Merge pull request #1 from ContainerOnAWS/init

init

.github/workflows/build.yml

@@ -0,0 +1,37 @@
+name: Build
+on:
+  push:
+    branches:
+      - master
+      - develop
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK 11
+        uses: actions/setup-java@v1
+        with:
+          java-version: 11
+      - name: Cache SonarCloud packages
+        uses: actions/cache@v1
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+      - name: Cache Gradle packages
+        uses: actions/cache@v1
+        with:
+          path: ~/.gradle/caches
+          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
+          restore-keys: ${{ runner.os }}-gradle
+      - name: Build and analyze
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: ./gradlew build sonarqube --info

.gitignore

@@ -1,16 +1,10 @@
-# Compiled class file
-*.class
 
-# Log file
-*.log
-
-# BlueJ files
-*.ctxt
 
-# Mobile Tools for Java (J2ME)
-.mtj.tmp/
+.gradle
+.vscode
+**/logs
 
-# Package Files #
+*.log
 *.jar
 *.war
 *.nar
@@ -19,5 +13,151 @@
 *.tar.gz
 *.rar
 
-# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
-hs_err_pid*
+# internal
+*internal*
+
+# MAC
+**/.DS_Store
+
+# Lambda layer
+**/layers
+**/temp
+
+# CDK
+**/node_modules
+**/cdk.out
+**/cdk.context.json
+**/cdk-outputs.json
+
+#-------------------
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+# CDK
+#lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/

00-vpc/bin/index.ts

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+import * as cdk from 'aws-cdk-lib';
+import { VpcStack } from '../lib/vpc-stack';
+import { DEFAULT_STAGE } from '../../config';
+
+const app = new cdk.App();
+const env = {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION
+};
+const stage = app.node.tryGetContext('stage') || DEFAULT_STAGE;
+
+new VpcStack(app, `ecs-vpc-${stage}`,  {
+    env,
+    description: 'VPC for AppRunner',
+    terminationProtection: stage!==DEFAULT_STAGE
+});

00-vpc/cdk.json

@@ -0,0 +1,32 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/index.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}

00-vpc/lib/vpc-stack.ts

@@ -0,0 +1,38 @@
+import { Stack, StackProps, CfnOutput } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as ssm from 'aws-cdk-lib/aws-ssm';
+
+import { SSM_PREFIX } from '../../config';
+
+export class VpcStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        const cidr = `10.100.0.0/16`;
+        const vpc = new ec2.Vpc(this, 'Vpc', {
+            maxAzs: 3,
+            natGateways: 3,
+            cidr,
+            subnetConfiguration: [
+                {
+                    cidrMask: 20,
+                    name: 'public',
+                    subnetType: ec2.SubnetType.PUBLIC,
+                },
+                {
+                    cidrMask: 20,
+                    name: 'private',
+                    subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+                }
+            ]
+        });
+
+        const parameter = new ssm.StringParameter(this, 'SSMVPCID', { parameterName: `${SSM_PREFIX}/vpc-id`, stringValue: vpc.vpcId });
+        new CfnOutput(this, 'VPC', { value: vpc.vpcId });
+        new CfnOutput(this, 'SSMParameter', { value: parameter.parameterName });
+        new CfnOutput(this, 'SSMParameterValue', { value: vpc.vpcId });
+        new CfnOutput(this, 'SSMURL', { value: `https://${this.region}.console.aws.amazon.com/systems-manager/parameters/` });
+    }
+}

01-iam-role/bin/index.ts

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+import * as cdk from 'aws-cdk-lib';
+import { DEFAULT_STAGE } from '../../config';
+import { EcsIamRoleStack } from '../lib/ecs-iam-role-stack';
+
+const app = new cdk.App();
+const env = {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION
+};
+const stage = app.node.tryGetContext('stage') || DEFAULT_STAGE;
+
+new EcsIamRoleStack(app, `apprunner-iam-role-${stage}`,  {
+    env,
+    description: 'AppRunner IAM Role',
+    terminationProtection: stage!==DEFAULT_STAGE
+});

01-iam-role/cdk.json

@@ -0,0 +1,32 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/index.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ]
+  }
+}

01-iam-role/lib/ecs-iam-role-stack.ts

@@ -0,0 +1,36 @@
+import { Stack, StackProps, CfnOutput } from 'aws-cdk-lib';
+
+import * as ssm from 'aws-cdk-lib/aws-ssm';
+import * as iam from 'aws-cdk-lib/aws-iam';
+
+import { Construct } from 'constructs';
+import { SSM_PREFIX } from '../../config';
+
+/**
+ * This stack is written to share IAM role among multiple-cluster
+ * 
+ * https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
+ * 
+ * https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html
+ * 
+ */
+export class EcsIamRoleStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    const accessRole = new iam.Role(this, 'access-role', {
+      roleName: `AppRunnerEcrAccessRole`,
+      assumedBy: new iam.ServicePrincipal('build.apprunner.amazonaws.com'),
+      managedPolicies: [
+        iam.ManagedPolicy.fromAwsManagedPolicyName(
+          'service-role/AWSAppRunnerServicePolicyForECRAccess',
+        ),
+      ]
+    });
+
+    const accessRoleParam = new ssm.StringParameter(this, 'ssm-access-role', { parameterName: `${SSM_PREFIX}/access-role-arn`, stringValue: accessRole.roleArn });
+
+    new CfnOutput(this, 'SSMTaskExecRoleParam', { value: accessRoleParam.parameterName });
+    new CfnOutput(this, 'SSMTaskExecRoleParamValue', { value: accessRoleParam.stringValue });
+  }
+}