NAME - - # vpc_environment: - # Used if the "Environment" string does not match a known VPC label. An example is where - # dev2 is a seperate infrastructure but placed within the dev vpc. - # - # only relevant when the config is creating an ALB - # - # vpc_environment: dev - - description: Klaxon enables reporters and editors to monitor scores of sites on the web for newsworthy changes. - - # The "service" block is used to describe elements for the ECS Service definition. 
It is a combination - # settings directly related to the AWS::ECS::Service object, along with some controls and objects related - # to the Service/Task definition - - service: - # default_scale: int - # Define the number of service-instances that should be run within the cluster - # Note: coordinate this with your auto-scaling behavior in the scaling section - default_scale: 1 - - # network_mode: string - # controls how Docker exposes the service to the network - # bridge: performs port translation - # host: disabled port translation, any "listeners" within application bind to ports on host - network_mode: bridge - - # strategy: string - # controls how ECS deploys the service - # DAEMON: deploys one service-instance to every node within ECS cluster - # REPLICA: deploys "default_scale" copies of service-instance within the cluster - strategy: REPLICA - - #UpdateReplacePolicy: string - # Cloudformation by default 'Delete' it resources if not specififed the UpdateReplacePolicy. - # Delete: Deletes the resources by default - # Retain: keeps the resource without deleting the resource or its contents - # We have added this parameter to TaskDefinition - UpdateReplacePolicy: Retain - - # service_name: string - # defines the name ECS will know the service as. - # If undefined, service_name dynamic_service_name will be set to true - - # dynamic_service_name: bool - # controls how the ECS service name is defined. 
- # default: based on existance of service.service_name - # false: the ecs service name is specified completely by the service.service_name value - # true: the ECS service name will be global.name - global-environment - dynamic_service_name: true - - # task_role: dictionary - # used to control aspects of the IAM role which the tasks execute with - # - # task_role: - # import_role: string - # specifies previously defined IAM role for executing service-instances with - # If import_role begins with arn: its assumed to be a fully qualified IAM Role ARN - # otherwise, its used in an !ImportValue statement to use a value defined from another CFN stack - - # policies: list of dictionaries - # used to define a IAM::Role object - # - # - effect: (ALLOW / DENY) - # - # sid: IAM SID as defined by IAM::Role - # - # actions: list of strings - # # used to define privledges - # - ec2:DescribeInstances - # not_actions: list of strings - # # used to exclude privledges - # - ec2:TerminateInstance - # - # conditions: dictionary - # # used to define conditions to this policy - # StringEqualsIgnoreCase: - # "aws:username": "johndoe" - # - # principals: dictionary - # # used to define principals - # AWS: - # - arn:aws:iam::123456789012:root - # - 123456789012 - # not_principals: dictionary - # # used to exclude principals - # AWS: - # - arn:aws:iam::123456789012:root - # - 123456789012 - # - # not_resources: list of strings - # # used to exclude resources from consideration - # - i-12345678 - # resources: list of strings - # # used to include resources from consideration - # - i-98765432 - # - # # If neither resources or not_resources is provided then the default is - # resources: - # - * - # - - # execution_role: dictionary - # The role ECS uses to launch the task (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html) - # By default a minimal one is created that allows pulling from ECR and injecting secrets via the Parameter Store and SecretsManager 
- # execution_role: - # import_role: string - # specifies previously defined IAM role for executing service-instances with - # If import_role begins with arn: its assumed to be a fully qualified IAM Role ARN - # otherwise, its used in an !ImportValue statement to use a value defined from another CFN stack - - # policies: list of dictionaries - # used to define a IAM::Role object - # For a full options, see above `task_role` - - # volumes: - # - name: shared - # DockerVolumeConfiguration: - # Driver: local - # Autoprovision: true - # Scope: shared - # Labels: - # com.arc.usage: local - - # volumes: list of dictionaries - # There are two types of volumes that can be created through this process. - # - Host Bindings. allows access to specific filesystems on the EC2 host. - # - Docker Volumes. allows access to storage resources both "locally" and "network" based resources. - # When creating Docker Volumes, you can use the "local" driver for storage based on host disks or - # other drivers such as RexRay for persistent storage - # - # All entries require a "name" which becomes the sourceVolume as specified in the mount_points stanza - # - name: my_tmp - # - # host: dictionary, used for "Bind-Mounts" - # source_path: string, specifies the volume path on the EC2 instance - # - # DockerVolumeConfiguration: see AWS::ECS::TaskDefinition/DockerVolumeConfiguration - # Autoprovision: bool - # Driver: string - # DriverOpts: - # Key : Value - # Labels: - # Key : Value - # Scope: string (task / shared) - # - - ################# - # - # routing: list of dictionaries - # This section provides the ability to create or reference xLB objects for the purpose of exposing - # the service-instances to the network - - routing: - - alias: http - allow_destroy: false - destroy: false - - # alias: string - # alias is used in the naming of the CFN resources so that we do not have to use the numerical - # position in the array to identify the objects. 
This facilitates re-organizing the objects in the - # routing list - - # allow_destroy: bool - # this allows the xLB object to be destroyed/recreated by CFN/StackJack by disabling the - # StackJack protection afforded to xLB's. This does NOT force destruction, it only disables the - # protection. - # - # Typically this is acceptable when the target xLB is referenced through a cname or other dynamic - # object in another CFN stack - - # destroy: bool - # this forces the destruction of the associated resources. This is to facilitate disabling the - # StackJack protections for the xLB object - - ################### - # - # A Routing object allows for three modes of operation allowing for aspects of the routing to be - # established outside of the service definition. - # - # These include: - # - # import_target_group: CFN Export name of the Target Group - # When target_group_arn is defined no objects are created, the referenced TG is supplied as the - # "LoadBalancer" object for the ECS::Service - # Attributes affecting the imported target_group include: - # - # import_listener: CFN Export name of the Listener to attach the TG to - # When import_listener is defined the template will create a new Target Group and apply the - # TG to the listener. 
