.

DevSecOpsSamples · Aug 15, 2022 · 4e9423b · 4e9423b
1 parent f138f9a
commit 4e9423b
Show file tree

Hide file tree

Showing 9 changed files with 273 additions and 113 deletions.
diff --git a/README.md b/README.md
@@ -27,7 +27,7 @@ Learn the features below using the CDK code:
 3. Deploy IAM Role stack
 4. Docker build, deploy ECR and CodeCommit repository stack
 5. Deploy ECS Fargate Service stack
-6. Deploy ECS FargateSpot Service stack
+6. Deploy ECS FargateSpot Service stackcd
 7. Scale the ECS Tasks
 8. Execute a command using ECS Exec
 9. Deploy ECS Code Pipeline stack
@@ -357,19 +357,15 @@ SSM parameters:
 
 ### Docs
 
-* [Fargate Task Networking](https://docs.aws.amazon.com/ko_kr/AmazonECS/latest/userguide/fargate-task-networking.html) for debugging
-
-* [ECS Exec](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html) for debugging
+* [AuthenticationConfiguration](https://docs.aws.amazon.com/apprunner/latest/api/API_AuthenticationConfiguration.html)
 
 ### CDK Lib
 
-* [ECS](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs-readme.html)
-
-* [ECR Assets](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecr_assets-readme.html)
+* [App Runner v2](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apprunner-readme.html)
 
-* [IAM](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam-readme.html)
+* [App Runner v1](https://www.npmjs.com/package/@aws-cdk/aws-apprunner)
 
-* [SSM](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ssm-readme.html)
+* [ECR Assets](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecr_assets-readme.html)
 
 ### IAM Role & Policy
 

diff --git a/app/README.md b/app/README.md
@@ -1,5 +1,5 @@
 # SpringBoot sample docker
 
-@RequestMapping(value="/", method=RequestMethod.GET)  
-@RequestMapping(value="/ping", method=RequestMethod.GET)  
-@RequestMapping(value="/serviceid/monitoring/v1/ping", method=RequestMethod.GET) 
+build
+
+./gradlew build
diff --git a/apprunner-iam-role/bin/index.ts b/apprunner-iam-role/bin/index.ts
@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+import * as cdk from 'aws-cdk-lib';
+import { DEFAULT_STAGE } from '../../config';
+import { EcsIamRoleStack } from '../lib/ecs-iam-role-stack';
+
+const app = new cdk.App();
+const env = {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION
+};
+const stage = app.node.tryGetContext('stage') || DEFAULT_STAGE;
+
+new EcsIamRoleStack(app, `apprunner-iam-role-${stage}`,  {
+    env,
+    description: 'AppRunner IAM Role',
+    terminationProtection: stage!==DEFAULT_STAGE
+});
diff --git a/apprunner-iam-role/cdk.json b/apprunner-iam-role/cdk.json
@@ -0,0 +1,32 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/index.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}
diff --git a/apprunner-iam-role/lib/ecs-iam-role-stack.ts b/apprunner-iam-role/lib/ecs-iam-role-stack.ts
@@ -0,0 +1,36 @@
+import { Stack, StackProps, CfnOutput } from 'aws-cdk-lib';
+
+import * as ssm from 'aws-cdk-lib/aws-ssm';
+import * as iam from 'aws-cdk-lib/aws-iam';
+
+import { Construct } from 'constructs';
+import { SSM_PREFIX } from '../../config';
+
+/**
+ * This stack is written to share IAM role among multiple-cluster
+ * 
+ * https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
+ * 
+ * https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html
+ * 
+ */
+export class EcsIamRoleStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    const accessRole = new iam.Role(this, 'access-role', {
+      roleName: `AppRunnerEcrAccessRole`,
+      assumedBy: new iam.ServicePrincipal('build.apprunner.amazonaws.com'),
+      managedPolicies: [
+        iam.ManagedPolicy.fromAwsManagedPolicyName(
+          'service-role/AWSAppRunnerServicePolicyForECRAccess',
+        ),
+      ]
+    });
+
+    const accessRoleParam = new ssm.StringParameter(this, 'ssm-access-role', { parameterName: `${SSM_PREFIX}/access-role-arn`, stringValue: accessRole.roleArn });
+
+    new CfnOutput(this, 'SSMTaskExecRoleParam', { value: accessRoleParam.parameterName });
+    new CfnOutput(this, 'SSMTaskExecRoleParamValue', { value: accessRoleParam.stringValue });
+  }
+}
diff --git a/apprunner/bin/index.ts b/apprunner/bin/index.ts
@@ -10,8 +10,9 @@ const env = {
 };
 const stage = app.node.tryGetContext('stage') || DEFAULT_STAGE;
 
