ECSクラスタを作成

infrastructure/bin/cobol4j-aws-web.ts

@@ -7,7 +7,11 @@ import { Aspects } from "aws-cdk-lib";
 
 const app = new cdk.App();
 Aspects.of(app).add(new AwsSolutionsChecks({ verbose: true }));
-const stack = new Cobol4JAwsWebStack(app, "StartCDKStack", {});
+const stack = new Cobol4JAwsWebStack(app, "StartCDKStack", {
+  env: {
+    region: "ap-northeast-1",
+  },
+});
 
 // 必要に応じて作成するリソース全体に共通のタグを追加
 // cdk.Tags.of(app).add("project", "StartCDKProject");

infrastructure/lib/constructs/ECS/index.ts

@@ -0,0 +1,91 @@
+import { Construct } from "constructs";
+import * as cdk from "aws-cdk-lib";
+import * as ecs from "aws-cdk-lib/aws-ecs";
+import * as ec2 from "aws-cdk-lib/aws-ec2";
+import { ApplicationLoadBalancedFargateService } from "aws-cdk-lib/aws-ecs-patterns";
+import { StackProps } from "aws-cdk-lib";
+import * as s3 from "aws-cdk-lib/aws-s3";
+import { NagSuppressions } from "cdk-nag";
+
+/**
+ * ECSのプロパティ
+ */
+export interface ECSProps extends StackProps {
+  /**
+   * ECSクラスタを作成するVPC
+   */
+  vpc: ec2.Vpc;
+}
+/**
+ * ECSクラスタ
+ */
+export class ECS extends Construct {
+  private logBucket: s3.Bucket;
+
+  constructor(scope: Construct, id: string, props: ECSProps) {
+    super(scope, id);
+
+    // ECSクラスタを作成
+    const cluster = new ecs.Cluster(this, "EcsCluster", {
+      vpc: props.vpc,
+      containerInsights: true,
+    });
+
+    // Fargateサービスを作成
+    const loadBalancedFargateService =
+      new ApplicationLoadBalancedFargateService(this, "Service", {
+        cluster,
+        memoryLimitMiB: 1024,
+        desiredCount: 1,
+        cpu: 512,
+        taskImageOptions: {
+          image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
+        },
+      });
+
+    const scalableTarget =
+      loadBalancedFargateService.service.autoScaleTaskCount({
+        minCapacity: 1,
+        maxCapacity: 2,
+      });
+
+    scalableTarget.scaleOnCpuUtilization("CpuScaling", {
+      targetUtilizationPercent: 50,
+    });
+
+    scalableTarget.scaleOnMemoryUtilization("MemoryScaling", {
+      targetUtilizationPercent: 50,
+    });
+
+    this.logBucket = new s3.Bucket(this, "Bucket", {
+      removalPolicy: cdk.RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+      bucketName: "my-alb-bucket",
+      enforceSSL: true,
+    });
+
+    loadBalancedFargateService.loadBalancer.logAccessLogs(this.logBucket);
+  }
+
+  /**
+   * NAGのチェックを抑制する
+   */
+  public addCdkNagSuppressions(parentStack: cdk.Stack) {
+    NagSuppressions.addResourceSuppressionsByPath(
+      parentStack,
+      "/StartCDKStack/ECS/Service/LB/SecurityGroup/Resource",
+      [
+        {
+          id: "AwsSolutions-EC23",
+          reason: "Security groups of web services allow large port ranges.",
+        },
+      ],
+    );
+    NagSuppressions.addResourceSuppressions(this.logBucket, [
+      {
+        id: "AwsSolutions-S1",
+        reason: "ロギング用のバケットのアクセスログは不要",
+      },
+    ]);
+  }
+}

infrastructure/lib/constructs/Network/index.ts

@@ -18,17 +18,35 @@ export class Network extends Construct {
     // VPCを作成
     this.vpc = new ec2.Vpc(this, "Vpc", {
       natGateways: 0,
-      createInternetGateway: false,
+      createInternetGateway: true,
       maxAzs: 2,
       subnetConfiguration: [
         {
           cidrMask: 24,
-          name: "Private",
-          subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
+          name: "Public",
+          subnetType: ec2.SubnetType.PUBLIC,
         },
       ],
     });
 
+    // VPCエンドポイントを作成
+    this.vpc.addInterfaceEndpoint("ECREndpoint", {
+      service: ec2.InterfaceVpcEndpointAwsService.ECR,
+    });
+
+    this.vpc.addInterfaceEndpoint("ECRDockerEndpoint", {
+      service: ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
+    });
+
+    this.vpc.addInterfaceEndpoint("CloudWatchEndpoint", {
+      service: ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
+    });
+
+    new ec2.GatewayVpcEndpoint(this, "S3Endpoint", {
+      service: ec2.GatewayVpcEndpointAwsService.S3,
+      vpc: this.vpc,
+    });
+
     // VPC Flow Logsを作成
     const vpcFlowLogGroup = new logs.LogGroup(this, "VpcFlowLogGroup", {
       retention: logs.RetentionDays.THREE_DAYS,

infrastructure/lib/main.ts

@@ -1,21 +1,28 @@
 import * as cdk from "aws-cdk-lib";
 import { Construct } from "constructs";
 import { Network } from "./constructs/Network";
+import { ECS } from "./constructs/ECS";
 
 /**
  * スタック
  */
 export class Cobol4JAwsWebStack extends cdk.Stack {
+  private ecsCluster: ECS;
+
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
 
-    new Network(this, "Network");
+    const network = new Network(this, "Network");
+
+    this.ecsCluster = new ECS(this, "ECS", {
+      vpc: network.vpc,
+    });
   }
 
   /**
    * NAGのチェックを抑制する
    */
   public addCdkNagSuppressions() {
-    // 必要に応じてNag suppressionsを追加
+    this.ecsCluster.addCdkNagSuppressions(this);
   }
 }

infrastructure/test/cobol4j-aws-web.test.ts

@@ -0,0 +1,32 @@
+import * as cdk from "aws-cdk-lib";
+import { Template } from "aws-cdk-lib/assertions";
+import { Cobol4JAwsWebStack } from "../lib/main";
+
+const app = new cdk.App();
+const stack = new Cobol4JAwsWebStack(app, "StartCDKStack", {
+  env: {
+    region: "ap-northeast-1",
+  },
+});
+const template = Template.fromStack(stack);
+
+test("No NAT Gateway", () => {
+  template.resourcePropertiesCountIs("AWS::EC2::NatGateway", {}, 0);
+});
+
+test("Internet Gateway", () => {
+  template.hasResource("AWS::EC2::InternetGateway", {});
+  template.resourcePropertiesCountIs(
+    "AWS::EC2::EgressOnlyInternetGateway",
+    {},
+    0,
+  );
+});
+
+test("No ECR Repository", () => {
+  template.resourcePropertiesCountIs("AWS::ECR::Repository", {}, 0);
+});
+
+test("ECS Cluster", () => {
+  template.hasResource("AWS::ECS::Cluster", {});
+});