Attributes affecting the TG include - # - # priority: int - # controls placement within the listener - # container_port: int - # container_protocol: string - # perform_health_check and health_check object - # target_group_attributes: dictionary (see AWS::ElasticLoadBalancingV2::TargetGroup/TargetGroupAttributes) - # dns.domain: string - # Applies a host-header condition to the listener rule to control access based on DNS name - # - # If neither of the above conditions is met then no_load_balancer is tested to determine if an ALB should be created - # no_load_balancer: bool (default False) - # - # The parameters below influence the creation of the xLB and TargetGroup - - is_public: False - is_private: True - - # is_public: bool (default True) - # is_private: bool (default False) - # These two are mutually exclusive. When is_public is True and is_private is False - # the xLB will be placed into the subnets identified by vpc-(vpc)-PublicSubnetIds-Group0 - # otherwise the xLB will be placed into the vpc-(vpc)-PrivateSubnetIds-Group0 - # - # Accordingly, the SecurityGroup protecting the xLB will either be 0.0.0.0/8 or 10.0.0.0/8 - - subnet_group: group0 - - # subnet_group: string (default group0) - # this allows the user to specify a subnet group other than the default "Group0" value. - # useful for utilizing expansion_cidrs - - ################### - # - # Before discussing protocol and port designations, we need to cover several legacy aspects to the - # configuration. Historically the Protocol/Port was inherited from the container specification, but - # the router had the ability to override those params. With the addition of 1 or more Routers and - # 1 or more "containers" this became a bit outdated. 
- # - # protocol: string (default HTTP) - # port: int (default 80) - - public_protocol: HTTPS - public_port: 443 - certificate: arn:aws:acm:us-east-1:912288704264:certificate/c1ff8358-9b24-4e68-9d38-28caf63c0fde - - # public_protocol: HTTP / HTTPS / TCP / UDP / TCP_UDP / TLS (default router.protocol) - # this defines the Listener Protocol - # if HTTP or HTTPS then an ALB (Application Load Balancer) is created - # otherwise a NLB (Network Load Balancer) is created - - # public_port: int (default router.port) - # this defines which TCP port the Listener attached to the ALB is accessable on - - # certificate: ARN - # if protocol is HTTPS then specifies the TLS certificate to reference, Must be FQ ARN - - # http_to_https_redirect: bool - # if TRUE, then will setup an additional listener HTTP/80 on the ALB redirecting to HTTPS/443 - # on the ALB being defined. - - # container_name: main - # container_port: 8080 - # container_protocol: http - - # container_name: string (default container.name) - # This is used to associate the TargetGroup with a specific container defined as part of the - # service task. If undefined it references the main "container" by name - - # container_port: int (default container.port | router.port) - # This is used to identify the port the process within the container is bound to. When - # network_mode=bridge ECS uses this to identify the NAT'ed port - - # container_protocol: string (default container.protocol | router.protocol) - # This specifies the protocol accepted by the process in the ECS task. 
An example use-case allows - # the ALB to accept traffic using HTTPS and relay to a process only supporting HTTP - - dynamic_name: true - - # dynamic_name: bool - # If Undefined, then is based on existance of router.target_group_name - # - # If True, the name of the Load Balancer and TargetGroup will be left up to CFN to define - # If False then: - # target_group_name default will be stackname-alias - # Load Balancer will be named StackName - # Target Group will be named based on router.target_group_name - - # target_group_name: string - - perform_health_check: true - - # perform_health_check: bool - # If True, then a Health Check will be applied to the TargetGroup - - # health_check: dictionary - # this structure defines the parameters of a health check, the defaults are below - # - health_check: - path: "/klaxon/healthcheck" - interval_seconds: 30 - timeout_seconds: 10 - healthy_threshold_count: 2 - unhealthy_threshold_count: 6 - matcher: - HttpCode: "200-299" - - dns: - zone_apex: news-engineering.aws.wapo.pub. - domain: klaxon-dev.news-engineering.aws.wapo.pub. - # # If you are using either `import_listener` or `import_target_group`above, - # # you need to import the canonical hosted zone of the load balancer - # # and the dns name of the load balancer here - # load_balancer_zone_id: H1Z1234 - # load_balancer_dns: goodlb-111.eu-central-1.elb.amazonaws.com - - ############################# - # - # container: dictionary - # The container object is used to describe the "1st" container as part of an ECS Task Definition. - # ECS Tasks can have 1 or more containers associated with each service-instance deployment and there are - # Several reasons to utilize this approach. - # - # o_container: list of dictionaries - # Using the same "dictionary" object for container o_container is used to describe the 2..N docker containers - # to be associated with the ECS task definition. 
