
Create an ECS cluster #14

Merged
merged 5 commits into from
Oct 5, 2024

Conversation

yutaro-sakamoto
Owner

Overview

Create a sample ALB + ECS + Fargate service using ApplicationLoadBalancedFargateService

Changes

Scope of impact

The sample service runs

Tests

Added tests using jest

Related issues

None

Related pull requests

None

Other

None


github-actions bot commented Oct 5, 2024

Result of cdk diff

[Warning at /StartCDKStack/Network/Vpc/ECREndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. You can suppress the "CdkNagValidationFailure" to get rid of this error. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["NetworkVpc7FB7348F","CidrBlock"]}", therefore the rule could not be validated.

[Warning at /StartCDKStack/Network/Vpc/ECRDockerEndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. You can suppress the "CdkNagValidationFailure" to get rid of this error. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["NetworkVpc7FB7348F","CidrBlock"]}", therefore the rule could not be validated.

[Warning at /StartCDKStack/Network/Vpc/CloudWatchEndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. You can suppress the "CdkNagValidationFailure" to get rid of this error. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["NetworkVpc7FB7348F","CidrBlock"]}", therefore the rule could not be validated.

Stack StartCDKStack
IAM Statement Changes
┌───┬────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬───────────────────────────────────┬───────────────────────────────────────────────────────────────────┬───────────────────────────────────────────────┐
│ │ Resource │ Effect │ Action │ Principal │ Condition │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${Custom::S3AutoDeleteObjectsCustomResourceProvider/Role.Arn} │ Allow │ sts:AssumeRole │ Service:lambda.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role.Arn} │ Allow │ sts:AssumeRole │ Service:lambda.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${ECS/Bucket.Arn} │ Allow │ s3:GetBucketAcl │ Service:delivery.logs.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${ECS/Bucket.Arn} │ Deny │ s3:* │ AWS:* │ "Bool": { │
│ │ ${ECS/Bucket.Arn}/* │ │ │ │ "aws:SecureTransport": "false" │
│ │ │ │ │ │ } │
│ + │ ${ECS/Bucket.Arn} │ Allow │ s3:DeleteObject* │ AWS:${Custom::S3AutoDeleteObjectsCustomResourceProvider/Role.Arn} │ │
│ │ ${ECS/Bucket.Arn}/* │ │ s3:GetBucket* │ │ │
│ │ │ │ s3:List* │ │ │
│ │ │ │ s3:PutBucketPolicy │ │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${ECS/Bucket.Arn}/AWSLogs/${AWS::AccountId}/* │ Allow │ s3:PutObject │ AWS:arn:aws:iam::582318560864:root │ │
│ + │ ${ECS/Bucket.Arn}/AWSLogs/${AWS::AccountId}/* │ Allow │ s3:PutObject │ Service:delivery.logs.amazonaws.com │ "StringEquals": { │
│ │ │ │ │ │ "s3:x-amz-acl": "bucket-owner-full-control" │
│ │ │ │ │ │ } │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${ECS/Service/TaskDef/ExecutionRole.Arn} │ Allow │ sts:AssumeRole │ Service:ecs-tasks.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${ECS/Service/TaskDef/TaskRole.Arn} │ Allow │ sts:AssumeRole │ Service:ecs-tasks.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${ECS/Service/TaskDef/web/LogGroup.Arn} │ Allow │ logs:CreateLogStream │ AWS:${ECS/Service/TaskDef/ExecutionRole} │ │
│ │ │ │ logs:PutLogEvents │ │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${Network/VpcFlowLogGroup.Arn} │ Allow │ logs:CreateLogStream │ AWS:${Network/VpcFlowLogGroupRole} │ │
│ │ │ │ logs:DescribeLogStreams │ │ │
│ │ │ │ logs:PutLogEvents │ │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ ${Network/VpcFlowLogGroupRole.Arn} │ Allow │ sts:AssumeRole │ Service:vpc-flow-logs.amazonaws.com │ │
│ + │ ${Network/VpcFlowLogGroupRole.Arn} │ Allow │ iam:PassRole │ AWS:${Network/VpcFlowLogGroupRole} │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼───────────────────────────────────────────────────────────────────┼───────────────────────────────────────────────┤
│ + │ arn:aws:ec2:ap-northeast-1:${AWS::AccountId}:security-group/${NetworkVpc7FB7348F.DefaultSecurityGroup} │ Allow │ ec2:AuthorizeSecurityGroupEgress │ AWS:${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role} │ │
│ │ │ │ ec2:AuthorizeSecurityGroupIngress │ │ │
│ │ │ │ ec2:RevokeSecurityGroupEgress │ │ │
│ │ │ │ ec2:RevokeSecurityGroupIngress │ │ │
└───┴────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴───────────────────────────────────┴───────────────────────────────────────────────────────────────────┴───────────────────────────────────────────────┘
IAM Policy Changes
┌───┬────────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────┐
│ │ Resource │ Managed Policy ARN │
├───┼────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Custom::S3AutoDeleteObjectsCustomResourceProvider/Role} │ {"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"} │
├───┼────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role} │ {"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"} │
└───┴────────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────┘
Security Group Changes
┌───┬─────────────────────────────────────────────────────────┬─────┬────────────┬──────────────────────────────────────────────┐
│ │ Group │ Dir │ Protocol │ Peer │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼──────────────────────────────────────────────┤
│ + │ ${ECS/Service/LB/SecurityGroup.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │
│ + │ ${ECS/Service/LB/SecurityGroup.GroupId} │ Out │ TCP 80 │ ${ECS/Service/Service/SecurityGroup.GroupId} │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼──────────────────────────────────────────────┤
│ + │ ${ECS/Service/Service/SecurityGroup.GroupId} │ In │ TCP 80 │ ${ECS/Service/LB/SecurityGroup.GroupId} │
│ + │ ${ECS/Service/Service/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼──────────────────────────────────────────────┤
│ + │ ${Network/Vpc/CloudWatchEndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/CloudWatchEndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼──────────────────────────────────────────────┤
│ + │ ${Network/Vpc/ECRDockerEndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/ECRDockerEndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼──────────────────────────────────────────────┤
│ + │ ${Network/Vpc/ECREndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/ECREndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
└───┴─────────────────────────────────────────────────────────┴─────┴────────────┴──────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)

Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC Network/Vpc NetworkVpc7FB7348F
[+] AWS::EC2::Subnet Network/Vpc/PublicSubnet1/Subnet NetworkVpcPublicSubnet1Subnet36933139
[+] AWS::EC2::RouteTable Network/Vpc/PublicSubnet1/RouteTable NetworkVpcPublicSubnet1RouteTable30235CE2
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PublicSubnet1/RouteTableAssociation NetworkVpcPublicSubnet1RouteTableAssociation643926C7
[+] AWS::EC2::Route Network/Vpc/PublicSubnet1/DefaultRoute NetworkVpcPublicSubnet1DefaultRoute31EC04EC
[+] AWS::EC2::Subnet Network/Vpc/PublicSubnet2/Subnet NetworkVpcPublicSubnet2SubnetC427CCE0
[+] AWS::EC2::RouteTable Network/Vpc/PublicSubnet2/RouteTable NetworkVpcPublicSubnet2RouteTable0FACEBB2
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PublicSubnet2/RouteTableAssociation NetworkVpcPublicSubnet2RouteTableAssociationC662643B
[+] AWS::EC2::Route Network/Vpc/PublicSubnet2/DefaultRoute NetworkVpcPublicSubnet2DefaultRoute0CF082AB
[+] AWS::EC2::InternetGateway Network/Vpc/IGW NetworkVpcIGW6BEA7B02
[+] AWS::EC2::VPCGatewayAttachment Network/Vpc/VPCGW NetworkVpcVPCGW8F3799B5
[+] Custom::VpcRestrictDefaultSG Network/Vpc/RestrictDefaultSecurityGroupCustomResource NetworkVpcRestrictDefaultSecurityGroupCustomResource491E144D
[+] AWS::EC2::SecurityGroup Network/Vpc/ECREndpoint/SecurityGroup NetworkVpcECREndpointSecurityGroup020CC810
[+] AWS::EC2::VPCEndpoint Network/Vpc/ECREndpoint NetworkVpcECREndpointE8ED42C2
[+] AWS::EC2::SecurityGroup Network/Vpc/ECRDockerEndpoint/SecurityGroup NetworkVpcECRDockerEndpointSecurityGroupEC751EE8
[+] AWS::EC2::VPCEndpoint Network/Vpc/ECRDockerEndpoint NetworkVpcECRDockerEndpoint0D3D650F
[+] AWS::EC2::SecurityGroup Network/Vpc/CloudWatchEndpoint/SecurityGroup NetworkVpcCloudWatchEndpointSecurityGroup6E307338
[+] AWS::EC2::VPCEndpoint Network/Vpc/CloudWatchEndpoint NetworkVpcCloudWatchEndpointF625B932
[+] AWS::EC2::VPCEndpoint Network/S3Endpoint NetworkS3EndpointDED08CEB
[+] AWS::Logs::LogGroup Network/VpcFlowLogGroup NetworkVpcFlowLogGroup782DD453
[+] AWS::IAM::Role Network/VpcFlowLogGroupRole NetworkVpcFlowLogGroupRoleF6875B51
[+] AWS::IAM::Policy Network/VpcFlowLogGroupRole/DefaultPolicy NetworkVpcFlowLogGroupRoleDefaultPolicyDA3C2D9D
[+] AWS::EC2::FlowLog Network/FlowLog/FlowLog NetworkFlowLog0C7D188B
[+] AWS::IAM::Role Custom::VpcRestrictDefaultSGCustomResourceProvider/Role CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0
[+] AWS::Lambda::Function Custom::VpcRestrictDefaultSGCustomResourceProvider/Handler CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E
[+] AWS::ECS::Cluster ECS/EcsCluster ECSEcsCluster331AD70F
[+] AWS::ElasticLoadBalancingV2::LoadBalancer ECS/Service/LB ECSServiceLBB8C98433
[+] AWS::EC2::SecurityGroup ECS/Service/LB/SecurityGroup ECSServiceLBSecurityGroup338826B7
[+] AWS::EC2::SecurityGroupEgress ECS/Service/LB/SecurityGroup/to StartCDKStackECSServiceSecurityGroupC4ABAEC6:80 ECSServiceLBSecurityGrouptoStartCDKStackECSServiceSecurityGroupC4ABAEC680D0FCD158
[+] AWS::ElasticLoadBalancingV2::Listener ECS/Service/LB/PublicListener ECSServiceLBPublicListener0D5AFD27
[+] AWS::ElasticLoadBalancingV2::TargetGroup ECS/Service/LB/PublicListener/ECSGroup ECSServiceLBPublicListenerECSGroupAE0D8C7E
[+] AWS::IAM::Role ECS/Service/TaskDef/TaskRole ECSServiceTaskDefTaskRoleDA8C6EA9
[+] AWS::ECS::TaskDefinition ECS/Service/TaskDef ECSServiceTaskDef79F7AD53
[+] AWS::Logs::LogGroup ECS/Service/TaskDef/web/LogGroup ECSServiceTaskDefwebLogGroup715C1949
[+] AWS::IAM::Role ECS/Service/TaskDef/ExecutionRole ECSServiceTaskDefExecutionRole4BF55744
[+] AWS::IAM::Policy ECS/Service/TaskDef/ExecutionRole/DefaultPolicy ECSServiceTaskDefExecutionRoleDefaultPolicyFA35610E
[+] AWS::ECS::Service ECS/Service/Service/Service ECSService8D71BA38
[+] AWS::EC2::SecurityGroup ECS/Service/Service/SecurityGroup ECSServiceSecurityGroup28D36F43
[+] AWS::EC2::SecurityGroupIngress ECS/Service/Service/SecurityGroup/from StartCDKStackECSServiceLBSecurityGroup32837B8B:80 ECSServiceSecurityGroupfromStartCDKStackECSServiceLBSecurityGroup32837B8B80458E5A99
[+] AWS::ApplicationAutoScaling::ScalableTarget ECS/Service/Service/TaskCount/Target ECSServiceTaskCountTarget20307D20
[+] AWS::ApplicationAutoScaling::ScalingPolicy ECS/Service/Service/TaskCount/Target/CpuScaling ECSServiceTaskCountTargetCpuScaling20408D93
[+] AWS::ApplicationAutoScaling::ScalingPolicy ECS/Service/Service/TaskCount/Target/MemoryScaling ECSServiceTaskCountTargetMemoryScalingA7DFACDB
[+] AWS::S3::Bucket ECS/Bucket ECSBucket6BE9F3CE
[+] AWS::S3::BucketPolicy ECS/Bucket/Policy ECSBucketPolicyA6B79E7B
[+] Custom::S3AutoDeleteObjects ECS/Bucket/AutoDeleteObjectsCustomResource ECSBucketAutoDeleteObjectsCustomResource3A788071
[+] AWS::IAM::Role Custom::S3AutoDeleteObjectsCustomResourceProvider/Role CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092
[+] AWS::Lambda::Function Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F

Outputs
[+] Output ECS/Service/LoadBalancerDNS ECSServiceLoadBalancerDNS9E417FBD: {"Value":{"Fn::GetAtt":["ECSServiceLBB8C98433","DNSName"]}}
[+] Output ECS/Service/ServiceURL ECSServiceServiceURL4F9DCC59: {"Value":{"Fn::Join":["",["http://",{"Fn::GetAtt":["ECSServiceLBB8C98433","DNSName"]}]]}}

✨ Number of stacks with differences: 1
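As an added example, not code from this PR or its repository: a TypeScript check that parses the Security Group Changes table from the bot's cdk diff output above and reports newly added ingress rules whose peer is the whole internet, so a CI job can fail a PR that opens anything other than the ALB's own group. The function names are my own and the sample input is constructed from the rows in the comment.

```typescript
// Added example, not code from this PR or its repository: a small CI gate that parses
// the "Security Group Changes" table printed by `cdk diff` (the format of the bot
// comment above) and flags newly added ingress rules open to the whole internet. The
// ALB's group is expected to be public, so the caller passes it as an allowlist.

// One parsed table row; "added" is true when the first column is "+".
interface SgRule { added: boolean; group: string; dir: "In" | "Out"; protocol: string; peer: string }

// Parse one box-drawing row; header, border and separator lines yield null.
function parseSgRow(line: string): SgRule | null {
  if (!line.startsWith("│")) return null;
  const cells = line.split("│").slice(1, -1).map((c) => c.trim());
  if (cells.length !== 5) return null;
  const [mark = "", group = "", dir = "", protocol = "", peer = ""] = cells;
  if (dir !== "In" && dir !== "Out") return null;
  return { added: mark === "+", group, dir, protocol, peer };
}

// Collect every rule row between the section heading and the table's bottom border.
function parseSgChanges(diff: string): SgRule[] {
  const lines = diff.split("\n");
  const start = lines.findIndex((l) => l.trim() === "Security Group Changes");
  if (start < 0) return [];
  const rules: SgRule[] = [];
  for (const line of lines.slice(start + 1)) {
    if (line.startsWith("└")) break;
    const rule = parseSgRow(line);
    if (rule) rules.push(rule);
  }
  return rules;
}

// Added ingress rules whose peer is "Everyone (...)", minus the allowlisted groups.
function findPublicIngress(diff: string, allowedGroups: string[]): SgRule[] {
  return parseSgChanges(diff).filter(
    (r) => r.added && r.dir === "In" && r.peer.startsWith("Everyone") && !allowedGroups.includes(r.group),
  );
}

// Constructed sample: the rows from the PR comment's table, with shortened borders.
const SAMPLE_DIFF = [
  "Security Group Changes",
  "│   │ Group │ Dir │ Protocol │ Peer │",
  "├───┼───┼─────┼─────┼─────┤",
  "│ + │ ${ECS/Service/LB/SecurityGroup.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │",
  "│ + │ ${ECS/Service/LB/SecurityGroup.GroupId} │ Out │ TCP 80 │ ${ECS/Service/Service/SecurityGroup.GroupId} │",
  "│ + │ ${ECS/Service/Service/SecurityGroup.GroupId} │ In │ TCP 80 │ ${ECS/Service/LB/SecurityGroup.GroupId} │",
  "│ + │ ${ECS/Service/Service/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │",
  "│ + │ ${Network/Vpc/ECREndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │",
].join("\n");
```

Running `findPublicIngress(SAMPLE_DIFF, ["${ECS/Service/LB/SecurityGroup.GroupId}"])` on the table above returns nothing, because the only world-open ingress is the ALB listener on TCP 80 and the task security group accepts traffic only from the ALB's group.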

@yutaro-sakamoto yutaro-sakamoto merged commit 2027dba into main Oct 5, 2024
5 checks passed