-new AppRunnerStack(app, `ecs-vpc-${stage}`,  {
+new AppRunnerStack(app, `apprunner-${stage}`,  {
     env,
-    description: 'VPC for Fargate and EC2 ECS',
+    stage,
+    description: 'AppRunner with SpringBoot application',
     terminationProtection: stage!==DEFAULT_STAGE
 });
diff --git a/apprunner/lib/apprunner-stack copy.ts b/apprunner/lib/apprunner-stack copy.ts
@@ -0,0 +1,108 @@
+// import { Stack, StackProps, CfnOutput } from 'aws-cdk-lib';
+// import { Construct } from 'constructs';
+
+// import * as apprunner from 'aws-cdk-lib/aws-apprunner';
+// import * as iam from 'aws-cdk-lib/aws-iam';
+
+// import { StackCommonProps, SSM_PREFIX } from '../../config';
+
+// /** */
+// export class AppRunnerStack extends Stack {
+//   constructor(scope: Construct, id: string, props: StackCommonProps) {
+//     super(scope, id, props);
+
+//     // const service = apprunner.CfnService
+
+//     const serviceName = `apprunnder-${props.stage}`;
+//     const ecrUrl = `${props.env?.account}.dkr.ecr.${props.env?.region}.amazonaws.com/fargate-restapi-${props.stage}:latest`;
+
+//     const taskExecutionRole = new iam.Role(this, 'task-execution-role', {
+//       roleName: 'AppRunnerEcrAccessRole',
+//       assumedBy: new iam.ServicePrincipal('build.apprunner.amazonaws.com"'),
+//       managedPolicies: [
+//         iam.ManagedPolicy.fromAwsManagedPolicyName(
+//           'service-role/AmazonECSTaskExecutionRolePolicy',
+//         ),
+//       ]
+//     });
+
+//     const cfnService = new apprunner.CfnService(this, 'cfn-service', {
+//       sourceConfiguration: {
+//           authenticationConfiguration: {
+//             accessRoleArn: taskExecutionRole.roleArn,
+//         //     connectionArn: 'connectionArn',
+//           },
+//         autoDeploymentsEnabled: false,
+//         // codeRepository: {
+//         //   repositoryUrl: ecrUrl,
+//         //   sourceCodeVersion: {
+//         //     type: 'BRANCH',
+//         //     value: 'master',
+//         //   },
+//         //   codeConfiguration: {
+//         //     configurationSource: 'API',
+//         //     codeConfigurationValues: {
+//         //       runtime: 'corretto11',
+//         //       buildCommand: './gradlew build',
+//         //       port: '8080',
+//         //       runtimeEnvironmentVariables: [{
+//         //         name: 'name',
+//         //         value: 'value',
+//         //       }],
+//         //       startCommand: 'java -Djava.security.egd=file:/dev/./urandom -jar ./build/libs/devops-java-gradle.jar',
+//         //     },
+//         //   },
+//         // },
+//         imageRepository: {
+//           imageRepositoryType: 'ECR',
+//           imageIdentifier: ecrUrl,
+//           imageConfiguration: {
+//             port: '8080',
+//             runtimeEnvironmentVariables: [{
+//               name: 'stage',
+//               value: props.stage,
+//             }],
+//             // startCommand: 'startCommand',
+//           },
+//         },
+//       },
+//       healthCheckConfiguration: {
+//         healthyThreshold: 2,
+//         unhealthyThreshold: 5,
+//         timeout: 19,
+//         interval: 20,
+//         path: '/',
+//         protocol: 'HTTP'
+//       },
+//       // instanceConfiguration: {
+//       //   cpu: 'cpu',
+//       //   instanceRoleArn: 'instanceRoleArn',
+//       //   memory: 'memory',
+//       // },
+//       // networkConfiguration: {
+//       //   egressConfiguration: {
+//       //     egressType: 'egressType',
+
+//       //     // the properties below are optional
+//       //     vpcConnectorArn: 'vpcConnectorArn',
+//       //   },
+//       // },
+//       // observabilityConfiguration: {
+//       //   observabilityEnabled: false,
+
+//       //   // the properties below are optional
+//       //   observabilityConfigurationArn: 'observabilityConfigurationArn',
+//       // },
+//       serviceName,
+//       tags: [{
+//         key: 'stage',
+//         value: props.stage,
+//       }],
+//     });
+//     // const parameter = new ssm.StringParameter(this, 'SSMVPCID', { parameterName: `${SSM_PREFIX}/vpc-id`, stringValue: vpc.vpcId });
+//     // new CfnOutput(this, 'VPC', { value: vpc.vpcId });
+//     // new CfnOutput(this, 'SSMParameter', { value: parameter.parameterName });
+//     // new CfnOutput(this, 'SSMParameterValue', { value: vpc.vpcId });
+//     // new CfnOutput(this, 'SSMURL', { value: `https://${this.region}.console.aws.amazon.com/systems-manager/parameters/` });
+//   }
+// }