- - container: - name: !_join ["-", *SERVICE_NAME, *ENVIRONMENT] - essential: true - memory_reservation: 512 - logs: awslogs - - # name: string - # used to name the ECS Container within the task definition. - # Also used to name the Docker image if neither container.image or service.image are defined - - # essential: bool (default True) - # used by ECS to determine what action to take if the container terminates. - - # memory_reservation: int (default 512, expressed in MB) - # Used during task "placement" to determine how much memory the task (service-instance) will be consumed. - # Is not enforced in anyway, purely for planning purposes. - - # logs: string (default awslogs) - # This is used to define how logs are collected and processed by ECS. This is both a "generator" for - # "awslogs" and "fluentd", otherwise allows the user to pass parameters directly to the ECS::Task - # - # When "awslogs": - # All logs are forwarded to CloudWatch logs - # awslogs-group is StackName - # awslogs-region is Region - # awslogs-stream-prefix is environment - # - # When "fluentd": - # Logs are forwarded to FluentD process running on EC2 hosts as part of cluster 172.17.0.1:24224 - # fluent-tag is service.name-service.environment with the docker container ID appended - # Additional config object container.log_options is a dictionary allowing other params to be provided as options - # - # Otherwise: - # LogDriver = container.logs - # Options is dictionary based on container.log_options - - # By default, the image uses your container name and a parameter stored at /deployments/container_name/latest - # If you use the build process included in this repo, it will automatically store the latest version for you in that parameter - # - # image = container_name - - # If you are using a custom image version tag, put that here - # otherwise the default is via SSM is /deployments/app/latest/ - # If the string begins with a "/" it is expected to be a SSM param name, otherwise its a plain string 
- # - # image_version: /deployments/app/VERSION_NAME - # image_version: 0123897107860fed (Git Commit Hash) - - # If you need a custom image not managed in SSM - # If you do this, you will need to make sure to include code to authenticate with the provider - # - # image = provider/project/repo:tag - # In order for "image" to be reconized as raw_image_path, it must contain a "/" or a ":" - # - raw_image_path: !_join [":", "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/klaxon", "dev-{{resolve:ssm:/deployments/klaxon-dev/latest}}"] - - environment: - DATABASE_URL: "{{resolve:secretsmanager:/klaxon/aurora-postgresql-dev/app:SecretString:database-url}}" - ADMIN_EMAILS: "admin@news.org" - PORT: 3001 - APP_HOST: klaxon-dev.news-engineering.aws.wapo.pub. - RACK_ENV: production - RAILS_ENV: production - HOST_URL: "klaxon-dev.news-engineering.aws.wapo.pub" - SECRET_KEY_BASE: "{{resolve:secretsmanager:/klaxon/prod/secret-key:SecretString:secret_key_base}}" - KLAXON_COMPILE_ASSETS: false - SMTP_PROVIDER: SES - SES_ADDRESS: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:address}}" - SES_DOMAIN: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:domain}}" - SES_PORT: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:port}}" - MAILER_FROM_ADDRESS: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:mailerFromAddress}}" - SES_USERNAME: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:username}}" - SES_PASSWORD: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:password}}" - - # Datadog env configuration - DD_ENV: dev - DD_SERVICE: klaxon-server - DD_AGENT_HOST: 172.17.0.1 - - # environment: dictionary - # This allows environment values to be passed to the execution of the container at runtime - - # Environment also supports complex datatypes including dict and lists - - # secrets: - # For SSM Params the 
path to the value can simply be specified as the value for the secret
- # The defined task will have an additional RequiredCapability added:
- # ecs.capability.secrets.ssm.environment-variables
- #
- # SECRET_PASSWORD_IN_SSM: "/path/to/ssm/parameter/in/same/region"
-
- # For values from SecretsManager you need to specify the full ARN to the secret
- #
- # SECRET_PASSWORD_IN_SECRETS_MANAGER: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my_secret-AbCdEf"
-
- # secrets: dictionary
- # This allows secrets to be securely inserted as environment variables into the container at runtime.
- # For more information: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html
-
- # mount_points:
- # - containerPath: /tmp
- # sourceVolume: my_tmp
- # readOnly: false
- # - containerPath: /test
- # sourceVolume: shared
- # readOnly: false
-
- # mount_points: list of dictionaries
- # This allows attaching HOST based file systems/resources to the ECS task container.
- #
- # containerPath: string
- # defining the filepath within the container to mount the volume.
- # readOnly: bool
- # Docker resource flag allowing Read or Read/Write access to the files
- # sourceVolume: string
- # This is NOT the filepath on the EC2 instance, it is a logical resource that can be defined at the
- # container or service level
-
- # volumes:
- # - name: my_tmp
- # host:
- # source_path: /tmp
-
- port: 3001
- # protocol: tcp
-
- # port_mapping:
- # 8080: tcp
- # 7070: tcp
- # 7071: udp
-
- # needs_ports: true
- # no_ports: false
-
- # port: integer (default 8080)
- # legacy approach to defining container port needing to be exposed
- # protocol: string
- # legacy approach to describing container port needing to be exposed
- #
- # In the case where 2 or more ports needs to be exposed the prefered method is to use a dictionary
- #
- # port_mapping: dictionary
- # int: string
- #
- # no_ports: bool (default false)
- # deprecated legacy flag
- #
- # needs_ports: bool
- # default value as follows:
- # If port_mapping contains an entry, then true
- # Otherwise equal to NOT(no_ports)
- #
- # When port_mapping is undefined and needs_ports is true the port_mapping will be automatically created
- # using container.port and container.protocol
-
- # Not required, additional cloudformation properties
- container_properties:
- ExtraHosts:
- - Hostname: statsd
- IpAddress: 172.17.0.1
-
- # If using autoscaling, make sure it makes sense to scale
- # your app based on its memory or cpu usage. Besides the
- # settings here, the `service.default_scale` and the
- # `container.memory_reservation` will impact scaling behavior.
- scaling:
- # Autoscaling is enabled by default. use `true` to turn it off
- disable: false
-
- # default max is 12X the service.default_scale
- max: 12
- # default min is the default_scale
- min: 1
-
- #Additional configurable properties with their defaults:
- cpu_target: 50
- mem_target: 75
- scale_in_cooldown: 900
- scale_out_cooldown: 30
- disable_scale_in: false
-
- # Not required, other companion containers
- # other_containers:
- # - name:
- # environment:
- # cfn_properties:
diff --git a/cfn/configs/klaxon/image/us-east-1/config.yml b/cfn/configs/klaxon/image/us-east-1/config.yml
deleted file mode 100644
index 096750af..00000000
--- a/cfn/configs/klaxon/image/us-east-1/config.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-# This generates an ECR repository
-# `name` here must be the same as the `APP_NAME` in the build step
-
-template: v1/cfn/shared/clusters/simple-ecs/service/image.template.yml
-stack_name: klaxon-image
-region: us-east-1
-context:
- name: klaxon
diff --git a/cfn/configs/klaxon/prod/us-east-1/config.yml b/cfn/configs/klaxon/prod/us-east-1/config.yml
deleted file mode 100644
index 302be352..00000000
--- a/cfn/configs/klaxon/prod/us-east-1/config.yml
+++ /dev/null
@@ -1,547 +0,0 @@
-_globals:
- # This section is used to accumulate the YAML Anchors for use in the config to DRY the configs
- # This is done to reduce errors due to copying configs from one env/region to another
-
- - &CLUSTER_PREFIX newsroom
- - &DEBUG false
-
- # Assuming a config file is named as follows
- # e.g. cfn/config/MyFirstService/dev/us-east-1/config.yml
-
- # The following two lines extract information from the stackjack config file being executed
- - &FILEPATH "{{ config_file_name }}"
- - !_split &FILENAME [!_split [*FILEPATH, "/", 0, -1], ".", 0, 0]
-
- # Other information including service name, environment and region are further extracted from the file path
- - !_split &SERVICE_NAME [*FILEPATH, "/", 0, 2]
- - !_split &ENVIRONMENT [*FILEPATH, "/", 0, 3]
- - !_split ®ION [*FILEPATH, "/", 0, 4]
-
- # Or can be statically defined
- #- &SERVICE_NAME MyFirstService
- #- &ENVIRONMENT dev
- #- ®ION us-east-1
-
- # Lastly we assemble the ClusterName and StackName based on data collected above
- #
- - !_join &CLUSTER_NAME ["-", *CLUSTER_PREFIX, *ENVIRONMENT]
- - !_join &STACK_NAME ["-", *CLUSTER_NAME, *SERVICE_NAME]
-
-template: v1/cfn/shared/apps/ecs-v2/service.template.yml
-stack_name: *STACK_NAME
-region: *REGION
-
-context:
- debug: *DEBUG
- name: *SERVICE_NAME
- environment: *ENVIRONMENT
- cluster_name: *CLUSTER_NAME
-
- # vpc_environment:
- # Used if the "Environment" string does not match a known VPC label. An example is where
- # dev2 is a seperate infrastructure but placed within the dev vpc.
- #
- # only relevant when the config is creating an ALB
- #
- # vpc_environment: dev
-
- description: Klaxon enables reporters and editors to monitor scores of sites on the web for newsworthy changes.
-
- # The "service" block is used to describe elements for the ECS Service definition. It is a combination
- # settings directly related to the AWS::ECS::Service object, along with some controls and objects related
- # to the Service/Task definition
-
- service:
- # default_scale: int
- # Define the number of service-instances that should be run within the cluster
- # Note: coordinate this with your auto-scaling behavior in the scaling section
- default_scale: 2
-
- # network_mode: string
- # controls how Docker exposes the service to the network
- # bridge: performs port translation
- # host: disabled port translation, any "listeners" within application bind to ports on host
- network_mode: bridge
-
- # strategy: string
- # controls how ECS deploys the service
- # DAEMON: deploys one service-instance to every node within ECS cluster
- # REPLICA: deploys "default_scale" copies of service-instance within the cluster
- strategy: REPLICA
-
- #UpdateReplacePolicy: string
- # Cloudformation by default "Delete" it resources if not specififed the UpdateReplacePolicy.
- # Delete: Deletes the resources by default
- # Retain: keeps the resource without deleting the resource or its contents
- # We have added this parameter to TaskDefinition
- UpdateReplacePolicy: Retain
-
- # service_name: string
- # defines the name ECS will know the service as.
- # If undefined, service_name dynamic_service_name will be set to true
-
- # dynamic_service_name: bool
- # controls how the ECS service name is defined.
- # default: based on existance of service.service_name
- # false: the ecs service name is specified completely by the service.service_name value
- # true: the ECS service name will be global.name - global-environment
- dynamic_service_name: true
-
- # task_role: dictionary
- # used to control aspects of the IAM role which the tasks execute with
- #
- # task_role:
- # import_role: string
- # specifies previously defined IAM role for executing service-instances with
- # If import_role begins with arn: its assumed to be a fully qualified IAM Role ARN
- # otherwise, its used in an !ImportValue statement to use a value defined from another CFN stack
-
- # policies: list of dictionaries
- # used to define a IAM::Role object
- #
- # - effect: (ALLOW / DENY)
- #
- # sid: IAM SID as defined by IAM::Role
- #
- # actions: list of strings
- # # used to define privledges
- # - ec2:DescribeInstances
- # not_actions: list of strings
- # # used to exclude privledges
- # - ec2:TerminateInstance
- #
- # conditions: dictionary
- # # used to define conditions to this policy
- # StringEqualsIgnoreCase:
- # "aws:username": "johndoe"
- #
- # principals: dictionary
- # # used to define principals
- # AWS:
- # - arn:aws:iam::123456789012:root
- # - 123456789012
- # not_principals: dictionary
- # # used to exclude principals
- # AWS:
- # - arn:aws:iam::123456789012:root
- # - 123456789012
- #
- # not_resources: list of strings
- # # used to exclude resources from consideration
- # - i-12345678
- # resources: list of strings
- # # used to include resources from consideration
- # - i-98765432
- #
- # # If neither resources or not_resources is provided then the default is
- # resources:
- # - *
- #
-
- # execution_role: dictionary
- # The role ECS uses to launch the task (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html)
- # By default a minimal one is created that allows pulling from ECR and injecting secrets via the Parameter Store and SecretsManager
- # execution_role:
- # import_role: string
- # specifies previously defined IAM role for executing service-instances with
- # If import_role begins with arn: its assumed to be a fully qualified IAM Role ARN
- # otherwise, its used in an !ImportValue statement to use a value defined from another CFN stack
-
- # policies: list of dictionaries
- # used to define a IAM::Role object
- # For a full options, see above `task_role`
-
-
- # volumes:
- # - name: shared
- # DockerVolumeConfiguration:
- # Driver: local
- # Autoprovision: true
- # Scope: shared
- # Labels:
- # com.arc.usage: local
-
- # volumes: list of dictionaries
- # There are two types of volumes that can be created through this process.
- # - Host Bindings. allows access to specific filesystems on the EC2 host.
- # - Docker Volumes. allows access to storage resources both "locally" and "network" based resources.
- # When creating Docker Volumes, you can use the "local" driver for storage based on host disks or
- # other drivers such as RexRay for persistent storage
- #
- # All entries require a "name" which becomes the sourceVolume as specified in the mount_points stanza
- # - name: my_tmp
- #
- # host: dictionary, used for "Bind-Mounts"
- # source_path: string, specifies the volume path on the EC2 instance
- #
- # DockerVolumeConfiguration: see AWS::ECS::TaskDefinition/DockerVolumeConfiguration
- # Autoprovision: bool
- # Driver: string
- # DriverOpts:
- # Key : Value
- # Labels:
- # Key : Value
- # Scope: string (task / shared)
- #
-
-
- #################
- #
- # routing: list of dictionaries
- # This section provides the ability to create or reference xLB objects for the purpose of exposing
- # the service-instances to the network
-
- routing:
- - alias: http
- allow_destroy: false
- destroy: false
-
- # alias: string
- # alias is used in the naming of the CFN resources so that we do not have to use the numerical
- # position in the array to identify the objects. This facilitates re-organizing the objects in the
- # routing list
-
- # allow_destroy: bool
- # this allows the xLB object to be destroyed/recreated by CFN/StackJack by disabling the
- # StackJack protection afforded to xLB's. This does NOT force destruction, it only disables the
- # protection.
- #
- # Typically this is acceptable when the target xLB is referenced through a cname or other dynamic
- # object in another CFN stack
-
- # destroy: bool
- # this forces the destruction of the associated resources. This is to facilitate disabling the
- # StackJack protections for the xLB object
-
- ###################
- #
- # A Routing object allows for three modes of operation allowing for aspects of the routing to be
- # established outside of the service definition.
- #
- # These include:
- #
- # import_target_group: CFN Export name of the Target Group
- # When target_group_arn is defined no objects are created, the referenced TG is supplied as the
- # "LoadBalancer" object for the ECS::Service
- # Attributes affecting the imported target_group include:
- #
- # import_listener: CFN Export name of the Listener to attach the TG to
- # When import_listener is defined the template will create a new Target Group and apply the
- # TG to the listener. Attributes affecting the TG include
- #
- # priority: int
- # controls placement within the listener
- # container_port: int
- # container_protocol: string
- # perform_health_check and health_check object
- # target_group_attributes: dictionary (see AWS::ElasticLoadBalancingV2::TargetGroup/TargetGroupAttributes)
- # dns.domain: string
- # Applies a host-header condition to the listener rule to control access based on DNS name
- #
- # If neither of the above conditions is met then no_load_balancer is tested to determine if an ALB should be created
- # no_load_balancer: bool (default False)
- #
- # The parameters below influence the creation of the xLB and TargetGroup
-
- is_public: False
- is_private: True
-
- # is_public: bool (default True)
- # is_private: bool (default False)
- # These two are mutually exclusive. When is_public is True and is_private is False
- # the xLB will be placed into the subnets identified by vpc-(vpc)-PublicSubnetIds-Group0
- # otherwise the xLB will be placed into the vpc-(vpc)-PrivateSubnetIds-Group0
- #
- # Accordingly, the SecurityGroup protecting the xLB will either be 0.0.0.0/8 or 10.0.0.0/8
-
- subnet_group: group0
-
- # subnet_group: string (default group0)
- # this allows the user to specify a subnet group other than the default "Group0" value.
- # useful for utilizing expansion_cidrs
-
- ###################
- #
- # Before discussing protocol and port designations, we need to cover several legacy aspects to the
- # configuration. Historically the Protocol/Port was inherited from the container specification, but
- # the router had the ability to override those params. With the addition of 1 or more Routers and
- # 1 or more "containers" this became a bit outdated.
- #
- # protocol: string (default HTTP)
- # port: int (default 80)
-
- public_protocol: HTTPS
- public_port: 443
- certificate: arn:aws:acm:us-east-1:912288704264:certificate/c1ff8358-9b24-4e68-9d38-28caf63c0fde
-
- # public_protocol: HTTP / HTTPS / TCP / UDP / TCP_UDP / TLS (default router.protocol)
- # this defines the Listener Protocol
- # if HTTP or HTTPS then an ALB (Application Load Balancer) is created
- # otherwise a NLB (Network Load Balancer) is created
-
- # public_port: int (default router.port)
- # this defines which TCP port the Listener attached to the ALB is accessable on
-
- # certificate: ARN
- # if protocol is HTTPS then specifies the TLS certificate to reference, Must be FQ ARN
-
- # http_to_https_redirect: bool
- # if TRUE, then will setup an additional listener HTTP/80 on the ALB redirecting to HTTPS/443
- # on the ALB being defined.
-
- # container_name: main
- # container_port: 8080
- # container_protocol: http
-
- # container_name: string (default container.name)
- # This is used to associate the TargetGroup with a specific container defined as part of the
- # service task. If undefined it references the main "container" by name
-
- # container_port: int (default container.port | router.port)
- # This is used to identify the port the process within the container is bound to. When
- # network_mode=bridge ECS uses this to identify the NAT'ed port
-
- # container_protocol: string (default container.protocol | router.protocol)
- # This specifies the protocol accepted by the process in the ECS task. An example use-case allows
- # the ALB to accept traffic using HTTPS and relay to a process only supporting HTTP
-
- dynamic_name: true
-
- # dynamic_name: bool
- # If Undefined, then is based on existance of router.target_group_name
- #
- # If True, the name of the Load Balancer and TargetGroup will be left up to CFN to define
- # If False then:
- # target_group_name default will be stackname-alias
- # Load Balancer will be named StackName
- # Target Group will be named based on router.target_group_name
-
- # target_group_name: string
-
- perform_health_check: true
-
- # perform_health_check: bool
- # If True, then a Health Check will be applied to the TargetGroup
-
- # health_check: dictionary
- # this structure defines the parameters of a health check, the defaults are below
- #
- health_check:
- path: "/klaxon/healthcheck"
- interval_seconds: 10
- timeout_seconds: 5
- healthy_threshold_count: 2
- unhealthy_threshold_count: 6
- matcher:
- HttpCode: "200-299"
-
- dns:
- zone_apex: news-engineering.aws.wapo.pub.
- domain: klaxon-prod.news-engineering.aws.wapo.pub.
- # # If you are using either `import_listener` or `import_target_group`above,
- # # you need to import the canonical hosted zone of the load balancer
- # # and the dns name of the load balancer here
- # load_balancer_zone_id: H1Z1234
- # load_balancer_dns: goodlb-111.eu-central-1.elb.amazonaws.com
-
- #############################
- #
- # container: dictionary
- # The container object is used to describe the "1st" container as part of an ECS Task Definition.
- # ECS Tasks can have 1 or more containers associated with each service-instance deployment and there are
- # Several reasons to utilize this approach.
- #
- # o_container: list of dictionaries
- # Using the same "dictionary" object for container o_container is used to describe the 2..N docker containers
- # to be associated with the ECS task definition.
-
- container:
- name: !_join ["-", *SERVICE_NAME, *ENVIRONMENT]
- essential: true
- memory_reservation: 512
- logs: awslogs
-
- # name: string
- # used to name the ECS Container within the task definition.
- # Also used to name the Docker image if neither container.image or service.image are defined
-
- # essential: bool (default True)
- # used by ECS to determine what action to take if the container terminates.
-
- # memory_reservation: int (default 512, expressed in MB)
- # Used during task "placement" to determine how much memory the task (service-instance) will be consumed.
- # Is not enforced in anyway, purely for planning purposes.
-
- # logs: string (default awslogs)
- # This is used to define how logs are collected and processed by ECS. This is both a "generator" for
- # "awslogs" and "fluentd", otherwise allows the user to pass parameters directly to the ECS::Task
- #
- # When "awslogs":
- # All logs are forwarded to CloudWatch logs
- # awslogs-group is StackName
- # awslogs-region is Region
- # awslogs-stream-prefix is environment
- #
- # When "fluentd":
- # Logs are forwarded to FluentD process running on EC2 hosts as part of cluster 172.17.0.1:24224
- # fluent-tag is service.name-service.environment with the docker container ID appended
- # Additional config object container.log_options is a dictionary allowing other params to be provided as options
- #
- # Otherwise:
- # LogDriver = container.logs
- # Options is dictionary based on container.log_options
-
- # By default, the image uses your container name and a parameter stored at /deployments/container_name/latest
- # If you use the build process included in this repo, it will automatically store the latest version for you in that parameter
- #
- # image = container_name
-
- # If you are using a custom image version tag, put that here
- # otherwise the default is via SSM is /deployments/app/latest/
- # If the string begins with a "/" it is expected to be a SSM param name, otherwise its a plain string
- #
- # image_version: /deployments/app/VERSION_NAME
- # image_version: 0123897107860fed (Git Commit Hash)
-
- # If you need a custom image not managed in SSM
- # If you do this, you will need to make sure to include code to authenticate with the provider
- #
- # image = provider/project/repo:tag
- # In order for "image" to be reconized as raw_image_path, it must contain a "/" or a ":"
- #
- raw_image_path: !_join [":", "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/klaxon", "prod-{{resolve:ssm:/deployments/klaxon-prod/latest}}"]
-
- environment:
- DATABASE_URL: "{{resolve:secretsmanager:/klaxon/aurora-postgresql-prod/app:SecretString:database-url}}"
- ADMIN_EMAILS: "admin@news.org"
- PORT: 3001
- APP_HOST: klaxon-prod.news-engineering.aws.wapo.pub.
- RACK_ENV: production
- RAILS_ENV: production
- HOST_URL: "klaxon-prod.news-engineering.aws.wapo.pub"
- SECRET_KEY_BASE: "{{resolve:secretsmanager:/klaxon/prod/secret-key:SecretString:secret_key_base}}"
- KLAXON_COMPILE_ASSETS: false
- SMTP_PROVIDER: SES
- SES_ADDRESS: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:address}}"
- SES_DOMAIN: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:domain}}"
- SES_PORT: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:port}}"
- MAILER_FROM_ADDRESS: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:mailerFromAddress}}"
- SES_USERNAME: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:username}}"
- SES_PASSWORD: "{{resolve:secretsmanager:/klaxon/ses-prod/smtp-user-credentials:SecretString:password}}"
-
- # Datadog env configuration
- DD_ENV: prod
- DD_SERVICE: klaxon-server
- DD_AGENT_HOST: 172.17.0.1
-
- # environment: dictionary
- # This allows environment values to be passed to the execution of the container at runtime
-
- # Environment also supports complex datatypes including dict and lists
-
- # secrets:
- # For SSM Params the path to the value can simply be specified as the value for the secret
- # The defined task will have an additional RequiredCapability added:
- # ecs.capability.secrets.ssm.environment-variables
- #
- # SECRET_PASSWORD_IN_SSM: "/path/to/ssm/parameter/in/same/region"
-
- # For values from SecretsManager you need to specify the full ARN to the secret
- #
- # SECRET_PASSWORD_IN_SECRETS_MANAGER: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my_secret-AbCdEf"
-
- # secrets: dictionary
- # This allows secrets to be securely inserted as environment variables into the container at runtime.
- # For more information: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html
-
-
- # mount_points:
- # - containerPath: /tmp
- # sourceVolume: my_tmp
- # readOnly: false
- # - containerPath: /test
- # sourceVolume: shared
- # readOnly: false
-
- # mount_points: list of dictionaries
- # This allows attaching HOST based file systems/resources to the ECS task container.
- #
- # containerPath: string
- # defining the filepath within the container to mount the volume.
- # readOnly: bool
- # Docker resource flag allowing Read or Read/Write access to the files
- # sourceVolume: string
- # This is NOT the filepath on the EC2 instance, it is a logical resource that can be defined at the
- # container or service level
-
- # volumes:
- # - name: my_tmp
- # host:
- # source_path: /tmp
-
- port: 3001
- # protocol: tcp
-
- # port_mapping:
- # 8080: tcp
- # 7070: tcp
- # 7071: udp
-
- # needs_ports: true
- # no_ports: false
-
- # port: integer (default 8080)
- # legacy approach to defining container port needing to be exposed
- # protocol: string
- # legacy approach to describing container port needing to be exposed
- #
- # In the case where 2 or more ports needs to be exposed the prefered method is to use a dictionary
- #
- # port_mapping: dictionary
- # int: string
- #
- # no_ports: bool (default false)
- # deprecated legacy flag
- #
- # needs_ports: bool
- # default value as follows:
- # If port_mapping contains an entry, then true
- # Otherwise equal to NOT(no_ports)
- #
- # When port_mapping is undefined and needs_ports is true the port_mapping will be automatically created
- # using container.port and container.protocol
-
-
- # Not required, additional cloudformation properties
- container_properties:
- ExtraHosts:
- - Hostname: statsd
- IpAddress: 172.17.0.1
-
- # If using autoscaling, make sure it makes sense to scale
- # your app based on its memory or cpu usage. Besides the
- # settings here, the `service.default_scale` and the
- # `container.memory_reservation` will impact scaling behavior.
- scaling:
- # Autoscaling is enabled by default. use `true` to turn it off
- disable: false
-
- # default max is 12X the service.default_scale
- max: 20
- # default min is the default_scale
- min: 2
-
- #Additional configurable properties with their defaults:
- cpu_target: 50
- mem_target: 75
- scale_in_cooldown: 900
- scale_out_cooldown: 30
- disable_scale_in: false
-
-
- # Not required, other companion containers
- # other_containers:
- # - name:
- # environment:
- # cfn_properties:
\ No newline at end of file
diff --git a/cfn/manifest.yml b/cfn/manifest.yml
deleted file mode 100644
index dd0db286..00000000
--- a/cfn/manifest.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-templates:
- shared:
- source: v1/cfn/shared
- version: 78cde3a8ff9b5b14c11fc6f924fb86977ebffa8d
diff --git a/cfn/templates/ecs-task.template.yml b/cfn/templates/ecs-task.template.yml
deleted file mode 100644
index 56c1e569..00000000
--- a/cfn/templates/ecs-task.template.yml
+++ /dev/null
@@ -1,168 +0,0 @@
-# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html
-# This is a custom template with some components derived from proper StackJack templates
-# This template is not sufficiently modular to copy/paste into another project but could
-# be used as a guide for creating scheduled ECS tasks
----
-AWSTemplateFormatVersion: 2010-09-09
-
-Description: CloudFormation template for an ECS task definition
-
-Resources:
-
- # mostly a replica of the main app task definitions
- # this task will run rake check:all to check all watched pages
- KlaxonPageCheckTaskDefinition:
- Type: AWS::ECS::TaskDefinition
- DeletionPolicy: Retain
- UpdateReplacePolicy: Retain
- Properties:
- Family: {{ family }}
- Cpu: 256
- Memory: 512
- NetworkMode: bridge
- ExecutionRoleArn: !GetAtt TaskDefintionExecutionRole.Arn
- ContainerDefinitions:
- - Name: {{ container_name }}
- Image: !Sub "{{ image }}"
- Essential: True
- MemoryReservation: 512
- PortMappings:
- - Protocol: TCP
- ContainerPort: 3001
- LogConfiguration:
- LogDriver: awslogs
- Options:
- awslogs-group: {{ awslogs_group }}
- awslogs-region: !Ref AWS::Region
- awslogs-stream-prefix: {{ awslogs_stream_prefix }}
- ExtraHosts: [{'Hostname': 'statsd', 'IpAddress': '172.17.0.1'}]
- # This jinja block covers mapping over environment vars from config
- # copied in from v1/cfn/shared/apps/ecs-v2/service.template.yml stackjack template
- {%- if environment is mapping %}
- {# blankline #}
- Environment:
- {%- for k, v in environment.items() %}
- {# blankline #}
- - Name: {{ k }}
- {#-
- Deal with Map/List data Types
- #}
- {%- if v is mapping %}
- {#- This feels brittle, https://arcpublishing.atlassian.net/browse/ST-1240 #}
- {%- set vl = v.keys() | list %}
- {%- if vl is iterable and vl|length > 0 and ("Fn::" == vl[0][0:4] or "Ref" == vl[0]) %}
- {#- Map is a translated !Fn object #}
- Value: {{ v | tojson }}
- {%- else %}
- {#- Convert from map to json string, wrap in singleQuotes #}
- Value: '{{ v | tojson }}'
- {%- endif %}
- {%- elif v is sequence and v is not string %}
- {#- Convert from list to json string, wrap in singleQuotes #}
- Value: '{{ v | tojson }}'
- {#-
- Deal with non-string types
- #}
- {%- elif v is number or v is sameas true or v is sameas false %}
- {#- Item is Number or Boolean #}
- Value: '{{ v }}'
- {%- elif v is not string %}
- {#- Unknown datatype, to not tamper #}
- Value: {{ v }}
- {#-
- Process AWS CFN Specials
- #}
- {%- elif v[0] == '{' and 'resolve:' in v %}
- {#- Inline CFN Dynamic Reference, wrap in single quotes #}
- {#- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html #}
- Value: '{{ v }}'
- {%- elif v[0] in '[{!' %}
- {#- No Quotes for values which look like CFN/JSON #}
- Value: {{ v }}
- {%- elif '${AWS:' in v %}
- {#- if ${AWS: in string then add CFN !Sub to allow inline substitutions #}
- Value: !Sub '{{ v }}'
- {#-
- Process items with quotes
- #}
- {%- elif '"' in v or "'" in v %}
- {#- No quotes for objects containing quotes #}
- Value: {{ v }}
- {#-
- All others are singleQuoted
- #}
- {%- else %}
- {#- Otherwise wrap in single quotes #}
- Value: '{{ v }}'
- {%- endif %}
- {%- endfor %}
- {%- endif %}
-
- # The role KlaxonPageCheckTaskDefinition will assume in order
- # to execute the page checks (mostly needed for accessing secrets)
- # This role was mostly copied from the main app server's task definition role
- TaskDefintionExecutionRole:
- Type: AWS::IAM::Role
- Properties:
- Path: /
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
- AssumeRolePolicyDocument:
- Statement:
- - Effect: Allow
- Action:
- - sts:AssumeRole
- Principal:
- Service:
- - ecs-tasks.amazonaws.com
- - events.amazonaws.com
- Policies:
- - PolicyName: {{ task_execution_role }}
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: 'Allow'
- Action: 'STS:GetCallerIdentity'
- Resource: '*'
- - Effect: Allow
- Action:
- - "ssm:GetParameters"
- - "secretsmanager:GetSecretValue"
- Resource:
- - !Sub arn:aws:ssm:*:${AWS::AccountId}:parameter/*
- - !Sub arn:aws:secretsmanager:*:${AWS::AccountId}:secret:*
-
- # The resource that executes KlaxonPageCheckTaskDefinition's task on
- # a schedule (every 10 min)
- KlaxonTaskSchedule:
- Type: AWS::Events::Rule
- Properties:
- Description: Klaxon ecs task scheduler
- Name: {{ klaxon_events_rule }}
- ScheduleExpression: cron({{ schedule_expression }})
- State: ENABLED
- Targets:
- - Arn: !Sub {{ cluster_arn }}
- Id: {{ cluster_id }}
- RoleArn: !GetAtt EC2ServiceEventsExecutionRole.Arn #ecs events role
- EcsParameters:
- TaskCount: 1
- TaskDefinitionArn: !Ref KlaxonPageCheckTaskDefinition
-
- # Role that allows KlaxonTaskSchedule to execute KlaxonPageCheckTaskDefinition's task
- EC2ServiceEventsExecutionRole:
- Type: AWS::IAM::Role
- Properties:
- Description: A role for event to execute Klaxon ECS task
- RoleName: {{ event_execution_role }}
- AssumeRolePolicyDocument:
- Statement:
- - Effect: Allow
- Principal:
- Service:
- - ecs-tasks.amazonaws.com
- - events.amazonaws.com
- Action: sts:AssumeRole
- ManagedPolicyArns:
- - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole
- 
\ No newline at end of file
From e5b32395cc6582019602201a1ec1dd031658da92 Mon Sep 17 00:00:00 2001
From: Aaron Brezel <35546183+aaronbrezel@users.noreply.github.com>
Date: Fri, 22 Mar 2024 09:43:30 -0400
Subject: [PATCH 2/2] Chore: cleanup klaxon docs (#122)
---
 .github/CODEOWNERS | 8 --------
 documentation/local_setup_sans_docker.md | 10 ++--------
 2 files changed, 2 insertions(+), 16 deletions(-)
 delete mode 100644 .github/CODEOWNERS
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
deleted file mode 100644
index cbecc1ce..00000000
--- a/.github/CODEOWNERS
+++ /dev/null
@@ -1,8 +0,0 @@
-# This is a comment.
-# Each line is a file pattern followed by one or more owners.
-
-# These owners will be the default owners for everything in
-# the repo. Unless a later match takes precedence,
-# @global-owner1 and @global-owner2 will be requested for
-# review when someone opens a pull request.
-* @WPMedia/news-engineering-news-applications
diff --git a/documentation/local_setup_sans_docker.md b/documentation/local_setup_sans_docker.md
index 05d74cd3..77b70184 100644
--- a/documentation/local_setup_sans_docker.md
+++ b/documentation/local_setup_sans_docker.md
@@ -4,16 +4,10 @@ This guide is an adaptation of the original [Klaxon developing file](https://git
 We're assuming that git, homebrew, and [postgres](https://postgresapp.com/) are already installed on your machine.
-Start by cloning our fork of the Klaxon repo. For HTTPS:
+Start by cloning our fork of the Klaxon repo.
 ```
-git clone https://github.com/WPMedia/klaxon.git
-```
-
-For SSH:
-
-```
-git clone git@github.com:WPMedia/klaxon.git
+git clone git@github.com:washingtonpost/klaxon.git
 ```
 Then, see if you have xcode installed (`xcode-select -version`), and if not, run: