


# Using Amazon ECS with AWS CloudFormation
<a name="ecs-with-cloudformation"></a>

Amazon ECS is integrated with AWS CloudFormation, a service that you can use to model and set up AWS resources with templates that you define. CloudFormation uses **templates** in the form of a `YAML` or `JSON` formatted text file. Templates are like blueprints for the AWS resources that you want to create. When you create and submit a template, CloudFormation creates a **stack**. The stack lets you manage the resources that you defined in your template. When you want to create, update, or delete a resource, you create, update, or delete the stack that the resource belongs to. When you update a stack, you first create a **change set**. A change set shows you what the change will affect before you make it. This keeps you from, for example, accidentally deleting a database by changing its name. For more information about templates, stacks, and change sets, see [How CloudFormation works](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-overview.html#cfn-concepts-stacks) in the *AWS CloudFormation User Guide*.
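
The change-set review described above can be automated before a change set is executed. The following is an added example, not code from the AWS documentation: it reads a document in the shape returned by `aws cloudformation describe-change-set` and separates changes that destroy or replace stateful resources from the rest. The sample document, the `STATEFUL_TYPES` list, and the function names are assumptions made for illustration.

```python
"""Review a CloudFormation change set before it is executed.

Added example, not AWS code. SAMPLE_CHANGE_SET is constructed; it follows the
shape of `aws cloudformation describe-change-set` output.
"""
import json

# Assumption: resource types this team treats as holding state. Adjust per stack.
STATEFUL_TYPES = frozenset({
    "AWS::RDS::DBInstance",
    "AWS::DynamoDB::Table",
    "AWS::Logs::LogGroup",
})

# Constructed sample: renaming a log group forces a replacement.
SAMPLE_CHANGE_SET = json.loads("""
{
  "StackName": "ecs-tutorial-stack",
  "ChangeSetName": "rename-log-group",
  "Status": "CREATE_COMPLETE",
  "Changes": [
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "LogGroup",
      "ResourceType": "AWS::Logs::LogGroup", "Replacement": "True"}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Modify", "LogicalResourceId": "ECSService",
      "ResourceType": "AWS::ECS::Service", "Replacement": "False"}},
    {"Type": "Resource", "ResourceChange": {
      "Action": "Remove", "LogicalResourceId": "ServiceScalingPolicy",
      "ResourceType": "AWS::ApplicationAutoScaling::ScalingPolicy"}}
  ]
}
""")


def classify(resource_change):
    """Map one ResourceChange entry to what happens to the physical resource."""
    action = resource_change["Action"]
    replacement = resource_change.get("Replacement", "False")
    if action == "Remove":
        return "destroy"
    if action == "Modify" and replacement == "True":
        return "replace"        # a new physical resource is created, the old one deleted
    if action == "Modify" and replacement == "Conditional":
        return "maybe-replace"  # decided only when the change set is executed
    if action == "Dynamic":
        return "unknown"        # CloudFormation cannot determine the action in advance
    return "safe"               # Add, Import, or in-place Modify


def review_change_set(doc, stateful=STATEFUL_TYPES):
    """Return (blockers, warnings) as lists of (logical_id, effect) tuples."""
    if doc.get("Status") != "CREATE_COMPLETE":
        raise ValueError("change set is not ready: %s" % doc.get("Status"))
    blockers, warnings = [], []
    for change in doc.get("Changes", []):
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        effect = classify(rc)
        if effect == "safe":
            continue
        # Anything other than a safe change on a stateful type needs a human.
        target = blockers if rc["ResourceType"] in stateful else warnings
        target.append((rc["LogicalResourceId"], effect))
    return blockers, warnings


def may_execute(doc):
    """Policy: execute automatically only when no stateful resource is at risk."""
    blockers, _ = review_change_set(doc)
    return not blockers


if __name__ == "__main__":
    found_blockers, found_warnings = review_change_set(SAMPLE_CHANGE_SET)
    for logical_id, effect in found_blockers:
        print("BLOCK %-22s %s" % (logical_id, effect))
    for logical_id, effect in found_warnings:
        print("WARN  %-22s %s" % (logical_id, effect))
```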

With CloudFormation, you can spend less time creating and managing your resources and infrastructure. You can create a template that describes all of the AWS resources that you want, such as Amazon ECS clusters, task definitions, and services. CloudFormation then takes care of provisioning and configuring those resources for you.

CloudFormation also lets you reuse your template to set up your Amazon ECS resources consistently and repeatably. You describe your resources once, and then provision the same resources again across multiple AWS accounts and AWS Regions.

CloudFormation templates can be used with either the AWS Management Console or the AWS Command Line Interface to create resources.

To learn more about CloudFormation, see the following resources:
+ [AWS CloudFormation](https://aws.amazon.com/cloudformation/)
+ [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)
+ [AWS CloudFormation Command Line Interface User Guide](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/what-is-cloudformation-cli.html)

**Topics**
+ [Creating Amazon ECS resources using the CloudFormation console](ecs-cloudformation-console.md)
+ [Creating Amazon ECS resources using AWS CLI commands for CloudFormation](ecs-cloudformation-cli.md)
+ [Example CloudFormation templates for Amazon ECS](working-with-templates.md)

# Creating Amazon ECS resources using the CloudFormation console
<a name="ecs-cloudformation-console"></a>

One way to use Amazon ECS with CloudFormation is through the AWS Management Console. There, you can create your CloudFormation stacks for Amazon ECS components such as task definitions, clusters, and services, and deploy them directly from the console. The following tutorial shows how to use the CloudFormation console to create Amazon ECS resources from a template.

## Prerequisites
<a name="ecs-cloudformation-console-prerequisites"></a>

This tutorial assumes that the following prerequisites have been completed.
+ You have completed the steps in [Set up to use Amazon ECS](get-set-up-for-amazon-ecs.md).
+ Your IAM user has the required permissions specified in the [AmazonECS_FullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonECS_FullAccess) IAM policy example.

## Step 1: Create a template
<a name="ecs-cloudformation-create-template-file"></a>

Use the following steps to create a CloudFormation stack template for an Amazon ECS service and other related resources.

1. Using a text editor of your choice, create a file called `ecs-tutorial-template.yaml`.

1. In the `ecs-tutorial-template.yaml` file, paste the following template and save the changes.

   ```
   AWSTemplateFormatVersion: '2010-09-09'
   Description: '[AWSDocs] ECS: load-balanced-web-application'
   
   Parameters:
     VpcCidr:
       Type: String
       Default: '10.0.0.0/16'
       Description: CIDR block for the VPC
     ContainerImage:
       Type: String
       Default: 'public.ecr.aws/ecs-sample-image/amazon-ecs-sample:latest'
       Description: Container image to use in task definition
   
     PublicSubnet1Cidr:
       Type: String
       Default: '10.0.1.0/24'
       Description: CIDR block for public subnet 1
     
     PublicSubnet2Cidr:
       Type: String
       Default: '10.0.2.0/24'
       Description: CIDR block for public subnet 2
     
     PrivateSubnet1Cidr:
       Type: String
       Default: '10.0.3.0/24'
       Description: CIDR block for private subnet 1
     
     PrivateSubnet2Cidr:
       Type: String
       Default: '10.0.4.0/24'
       Description: CIDR block for private subnet 2
     
     ServiceName:
       Type: String
       Default: 'tutorial-app'
       Description: Name of the ECS service
     
     ContainerPort:
       Type: Number
       Default: 80
       Description: Port on which the container listens
     
     DesiredCount:
       Type: Number
       Default: 2
       Description: Desired number of tasks
     
     MinCapacity:
       Type: Number
       Default: 1
       Description: Minimum number of tasks for auto scaling
     
     MaxCapacity:
       Type: Number
       Default: 10
       Description: Maximum number of tasks for auto scaling
   
   Resources:
     # VPC and Networking
     VPC:
       Type: AWS::EC2::VPC
       Properties:
         CidrBlock: !Ref VpcCidr
         EnableDnsHostnames: true
         EnableDnsSupport: true
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-vpc'
   
     # Internet Gateway
     InternetGateway:
       Type: AWS::EC2::InternetGateway
       Properties:
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-igw'
   
     InternetGatewayAttachment:
       Type: AWS::EC2::VPCGatewayAttachment
       Properties:
         InternetGatewayId: !Ref InternetGateway
         VpcId: !Ref VPC
   
     # Public Subnets for ALB
     PublicSubnet1:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [0, !GetAZs '']
         CidrBlock: !Ref PublicSubnet1Cidr
         MapPublicIpOnLaunch: true
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-public-subnet-1'
   
     PublicSubnet2:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [1, !GetAZs '']
         CidrBlock: !Ref PublicSubnet2Cidr
         MapPublicIpOnLaunch: true
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-public-subnet-2'
   
     # Private Subnets for ECS Tasks
     PrivateSubnet1:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [0, !GetAZs '']
         CidrBlock: !Ref PrivateSubnet1Cidr
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-private-subnet-1'
   
     PrivateSubnet2:
       Type: AWS::EC2::Subnet
       Properties:
         VpcId: !Ref VPC
         AvailabilityZone: !Select [1, !GetAZs '']
         CidrBlock: !Ref PrivateSubnet2Cidr
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-private-subnet-2'
   
     # NAT Gateways for private subnet internet access
     NatGateway1EIP:
       Type: AWS::EC2::EIP
       DependsOn: InternetGatewayAttachment
       Properties:
         Domain: vpc
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-nat-eip-1'
   
     NatGateway2EIP:
       Type: AWS::EC2::EIP
       DependsOn: InternetGatewayAttachment
       Properties:
         Domain: vpc
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-nat-eip-2'
   
     NatGateway1:
       Type: AWS::EC2::NatGateway
       Properties:
         AllocationId: !GetAtt NatGateway1EIP.AllocationId
         SubnetId: !Ref PublicSubnet1
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-nat-1'
   
     NatGateway2:
       Type: AWS::EC2::NatGateway
       Properties:
         AllocationId: !GetAtt NatGateway2EIP.AllocationId
         SubnetId: !Ref PublicSubnet2
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-nat-2'
   
     # Route Tables
     PublicRouteTable:
       Type: AWS::EC2::RouteTable
       Properties:
         VpcId: !Ref VPC
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-public-routes'
   
     DefaultPublicRoute:
       Type: AWS::EC2::Route
       DependsOn: InternetGatewayAttachment
       Properties:
         RouteTableId: !Ref PublicRouteTable
         DestinationCidrBlock: 0.0.0.0/0
         GatewayId: !Ref InternetGateway
   
     PublicSubnet1RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PublicRouteTable
         SubnetId: !Ref PublicSubnet1
   
     PublicSubnet2RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PublicRouteTable
         SubnetId: !Ref PublicSubnet2
   
     PrivateRouteTable1:
       Type: AWS::EC2::RouteTable
       Properties:
         VpcId: !Ref VPC
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-private-routes-1'
   
     DefaultPrivateRoute1:
       Type: AWS::EC2::Route
       Properties:
         RouteTableId: !Ref PrivateRouteTable1
         DestinationCidrBlock: 0.0.0.0/0
         NatGatewayId: !Ref NatGateway1
   
     PrivateSubnet1RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PrivateRouteTable1
         SubnetId: !Ref PrivateSubnet1
   
     PrivateRouteTable2:
       Type: AWS::EC2::RouteTable
       Properties:
         VpcId: !Ref VPC
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-private-routes-2'
   
     DefaultPrivateRoute2:
       Type: AWS::EC2::Route
       Properties:
         RouteTableId: !Ref PrivateRouteTable2
         DestinationCidrBlock: 0.0.0.0/0
         NatGatewayId: !Ref NatGateway2
   
     PrivateSubnet2RouteTableAssociation:
       Type: AWS::EC2::SubnetRouteTableAssociation
       Properties:
         RouteTableId: !Ref PrivateRouteTable2
         SubnetId: !Ref PrivateSubnet2
   
     # Security Groups
     ALBSecurityGroup:
       Type: AWS::EC2::SecurityGroup
       Properties:
         GroupName: !Sub '${AWS::StackName}-alb-sg'
         GroupDescription: Security group for Application Load Balancer
         VpcId: !Ref VPC
         SecurityGroupIngress:
           - IpProtocol: tcp
             FromPort: 80
             ToPort: 80
             CidrIp: 0.0.0.0/0
             Description: Allow HTTP traffic from internet
         SecurityGroupEgress:
           - IpProtocol: -1
             CidrIp: 0.0.0.0/0
             Description: Allow all outbound traffic
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-alb-sg'
   
     ECSSecurityGroup:
       Type: AWS::EC2::SecurityGroup
       Properties:
         GroupName: !Sub '${AWS::StackName}-ecs-sg'
         GroupDescription: Security group for ECS tasks
         VpcId: !Ref VPC
         SecurityGroupIngress:
           - IpProtocol: tcp
             FromPort: !Ref ContainerPort
             ToPort: !Ref ContainerPort
             SourceSecurityGroupId: !Ref ALBSecurityGroup
             Description: Allow traffic from ALB
         SecurityGroupEgress:
           - IpProtocol: -1
             CidrIp: 0.0.0.0/0
             Description: Allow all outbound traffic
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-ecs-sg'
   
     # Application Load Balancer
     ApplicationLoadBalancer:
       Type: AWS::ElasticLoadBalancingV2::LoadBalancer
       Properties:
         Name: !Sub '${AWS::StackName}-alb'
         Scheme: internet-facing
         Type: application
         Subnets:
           - !Ref PublicSubnet1
           - !Ref PublicSubnet2
         SecurityGroups:
           - !Ref ALBSecurityGroup
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-alb'
   
     ALBTargetGroup:
       Type: AWS::ElasticLoadBalancingV2::TargetGroup
       Properties:
         Name: !Sub '${AWS::StackName}-tg'
         Port: !Ref ContainerPort
         Protocol: HTTP
         VpcId: !Ref VPC
         TargetType: ip
         HealthCheckIntervalSeconds: 30
         HealthCheckPath: /
         HealthCheckProtocol: HTTP
         HealthCheckTimeoutSeconds: 5
         HealthyThresholdCount: 2
         UnhealthyThresholdCount: 5
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-tg'
   
     ALBListener:
       Type: AWS::ElasticLoadBalancingV2::Listener
       Properties:
         DefaultActions:
           - Type: forward
             TargetGroupArn: !Ref ALBTargetGroup
         LoadBalancerArn: !Ref ApplicationLoadBalancer
         Port: 80
         Protocol: HTTP
   
     # ECS Cluster
     ECSCluster:
       Type: AWS::ECS::Cluster
       Properties:
         ClusterName: !Sub '${AWS::StackName}-cluster'
         CapacityProviders:
           - FARGATE
           - FARGATE_SPOT
         DefaultCapacityProviderStrategy:
           - CapacityProvider: FARGATE
             Weight: 1
           - CapacityProvider: FARGATE_SPOT
             Weight: 4
         ClusterSettings:
           - Name: containerInsights
             Value: enabled
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-cluster'
   
     # IAM Roles
     ECSTaskExecutionRole:
       Type: AWS::IAM::Role
       Properties:
         RoleName: !Sub '${AWS::StackName}-task-execution-role'
         AssumeRolePolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Effect: Allow
               Principal:
                 Service: ecs-tasks.amazonaws.com
               Action: sts:AssumeRole
         ManagedPolicyArns:
           - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-task-execution-role'
   
     ECSTaskRole:
       Type: AWS::IAM::Role
       Properties:
         RoleName: !Sub '${AWS::StackName}-task-role'
         AssumeRolePolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Effect: Allow
               Principal:
                 Service: ecs-tasks.amazonaws.com
               Action: sts:AssumeRole
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-task-role'
   
     # CloudWatch Log Group
     LogGroup:
       Type: AWS::Logs::LogGroup
       Properties:
         LogGroupName: !Sub '/ecs/${AWS::StackName}'
         RetentionInDays: 7
   
     # ECS Task Definition
     TaskDefinition:
       Type: AWS::ECS::TaskDefinition
       Properties:
         Family: !Sub '${AWS::StackName}-task'
         Cpu: '256'
         Memory: '512'
         NetworkMode: awsvpc
         RequiresCompatibilities:
           - FARGATE
         ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn
         TaskRoleArn: !GetAtt ECSTaskRole.Arn
         ContainerDefinitions:
           - Name: !Ref ServiceName
             Image: !Ref ContainerImage
             PortMappings:
               - ContainerPort: !Ref ContainerPort
                 Protocol: tcp
             Essential: true
             LogConfiguration:
               LogDriver: awslogs
               Options:
                 awslogs-group: !Ref LogGroup
                 awslogs-region: !Ref AWS::Region
                 awslogs-stream-prefix: ecs
             HealthCheck:
               Command:
                 - CMD-SHELL
                 - curl -f http://localhost/ || exit 1
               Interval: 30
               Timeout: 5
               Retries: 3
               StartPeriod: 60
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-task'
   
     # ECS Service
     ECSService:
       Type: AWS::ECS::Service
       DependsOn: ALBListener
       Properties:
         ServiceName: !Sub '${AWS::StackName}-service'
         Cluster: !Ref ECSCluster
         TaskDefinition: !Ref TaskDefinition
         DesiredCount: !Ref DesiredCount
         LaunchType: FARGATE
         PlatformVersion: LATEST
         NetworkConfiguration:
           AwsvpcConfiguration:
             AssignPublicIp: DISABLED 
             SecurityGroups:
               - !Ref ECSSecurityGroup
             Subnets:
               - !Ref PrivateSubnet1
               - !Ref PrivateSubnet2
         LoadBalancers:
           - ContainerName: !Ref ServiceName
             ContainerPort: !Ref ContainerPort
             TargetGroupArn: !Ref ALBTargetGroup
         DeploymentConfiguration:
           MaximumPercent: 200
           MinimumHealthyPercent: 50
           DeploymentCircuitBreaker:
             Enable: true
             Rollback: true
         EnableExecuteCommand: true  # For debugging
         Tags:
           - Key: Name
             Value: !Sub '${AWS::StackName}-service'
   
     # Auto Scaling Target
     ServiceScalingTarget:
       Type: AWS::ApplicationAutoScaling::ScalableTarget
       Properties:
         MaxCapacity: !Ref MaxCapacity
         MinCapacity: !Ref MinCapacity
         ResourceId: !Sub 'service/${ECSCluster}/${ECSService.Name}'
         RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
         ScalableDimension: ecs:service:DesiredCount
         ServiceNamespace: ecs
   
     # Auto Scaling Policy - CPU Utilization
     ServiceScalingPolicy:
       Type: AWS::ApplicationAutoScaling::ScalingPolicy
       Properties:
         PolicyName: !Sub '${AWS::StackName}-cpu-scaling-policy'
         PolicyType: TargetTrackingScaling
         ScalingTargetId: !Ref ServiceScalingTarget
         TargetTrackingScalingPolicyConfiguration:
           PredefinedMetricSpecification:
             PredefinedMetricType: ECSServiceAverageCPUUtilization
           TargetValue: 70.0
           ScaleOutCooldown: 300
           ScaleInCooldown: 300
   
   Outputs:
     VPCId:
       Description: VPC ID
       Value: !Ref VPC
       Export:
         Name: !Sub '${AWS::StackName}-VPC-ID'
   
     LoadBalancerURL:
       Description: URL of the Application Load Balancer
       Value: !Sub 'http://${ApplicationLoadBalancer.DNSName}'
       Export:
         Name: !Sub '${AWS::StackName}-ALB-URL'
   
     ECSClusterName:
       Description: Name of the ECS Cluster
       Value: !Ref ECSCluster
       Export:
         Name: !Sub '${AWS::StackName}-ECS-Cluster'
   
     ECSServiceName:
       Description: Name of the ECS Service
       Value: !GetAtt ECSService.Name
       Export:
         Name: !Sub '${AWS::StackName}-ECS-Service'
   
     PrivateSubnet1:
       Description: Private Subnet 1 ID
       Value: !Ref PrivateSubnet1
       Export:
         Name: !Sub '${AWS::StackName}-Private-Subnet-1'
   
     PrivateSubnet2:
       Description: Private Subnet 2 ID
       Value: !Ref PrivateSubnet2
       Export:
         Name: !Sub '${AWS::StackName}-Private-Subnet-2'
   ```

    The template used in this tutorial creates an Amazon ECS service with two tasks that run on Fargate. Each task runs a sample Amazon ECS application. The template also creates an Application Load Balancer that distributes application traffic and an Application Auto Scaling policy that scales the application based on CPU utilization. The template also creates the networking resources needed to deploy the application, the logging resources for container logs, and an Amazon ECS task execution IAM role. For more information about the task execution role, see [Amazon ECS task execution IAM role](task_execution_IAM_role.md). For more information about auto scaling, see [Automatically scale your Amazon ECS service](service-auto-scaling.md).
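
Before reusing the tutorial template outside a sandbox, its exposure-related settings are worth reviewing. The following is an added example, not part of the AWS tutorial: a small static check run over a hand-made JSON-form excerpt of `ecs-tutorial-template.yaml`. The finding codes and function names are assumptions chosen for illustration.

```python
"""Static review of exposure-related settings in a CloudFormation template.

Added example, not part of the AWS tutorial. TEMPLATE_EXCERPT is a hand-made,
JSON-form transcription of a few resources from ecs-tutorial-template.yaml
(`!Ref X` becomes {"Ref": "X"}, `!Sub` becomes {"Fn::Sub": ...}).
"""

TEMPLATE_EXCERPT = {
    "Parameters": {
        "ContainerImage": {
            "Default": "public.ecr.aws/ecs-sample-image/amazon-ecs-sample:latest"},
    },
    "Resources": {
        "ALBSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "CidrIp": "0.0.0.0/0"}]}},
        "ECSSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": {"Ref": "ContainerPort"},
                 "ToPort": {"Ref": "ContainerPort"},
                 "SourceSecurityGroupId": {"Ref": "ALBSecurityGroup"}}]}},
        "ALBListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {"Port": 80, "Protocol": "HTTP"}},
        "ECSTaskExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"RoleName": {
                "Fn::Sub": "${AWS::StackName}-task-execution-role"}}},
        "TaskDefinition": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {"ContainerDefinitions": [
                {"Name": {"Ref": "ServiceName"},
                 "Image": {"Ref": "ContainerImage"}}]}},
        "ECSService": {
            "Type": "AWS::ECS::Service",
            "Properties": {
                "EnableExecuteCommand": True,
                "NetworkConfiguration": {"AwsvpcConfiguration": {
                    "AssignPublicIp": "DISABLED"}}}},
    },
}


def resolve(value, template):
    """Replace {"Ref": <parameter>} with that parameter's Default, if it has one."""
    if isinstance(value, dict) and "Ref" in value:
        param = template.get("Parameters", {}).get(value["Ref"], {})
        return param.get("Default", value)
    return value


def check_resource(rtype, props, template):
    """Yield a finding code for each reviewable setting on one resource."""
    if rtype == "AWS::EC2::SecurityGroup":
        for rule in props.get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                yield "ingress-open-to-internet"
    elif rtype == "AWS::ElasticLoadBalancingV2::Listener":
        if props.get("Protocol") == "HTTP":
            yield "listener-without-tls"
    elif rtype == "AWS::IAM::Role":
        if "RoleName" in props:
            # Custom-named IAM resources need the CAPABILITY_NAMED_IAM acknowledgement.
            yield "custom-named-iam-role"
    elif rtype == "AWS::ECS::TaskDefinition":
        for container in props.get("ContainerDefinitions", []):
            image = resolve(container.get("Image"), template)
            # A tag such as :latest can be re-pointed; a digest cannot.
            if isinstance(image, str) and "@sha256:" not in image:
                yield "image-not-pinned-by-digest"
    elif rtype == "AWS::ECS::Service":
        if props.get("EnableExecuteCommand") is True:
            yield "ecs-exec-enabled"
        vpc_cfg = props.get("NetworkConfiguration", {}).get("AwsvpcConfiguration", {})
        if vpc_cfg.get("AssignPublicIp") == "ENABLED":
            yield "task-has-public-ip"


def review(template):
    """Return [(logical_id, finding_code), ...] in template order."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        for code in check_resource(resource.get("Type"), props, template):
            findings.append((name, code))
    return findings


if __name__ == "__main__":
    for logical_id, code in review(TEMPLATE_EXCERPT):
        print("%-22s %s" % (logical_id, code))
```

Each finding is a prompt for review rather than a defect: an internet-facing load balancer is expected to accept traffic from `0.0.0.0/0`, but here it does so over plain HTTP, and `EnableExecuteCommand` is marked in the template as a debugging aid.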

## Step 2: Create a stack for Amazon ECS resources
<a name="ecs-cloudformation-create-stack"></a>

After you create a file for the template, you can use these steps to create a stack from the template using the CloudFormation console.

For information about how to create a stack using the CloudFormation console, see [Creating a stack on the CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-stack.html) in the *AWS CloudFormation User Guide*, and use the following table to determine which options to specify.


| Option | Value | 
| --- | --- | 
|  Prerequisite: Prepare template  | Choose an existing template | 
| Specify template |  Upload a template file  | 
| Choose file |  ecs-tutorial-template.yaml  | 
| Stack name |  ecs-tutorial-stack  | 
| Parameters |  Leave all parameter values at their defaults.  | 
| Capabilities |  Choose **I acknowledge that this template may create IAM resources** to confirm that CloudFormation creates IAM resources.  | 

## Step 3: Verify
<a name="ecs-cloudformation-verify"></a>

Use the following steps to verify that the Amazon ECS resources were created from the provided template.

For information about how to view stack information and resources, see [Viewing stack information from the CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html) in the *AWS CloudFormation User Guide*, and use the following table to determine what to verify.


| Stack details field | What to look for | 
| --- | --- | 
|  Stack info  | A status of CREATE_COMPLETE. | 
| Resources |  A list of the created resources with links to the service console. Choose the links for `ECSCluster`, `ECSService`, and `TaskDefinition` to view more details about the service, cluster, and task definition that were created, in the Amazon ECS console.  | 
| Outputs |  **LoadBalancerURL**. Paste the URL into a web browser to view a webpage that displays a sample Amazon ECS application.  | 

## Step 4: Clean up resources
<a name="ecs-cloudformation-console-cleanup"></a>

To clean up the resources and avoid incurring further costs, follow the steps in [Delete a stack from the CloudFormation console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html) in the *CloudFormation User Guide*.

# Creating Amazon ECS resources using AWS CLI commands for CloudFormation
<a name="ecs-cloudformation-cli"></a>

Another way to use Amazon ECS with CloudFormation is through the AWS CLI. You can use commands to create your CloudFormation stacks for Amazon ECS components such as task definitions, clusters, and services, and then deploy them. The following tutorial shows how you can use the AWS CLI to create Amazon ECS resources from a CloudFormation template.

## Prerequisites
<a name="ecs-cloudformation-cli-prerequisite"></a>
+ You have completed the steps in [Set up to use Amazon ECS](get-set-up-for-amazon-ecs.md).
+ Your IAM user has the required permissions specified in the [AmazonECS_FullAccess](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonECS_FullAccess) IAM policy example.

## Step 1: Create a stack
<a name="ecs-cloudformation-cli-create"></a>

To create a stack with the AWS CLI from a template saved in a file called `ecs-tutorial-template.yaml`, run the following command.

```
cat << 'EOF' > ecs-tutorial-template.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: '[AWSDocs] ECS: load-balanced-web-application'
Parameters:
  VpcCidr:
    Type: String
    Default: '10.0.0.0/16'
    Description: CIDR block for the VPC
  ContainerImage:
    Type: String
    Default: 'public.ecr.aws/ecs-sample-image/amazon-ecs-sample:latest'
    Description: Container image to use in task definition

  PublicSubnet1Cidr:
    Type: String
    Default: '10.0.1.0/24'
    Description: CIDR block for public subnet 1
  
  PublicSubnet2Cidr:
    Type: String
    Default: '10.0.2.0/24'
    Description: CIDR block for public subnet 2
  
  PrivateSubnet1Cidr:
    Type: String
    Default: '10.0.3.0/24'
    Description: CIDR block for private subnet 1
  
  PrivateSubnet2Cidr:
    Type: String
    Default: '10.0.4.0/24'
    Description: CIDR block for private subnet 2
  
  ServiceName:
    Type: String
    Default: 'tutorial-app'
    Description: Name of the ECS service
  
  ContainerPort:
    Type: Number
    Default: 80
    Description: Port on which the container listens
  
  DesiredCount:
    Type: Number
    Default: 2
    Description: Desired number of tasks
  
  MinCapacity:
    Type: Number
    Default: 1
    Description: Minimum number of tasks for auto scaling
  
  MaxCapacity:
    Type: Number
    Default: 10
    Description: Maximum number of tasks for auto scaling

Resources:
  # VPC and Networking
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-vpc'

  # Internet Gateway
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-igw'

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  # Public Subnets for ALB
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !Ref PublicSubnet1Cidr
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-public-subnet-1'

  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: !Ref PublicSubnet2Cidr
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-public-subnet-2'

  # Private Subnets for ECS Tasks
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !Ref PrivateSubnet1Cidr
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-private-subnet-1'

  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: !Ref PrivateSubnet2Cidr
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-private-subnet-2'

  # NAT Gateways for private subnet internet access
  NatGateway1EIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-nat-eip-1'

  NatGateway2EIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-nat-eip-2'

  NatGateway1:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGateway1EIP.AllocationId
      SubnetId: !Ref PublicSubnet1
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-nat-1'

  NatGateway2:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGateway2EIP.AllocationId
      SubnetId: !Ref PublicSubnet2
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-nat-2'

  # Route Tables
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-public-routes'

  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1

  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet2

  PrivateRouteTable1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-private-routes-1'

  DefaultPrivateRoute1:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable1
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway1

  PrivateSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable1
      SubnetId: !Ref PrivateSubnet1

  PrivateRouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-private-routes-2'

  DefaultPrivateRoute2:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable2
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway2

  PrivateSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable2
      SubnetId: !Ref PrivateSubnet2

  # Security Groups
  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub '${AWS::StackName}-alb-sg'
      GroupDescription: Security group for Application Load Balancer
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: Allow HTTP traffic from internet
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-alb-sg'

  ECSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub '${AWS::StackName}-ecs-sg'
      GroupDescription: Security group for ECS tasks
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref ContainerPort
          ToPort: !Ref ContainerPort
          SourceSecurityGroupId: !Ref ALBSecurityGroup
          Description: Allow traffic from ALB
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-ecs-sg'

  # Application Load Balancer
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Sub '${AWS::StackName}-alb'
      Scheme: internet-facing
      Type: application
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      SecurityGroups:
        - !Ref ALBSecurityGroup
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-alb'

  ALBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Sub '${AWS::StackName}-tg'
      Port: !Ref ContainerPort
      Protocol: HTTP
      VpcId: !Ref VPC
      TargetType: ip
      HealthCheckIntervalSeconds: 30
      HealthCheckPath: /
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 5
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-tg'

  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ALBTargetGroup
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 80
      Protocol: HTTP

  # ECS Cluster
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Sub '${AWS::StackName}-cluster'
      CapacityProviders:
        - FARGATE
        - FARGATE_SPOT
      DefaultCapacityProviderStrategy:
        - CapacityProvider: FARGATE
          Weight: 1
        - CapacityProvider: FARGATE_SPOT
          Weight: 4
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-cluster'

  # IAM Roles
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${AWS::StackName}-task-execution-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-task-execution-role'

  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${AWS::StackName}-task-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-task-role'

  # CloudWatch Log Group
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/ecs/${AWS::StackName}'
      RetentionInDays: 7

  # ECS Task Definition
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Sub '${AWS::StackName}-task'
      Cpu: '256'
      Memory: '512'
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn
      TaskRoleArn: !GetAtt ECSTaskRole.Arn
      ContainerDefinitions:
        - Name: !Ref ServiceName
          Image: !Ref ContainerImage
          PortMappings:
            - ContainerPort: !Ref ContainerPort
              Protocol: tcp
          Essential: true
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref LogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
          HealthCheck:
            Command:
              - CMD-SHELL
              - curl -f http://localhost/ || exit 1
            Interval: 30
            Timeout: 5
            Retries: 3
            StartPeriod: 60
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-task'

  # ECS Service
  ECSService:
    Type: AWS::ECS::Service
    DependsOn: ALBListener
    Properties:
      ServiceName: !Sub '${AWS::StackName}-service'
      Cluster: !Ref ECSCluster
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: !Ref DesiredCount
      LaunchType: FARGATE
      PlatformVersion: LATEST
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED 
          SecurityGroups:
            - !Ref ECSSecurityGroup
          Subnets:
            - !Ref PrivateSubnet1
            - !Ref PrivateSubnet2
      LoadBalancers:
        - ContainerName: !Ref ServiceName
          ContainerPort: !Ref ContainerPort
          TargetGroupArn: !Ref ALBTargetGroup
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 50
        DeploymentCircuitBreaker:
          Enable: true
          Rollback: true
      EnableExecuteCommand: true  # For debugging
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-service'

  # Auto Scaling Target
  ServiceScalingTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      MaxCapacity: !Ref MaxCapacity
      MinCapacity: !Ref MinCapacity
      ResourceId: !Sub 'service/${ECSCluster}/${ECSService.Name}'
      RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
      ScalableDimension: ecs:service:DesiredCount
      ServiceNamespace: ecs

  # Auto Scaling Policy - CPU Utilization
  ServiceScalingPolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: !Sub '${AWS::StackName}-cpu-scaling-policy'
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref ServiceScalingTarget
      TargetTrackingScalingPolicyConfiguration:
        PredefinedMetricSpecification:
          PredefinedMetricType: ECSServiceAverageCPUUtilization
        TargetValue: 70.0
        ScaleOutCooldown: 300
        ScaleInCooldown: 300

Outputs:
  VPCId:
    Description: VPC ID
    Value: !Ref VPC
    Export:
      Name: !Sub '${AWS::StackName}-VPC-ID'

  LoadBalancerURL:
    Description: URL of the Application Load Balancer
    Value: !Sub 'http://${ApplicationLoadBalancer.DNSName}'
    Export:
      Name: !Sub '${AWS::StackName}-ALB-URL'

  ECSClusterName:
    Description: Name of the ECS Cluster
    Value: !Ref ECSCluster
    Export:
      Name: !Sub '${AWS::StackName}-ECS-Cluster'

  ECSServiceName:
    Description: Name of the ECS Service
    Value: !GetAtt ECSService.Name
    Export:
      Name: !Sub '${AWS::StackName}-ECS-Service'

  PrivateSubnet1:
    Description: Private Subnet 1 ID
    Value: !Ref PrivateSubnet1
    Export:
      Name: !Sub '${AWS::StackName}-Private-Subnet-1'

  PrivateSubnet2:
    Description: Private Subnet 2 ID
    Value: !Ref PrivateSubnet2
    Export:
      Name: !Sub '${AWS::StackName}-Private-Subnet-2'
EOF
```

The template used in this tutorial creates an Amazon ECS service with two tasks that run on Fargate. Each task runs a sample Amazon ECS application. The template also creates an Application Load Balancer that distributes application traffic and an Application Auto Scaling policy that scales the application based on CPU utilization. It also creates the networking resources needed to deploy the application, the logging resources for container logs, and an Amazon ECS task execution IAM role. For more information about the task execution role, see [Amazon ECS task execution IAM role](task_execution_IAM_role.md). For more information about auto scaling, see [Automatically scale your Amazon ECS service](service-auto-scaling.md).

After you create a template file, use the following command to create a stack. The `--capabilities` flag is required to create an Amazon ECS task execution role as specified in the template. You can also specify the `--parameters` flag to customize the template parameters.

```
aws cloudformation create-stack \
      --stack-name ecs-tutorial-stack \
      --template-body file://ecs-tutorial-template.yaml \
      --region aws-region \
      --capabilities CAPABILITY_NAMED_IAM
```

After running the `create-stack` command, you can use `describe-stacks` to check the status of stack creation.

```
aws cloudformation describe-stacks \
      --stack-name ecs-tutorial-stack \
      --region aws-region
```
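The `create-stack` command above passes `CAPABILITY_NAMED_IAM` because the template gives its IAM roles explicit `RoleName` values. The following Python check is an added example, not part of the original tutorial or of AWS tooling: it derives the capability a template needs and lists the internet-facing and debugging settings worth reviewing before deployment. The input is a constructed JSON excerpt of the tutorial's resources, and the function names and finding codes are assumptions of this example.

```python
import json

# Constructed JSON rendering of a few resources from the tutorial template.
# Intrinsic functions are in long form so the standard json module can parse them.
TEMPLATE = json.loads("""
{
  "Resources": {
    "ALBSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}
    },
    "ECSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": {"Ref": "ContainerPort"},
         "ToPort": {"Ref": "ContainerPort"},
         "SourceSecurityGroupId": {"Ref": "ALBSecurityGroup"}}]}
    },
    "ALBListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {"Port": 80, "Protocol": "HTTP"}
    },
    "ECSTaskExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"RoleName": {"Fn::Sub": "${AWS::StackName}-task-execution-role"}}
    },
    "ECSTaskRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"RoleName": {"Fn::Sub": "${AWS::StackName}-task-role"}}
    },
    "ECSService": {
      "Type": "AWS::ECS::Service",
      "Properties": {
        "EnableExecuteCommand": true,
        "NetworkConfiguration": {"AwsvpcConfiguration": {"AssignPublicIp": "DISABLED"}}
      }
    }
  }
}
""")

# IAM resource types that accept a custom name, and the property that sets it.
NAME_PROPERTY = {
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::User": "UserName",
    "AWS::IAM::Group": "GroupName",
    "AWS::IAM::ManagedPolicy": "ManagedPolicyName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
}


def required_capability(template):
    """Return None, 'CAPABILITY_IAM' or 'CAPABILITY_NAMED_IAM' for a template.

    Simplification (assumption of this example): every AWS::IAM::* resource is
    treated as needing acknowledgement; a custom name upgrades it to NAMED_IAM.
    """
    needed = None
    for resource in template.get("Resources", {}).values():
        rtype = resource.get("Type", "")
        if not rtype.startswith("AWS::IAM::"):
            continue
        needed = needed or "CAPABILITY_IAM"
        name_prop = NAME_PROPERTY.get(rtype)
        if name_prop and name_prop in resource.get("Properties", {}):
            needed = "CAPABILITY_NAMED_IAM"
    return needed


def review(template):
    """Return (resource name, finding code) pairs for settings to look at."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append((name, "OPEN_INGRESS"))
        elif rtype == "AWS::ElasticLoadBalancingV2::Listener":
            if props.get("Protocol") == "HTTP":
                findings.append((name, "PLAINTEXT_LISTENER"))
        elif rtype == "AWS::ECS::Service":
            if props.get("EnableExecuteCommand") is True:
                findings.append((name, "ECS_EXEC_ENABLED"))
            awsvpc = props.get("NetworkConfiguration", {}).get("AwsvpcConfiguration", {})
            if awsvpc.get("AssignPublicIp") == "ENABLED":
                findings.append((name, "TASK_PUBLIC_IP"))
    return findings


if __name__ == "__main__":
    print("capability needed:", required_capability(TEMPLATE))
    for resource_name, code in review(TEMPLATE):
        print(f"{resource_name}: {code}")
```

For the tutorial template the open ingress and HTTP listener are expected for a public demo endpoint; `ECS_EXEC_ENABLED` corresponds to the `EnableExecuteCommand: true  # For debugging` line and is the setting to turn off outside of debugging.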

## Step 2: Verify Amazon ECS resource creation
<a name="ecs-cloudformation-cli-verify"></a>

To make sure that the Amazon ECS resources are created correctly, follow these steps.

1. Run the following command to list all task definitions in an AWS Region.

   ```
   aws ecs list-task-definitions
   ```

   The command returns a list of task definition Amazon Resource Names (ARNs). The ARN of the task definition that you created using the template is displayed in the following format.

   ```
   {
       "taskDefinitionArns": [
        .....
           "arn:aws:ecs:aws-region:111122223333:task-definition/ecs-tutorial-stack-task:1",
        .....   
       ]
   }
   ```

1. Run the following command to list all clusters in an AWS Region.

   ```
   aws ecs list-clusters
   ```

   The command returns a list of cluster ARNs. The ARN of the cluster that you created using the template is displayed in the following format.

   ```
   {
       "clusterArns": [
           .....
           "arn:aws:ecs:aws-region:111122223333:cluster/ecs-tutorial-stack-cluster",
           .....
       ]
   }
   ```

1. Run the following command to list all services in the cluster `ecs-tutorial-stack-cluster`.

   ```
   aws ecs list-services \
         --cluster ecs-tutorial-stack-cluster
   ```

   The command returns a list of service ARNs. The ARN of the service that you created using the template is displayed in the following format.

   ```
   {
       "serviceArns": [
           "arn:aws:ecs:aws-region:111122223333:service/ecs-tutorial-stack-cluster/ecs-tutorial-stack-service"
       ]
   }
   ```

You can also get the DNS name of the Application Load Balancer that was created and use it to verify resource creation. To get the DNS name, run the following command, which retrieves the outputs of the created stack.

```
aws cloudformation describe-stacks \
  --stack-name ecs-tutorial-stack \
  --region aws-region \
  --query 'Stacks[0].Outputs[?OutputKey==`LoadBalancerURL`].OutputValue' \
  --output  text
```

Output:

```
http://ecs-tutorial-stack-alb-0123456789.aws-region.elb.amazonaws.com
```

Paste the DNS name into a browser to view a webpage that displays a sample Amazon ECS application.

## Step 3: Clean up
<a name="ecs-cloudformation-cli-cleanup"></a>

To clean up the resources that you created, run the following command.

```
aws cloudformation delete-stack \
      --stack-name ecs-tutorial-stack
```

The `delete-stack` command initiates deletion of the CloudFormation stack created in this tutorial, deleting all resources in the stack. To verify the deletion, you can repeat the procedure in [Step 2: Verify Amazon ECS resource creation](#ecs-cloudformation-cli-verify). The list of ARNs in the outputs will no longer include a task definition called `ecs-tutorial-stack-task` or a cluster called `ecs-tutorial-stack-cluster`. The `list-services` call will fail.

# CloudFormation example templates for Amazon ECS
<a name="working-with-templates"></a>

You can create Amazon ECS clusters, task definitions, and services by using CloudFormation. The following topics include templates that demonstrate how to create resources with different configurations. You can create these resources from the templates by using the CloudFormation console or the AWS CLI.

CloudFormation templates are JSON- or YAML-formatted text files that describe the resources you want to provision in your CloudFormation stacks. If you're unfamiliar with JSON or YAML formats, or both, you can use AWS Infrastructure Composer to get started with CloudFormation templates. For more information, see [Create templates visually with Infrastructure Composer](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/infrastructure-composer-for-cloudformation.html) in the *AWS CloudFormation User Guide*.

The following topics present example templates for Amazon ECS task definitions, clusters, and services.

**Topics**
+ [Task definitions](#cfn-task-definition)
+ [Capacity providers](#create-capacity-providers)
+ [Clusters](#create-clusters)
+ [Services](#create-service)
+ [IAM roles for Amazon ECS](#ecs-cloudformation-iam-roles)

## Task definitions
<a name="cfn-task-definition"></a>

A task definition is a blueprint for your application that describes the parameters and one or more containers that form your application. The following are example CloudFormation templates for Amazon ECS task definitions. For more information about Amazon ECS task definitions, see [Amazon ECS task definitions](task_definitions.md).

### Fargate Linux task definition
<a name="cfn-task-definition-fargate-linux"></a>

You can use the following template to create a sample Fargate Linux task.

------
#### [ JSON ]

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "ECS Task Definition with parameterized values",
  "Parameters": {
    "ContainerImage": {
      "Type": "String",
      "Default": "public.ecr.aws/docker/library/httpd:2.4",
      "Description": "The container image to use for the task"
    },
    "ContainerCpu": {
      "Type": "Number",
      "Default": 256,
      "Description": "The number of CPU units to reserve for the container",
      "AllowedValues": [256, 512, 1024, 2048, 4096]
    },
    "ContainerMemory": {
      "Type": "Number",
      "Default": 512,
      "Description": "The amount of memory (in MiB) to reserve for the container",
      "AllowedValues": [512, 1024, 2048, 3072, 4096, 5120, 6144, 7168, 8192]
    },
    "TaskFamily": {
      "Type": "String",
      "Default": "task-definition-cfn",
      "Description": "The name of the task definition family"
    },
    "ContainerName": {
      "Type": "String",
      "Default": "sample-fargate-app",
      "Description": "The name of the container"
    },
    "ContainerPort": {
      "Type": "Number",
      "Default": 80,
      "Description": "The port number on the container"
    },
    "HostPort": {
      "Type": "Number",
      "Default": 80,
      "Description": "The port number on the host"
    },
    "ExecutionRoleArn": {
      "Type": "String",
      "Default": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole",
      "Description": "The ARN of the task execution role"
    },
    "LogGroup": {
      "Type": "String",
      "Default": "/ecs/fargate-task-definition",
      "Description": "The CloudWatch log group for container logs"
    },
    "NetworkMode": {
      "Type": "String",
      "Default": "awsvpc",
      "Description": "The Docker networking mode to use",
      "AllowedValues": ["awsvpc", "bridge", "host", "none"]
    },
    "OperatingSystemFamily": {
      "Type": "String",
      "Default": "LINUX",
      "Description": "The operating system for the task",
      "AllowedValues": ["LINUX", "WINDOWS_SERVER_2019_FULL", "WINDOWS_SERVER_2019_CORE", "WINDOWS_SERVER_2022_FULL", "WINDOWS_SERVER_2022_CORE"]
    }
  },
  "Resources": {
    "ECSTaskDefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [
          {
            "Command": [
              "/bin/sh -c \"echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' >  /usr/local/apache2/htdocs/index.html && httpd-foreground\""
            ],
            "EntryPoint": [
              "sh",
              "-c"
            ],
            "Essential": true,
            "Image": {"Ref": "ContainerImage"},
            "LogConfiguration": {
              "LogDriver": "awslogs",
              "Options": {
                "mode": "non-blocking",
                "max-buffer-size": "25m",
                "awslogs-create-group": "true",
                "awslogs-group": {"Ref": "LogGroup"},
                "awslogs-region": {"Ref": "AWS::Region"},
                "awslogs-stream-prefix": "ecs"
              }
            },
            "Name": {"Ref": "ContainerName"},
            "PortMappings": [
              {
                "ContainerPort": {"Ref": "ContainerPort"},
                "HostPort": {"Ref": "HostPort"},
                "Protocol": "tcp"
              }
            ]
          }
        ],
        "Cpu": {"Ref": "ContainerCpu"},
        "ExecutionRoleArn": {"Ref": "ExecutionRoleArn"},
        "Family": {"Ref": "TaskFamily"},
        "Memory": {"Ref": "ContainerMemory"},
        "NetworkMode": {"Ref": "NetworkMode"},
        "RequiresCompatibilities": [
          "FARGATE"
        ],
        "RuntimePlatform": {
          "OperatingSystemFamily": {"Ref": "OperatingSystemFamily"}
        }
      }
    }
  },
  "Outputs": {
    "TaskDefinitionArn": {
      "Description": "The ARN of the created task definition",
      "Value": {"Ref": "ECSTaskDefinition"}
    }
  }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: 2010-09-09
Description: 'ECS Task Definition to deploy a sample app'
Parameters:
  ContainerImage:
    Type: String
    Default: 'public.ecr.aws/docker/library/httpd:2.4'
    Description: The container image to use for the task
  ContainerCpu:
    Type: Number
    Default: 256
    Description: The number of CPU units to reserve for the container
    AllowedValues: [256, 512, 1024, 2048, 4096]
  ContainerMemory:
    Type: Number
    Default: 512
    Description: The amount of memory (in MiB) to reserve for the container
    AllowedValues: [512, 1024, 2048, 3072, 4096, 5120, 6144, 7168, 8192]
  TaskFamily:
    Type: String
    Default: 'task-definition-cfn'
    Description: The name of the task definition family
  ContainerName:
    Type: String
    Default: 'sample-fargate-app'
    Description: The name of the container
  ContainerPort:
    Type: Number
    Default: 80
    Description: The port number on the container
  HostPort:
    Type: Number
    Default: 80
    Description: The port number on the host
  ExecutionRoleArn:
    Type: String
    Default: 'arn:aws:iam::111122223333:role/ecsTaskExecutionRole'
    Description: The ARN of the task execution role
  LogGroup:
    Type: String
    Default: '/ecs/fargate-task-definition'
    Description: The CloudWatch log group for container logs 
  NetworkMode:
    Type: String
    Default: 'awsvpc'
    Description: The Docker networking mode to use
    AllowedValues: ['awsvpc', 'bridge', 'host', 'none'] 
  OperatingSystemFamily:
    Type: String
    Default: 'LINUX'
    Description: The operating system for the task
    AllowedValues: ['LINUX', 'WINDOWS_SERVER_2019_FULL', 'WINDOWS_SERVER_2019_CORE', 'WINDOWS_SERVER_2022_FULL', 'WINDOWS_SERVER_2022_CORE']
Resources:
  ECSTaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      ContainerDefinitions:
        - Command:
            - >-
              /bin/sh -c "echo '<html> <head> <title>Amazon ECS Sample
              App</title> <style>body {margin-top: 40px; background-color:
              #333;} </style> </head><body> <div
              style=color:white;text-align:center> <h1>Amazon ECS Sample
              App</h1> <h2>Congratulations!</h2> <p>Your application is now
              running on a container in Amazon ECS.</p> </div></body></html>' > 
              /usr/local/apache2/htdocs/index.html && httpd-foreground"
          EntryPoint:
            - sh
            - '-c'
          Essential: true
          Image: !Ref ContainerImage
          LogConfiguration:
            LogDriver: awslogs
            Options:
              mode: non-blocking
              max-buffer-size: 25m
              awslogs-create-group: 'true'
              awslogs-group: !Ref LogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
          Name: !Ref ContainerName
          PortMappings:
            - ContainerPort: !Ref ContainerPort
              HostPort: !Ref HostPort
              Protocol: tcp
      Cpu: !Ref ContainerCpu
      ExecutionRoleArn: !Ref ExecutionRoleArn
      Family: !Ref TaskFamily
      Memory: !Ref ContainerMemory
      NetworkMode: !Ref NetworkMode
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        OperatingSystemFamily: !Ref OperatingSystemFamily
Outputs:
  TaskDefinitionArn:
    Description: The ARN of the created task definition
    Value: !Ref ECSTaskDefinition
```

------

### Amazon ECS task definition using Amazon EFS
<a name="cfn-task-definition-efs"></a>

You can use the following template to create a task that uses an Amazon EFS file system that you created. For more information about using Amazon EFS volumes with Amazon ECS, see [Use Amazon EFS volumes with Amazon ECS](efs-volumes.md).

------
#### [ JSON ]

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Create a task definition for a web server with parameterized values.",
  "Parameters": {
    "ExecutionRoleArn": {
      "Type": "String",
      "Default": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
      "Description": "The ARN of the task execution role"
    },
    "NetworkMode": {
      "Type": "String",
      "Default": "awsvpc",
      "Description": "The Docker networking mode to use",
      "AllowedValues": ["awsvpc", "bridge", "host", "none"]
    },
    "TaskFamily": {
      "Type": "String",
      "Default": "my-ecs-task",
      "Description": "The name of the task definition family"
    },
    "ContainerCpu": {
      "Type": "String",
      "Default": "256",
      "Description": "The number of CPU units to reserve for the container",
      "AllowedValues": ["256", "512", "1024", "2048", "4096"]
    },
    "ContainerMemory": {
      "Type": "String",
      "Default": "512",
      "Description": "The amount of memory (in MiB) to reserve for the container",
      "AllowedValues": ["512", "1024", "2048", "3072", "4096", "5120", "6144", "7168", "8192"]
    },
    "ContainerName": {
      "Type": "String",
      "Default": "nginx",
      "Description": "The name of the container"
    },
    "ContainerImage": {
      "Type": "String",
      "Default": "public.ecr.aws/nginx/nginx:latest",
      "Description": "The container image to use for the task"
    },
    "ContainerPort": {
      "Type": "Number",
      "Default": 80,
      "Description": "The port number on the container"
    },
    "InitProcessEnabled": {
      "Type": "String",
      "Default": "true",
      "Description": "Whether to enable the init process inside the container",
      "AllowedValues": ["true", "false"]
    },
    "EfsVolumeName": {
      "Type": "String",
      "Default": "efs-volume",
      "Description": "The name of the EFS volume"
    },
    "EfsContainerPath": {
      "Type": "String",
      "Default": "/usr/share/nginx/html",
      "Description": "The path in the container where the EFS volume will be mounted"
    },
    "LogGroup": {
      "Type": "String",
      "Default": "LogGroup",
      "Description": "The CloudWatch log group for container logs"
    },
    "LogStreamPrefix": {
      "Type": "String",
      "Default": "efs-task",
      "Description": "The prefix for the log stream"
    },
    "EfsFilesystemId": {
      "Type": "String",
      "Default": "fs-1234567890abcdef0",
      "Description": "The ID of the EFS filesystem"
    },
    "EfsRootDirectory": {
      "Type": "String",
      "Default": "/",
      "Description": "The root directory in the EFS filesystem"
    },
    "EfsTransitEncryption": {
      "Type": "String",
      "Default": "ENABLED",
      "Description": "Whether to enable transit encryption for EFS",
      "AllowedValues": ["ENABLED", "DISABLED"]
    }
  },
  "Resources": {
    "ECSTaskDefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ExecutionRoleArn": {"Ref": "ExecutionRoleArn"},
        "NetworkMode": {"Ref": "NetworkMode"},
        "RequiresCompatibilities": ["FARGATE"],
        "Family": {"Ref": "TaskFamily"},
        "Cpu": {"Ref": "ContainerCpu"},
        "Memory": {"Ref": "ContainerMemory"},
        "ContainerDefinitions": [
          {
            "Name": {"Ref": "ContainerName"},
            "Image": {"Ref": "ContainerImage"},
            "Essential": true,
            "PortMappings": [
              {
                "ContainerPort": {"Ref": "ContainerPort"},
                "Protocol": "tcp"
              }
            ],
            "LinuxParameters": {
              "InitProcessEnabled": {"Ref": "InitProcessEnabled"}
            },
            "MountPoints": [
              {
                "SourceVolume": {"Ref": "EfsVolumeName"},
                "ContainerPath": {"Ref": "EfsContainerPath"}
              }
            ],
            "LogConfiguration": {
              "LogDriver": "awslogs",
              "Options": {
                "mode": "non-blocking",
                "max-buffer-size": "25m",
                "awslogs-group": {"Ref": "LogGroup"},
                "awslogs-region": {"Ref": "AWS::Region"},
                "awslogs-create-group": "true",
                "awslogs-stream-prefix": {"Ref": "LogStreamPrefix"}
              }
            }
          }
        ],
        "Volumes": [
          {
            "Name": {"Ref": "EfsVolumeName"},
            "EFSVolumeConfiguration": {
              "FilesystemId": {"Ref": "EfsFilesystemId"},
              "RootDirectory": {"Ref": "EfsRootDirectory"},
              "TransitEncryption": {"Ref": "EfsTransitEncryption"}
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "TaskDefinitionArn": {
      "Description": "The ARN of the created task definition",
      "Value": {"Ref": "ECSTaskDefinition"}
    }
  }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: 2010-09-09
Description: Create a task definition for a web server with parameterized values.
Parameters:
  ExecutionRoleArn:
    Type: String
    Default: arn:aws:iam::123456789012:role/ecsTaskExecutionRole
    Description: The ARN of the task execution role
  NetworkMode:
    Type: String
    Default: awsvpc
    Description: The Docker networking mode to use
    AllowedValues: [awsvpc, bridge, host, none]
  TaskFamily:
    Type: String
    Default: my-ecs-task
    Description: The name of the task definition family
  ContainerCpu:
    Type: String
    Default: "256"
    Description: The number of CPU units to reserve for the container
    AllowedValues: ["256", "512", "1024", "2048", "4096"]
  ContainerMemory:
    Type: String
    Default: "512"
    Description: The amount of memory (in MiB) to reserve for the container
    AllowedValues: ["512", "1024", "2048", "3072", "4096", "5120", "6144", "7168", "8192"]
  ContainerName:
    Type: String
    Default: nginx
    Description: The name of the container
  ContainerImage:
    Type: String
    Default: public.ecr.aws/nginx/nginx:latest
    Description: The container image to use for the task
  ContainerPort:
    Type: Number
    Default: 80
    Description: The port number on the container
  InitProcessEnabled:
    Type: String
    Default: "true"
    Description: Whether to enable the init process inside the container
    AllowedValues: ["true", "false"]
  EfsVolumeName:
    Type: String
    Default: efs-volume
    Description: The name of the EFS volume
  EfsContainerPath:
    Type: String
    Default: /usr/share/nginx/html
    Description: The path in the container where the EFS volume will be mounted
  LogGroup:
    Type: String
    Default: LogGroup
    Description: The CloudWatch log group for container logs
  LogStreamPrefix:
    Type: String
    Default: efs-task
    Description: The prefix for the log stream
  EfsFilesystemId:
    Type: String
    Default: fs-1234567890abcdef0
    Description: The ID of the EFS filesystem
  EfsRootDirectory:
    Type: String
    Default: /
    Description: The root directory in the EFS filesystem
  EfsTransitEncryption:
    Type: String
    Default: ENABLED
    Description: Whether to enable transit encryption for EFS
    AllowedValues: [ENABLED, DISABLED]
Resources:
  ECSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ExecutionRoleArn: !Ref ExecutionRoleArn
      NetworkMode: !Ref NetworkMode
      RequiresCompatibilities:
        - FARGATE
      Family: !Ref TaskFamily
      Cpu: !Ref ContainerCpu
      Memory: !Ref ContainerMemory
      ContainerDefinitions:
        - Name: !Ref ContainerName
          Image: !Ref ContainerImage
          Essential: true
          PortMappings:
            - ContainerPort: !Ref ContainerPort
              Protocol: tcp
          LinuxParameters:
            InitProcessEnabled: !Ref InitProcessEnabled
          MountPoints:
            - SourceVolume: !Ref EfsVolumeName
              ContainerPath: !Ref EfsContainerPath
          LogConfiguration:
            LogDriver: awslogs
            Options:
              mode: non-blocking
              max-buffer-size: 25m
              awslogs-group: !Ref LogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-create-group: "true"
              awslogs-stream-prefix: !Ref LogStreamPrefix
      Volumes:
        - Name: !Ref EfsVolumeName
          EFSVolumeConfiguration:
            FilesystemId: !Ref EfsFilesystemId
            RootDirectory: !Ref EfsRootDirectory
            TransitEncryption: !Ref EfsTransitEncryption
Outputs:
  TaskDefinitionArn:
    Description: The ARN of the created task definition
    Value: !Ref ECSTaskDefinition
```

------
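The EFS template above takes its image and its `TransitEncryption` setting from parameters, so what actually gets deployed depends on the defaults and on any `--parameters` overrides. The following Python check is an added example, not part of the original page: it resolves `Ref` values against the effective parameters and flags a floating image tag or unencrypted EFS transit. The input is a constructed excerpt of the JSON template above, and the function names and finding codes are assumptions of this example.

```python
import json

# Constructed excerpt of the EFS task definition template shown above.
TEMPLATE = json.loads("""
{
  "Parameters": {
    "ContainerImage": {"Type": "String", "Default": "public.ecr.aws/nginx/nginx:latest"},
    "EfsVolumeName": {"Type": "String", "Default": "efs-volume"},
    "EfsFilesystemId": {"Type": "String", "Default": "fs-1234567890abcdef0"},
    "EfsTransitEncryption": {"Type": "String", "Default": "ENABLED",
                             "AllowedValues": ["ENABLED", "DISABLED"]}
  },
  "Resources": {
    "ECSTaskDefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [{
          "Name": "nginx",
          "Image": {"Ref": "ContainerImage"},
          "LogConfiguration": {"LogDriver": "awslogs",
                               "Options": {"awslogs-region": {"Ref": "AWS::Region"}}}
        }],
        "Volumes": [{
          "Name": {"Ref": "EfsVolumeName"},
          "EFSVolumeConfiguration": {
            "FilesystemId": {"Ref": "EfsFilesystemId"},
            "TransitEncryption": {"Ref": "EfsTransitEncryption"}
          }
        }]
      }
    }
  }
}
""")


def effective_parameters(template, overrides=None):
    """Merge parameter defaults with overrides, enforcing AllowedValues."""
    specs = template.get("Parameters", {})
    params = {n: s["Default"] for n, s in specs.items() if "Default" in s}
    for name, value in (overrides or {}).items():
        spec = specs[name]  # KeyError for a parameter the template does not declare
        allowed = spec.get("AllowedValues")
        if allowed is not None and value not in allowed:
            raise ValueError(f"{name}={value!r} is not in AllowedValues {allowed}")
        params[name] = value
    return params


def resolve(value, params):
    """Replace {"Ref": name} with the parameter value, recursively.

    References to anything else (for example the pseudo parameter AWS::Region)
    are left in place because they are only known at deployment time.
    """
    if isinstance(value, dict):
        if set(value) == {"Ref"}:
            return params.get(value["Ref"], value)
        return {k: resolve(v, params) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, params) for v in value]
    return value


def uses_floating_tag(image):
    """True when the image has no digest and its tag is absent or 'latest'."""
    if "@sha256:" in image:
        return False
    last_segment = image.rsplit("/", 1)[-1]  # ignore a registry host:port colon
    tag = last_segment.split(":", 1)[1] if ":" in last_segment else "latest"
    return tag == "latest"


def check_task_definitions(template, overrides=None):
    """Return (resource, finding code, detail) tuples for task definitions."""
    params = effective_parameters(template, overrides)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        props = resolve(resource.get("Properties", {}), params)
        for container in props.get("ContainerDefinitions", []):
            image = container.get("Image")
            if isinstance(image, str) and uses_floating_tag(image):
                findings.append((name, "FLOATING_IMAGE_TAG", image))
        for volume in props.get("Volumes", []):
            efs = volume.get("EFSVolumeConfiguration")
            # An omitted TransitEncryption means DISABLED.
            if efs is not None and efs.get("TransitEncryption", "DISABLED") != "ENABLED":
                findings.append((name, "EFS_TRANSIT_UNENCRYPTED", volume.get("Name")))
    return findings


if __name__ == "__main__":
    for finding in check_task_definitions(TEMPLATE):
        print(finding)
```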

## Capacity providers
<a name="create-capacity-providers"></a>

Capacity providers are associated with an Amazon ECS cluster and are used to manage compute capacity for your workloads.

### Create a capacity provider for Amazon ECS Managed Instances
<a name="create-managed-instances-capacity-provider"></a>

By default, Amazon ECS provides a capacity provider that automatically selects the most cost-optimized general-purpose instance types. However, you can create custom capacity providers to specify instance requirements, such as instance types, CPU manufacturers, accelerator types, and other requirements. You can use the following template to create a capacity provider for Amazon ECS Managed Instances that meets the specified memory and CPU requirements.

------
#### [ JSON ]

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyCapacityProvider": {
            "Type": "AWS::ECS::CapacityProvider",
            "Properties": {
                "ManagedInstancesProvider": {
                    "InfrastructureRoleArn": "arn:aws:iam::123456789012:role/ECSInfrastructureRole",
                    "InstanceLaunchTemplate": {
                        "Ec2InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/ecsInstanceProfile",
                        "NetworkConfiguration": {
                            "Subnets": [
                                "subnet-12345678"
                            ],
                            "SecurityGroups": [
                                "sg-87654321"
                            ]
                        },
                        "StorageConfiguration": {
                            "StorageSizeGiB": 30
                        },
                        "InstanceRequirements": {
                            "VCpuCount": {
                                "Min": 1,
                                "Max": 4
                            },
                            "MemoryMiB": {
                                "Min": 2048,
                                "Max": 8192
                            }
                        }
                    }
                }
            }
        }
    }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyCapacityProvider:
    Type: AWS::ECS::CapacityProvider
    Properties:
      ManagedInstancesProvider:
        InfrastructureRoleArn: "arn:aws:iam::123456789012:role/ECSInfrastructureRole"
        InstanceLaunchTemplate:
          Ec2InstanceProfileArn: "arn:aws:iam::123456789012:instance-profile/ecsInstanceProfile"
          NetworkConfiguration:
            Subnets:
              - "subnet-12345678"
            SecurityGroups:
              - "sg-87654321"
          StorageConfiguration:
            StorageSizeGiB: 30
          InstanceRequirements:
            VCpuCount:
              Min: 1
              Max: 4
            MemoryMiB:
              Min: 2048
              Max: 8192
```

------

## Clusters
<a name="create-clusters"></a>

An Amazon ECS cluster is a logical grouping of tasks or services. You can use the following templates to create clusters with different configurations. For more information about Amazon ECS clusters, see [Amazon ECS clusters](clusters.md).

### Create an empty cluster with default settings
<a name="create-empty-cluster"></a>

You can use the following template to create an empty cluster with default settings.

------
#### [ JSON ]

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ECSCluster": {
            "Type": "AWS::ECS::Cluster",
            "Properties": {
                "ClusterName": "MyEmptyCluster"
            }
        }
    }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: MyEmptyCluster
```

------

### Create an empty cluster with managed storage encryption and enhanced Container Insights
<a name="create-cluster-enhanced-encrypted"></a>

You can use the following template to create a cluster with cluster-level managed storage and enhanced Container Insights enabled. Cluster-level encryption applies to Amazon ECS managed data volumes such as Amazon EBS volumes. For more information about Amazon EBS encryption, see [Encrypt data stored in Amazon EBS volumes attached to Amazon ECS tasks](ebs-kms-encryption.md). For more information about using Container Insights with enhanced observability, see [Monitor Amazon ECS containers using Container Insights with enhanced observability](cloudwatch-container-insights.md).

------
#### [ JSON ]

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Cluster": {
            "Type": "AWS::ECS::Cluster",
            "Properties": {
                "ClusterName": "EncryptedEnhancedCluster",
                "ClusterSettings": [
                    {
                        "Name": "containerInsights",
                        "Value": "enhanced"
                    }
                ],
                "Configuration": {
                    "ManagedStorageConfiguration": {
                        "KmsKeyId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
                    }
                }
            }
        }
    }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Cluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: EncryptedEnhancedCluster
      ClusterSettings:
        - Name: containerInsights
          Value: enhanced
      Configuration:
        ManagedStorageConfiguration:
          KmsKeyId: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
```

------

### Create a cluster with the AL2023 Amazon ECS-optimized AMI
<a name="create-cluster-al2023"></a>

You can use the following template to create a cluster that uses a capacity provider that launches AL2023 instances on Amazon EC2.

**Important**  
For the latest AMI IDs, see [Amazon ECS-optimized AMI](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html) in the *Amazon Elastic Container Service Developer Guide*.

------
#### [ JSON ]

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "EC2 ECS cluster that starts out empty, with no EC2 instances yet. An ECS capacity provider automatically launches more EC2 instances as required on the fly when you request ECS to launch services or standalone tasks.",
    "Parameters": {
        "InstanceType": {
            "Type": "String",
            "Description": "EC2 instance type",
            "Default": "t2.medium",
            "AllowedValues": [
                "t1.micro",
                "t2.2xlarge",
                "t2.large",
                "t2.medium",
                "t2.micro",
                "t2.nano",
                "t2.small",
                "t2.xlarge",
                "t3.2xlarge",
                "t3.large",
                "t3.medium",
                "t3.micro",
                "t3.nano",
                "t3.small",
                "t3.xlarge"
            ]
        },
        "DesiredCapacity": {
            "Type": "Number",
            "Default": "0",
            "Description": "Number of EC2 instances to launch in your ECS cluster."
        },
        "MaxSize": {
            "Type": "Number",
            "Default": "100",
            "Description": "Maximum number of EC2 instances that can be launched in your ECS cluster."
        },
        "ECSAMI": {
            "Description": "The Amazon Machine Image ID used for the cluster",
            "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
            "Default": "/aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id"
        },
        "VpcId": {
            "Type": "AWS::EC2::VPC::Id",
            "Description": "VPC ID where the ECS cluster is launched",
            "Default": "vpc-1234567890abcdef0"
        },
        "SubnetIds": {
            "Type": "List<AWS::EC2::Subnet::Id>",
            "Description": "List of subnet IDs where the EC2 instances will be launched",
            "Default": "subnet-021345abcdef67890"
        }
    },
    "Resources": {
        "ECSCluster": {
            "Type": "AWS::ECS::Cluster",
            "Properties": {
                "ClusterSettings": [
                    {
                        "Name": "containerInsights",
                        "Value": "enabled"
                    }
                ]
            }
        },
        "ECSAutoScalingGroup": {
            "Type": "AWS::AutoScaling::AutoScalingGroup",
            "DependsOn": [
                "ECSCluster",
                "EC2Role"
            ],
            "Properties": {
                "VPCZoneIdentifier": {
                    "Ref": "SubnetIds"
                },
                "LaunchTemplate": {
                    "LaunchTemplateId": {
                        "Ref": "ContainerInstances"
                    },
                    "Version": {
                        "Fn::GetAtt": [
                            "ContainerInstances",
                            "LatestVersionNumber"
                        ]
                    }
                },
                "MinSize": 0,
                "MaxSize": {
                    "Ref": "MaxSize"
                },
                "DesiredCapacity": {
                    "Ref": "DesiredCapacity"
                },
                "NewInstancesProtectedFromScaleIn": true
            },
            "UpdatePolicy": {
                "AutoScalingReplacingUpdate": {
                    "WillReplace": "true"
                }
            }
        },
        "ContainerInstances": {
            "Type": "AWS::EC2::LaunchTemplate",
            "Properties": {
                "LaunchTemplateName": "asg-launch-template-2",
                "LaunchTemplateData": {
                    "ImageId": {
                        "Ref": "ECSAMI"
                    },
                    "InstanceType": {
                        "Ref": "InstanceType"
                    },
                    "IamInstanceProfile": {
                        "Name": {
                            "Ref": "EC2InstanceProfile"
                        }
                    },
                    "SecurityGroupIds": [
                        {
                            "Ref": "ContainerHostSecurityGroup"
                        }
                    ],
                    "UserData": {
                        "Fn::Base64": {
                            "Fn::Sub": "#!/bin/bash -xe\n echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config\n yum install -y aws-cfn-bootstrap\n /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} &\n"
                        }
                    },
                    "MetadataOptions": {
                        "HttpEndpoint": "enabled",
                        "HttpTokens": "required"
                    }
                }
            }
        },
        "EC2InstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Properties": {
                "Path": "/",
                "Roles": [
                    {
                        "Ref": "EC2Role"
                    }
                ]
            }
        },
        "CapacityProvider": {
            "Type": "AWS::ECS::CapacityProvider",
            "Properties": {
                "AutoScalingGroupProvider": {
                    "AutoScalingGroupArn": {
                        "Ref": "ECSAutoScalingGroup"
                    },
                    "ManagedScaling": {
                        "InstanceWarmupPeriod": 60,
                        "MinimumScalingStepSize": 1,
                        "MaximumScalingStepSize": 100,
                        "Status": "ENABLED",
                        "TargetCapacity": 100
                    },
                    "ManagedTerminationProtection": "ENABLED"
                }
            }
        },
        "CapacityProviderAssociation": {
            "Type": "AWS::ECS::ClusterCapacityProviderAssociations",
            "Properties": {
                "CapacityProviders": [
                    {
                        "Ref": "CapacityProvider"
                    }
                ],
                "Cluster": {
                    "Ref": "ECSCluster"
                },
                "DefaultCapacityProviderStrategy": [
                    {
                        "Base": 0,
                        "CapacityProvider": {
                            "Ref": "CapacityProvider"
                        },
                        "Weight": 1
                    }
                ]
            }
        },
        "ContainerHostSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Access to the EC2 hosts that run containers",
                "VpcId": {
                    "Ref": "VpcId"
                }
            }
        },
        "EC2Role": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "ec2.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Path": "/",
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
                    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
                ]
            }
        },
        "ECSTaskExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "ecs-tasks.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ],
                            "Condition": {
                                "ArnLike": {
                                    "aws:SourceArn": {
                                        "Fn::Sub": "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*"
                                    }
                                },
                                "StringEquals": {
                                    "aws:SourceAccount": {
                                        "Fn::Sub": "${AWS::AccountId}"
                                    }
                                }
                            }
                        }
                    ]
                },
                "Path": "/",
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
                ]
            }
        }
    },
    "Outputs": {
        "ClusterName": {
            "Description": "The ECS cluster into which to launch resources",
            "Value": {
                "Ref": "ECSCluster"
            }
        },
        "ECSTaskExecutionRole": {
            "Description": "The role used to start up a task",
            "Value": {
                "Ref": "ECSTaskExecutionRole"
            }
        },
        "CapacityProvider": {
            "Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task",
            "Value": {
                "Ref": "CapacityProvider"
            }
        }
    }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: '2010-09-09'
Description: EC2 ECS cluster that starts out empty, with no EC2 instances yet. An ECS capacity provider automatically launches more EC2 instances as required on the fly when you request ECS to launch services or standalone tasks.
Parameters:
  InstanceType:
    Type: String
    Description: EC2 instance type
    Default: t2.medium
    AllowedValues:
      - t1.micro
      - t2.2xlarge
      - t2.large
      - t2.medium
      - t2.micro
      - t2.nano
      - t2.small
      - t2.xlarge
      - t3.2xlarge
      - t3.large
      - t3.medium
      - t3.micro
      - t3.nano
      - t3.small
      - t3.xlarge
  DesiredCapacity:
    Type: Number
    Default: '0'
    Description: Number of EC2 instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
    Default: '100'
    Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
  ECSAMI:
    Description: The Amazon Machine Image ID used for the cluster
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ecs/optimized-ami/amazon-linux-2023/recommended/image_id
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the ECS cluster is launched
    Default: vpc-1234567890abcdef0
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: List of subnet IDs where the EC2 instances will be launched
    Default: subnet-021345abcdef67890
Resources:
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
  ECSAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    DependsOn:
      - ECSCluster
      - EC2Role
    Properties:
      VPCZoneIdentifier: !Ref SubnetIds
      LaunchTemplate:
        LaunchTemplateId: !Ref ContainerInstances
        Version: !GetAtt ContainerInstances.LatestVersionNumber
      MinSize: 0
      MaxSize: !Ref MaxSize
      DesiredCapacity: !Ref DesiredCapacity
      NewInstancesProtectedFromScaleIn: true
    UpdatePolicy:
      AutoScalingReplacingUpdate:
        WillReplace: 'true'
  ContainerInstances:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: asg-launch-template-2
      LaunchTemplateData:
        ImageId: !Ref ECSAMI
        InstanceType: !Ref InstanceType
        IamInstanceProfile:
          Name: !Ref EC2InstanceProfile
        SecurityGroupIds:
          - !Ref ContainerHostSecurityGroup
        UserData: !Base64
          Fn::Sub: |
            #!/bin/bash -xe
            echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
            yum install -y aws-cfn-bootstrap
            /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource ContainerInstances --configsets full_install --region ${AWS::Region} &
        MetadataOptions:
          HttpEndpoint: enabled
          HttpTokens: required
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role
  CapacityProvider:
    Type: AWS::ECS::CapacityProvider
    Properties:
      AutoScalingGroupProvider:
        AutoScalingGroupArn: !Ref ECSAutoScalingGroup
        ManagedScaling:
          InstanceWarmupPeriod: 60
          MinimumScalingStepSize: 1
          MaximumScalingStepSize: 100
          Status: ENABLED
          TargetCapacity: 100
        ManagedTerminationProtection: ENABLED
  CapacityProviderAssociation:
    Type: AWS::ECS::ClusterCapacityProviderAssociations
    Properties:
      CapacityProviders:
        - !Ref CapacityProvider
      Cluster: !Ref ECSCluster
      DefaultCapacityProviderStrategy:
        - Base: 0
          CapacityProvider: !Ref CapacityProvider
          Weight: 1
  ContainerHostSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Access to the EC2 hosts that run containers
      VpcId: !Ref VpcId
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
            Condition:
              ArnLike:
                aws:SourceArn: !Sub arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:*
              StringEquals:
                aws:SourceAccount: !Sub ${AWS::AccountId}
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Outputs:
  ClusterName:
    Description: The ECS cluster into which to launch resources
    Value: !Ref ECSCluster
  ECSTaskExecutionRole:
    Description: The role used to start up a task
    Value: !Ref ECSTaskExecutionRole
  CapacityProvider:
    Description: The cluster capacity provider that the service should use to request capacity when it wants to start up a task
    Value: !Ref CapacityProvider
```

------
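The AL2023 template above sets `HttpTokens: required` on the launch template and scopes the `ecs-tasks.amazonaws.com` trust policy with `aws:SourceArn` and `aws:SourceAccount`. The following is an added example, not part of the original guide or any AWS tool: a pre-deployment check for JSON templates that flags launch templates that do not require IMDSv2, task-role trust policies without either source condition, and outputs whose value is a literal string equal to a logical resource ID where a `Ref` was probably intended. The function name, finding codes, and sample template are assumptions made for this illustration.

```python
import json

# Constructed sample (not from the page): same resource types and property
# names as the page's templates, with three deliberate weaknesses.
SAMPLE = json.loads("""
{
  "Resources": {
    "ECSCluster": {"Type": "AWS::ECS::Cluster", "Properties": {}},
    "GoodLaunchTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {"LaunchTemplateData": {
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}}
    },
    "WeakLaunchTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {"LaunchTemplateData": {
        "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}}}
    },
    "EC2Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
         "Action": ["sts:AssumeRole"]}]}}
    },
    "ScopedTaskRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": ["ecs-tasks.amazonaws.com"]},
         "Action": ["sts:AssumeRole"],
         "Condition": {"StringEquals": {
           "aws:SourceAccount": {"Fn::Sub": "${AWS::AccountId}"}}}}]}}
    },
    "OpenTaskRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {"AssumeRolePolicyDocument": {"Statement":
        {"Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"},
         "Action": "sts:AssumeRole"}}}
    }
  },
  "Outputs": {
    "ClusterName": {"Value": "ECSCluster"},
    "ClusterRef": {"Value": {"Ref": "ECSCluster"}}
  }
}
""")

ECS_TASKS = "ecs-tasks.amazonaws.com"
# IAM condition keys are case-insensitive, so compare in lower case.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def _as_list(value):
    """CloudFormation and IAM accept a single item or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Lower-cased condition keys across all operators of one statement."""
    keys = set()
    for operands in (statement.get("Condition") or {}).values():
        keys.update(key.lower() for key in operands)
    return keys


def check_template(template):
    """Return sorted (logical_id, finding_code) tuples; codes are hypothetical."""
    findings = []
    resources = template.get("Resources") or {}
    for name, resource in resources.items():
        props = resource.get("Properties") or {}
        if resource.get("Type") == "AWS::EC2::LaunchTemplate":
            data = props.get("LaunchTemplateData") or {}
            options = data.get("MetadataOptions") or {}
            # Anything other than an explicit "required" leaves IMDSv1 usable
            # or dependent on defaults outside the template.
            if options.get("HttpTokens") != "required":
                findings.append((name, "IMDSV2_NOT_REQUIRED"))
        elif resource.get("Type") == "AWS::IAM::Role":
            document = props.get("AssumeRolePolicyDocument") or {}
            for statement in _as_list(document.get("Statement")):
                principal = statement.get("Principal")
                services = (_as_list(principal.get("Service"))
                            if isinstance(principal, dict) else [])
                # Flag only when neither source condition key is present.
                if (statement.get("Effect") == "Allow" and ECS_TASKS in services
                        and not SOURCE_KEYS & _condition_keys(statement)):
                    findings.append((name, "TRUST_POLICY_NO_SOURCE_CONDITION"))
    for name, output in (template.get("Outputs") or {}).items():
        value = output.get("Value")
        # A plain string that names a resource exports the name, not the resource.
        if isinstance(value, str) and value in resources:
            findings.append((name, "OUTPUT_LITERAL_LOGICAL_ID"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, code in check_template(SAMPLE):
        print(f"{code}: {logical_id}")
```

The check reads only the JSON form; YAML templates that use short-form tags such as `!Ref` need a loader that understands those tags before they can be passed to `check_template`.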

## Services
<a name="create-service"></a>

You can use an Amazon ECS service to run and maintain a specified number of instances of a task definition simultaneously in an Amazon ECS cluster. If one of your tasks fails or stops, the Amazon ECS service scheduler launches another instance of your task definition to replace it. This maintains the desired number of tasks in the service. The following templates can be used to deploy services. For more information about Amazon ECS default service limits, see [Amazon ECS services](ecs_services.md).

### Deploy a load-balanced web application
<a name="simple-service"></a>

The following template creates an Amazon ECS service with two tasks that run on Fargate. Each task has an NGINX container. The template also creates an Application Load Balancer that distributes application traffic and an Application Auto Scaling policy that scales the application based on CPU utilization. The template also creates the networking resources needed to deploy the application, the logging resources for container logs, and an Amazon ECS task execution IAM role. For more information about the task execution role, see [Amazon ECS task execution IAM role](task_execution_IAM_role.md). For more information about auto scaling, see [Automatically scale your Amazon ECS service](service-auto-scaling.md).

------
#### [ JSON ]

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "[AWSDocs] ECS: load-balanced-web-application",
    "Parameters": {
        "VpcCidr": {
            "Type": "String",
            "Default": "10.0.0.0/16",
            "Description": "CIDR block for the VPC"
        },
        "ContainerImage": {
            "Type": "String",
            "Default": "public.ecr.aws/ecs-sample-image/amazon-ecs-sample:latest",
            "Description": "Container image to use in task definition"
        },
        "PublicSubnet1Cidr": {
            "Type": "String",
            "Default": "10.0.1.0/24",
            "Description": "CIDR block for public subnet 1"
        },
        "PublicSubnet2Cidr": {
            "Type": "String",
            "Default": "10.0.2.0/24",
            "Description": "CIDR block for public subnet 2"
        },
        "PrivateSubnet1Cidr": {
            "Type": "String",
            "Default": "10.0.3.0/24",
            "Description": "CIDR block for private subnet 1"
        },
        "PrivateSubnet2Cidr": {
            "Type": "String",
            "Default": "10.0.4.0/24",
            "Description": "CIDR block for private subnet 2"
        },
        "ServiceName": {
            "Type": "String",
            "Default": "tutorial-app",
            "Description": "Name of the ECS service"
        },
        "ContainerPort": {
            "Type": "Number",
            "Default": 80,
            "Description": "Port on which the container listens"
        },
        "DesiredCount": {
            "Type": "Number",
            "Default": 2,
            "Description": "Desired number of tasks"
        },
        "MinCapacity": {
            "Type": "Number",
            "Default": 1,
            "Description": "Minimum number of tasks for auto scaling"
        },
        "MaxCapacity": {
            "Type": "Number",
            "Default": 10,
            "Description": "Maximum number of tasks for auto scaling"
        }
    },
    "Resources": {
        "VPC": {
            "Type": "AWS::EC2::VPC",
            "Properties": {
                "CidrBlock": {
                    "Ref": "VpcCidr"
                },
                "EnableDnsHostnames": true,
                "EnableDnsSupport": true,
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-vpc"
                        }
                    }
                ]
            }
        },
        "InternetGateway": {
            "Type": "AWS::EC2::InternetGateway",
            "Properties": {
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-igw"
                        }
                    }
                ]
            }
        },
        "InternetGatewayAttachment": {
            "Type": "AWS::EC2::VPCGatewayAttachment",
            "Properties": {
                "InternetGatewayId": {
                    "Ref": "InternetGateway"
                },
                "VpcId": {
                    "Ref": "VPC"
                }
            }
        },
        "PublicSubnet1": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "AvailabilityZone": {
                    "Fn::Select": [
                        0,
                        {
                            "Fn::GetAZs": ""
                        }
                    ]
                },
                "CidrBlock": {
                    "Ref": "PublicSubnet1Cidr"
                },
                "MapPublicIpOnLaunch": true,
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-public-subnet-1"
                        }
                    }
                ]
            }
        },
        "PublicSubnet2": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "AvailabilityZone": {
                    "Fn::Select": [
                        1,
                        {
                            "Fn::GetAZs": ""
                        }
                    ]
                },
                "CidrBlock": {
                    "Ref": "PublicSubnet2Cidr"
                },
                "MapPublicIpOnLaunch": true,
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-public-subnet-2"
                        }
                    }
                ]
            }
        },
        "PrivateSubnet1": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "AvailabilityZone": {
                    "Fn::Select": [
                        0,
                        {
                            "Fn::GetAZs": ""
                        }
                    ]
                },
                "CidrBlock": {
                    "Ref": "PrivateSubnet1Cidr"
                },
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-private-subnet-1"
                        }
                    }
                ]
            }
        },
        "PrivateSubnet2": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "AvailabilityZone": {
                    "Fn::Select": [
                        1,
                        {
                            "Fn::GetAZs": ""
                        }
                    ]
                },
                "CidrBlock": {
                    "Ref": "PrivateSubnet2Cidr"
                },
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-private-subnet-2"
                        }
                    }
                ]
            }
        },
        "NatGateway1EIP": {
            "Type": "AWS::EC2::EIP",
            "DependsOn": "InternetGatewayAttachment",
            "Properties": {
                "Domain": "vpc",
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-nat-eip-1"
                        }
                    }
                ]
            }
        },
        "NatGateway2EIP": {
            "Type": "AWS::EC2::EIP",
            "DependsOn": "InternetGatewayAttachment",
            "Properties": {
                "Domain": "vpc",
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-nat-eip-2"
                        }
                    }
                ]
            }
        },
        "NatGateway1": {
            "Type": "AWS::EC2::NatGateway",
            "Properties": {
                "AllocationId": {
                    "Fn::GetAtt": [
                        "NatGateway1EIP",
                        "AllocationId"
                    ]
                },
                "SubnetId": {
                    "Ref": "PublicSubnet1"
                },
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-nat-1"
                        }
                    }
                ]
            }
        },
        "NatGateway2": {
            "Type": "AWS::EC2::NatGateway",
            "Properties": {
                "AllocationId": {
                    "Fn::GetAtt": [
                        "NatGateway2EIP",
                        "AllocationId"
                    ]
                },
                "SubnetId": {
                    "Ref": "PublicSubnet2"
                },
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-nat-2"
                        }
                    }
                ]
            }
        },
        "PublicRouteTable": {
            "Type": "AWS::EC2::RouteTable",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-public-routes"
                        }
                    }
                ]
            }
        },
        "DefaultPublicRoute": {
            "Type": "AWS::EC2::Route",
            "DependsOn": "InternetGatewayAttachment",
            "Properties": {
                "RouteTableId": {
                    "Ref": "PublicRouteTable"
                },
                "DestinationCidrBlock": "0.0.0.0/0",
                "GatewayId": {
                    "Ref": "InternetGateway"
                }
            }
        },
        "PublicSubnet1RouteTableAssociation": {
            "Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {
                "RouteTableId": {
                    "Ref": "PublicRouteTable"
                },
                "SubnetId": {
                    "Ref": "PublicSubnet1"
                }
            }
        },
        "PublicSubnet2RouteTableAssociation": {
            "Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {
                "RouteTableId": {
                    "Ref": "PublicRouteTable"
                },
                "SubnetId": {
                    "Ref": "PublicSubnet2"
                }
            }
        },
        "PrivateRouteTable1": {
            "Type": "AWS::EC2::RouteTable",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-private-routes-1"
                        }
                    }
                ]
            }
        },
        "DefaultPrivateRoute1": {
            "Type": "AWS::EC2::Route",
            "Properties": {
                "RouteTableId": {
                    "Ref": "PrivateRouteTable1"
                },
                "DestinationCidrBlock": "0.0.0.0/0",
                "NatGatewayId": {
                    "Ref": "NatGateway1"
                }
            }
        },
        "PrivateSubnet1RouteTableAssociation": {
            "Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {
                "RouteTableId": {
                    "Ref": "PrivateRouteTable1"
                },
                "SubnetId": {
                    "Ref": "PrivateSubnet1"
                }
            }
        },
        "PrivateRouteTable2": {
            "Type": "AWS::EC2::RouteTable",
            "Properties": {
                "VpcId": {
                    "Ref": "VPC"
                },
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-private-routes-2"
                        }
                    }
                ]
            }
        },
        "DefaultPrivateRoute2": {
            "Type": "AWS::EC2::Route",
            "Properties": {
                "RouteTableId": {
                    "Ref": "PrivateRouteTable2"
                },
                "DestinationCidrBlock": "0.0.0.0/0",
                "NatGatewayId": {
                    "Ref": "NatGateway2"
                }
            }
        },
        "PrivateSubnet2RouteTableAssociation": {
            "Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {
                "RouteTableId": {
                    "Ref": "PrivateRouteTable2"
                },
                "SubnetId": {
                    "Ref": "PrivateSubnet2"
                }
            }
        },
        "ALBSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": {
                    "Fn::Sub": "${AWS::StackName}-alb-sg"
                },
                "GroupDescription": "Security group for Application Load Balancer",
                "VpcId": {
                    "Ref": "VPC"
                },
                "SecurityGroupIngress": [
                    {
                        "IpProtocol": "tcp",
                        "FromPort": 80,
                        "ToPort": 80,
                        "CidrIp": "0.0.0.0/0",
                        "Description": "Allow HTTP traffic from internet"
                    }
                ],
                "SecurityGroupEgress": [
                    {
                        "IpProtocol": -1,
                        "CidrIp": "0.0.0.0/0",
                        "Description": "Allow all outbound traffic"
                    }
                ],
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-alb-sg"
                        }
                    }
                ]
            }
        },
        "ECSSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": {
                    "Fn::Sub": "${AWS::StackName}-ecs-sg"
                },
                "GroupDescription": "Security group for ECS tasks",
                "VpcId": {
                    "Ref": "VPC"
                },
                "SecurityGroupIngress": [
                    {
                        "IpProtocol": "tcp",
                        "FromPort": {
                            "Ref": "ContainerPort"
                        },
                        "ToPort": {
                            "Ref": "ContainerPort"
                        },
                        "SourceSecurityGroupId": {
                            "Ref": "ALBSecurityGroup"
                        },
                        "Description": "Allow traffic from ALB"
                    }
                ],
                "SecurityGroupEgress": [
                    {
                        "IpProtocol": -1,
                        "CidrIp": "0.0.0.0/0",
                        "Description": "Allow all outbound traffic"
                    }
                ],
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-ecs-sg"
                        }
                    }
                ]
            }
        },
        "ApplicationLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "Properties": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-alb"
                },
                "Scheme": "internet-facing",
                "Type": "application",
                "Subnets": [
                    {
                        "Ref": "PublicSubnet1"
                    },
                    {
                        "Ref": "PublicSubnet2"
                    }
                ],
                "SecurityGroups": [
                    {
                        "Ref": "ALBSecurityGroup"
                    }
                ],
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-alb"
                        }
                    }
                ]
            }
        },
        "ALBTargetGroup": {
            "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
            "Properties": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-tg"
                },
                "Port": {
                    "Ref": "ContainerPort"
                },
                "Protocol": "HTTP",
                "VpcId": {
                    "Ref": "VPC"
                },
                "TargetType": "ip",
                "HealthCheckIntervalSeconds": 30,
                "HealthCheckPath": "/",
                "HealthCheckProtocol": "HTTP",
                "HealthCheckTimeoutSeconds": 5,
                "HealthyThresholdCount": 2,
                "UnhealthyThresholdCount": 5,
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-tg"
                        }
                    }
                ]
            }
        },
        "ALBListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {
                "DefaultActions": [
                    {
                        "Type": "forward",
                        "TargetGroupArn": {
                            "Ref": "ALBTargetGroup"
                        }
                    }
                ],
                "LoadBalancerArn": {
                    "Ref": "ApplicationLoadBalancer"
                },
                "Port": 80,
                "Protocol": "HTTP"
            }
        },
        "ECSCluster": {
            "Type": "AWS::ECS::Cluster",
            "Properties": {
                "ClusterName": {
                    "Fn::Sub": "${AWS::StackName}-cluster"
                },
                "CapacityProviders": [
                    "FARGATE",
                    "FARGATE_SPOT"
                ],
                "DefaultCapacityProviderStrategy": [
                    {
                        "CapacityProvider": "FARGATE",
                        "Weight": 1
                    },
                    {
                        "CapacityProvider": "FARGATE_SPOT",
                        "Weight": 4
                    }
                ],
                "ClusterSettings": [
                    {
                        "Name": "containerInsights",
                        "Value": "enabled"
                    }
                ],
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-cluster"
                        }
                    }
                ]
            }
        },
        "ECSTaskExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {
                    "Fn::Sub": "${AWS::StackName}-task-execution-role"
                },
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "ecs-tasks.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
                ],
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-task-execution-role"
                        }
                    }
                ]
            }
        },
        "ECSTaskRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": {
                    "Fn::Sub": "${AWS::StackName}-task-role"
                },
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "ecs-tasks.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-task-role"
                        }
                    }
                ]
            }
        },
        "LogGroup": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {
                "LogGroupName": {
                    "Fn::Sub": "/ecs/${AWS::StackName}"
                },
                "RetentionInDays": 7
            }
        },
        "TaskDefinition": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {
                "Family": {
                    "Fn::Sub": "${AWS::StackName}-task"
                },
                "Cpu": "256",
                "Memory": "512",
                "NetworkMode": "awsvpc",
                "RequiresCompatibilities": [
                    "FARGATE"
                ],
                "ExecutionRoleArn": {
                    "Fn::GetAtt": [
                        "ECSTaskExecutionRole",
                        "Arn"
                    ]
                },
                "TaskRoleArn": {
                    "Fn::GetAtt": [
                        "ECSTaskRole",
                        "Arn"
                    ]
                },
                "ContainerDefinitions": [
                    {
                        "Name": {
                            "Ref": "ServiceName"
                        },
                        "Image": {
                            "Ref": "ContainerImage"
                        },
                        "PortMappings": [
                            {
                                "ContainerPort": {
                                    "Ref": "ContainerPort"
                                },
                                "Protocol": "tcp"
                            }
                        ],
                        "Essential": true,
                        "LogConfiguration": {
                            "LogDriver": "awslogs",
                            "Options": {
                                "awslogs-group": {
                                    "Ref": "LogGroup"
                                },
                                "awslogs-region": {
                                    "Ref": "AWS::Region"
                                },
                                "awslogs-stream-prefix": "ecs"
                            }
                        },
                        "HealthCheck": {
                            "Command": [
                                "CMD-SHELL",
                                "curl -f http://localhost/ || exit 1"
                            ],
                            "Interval": 30,
                            "Timeout": 5,
                            "Retries": 3,
                            "StartPeriod": 60
                        }
                    }
                ],
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-task"
                        }
                    }
                ]
            }
        },
        "ECSService": {
            "Type": "AWS::ECS::Service",
            "DependsOn": "ALBListener",
            "Properties": {
                "ServiceName": {
                    "Fn::Sub": "${AWS::StackName}-service"
                },
                "Cluster": {
                    "Ref": "ECSCluster"
                },
                "TaskDefinition": {
                    "Ref": "TaskDefinition"
                },
                "DesiredCount": {
                    "Ref": "DesiredCount"
                },
                "LaunchType": "FARGATE",
                "PlatformVersion": "LATEST",
                "NetworkConfiguration": {
                    "AwsvpcConfiguration": {
                        "AssignPublicIp": "DISABLED",
                        "SecurityGroups": [
                            {
                                "Ref": "ECSSecurityGroup"
                            }
                        ],
                        "Subnets": [
                            {
                                "Ref": "PrivateSubnet1"
                            },
                            {
                                "Ref": "PrivateSubnet2"
                            }
                        ]
                    }
                },
                "LoadBalancers": [
                    {
                        "ContainerName": {
                            "Ref": "ServiceName"
                        },
                        "ContainerPort": {
                            "Ref": "ContainerPort"
                        },
                        "TargetGroupArn": {
                            "Ref": "ALBTargetGroup"
                        }
                    }
                ],
                "DeploymentConfiguration": {
                    "MaximumPercent": 200,
                    "MinimumHealthyPercent": 50,
                    "DeploymentCircuitBreaker": {
                        "Enable": true,
                        "Rollback": true
                    }
                },
                "EnableExecuteCommand": true,
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {
                            "Fn::Sub": "${AWS::StackName}-service"
                        }
                    }
                ]
            }
        },
        "ServiceScalingTarget": {
            "Type": "AWS::ApplicationAutoScaling::ScalableTarget",
            "Properties": {
                "MaxCapacity": {
                    "Ref": "MaxCapacity"
                },
                "MinCapacity": {
                    "Ref": "MinCapacity"
                },
                "ResourceId": {
                    "Fn::Sub": "service/${ECSCluster}/${ECSService.Name}"
                },
                "RoleARN": {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService"
                },
                "ScalableDimension": "ecs:service:DesiredCount",
                "ServiceNamespace": "ecs"
            }
        },
        "ServiceScalingPolicy": {
            "Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
            "Properties": {
                "PolicyName": {
                    "Fn::Sub": "${AWS::StackName}-cpu-scaling-policy"
                },
                "PolicyType": "TargetTrackingScaling",
                "ScalingTargetId": {
                    "Ref": "ServiceScalingTarget"
                },
                "TargetTrackingScalingPolicyConfiguration": {
                    "PredefinedMetricSpecification": {
                        "PredefinedMetricType": "ECSServiceAverageCPUUtilization"
                    },
                    "TargetValue": 70,
                    "ScaleOutCooldown": 300,
                    "ScaleInCooldown": 300
                }
            }
        }
    },
    "Outputs": {
        "VPCId": {
            "Description": "VPC ID",
            "Value": {
                "Ref": "VPC"
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-VPC-ID"
                }
            }
        },
        "LoadBalancerURL": {
            "Description": "URL of the Application Load Balancer",
            "Value": {
                "Fn::Sub": "http://${ApplicationLoadBalancer.DNSName}"
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-ALB-URL"
                }
            }
        },
        "ECSClusterName": {
            "Description": "Name of the ECS Cluster",
            "Value": {
                "Ref": "ECSCluster"
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-ECS-Cluster"
                }
            }
        },
        "ECSServiceName": {
            "Description": "Name of the ECS Service",
            "Value": {
                "Fn::GetAtt": [
                    "ECSService",
                    "Name"
                ]
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-ECS-Service"
                }
            }
        },
        "PrivateSubnet1": {
            "Description": "Private Subnet 1 ID",
            "Value": {
                "Ref": "PrivateSubnet1"
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-Private-Subnet-1"
                }
            }
        },
        "PrivateSubnet2": {
            "Description": "Private Subnet 2 ID",
            "Value": {
                "Ref": "PrivateSubnet2"
            },
            "Export": {
                "Name": {
                    "Fn::Sub": "${AWS::StackName}-Private-Subnet-2"
                }
            }
        }
    }
}
```
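
A reviewer's check over the template above, as an added example that is not part of the AWS documentation: this Python script walks a CloudFormation template's `Resources` and reports the settings that decide how the service can be reached. The excerpt is constructed from the values shown on this page; `review_template` and the finding names are hypothetical.

```python
import json

# Constructed excerpt of the template above: only the resources and properties
# that decide how the service can be reached, with the values shown on this page.
TEMPLATE_EXCERPT = json.loads("""
{
  "Resources": {
    "ALBSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
      ]}
    },
    "ECSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp",
         "FromPort": {"Ref": "ContainerPort"}, "ToPort": {"Ref": "ContainerPort"},
         "SourceSecurityGroupId": {"Ref": "ALBSecurityGroup"}}
      ]}
    },
    "ALBListener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "Properties": {
        "DefaultActions": [{"Type": "forward",
                            "TargetGroupArn": {"Ref": "ALBTargetGroup"}}],
        "Port": 80, "Protocol": "HTTP"
      }
    },
    "ECSService": {
      "Type": "AWS::ECS::Service",
      "Properties": {
        "NetworkConfiguration": {"AwsvpcConfiguration": {
          "AssignPublicIp": "DISABLED"}},
        "EnableExecuteCommand": true
      }
    }
  }
}
""")

# A tuple, not a set: property values may be intrinsic-function dicts such as
# {"Ref": ...}, which are unhashable but compare fine with ==.
OPEN_CIDRS = ("0.0.0.0/0", "::/0")


def _is_true(value):
    # CloudFormation accepts booleans as true/false or as the strings "true"/"false".
    return value is True or (isinstance(value, str) and value.lower() == "true")


def review_template(template):
    """Return sorted (logical_id, finding) pairs; finding names are hypothetical."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})

        if rtype == "AWS::EC2::SecurityGroup":
            # Ingress rules whose source is the whole internet (IPv4 or IPv6).
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") in OPEN_CIDRS or rule.get("CidrIpv6") in OPEN_CIDRS:
                    findings.append((logical_id, "ingress-open-to-internet"))
                    break

        elif rtype == "AWS::ElasticLoadBalancingV2::Listener":
            # An HTTP listener that only redirects is not reported; one that
            # forwards (or otherwise answers) serves traffic without TLS.
            actions = props.get("DefaultActions", [])
            serves_content = any(a.get("Type") != "redirect" for a in actions)
            if props.get("Protocol") == "HTTP" and serves_content:
                findings.append((logical_id, "plaintext-http-listener"))

        elif rtype == "AWS::ECS::Service":
            # ECS Exec gives interactive command access to running containers.
            if _is_true(props.get("EnableExecuteCommand")):
                findings.append((logical_id, "ecs-exec-enabled"))
            awsvpc = props.get("NetworkConfiguration", {}).get("AwsvpcConfiguration", {})
            if awsvpc.get("AssignPublicIp") == "ENABLED":
                findings.append((logical_id, "task-has-public-ip"))

    return sorted(findings)


if __name__ == "__main__":
    for logical_id, finding in review_template(TEMPLATE_EXCERPT):
        print(f"{logical_id}: {finding}")
```

The open ingress on `ALBSecurityGroup` is expected for a load balancer whose `Scheme` is `internet-facing`; the other two findings are the ones to decide on before reusing the template outside a tutorial.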

------
#### [ YAML ]

```
AWSTemplateFormatVersion: '2010-09-09'
Description: '[AWSDocs] ECS: load-balanced-web-application'

Parameters:
  VpcCidr:
    Type: String
    Default: '10.0.0.0/16'
    Description: CIDR block for the VPC
  ContainerImage:
    Type: String
    Default: 'public.ecr.aws/ecs-sample-image/amazon-ecs-sample:latest'
    Description: Container image to use in task definition

  PublicSubnet1Cidr:
    Type: String
    Default: '10.0.1.0/24'
    Description: CIDR block for public subnet 1
  
  PublicSubnet2Cidr:
    Type: String
    Default: '10.0.2.0/24'
    Description: CIDR block for public subnet 2
  
  PrivateSubnet1Cidr:
    Type: String
    Default: '10.0.3.0/24'
    Description: CIDR block for private subnet 1
  
  PrivateSubnet2Cidr:
    Type: String
    Default: '10.0.4.0/24'
    Description: CIDR block for private subnet 2
  
  ServiceName:
    Type: String
    Default: 'tutorial-app'
    Description: Name of the ECS service
  
  ContainerPort:
    Type: Number
    Default: 80
    Description: Port on which the container listens
  
  DesiredCount:
    Type: Number
    Default: 2
    Description: Desired number of tasks
  
  MinCapacity:
    Type: Number
    Default: 1
    Description: Minimum number of tasks for auto scaling
  
  MaxCapacity:
    Type: Number
    Default: 10
    Description: Maximum number of tasks for auto scaling

Resources:
  # VPC and Networking
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-vpc'

  # Internet Gateway
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-igw'

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC

  # Public Subnets for ALB
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !Ref PublicSubnet1Cidr
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-public-subnet-1'

  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: !Ref PublicSubnet2Cidr
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-public-subnet-2'

  # Private Subnets for ECS Tasks
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !Ref PrivateSubnet1Cidr
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-private-subnet-1'

  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: !Ref PrivateSubnet2Cidr
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-private-subnet-2'

  # NAT Gateways for private subnet internet access
  NatGateway1EIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-nat-eip-1'

  NatGateway2EIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-nat-eip-2'

  NatGateway1:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGateway1EIP.AllocationId
      SubnetId: !Ref PublicSubnet1
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-nat-1'

  NatGateway2:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatGateway2EIP.AllocationId
      SubnetId: !Ref PublicSubnet2
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-nat-2'

  # Route Tables
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-public-routes'

  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1

  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet2

  PrivateRouteTable1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-private-routes-1'

  DefaultPrivateRoute1:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable1
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway1

  PrivateSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable1
      SubnetId: !Ref PrivateSubnet1

  PrivateRouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-private-routes-2'

  DefaultPrivateRoute2:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable2
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway2

  PrivateSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable2
      SubnetId: !Ref PrivateSubnet2

  # Security Groups
  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub '${AWS::StackName}-alb-sg'
      GroupDescription: Security group for Application Load Balancer
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: Allow HTTP traffic from internet
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-alb-sg'

  ECSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub '${AWS::StackName}-ecs-sg'
      GroupDescription: Security group for ECS tasks
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref ContainerPort
          ToPort: !Ref ContainerPort
          SourceSecurityGroupId: !Ref ALBSecurityGroup
          Description: Allow traffic from ALB
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-ecs-sg'

  # Application Load Balancer
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Sub '${AWS::StackName}-alb'
      Scheme: internet-facing
      Type: application
      Subnets:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
      SecurityGroups:
        - !Ref ALBSecurityGroup
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-alb'

  ALBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Sub '${AWS::StackName}-tg'
      Port: !Ref ContainerPort
      Protocol: HTTP
      VpcId: !Ref VPC
      TargetType: ip
      HealthCheckIntervalSeconds: 30
      HealthCheckPath: /
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 5
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-tg'

  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref ALBTargetGroup
      LoadBalancerArn: !Ref ApplicationLoadBalancer
      Port: 80
      Protocol: HTTP

  # ECS Cluster
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Sub '${AWS::StackName}-cluster'
      CapacityProviders:
        - FARGATE
        - FARGATE_SPOT
      DefaultCapacityProviderStrategy:
        - CapacityProvider: FARGATE
          Weight: 1
        - CapacityProvider: FARGATE_SPOT
          Weight: 4
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-cluster'

  # IAM Roles
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${AWS::StackName}-task-execution-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-task-execution-role'

  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${AWS::StackName}-task-role'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-task-role'

  # CloudWatch Log Group
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/ecs/${AWS::StackName}'
      RetentionInDays: 7

  # ECS Task Definition
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Sub '${AWS::StackName}-task'
      Cpu: '256'
      Memory: '512'
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn
      TaskRoleArn: !GetAtt ECSTaskRole.Arn
      ContainerDefinitions:
        - Name: !Ref ServiceName
          Image: !Ref ContainerImage
          PortMappings:
            - ContainerPort: !Ref ContainerPort
              Protocol: tcp
          Essential: true
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref LogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
          HealthCheck:
            Command:
              - CMD-SHELL
              - curl -f http://localhost/ || exit 1
            Interval: 30
            Timeout: 5
            Retries: 3
            StartPeriod: 60
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-task'

  # ECS Service
  ECSService:
    Type: AWS::ECS::Service
    DependsOn: ALBListener
    Properties:
      ServiceName: !Sub '${AWS::StackName}-service'
      Cluster: !Ref ECSCluster
      TaskDefinition: !Ref TaskDefinition
      DesiredCount: !Ref DesiredCount
      LaunchType: FARGATE
      PlatformVersion: LATEST
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups:
            - !Ref ECSSecurityGroup
          Subnets:
            - !Ref PrivateSubnet1
            - !Ref PrivateSubnet2
      LoadBalancers:
        - ContainerName: !Ref ServiceName
          ContainerPort: !Ref ContainerPort
          TargetGroupArn: !Ref ALBTargetGroup
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 50
        DeploymentCircuitBreaker:
          Enable: true
          Rollback: true
      EnableExecuteCommand: true  # For debugging
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-service'

  # Auto Scaling Target
  ServiceScalingTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    Properties:
      MaxCapacity: !Ref MaxCapacity
      MinCapacity: !Ref MinCapacity
      ResourceId: !Sub 'service/${ECSCluster}/${ECSService.Name}'
      RoleARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService'
      ScalableDimension: ecs:service:DesiredCount
      ServiceNamespace: ecs

  # Auto Scaling Policy - CPU Utilization
  ServiceScalingPolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: !Sub '${AWS::StackName}-cpu-scaling-policy'
      PolicyType: TargetTrackingScaling
      ScalingTargetId: !Ref ServiceScalingTarget
      TargetTrackingScalingPolicyConfiguration:
        PredefinedMetricSpecification:
          PredefinedMetricType: ECSServiceAverageCPUUtilization
        TargetValue: 70.0
        ScaleOutCooldown: 300
        ScaleInCooldown: 300

Outputs:
  VPCId:
    Description: VPC ID
    Value: !Ref VPC
    Export:
      Name: !Sub '${AWS::StackName}-VPC-ID'

  LoadBalancerURL:
    Description: URL of the Application Load Balancer
    Value: !Sub 'http://${ApplicationLoadBalancer.DNSName}'
    Export:
      Name: !Sub '${AWS::StackName}-ALB-URL'

  ECSClusterName:
    Description: Name of the ECS Cluster
    Value: !Ref ECSCluster
    Export:
      Name: !Sub '${AWS::StackName}-ECS-Cluster'

  ECSServiceName:
    Description: Name of the ECS Service
    Value: !GetAtt ECSService.Name
    Export:
      Name: !Sub '${AWS::StackName}-ECS-Service'

  PrivateSubnet1:
    Description: Private Subnet 1 ID
    Value: !Ref PrivateSubnet1
    Export:
      Name: !Sub '${AWS::StackName}-Private-Subnet-1'

  PrivateSubnet2:
    Description: Private Subnet 2 ID
    Value: !Ref PrivateSubnet2
    Export:
      Name: !Sub '${AWS::StackName}-Private-Subnet-2'
```

------

### Deploy a service with ECS Exec turned on
<a name="service-ecs-exec"></a>

You can use the following template to deploy a service with ECS Exec enabled. The service runs in a cluster with a KMS key to encrypt ECS Exec sessions and a log configuration that redirects execute command session logs to an Amazon S3 bucket. For more information, see [Monitor Amazon ECS containers with ECS Exec](ecs-exec.md).

------
#### [ JSON ]

```
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "ECS Cluster with Fargate Service and Task Definition and ECS Exec enabled.",
    "Parameters": {
        "ClusterName": {
            "Type": "String",
            "Default": "CFNCluster",
            "Description": "Name of the ECS Cluster"
        },
        "S3BucketName": {
            "Type": "String",
            "Default": "amzn-s3-demo-bucket",
            "Description": "S3 bucket for ECS execute command logs"
        },
        "KmsKeyId": {
            "Type": "String",
            "Default": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Description": "KMS Key ID for ECS execute command encryption"
        },
        "ContainerImage": {
            "Type": "String",
            "Default": "public.ecr.aws/docker/library/httpd:2.4",
            "Description": "Container image to use for the task"
        },
        "ContainerCpu": {
            "Type": "Number",
            "Default": 256,
            "AllowedValues": [256, 512, 1024, 2048, 4096],
            "Description": "CPU units for the container (256 = 0.25 vCPU)"
        },
        "ContainerMemory": {
            "Type": "Number",
            "Default": 512,
            "AllowedValues": [512, 1024, 2048, 3072, 4096, 5120, 6144, 7168, 8192],
            "Description": "Memory for the container (in MiB)"
        },
        "DesiredCount": {
            "Type": "Number",
            "Default": 1,
            "Description": "Desired count of tasks in the service"
        },
        "SecurityGroups": {
            "Type": "List<AWS::EC2::SecurityGroup::Id>",
            "Description": "Security Group IDs for the ECS Service"
        },
        "Subnets": {
            "Type": "List<AWS::EC2::Subnet::Id>",
            "Description": "Subnet IDs for the ECS Service"
        },
        "ServiceName": {
            "Type": "String",
            "Default": "cfn-service",
            "Description": "Name of the ECS service"
        },
        "TaskFamily": {
            "Type": "String",
            "Default": "task-definition-cfn",
            "Description": "Family name for the task definition"
        },
        "TaskExecutionRoleArn": {
            "Type": "String",
            "Description": "ARN of an existing IAM role for ECS task execution",
            "Default": "arn:aws:iam::111122223333:role/ecsTaskExecutionRole"
        },
        "TaskRoleArn": {
            "Type": "String",
            "Description": "ARN of an existing IAM role for ECS tasks",
            "Default": "arn:aws:iam::111122223333:role/execTaskRole"
        }
    },
    "Resources": {
        "ECSCluster": {
            "Type": "AWS::ECS::Cluster",
            "Properties": {
                "ClusterName": {"Ref": "ClusterName"},
                "Configuration": {
                    "ExecuteCommandConfiguration": {
                        "Logging": "OVERRIDE",
                        "LogConfiguration": {
                            "S3BucketName": {"Ref": "S3BucketName"}
                        },
                        "KmsKeyId": {"Ref": "KmsKeyId"}
                    }
                },
                "Tags": [
                    {
                        "Key": "Environment",
                        "Value": {"Ref": "AWS::StackName"}
                    }
                ]
            }
        },
        "ECSTaskDefinition": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {
                "ContainerDefinitions": [
                    {
                        "Command": [
                            "/bin/sh -c \"echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' >  /usr/local/apache2/htdocs/index.html && httpd-foreground\""
                        ],
                        "EntryPoint": [
                            "sh",
                            "-c"
                        ],
                        "Essential": true,
                        "Image": {"Ref": "ContainerImage"},
                        "LogConfiguration": {
                            "LogDriver": "awslogs",
                            "Options": {
                                "mode": "non-blocking",
                                "max-buffer-size": "25m",
                                "awslogs-create-group": "true",
                                "awslogs-group": {"Fn::Sub": "/ecs/${AWS::StackName}"},
                                "awslogs-region": {"Ref": "AWS::Region"},
                                "awslogs-stream-prefix": "ecs"
                            }
                        },
                        "Name": "sample-fargate-app",
                        "PortMappings": [
                            {
                                "ContainerPort": 80,
                                "HostPort": 80,
                                "Protocol": "tcp"
                            }
                        ]
                    }
                ],
                "Cpu": {"Ref": "ContainerCpu"},
                "ExecutionRoleArn": {"Ref": "TaskExecutionRoleArn"},
                "TaskRoleArn": {"Ref": "TaskRoleArn"},
                "Family": {"Ref": "TaskFamily"},
                "Memory": {"Ref": "ContainerMemory"},
                "NetworkMode": "awsvpc",
                "RequiresCompatibilities": [
                    "FARGATE"
                ],
                "RuntimePlatform": {
                    "OperatingSystemFamily": "LINUX"
                },
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {"Fn::Sub": "${AWS::StackName}-TaskDefinition"}
                    }
                ]
            }
        },
        "ECSService": {
            "Type": "AWS::ECS::Service",
            "Properties": {
                "ServiceName": {"Ref": "ServiceName"},
                "Cluster": {"Ref": "ECSCluster"},
                "DesiredCount": {"Ref": "DesiredCount"},
                "EnableExecuteCommand": true,
                "LaunchType": "FARGATE",
                "NetworkConfiguration": {
                    "AwsvpcConfiguration": {
                        "AssignPublicIp": "ENABLED",
                        "SecurityGroups": {"Ref": "SecurityGroups"},
                        "Subnets": {"Ref": "Subnets"}
                    }
                },
                "TaskDefinition": {"Ref": "ECSTaskDefinition"},
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": {"Fn::Sub": "${AWS::StackName}-Service"}
                    }
                ]
            }
        }
    },
    "Outputs": {
        "ClusterName": {
            "Description": "The name of the ECS cluster",
            "Value": {"Ref": "ECSCluster"}
        },
        "ServiceName": {
            "Description": "The name of the ECS service",
            "Value": {"Ref": "ServiceName"}
        },
        "TaskDefinitionArn": {
            "Description": "The ARN of the task definition",
            "Value": {"Ref": "ECSTaskDefinition"}
        },
        "ClusterArn": {
            "Description": "The ARN of the ECS cluster",
            "Value": {"Fn::GetAtt": ["ECSCluster", "Arn"]}
        },
        "StackName": {
            "Description": "The name of this stack",
            "Value": {"Ref": "AWS::StackName"}
        },
        "StackId": {
            "Description": "The unique identifier for this stack",
            "Value": {"Ref": "AWS::StackId"}
        },
        "Region": {
            "Description": "The AWS Region where the stack is deployed",
            "Value": {"Ref": "AWS::Region"}
        },
        "AccountId": {
            "Description": "The AWS Account ID",
            "Value": {"Ref": "AWS::AccountId"}
        }
    }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: '2010-09-09'
Description: ECS Cluster with Fargate Service and Task Definition and ECS Exec enabled.
Parameters:
  ClusterName:
    Type: String
    Default: CFNCluster
    Description: Name of the ECS Cluster
  S3BucketName:
    Type: String
    Default: amzn-s3-demo-bucket
    Description: S3 bucket for ECS execute command logs
  KmsKeyId:
    Type: String
    Default: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
    Description: KMS Key ID for ECS execute command encryption
  ContainerImage:
    Type: String
    Default: public.ecr.aws/docker/library/httpd:2.4
    Description: Container image to use for the task
  ContainerCpu:
    Type: Number
    Default: 256
    AllowedValues: [256, 512, 1024, 2048, 4096]
    Description: CPU units for the container (256 = 0.25 vCPU)
  ContainerMemory:
    Type: Number
    Default: 512
    AllowedValues: [512, 1024, 2048, 3072, 4096, 5120, 6144, 7168, 8192]
    Description: Memory for the container (in MiB)
  DesiredCount:
    Type: Number
    Default: 1
    Description: Desired count of tasks in the service
  SecurityGroups:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: Security Group IDs for the ECS Service
  Subnets:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for the ECS Service
  ServiceName:
    Type: String
    Default: cfn-service
    Description: Name of the ECS service
  TaskFamily:
    Type: String
    Default: task-definition-cfn
    Description: Family name for the task definition
  TaskExecutionRoleArn:
    Type: String
    Description: ARN of an existing IAM role for ECS task execution
    Default: 'arn:aws:iam::111122223333:role/ecsTaskExecutionRole'
  TaskRoleArn:
    Type: String
    Description: ARN of an existing IAM role for ECS tasks
    Default: 'arn:aws:iam::111122223333:role/execTaskRole'
Resources:
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref ClusterName
      Configuration:
        ExecuteCommandConfiguration:
          Logging: OVERRIDE
          LogConfiguration:
            S3BucketName: !Ref S3BucketName
          KmsKeyId: !Ref KmsKeyId
      Tags:
        - Key: Environment
          Value: !Ref AWS::StackName
  ECSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Command:
            - >-
              /bin/sh -c "echo '<html> <head> <title>Amazon ECS Sample
              App</title> <style>body {margin-top: 40px; background-color:
              #333;} </style> </head><body> <div
              style=color:white;text-align:center> <h1>Amazon ECS Sample
              App</h1> <h2>Congratulations!</h2> <p>Your application is now
              running on a container in Amazon ECS.</p> </div></body></html>' > 
              /usr/local/apache2/htdocs/index.html && httpd-foreground"
          EntryPoint:
            - sh
            - '-c'
          Essential: true
          Image: !Ref ContainerImage
          LogConfiguration:
            LogDriver: awslogs
            Options:
              mode: non-blocking
              max-buffer-size: 25m
              awslogs-create-group: 'true'
              awslogs-group: !Sub /ecs/${AWS::StackName}
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
          Name: sample-fargate-app
          PortMappings:
            - ContainerPort: 80
              HostPort: 80
              Protocol: tcp
      Cpu: !Ref ContainerCpu
      ExecutionRoleArn: !Ref TaskExecutionRoleArn
      TaskRoleArn: !Ref TaskRoleArn
      Family: !Ref TaskFamily
      Memory: !Ref ContainerMemory
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        OperatingSystemFamily: LINUX
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-TaskDefinition
  ECSService:
    Type: AWS::ECS::Service
    Properties:
      ServiceName: !Ref ServiceName
      Cluster: !Ref ECSCluster
      DesiredCount: !Ref DesiredCount
      EnableExecuteCommand: true
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups: !Ref SecurityGroups
          Subnets: !Ref Subnets
      TaskDefinition: !Ref ECSTaskDefinition
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-Service
Outputs:
  ClusterName:
    Description: The name of the ECS cluster
    Value: !Ref ECSCluster
  ServiceName:
    Description: The name of the ECS service
    Value: !Ref ServiceName
  TaskDefinitionArn:
    Description: The ARN of the task definition
    Value: !Ref ECSTaskDefinition
  ClusterArn:
    Description: The ARN of the ECS cluster
    Value: !GetAtt ECSCluster.Arn
  StackName:
    Description: The name of this stack
    Value: !Ref AWS::StackName
  StackId:
    Description: The unique identifier for this stack
    Value: !Ref AWS::StackId
  Region:
    Description: The AWS Region where the stack is deployed
    Value: !Ref AWS::Region
  AccountId:
    Description: The AWS Account ID
    Value: !Ref AWS::AccountId
```

------
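The ECS Exec settings this template relies on (a KMS key on the cluster, plus `Logging` and a log destination under `ExecuteCommandConfiguration`) can be checked before a stack is created. The following Python script is an added example, not part of the AWS template or documentation; the finding names and both sample templates are constructed for illustration, and it reads only the JSON form of a template.

```python
import json

# Constructed sample: the Exec-related parts of the template above, trimmed.
PAGE_LIKE = json.loads("""
{"Resources": {
  "ECSCluster": {"Type": "AWS::ECS::Cluster", "Properties": {"Configuration": {
    "ExecuteCommandConfiguration": {
      "Logging": "OVERRIDE",
      "LogConfiguration": {"S3BucketName": {"Ref": "S3BucketName"}},
      "KmsKeyId": {"Ref": "KmsKeyId"}}}}},
  "ECSService": {"Type": "AWS::ECS::Service", "Properties": {
    "Cluster": {"Ref": "ECSCluster"}, "EnableExecuteCommand": true}}
}}
""")

# Constructed weak variant: no KMS key, session logging off, and one service
# whose cluster is defined outside the template.
WEAK = {"Resources": {
    "Cluster": {"Type": "AWS::ECS::Cluster", "Properties": {"Configuration": {
        "ExecuteCommandConfiguration": {"Logging": "NONE"}}}},
    "DebugService": {"Type": "AWS::ECS::Service", "Properties": {
        "Cluster": {"Ref": "Cluster"}, "EnableExecuteCommand": "true"}},
    "ExternalService": {"Type": "AWS::ECS::Service", "Properties": {
        "Cluster": "shared-cluster", "EnableExecuteCommand": True}},
    "PlainService": {"Type": "AWS::ECS::Service", "Properties": {
        "Cluster": {"Ref": "Cluster"}}},
}}


def is_true(value):
    """CloudFormation accepts both JSON true and the string "true"."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def referenced_logical_id(value):
    """Return the logical ID behind {"Ref": X} or {"Fn::GetAtt": [X, ...]}."""
    if isinstance(value, dict):
        if isinstance(value.get("Ref"), str):
            return value["Ref"]
        get_att = value.get("Fn::GetAtt")
        if isinstance(get_att, list) and get_att:
            return get_att[0]
        if isinstance(get_att, str):
            return get_att.split(".")[0]
    return None


def audit_exec_config(exec_cfg):
    """Findings for one ExecuteCommandConfiguration dict (may be empty)."""
    findings = []
    if not exec_cfg.get("KmsKeyId"):
        findings.append("no-kms-key")
    logging = exec_cfg.get("Logging", "DEFAULT")  # treated as DEFAULT when unset
    log_cfg = exec_cfg.get("LogConfiguration") or {}
    if logging == "NONE":
        findings.append("session-logging-disabled")
    elif logging == "OVERRIDE":
        s3 = log_cfg.get("S3BucketName")
        cw = log_cfg.get("CloudWatchLogGroupName")
        if not s3 and not cw:
            findings.append("override-without-destination")
        if s3 and not is_true(log_cfg.get("S3EncryptionEnabled")):
            findings.append("s3-encryption-flag-not-set")
        if cw and not is_true(log_cfg.get("CloudWatchEncryptionEnabled")):
            findings.append("cloudwatch-encryption-flag-not-set")
    return findings


def audit_ecs_exec(template):
    """Return sorted (service_logical_id, finding) pairs for Exec-enabled services."""
    resources = template.get("Resources", {})
    results = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::ECS::Service":
            continue
        props = res.get("Properties", {})
        if not is_true(props.get("EnableExecuteCommand")):
            continue  # ECS Exec is off for this service; nothing to check
        cluster = resources.get(referenced_logical_id(props.get("Cluster")))
        if not cluster or cluster.get("Type") != "AWS::ECS::Cluster":
            # Cluster lives elsewhere, so its Exec settings cannot be verified here.
            results.append((name, "cluster-not-in-template"))
            continue
        exec_cfg = (cluster.get("Properties", {})
                    .get("Configuration", {})
                    .get("ExecuteCommandConfiguration", {}))
        results.extend((name, finding) for finding in audit_exec_config(exec_cfg))
    return sorted(results)


if __name__ == "__main__":
    for label, template in (("page-like", PAGE_LIKE), ("weak", WEAK)):
        for service, finding in audit_ecs_exec(template):
            print(f"{label}: {service}: {finding}")
```

A YAML template that uses short-form tags such as `!Ref` has to be converted to JSON before it can be passed to `audit_ecs_exec`.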

### Deploy a service that uses Amazon VPC Lattice
<a name="service-vpc-lattice"></a>

You can use the following template to get started with creating an Amazon ECS service with VPC Lattice. You might need to complete the following additional steps to set up VPC Lattice:
+ Update your security group inbound rules for VPC Lattice to allow the `vpc-lattice` prefix in an inbound rule and to allow traffic on port 80.
+ Associate the service's VPC with a VPC Lattice service network.
+ Configure a private or public hosted zone with Amazon Route 53.
+ Configure the listeners and listener rules in a VPC Lattice service.
+ Verify the target group health check configurations.

For more information about using VPC Lattice with Amazon ECS, see [Use Amazon VPC Lattice to connect, observe, and secure your Amazon ECS services](ecs-vpc-lattice.md).

------
#### [ JSON ]

```
{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "The template used to create an ECS Service with VPC Lattice.",
	"Parameters": {
		"ECSClusterName": {
			"Type": "String",
			"Default": "vpc-lattice-cluster"
		},
		"ECSServiceName": {
			"Type": "String",
			"Default": "vpc-lattice-service"
		},
		"SecurityGroupIDs": {
			"Type": "List<AWS::EC2::SecurityGroup::Id>",
			"Description": "Security Group IDs for the ECS Service"
		},
		"SubnetIDs": {
			"Type": "List<AWS::EC2::Subnet::Id>",
			"Description": "Subnet IDs for the ECS Service"
		},
		"VpcID": {
			"Type": "AWS::EC2::VPC::Id",
			"Description": "VPC ID for the resources"
		},
		"ContainerImage": {
			"Type": "String",
			"Default": "public.ecr.aws/docker/library/httpd:2.4",
			"Description": "Container image to use for the task"
		},
		"TaskCpu": {
			"Type": "Number",
			"Default": 256,
			"AllowedValues": [256, 512, 1024, 2048, 4096],
			"Description": "CPU units for the task"
		},
		"TaskMemory": {
			"Type": "Number",
			"Default": 512,
			"AllowedValues": [512, 1024, 2048, 4096, 8192, 16384],
			"Description": "Memory (in MiB) for the task"
		},
		"LogGroupName": {
			"Type": "String",
			"Default": "/ecs/vpc-lattice-task",
			"Description": "CloudWatch Log Group name"
		},
		"EnableContainerInsights": {
			"Type": "String",
			"Default": "enabled",
			"AllowedValues": ["enabled", "disabled"],
			"Description": "Enable or disable CloudWatch Container Insights for the cluster"
		}
	},
	"Resources": {
		"ECSCluster": {
			"Type": "AWS::ECS::Cluster",
			"Properties": {
				"ClusterName": {"Ref": "ECSClusterName"},
				"ClusterSettings": [
					{
						"Name": "containerInsights",
						"Value": {"Ref": "EnableContainerInsights"}
					}
				],
				"Tags": [
					{
						"Key": "Name",
						"Value": {"Ref": "ECSClusterName"}
					}
				]
			}
		},
		"ECSTaskExecutionRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": "ecs-tasks.amazonaws.com"
							},
							"Action": "sts:AssumeRole"
						}
					]
				},
				"ManagedPolicyArns": [
					"arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
				]
			}
		},
		"TaskLogGroup": {
			"Type": "AWS::Logs::LogGroup",
			"DeletionPolicy": "Retain",
			"UpdateReplacePolicy": "Retain",
			"Properties": {
				"LogGroupName": {"Ref": "LogGroupName"},
				"RetentionInDays": 30
			}
		},
		"VpcLatticeTaskDefinition": {
			"Type": "AWS::ECS::TaskDefinition",
			"Properties": {
				"ContainerDefinitions": [
					{
						"Command": [
						 "/bin/sh -c \"echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' >  /usr/local/apache2/htdocs/index.html && httpd-foreground\""
						],
						"EntryPoint": [
							"sh",
							"-c"
						],
						"Essential": true,
						"Image": {"Ref": "ContainerImage"},
						"LogConfiguration": {
							"LogDriver": "awslogs",
							"Options": {
								"mode": "non-blocking",
								"max-buffer-size": "25m",
								"awslogs-create-group": "true",
								"awslogs-group": {"Ref": "LogGroupName"},
								"awslogs-region": {"Ref": "AWS::Region"},
								"awslogs-stream-prefix": "ecs"
							}
						},
						"Name": "vpc-lattice-container",
						"PortMappings": [
							{
								"ContainerPort": 80,
								"HostPort": 80,
								"Protocol": "tcp",
								"Name": "vpc-lattice-port"
							}
						]
					}
				],
				"Cpu": {"Ref": "TaskCpu"},
				"ExecutionRoleArn": {"Fn::GetAtt": ["ECSTaskExecutionRole", "Arn"]},
				"Family": "vpc-lattice-task-definition",
				"Memory": {"Ref": "TaskMemory"},
				"NetworkMode": "awsvpc",
				"RequiresCompatibilities": [
					"FARGATE"
				],
				"RuntimePlatform": {
					"OperatingSystemFamily": "LINUX"
				}
			}
		},
		"ECSService": {
			"Type": "AWS::ECS::Service",
			"Properties": {
				"Cluster": {"Ref": "ECSCluster"},
				"TaskDefinition": {"Ref": "VpcLatticeTaskDefinition"},
				"LaunchType": "FARGATE",
				"ServiceName": {"Ref": "ECSServiceName"},
				"SchedulingStrategy": "REPLICA",
				"DesiredCount": 2,
				"AvailabilityZoneRebalancing": "ENABLED",
				"NetworkConfiguration": {
					"AwsvpcConfiguration": {
						"AssignPublicIp": "ENABLED",
						"SecurityGroups": {
							"Ref": "SecurityGroupIDs"
						},
						"Subnets": {
							"Ref": "SubnetIDs"
						}
					}
				},
				"PlatformVersion": "LATEST",
				"VpcLatticeConfigurations": [
					{
						"RoleArn": "arn:aws:iam::111122223333:role/ecsInfrastructureRole",
						"PortName": "vpc-lattice-port",
						"TargetGroupArn": {
							"Ref": "TargetGroup1"
						}
					}
				],
				"DeploymentConfiguration": {
					"DeploymentCircuitBreaker": {
						"Enable": true,
						"Rollback": true
					},
					"MaximumPercent": 200,
					"MinimumHealthyPercent": 100
				},
				"DeploymentController": {
					"Type": "ECS"
				},
				"ServiceConnectConfiguration": {
					"Enabled": false
				},
				"Tags": [],
				"EnableECSManagedTags": true
			}
		},
		"TargetGroup1": {
			"Type": "AWS::VpcLattice::TargetGroup",
			"Properties": {
				"Type": "IP",
				"Name": "first-target-group",
				"Config": {
					"Port": 80,
					"Protocol": "HTTP",
					"VpcIdentifier": {"Ref": "VpcID"},
					"HealthCheck": {
						"Enabled": true,
						"Path": "/"
					}
				},
				"Tags": [
					{
						"Key": "ecs-application-networking/ServiceName",
						"Value": {"Ref": "ECSServiceName"}
					},
					{
						"Key": "ecs-application-networking/ClusterName",
						"Value": {"Ref": "ECSClusterName"}
					},
					{
						"Key": "ecs-application-networking/TaskDefinition",
						"Value": {"Ref": "VpcLatticeTaskDefinition"}
					},
					{
						"Key": "ecs-application-networking/VpcId",
						"Value": {"Ref": "VpcID"}
					}
				]
			}
		}
	},
	"Outputs": {
		"ClusterName": {
			"Description": "The cluster used to create the service.",
			"Value": {
				"Ref": "ECSCluster"
			}
		},
		"ClusterArn": {
			"Description": "The ARN of the ECS cluster",
			"Value": {
				"Fn::GetAtt": ["ECSCluster", "Arn"]
			}
		},
		"ECSService": {
			"Description": "The created service.",
			"Value": {
				"Ref": "ECSService"
			}
		},
		"TaskDefinitionArn": {
			"Description": "The ARN of the task definition",
			"Value": {
				"Ref": "VpcLatticeTaskDefinition"
			}
		}
	}
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: '2010-09-09'
Description: The template used to create an ECS Service with VPC Lattice.

Parameters:
  ECSClusterName:
    Type: String
    Default: vpc-lattice-cluster
  ECSServiceName:
    Type: String
    Default: vpc-lattice-service
  SecurityGroupIDs:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: Security Group IDs for the ECS Service
  SubnetIDs:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for the ECS Service
  VpcID:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID for the resources
  ContainerImage:
    Type: String
    Default: public.ecr.aws/docker/library/httpd:2.4
    Description: Container image to use for the task
  TaskCpu:
    Type: Number
    Default: 256
    AllowedValues: [256, 512, 1024, 2048, 4096]
    Description: CPU units for the task
  TaskMemory:
    Type: Number
    Default: 512
    AllowedValues: [512, 1024, 2048, 4096, 8192, 16384]
    Description: Memory (in MiB) for the task
  LogGroupName:
    Type: String
    Default: /ecs/vpc-lattice-task
    Description: CloudWatch Log Group name
  EnableContainerInsights:
    Type: String
    Default: 'enhanced'
    AllowedValues: ['enabled', 'disabled', 'enhanced']
    Description: Enable or disable CloudWatch Container Insights for the cluster

Resources:
  # ECS Cluster
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref ECSClusterName
      ClusterSettings:
        - Name: containerInsights
          Value: !Ref EnableContainerInsights
      Tags:
        - Key: Name
          Value: !Ref ECSClusterName

  # IAM Roles
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # CloudWatch Logs
  TaskLogGroup:
    Type: AWS::Logs::LogGroup
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      LogGroupName: !Ref LogGroupName
      RetentionInDays: 30

  # Task Definition
  VpcLatticeTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Command:
            - >-
              /bin/sh -c "echo '<html> <head> <title>Amazon ECS Sample
              App</title> <style>body {margin-top: 40px; background-color:
              #333;} </style> </head><body> <div
              style=color:white;text-align:center> <h1>Amazon ECS Sample
              App</h1> <h2>Congratulations!</h2> <p>Your application is now
              running on a container in Amazon ECS.</p> </div></body></html>' > 
              /usr/local/apache2/htdocs/index.html && httpd-foreground"
          EntryPoint:
            - sh
            - '-c'
          Essential: true
          Image: !Ref ContainerImage
          LogConfiguration:
            LogDriver: awslogs
            Options:
              mode: non-blocking
              max-buffer-size: 25m
              awslogs-create-group: 'true'
              awslogs-group: !Ref LogGroupName
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: ecs
          Name: vpc-lattice-container
          PortMappings:
            - ContainerPort: 80
              HostPort: 80
              Protocol: tcp
              Name: vpc-lattice-port
      Cpu: !Ref TaskCpu
      ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn
      Family: vpc-lattice-task-definition
      Memory: !Ref TaskMemory
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        OperatingSystemFamily: LINUX

  ECSService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ECSCluster
      TaskDefinition: !Ref VpcLatticeTaskDefinition
      LaunchType: FARGATE
      ServiceName: !Ref ECSServiceName
      SchedulingStrategy: REPLICA
      DesiredCount: 2
      AvailabilityZoneRebalancing: ENABLED
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups: !Ref SecurityGroupIDs
          Subnets: !Ref SubnetIDs
      PlatformVersion: LATEST
      VpcLatticeConfigurations:
        - RoleArn: arn:aws:iam::111122223333:role/ecsInfrastructureRole
          PortName: vpc-lattice-port
          TargetGroupArn: !Ref TargetGroup1
      DeploymentConfiguration:
        DeploymentCircuitBreaker:
          Enable: true
          Rollback: true
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DeploymentController:
        Type: ECS
      ServiceConnectConfiguration:
        Enabled: false
      Tags: []
      EnableECSManagedTags: true

  TargetGroup1:
    Type: AWS::VpcLattice::TargetGroup
    Properties:
      Type: IP
      Name: first-target-group
      Config:
        Port: 80
        Protocol: HTTP
        VpcIdentifier: !Ref VpcID
        HealthCheck:
          Enabled: true
          Path: /
      Tags:
        - Key: ecs-application-networking/ServiceName
          Value: !Ref ECSServiceName
        - Key: ecs-application-networking/ClusterName
          Value: !Ref ECSClusterName
        - Key: ecs-application-networking/TaskDefinition
          Value: !Ref VpcLatticeTaskDefinition
        - Key: ecs-application-networking/VpcId
          Value: !Ref VpcID

Outputs:
  ClusterName:
    Description: The cluster used to create the service.
    Value: !Ref ECSCluster
  ClusterArn:
    Description: The ARN of the ECS cluster
    Value: !GetAtt ECSCluster.Arn
  ECSService:
    Description: The created service.
    Value: !Ref ECSService
  TaskDefinitionArn:
    Description: The ARN of the task definition
    Value: !Ref VpcLatticeTaskDefinition
```

------

### Deploy a service with a volume configuration
<a name="deploy-service-volume-configuration"></a>

The following template includes a volume configuration in the service definition. Amazon ECS supports configuring the following data volumes at launch by using a volume configuration: Amazon EBS volumes. For more information about Amazon EBS volumes, see [Use Amazon EBS volumes with Amazon ECS](ebs-volumes.md).

------
#### [ JSON ]

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "The template used to create an ECS Service that includes a volume configuration. The configuration is used to create Amazon EBS volumes for attachment to the tasks. One volume is attached per task.",
  "Parameters": {
    "ECSClusterName": {
      "Type": "String",
      "Default": "volume-config-cluster",
      "Description": "Name of the ECS cluster"
    },
    "SecurityGroupIDs": {
      "Type": "List<AWS::EC2::SecurityGroup::Id>",
      "Description": "Security Group IDs for the ECS Service"
    },
    "SubnetIDs": {
      "Type": "List<AWS::EC2::Subnet::Id>",
      "Description": "Subnet IDs for the ECS Service"
    },
    "InfrastructureRoleArn": {
      "Type": "String",
      "Description": "ARN of the IAM role that ECS will use to manage EBS volumes"
    },
    "ContainerImage": {
      "Type": "String",
      "Default": "public.ecr.aws/nginx/nginx:latest",
      "Description": "Container image to use for the task"
    },
    "TaskCpu": {
      "Type": "String",
      "Default": "2048",
      "Description": "CPU units for the task"
    },
    "TaskMemory": {
      "Type": "String",
      "Default": "4096",
      "Description": "Memory (in MiB) for the task"
    },
    "VolumeSize": {
      "Type": "String",
      "Default": "10",
      "Description": "Size of the EBS volume in GiB"
    },
    "VolumeType": {
      "Type": "String",
      "Default": "gp3",
      "AllowedValues": ["gp2", "gp3", "io1", "io2", "st1", "sc1", "standard"],
      "Description": "EBS volume type"
    },
    "VolumeIops": {
      "Type": "String",
      "Default": "3000",
      "Description": "IOPS for the EBS volume (required for io1, io2, and gp3)"
    },
    "VolumeThroughput": {
      "Type": "String",
      "Default": "125",
      "Description": "Throughput for the EBS volume (only for gp3)"
    },
    "FilesystemType": {
      "Type": "String",
      "Default": "xfs",
      "AllowedValues": ["xfs", "ext4"],
      "Description": "Filesystem type for the EBS volume"
    },
    "EnableContainerInsights": {
      "Type": "String",
      "Default": "enhanced",
      "AllowedValues": ["enabled", "disabled", "enhanced"],
      "Description": "Enable or disable CloudWatch Container Insights for the cluster"
    }
  },
  "Resources": {
    "ECSCluster": {
      "Type": "AWS::ECS::Cluster",
      "Properties": {
        "ClusterName": {"Ref": "ECSClusterName"},
        "ClusterSettings": [
          {
            "Name": "containerInsights",
            "Value": {"Ref": "EnableContainerInsights"}
          }
        ],
        "Tags": [
          {
            "Key": "Name",
            "Value": {"Ref": "ECSClusterName"}
          }
        ]
      }
    },
    "ECSTaskExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
        ]
      }
    },
    "EBSTaskDefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Family": "ebs-task-attach-task-def",
        "ExecutionRoleArn": {"Fn::GetAtt": ["ECSTaskExecutionRole", "Arn"]},
        "NetworkMode": "awsvpc",
        "RequiresCompatibilities": [
          "EC2",
          "FARGATE"
        ],
        "Cpu": {"Ref": "TaskCpu"},
        "Memory": {"Ref": "TaskMemory"},
        "ContainerDefinitions": [
          {
            "Name": "nginx",
            "Image": {"Ref": "ContainerImage"},
            "Essential": true,
            "PortMappings": [
              {
                "Name": "nginx-80-tcp",
                "ContainerPort": 80,
                "HostPort": 80,
                "Protocol": "tcp",
                "AppProtocol": "http"
              }
            ],
            "MountPoints": [
              {
                "SourceVolume": "ebs-vol",
                "ContainerPath": "/foo-container-path",
                "ReadOnly": false
              }
            ]
          }
        ],
        "Volumes": [
          {
            "Name": "ebs-vol",
            "ConfiguredAtLaunch": true
          }
        ]
      }
    },
    "ECSService": {
      "Type": "AWS::ECS::Service",
      "Properties": {
        "Cluster": {"Ref": "ECSCluster"},
        "TaskDefinition": {"Ref": "EBSTaskDefinition"},
        "LaunchType": "FARGATE",
        "ServiceName": "ebs",
        "SchedulingStrategy": "REPLICA",
        "DesiredCount": 1,
        "NetworkConfiguration": {
          "AwsvpcConfiguration": {
            "AssignPublicIp": "ENABLED",
            "SecurityGroups": {"Ref": "SecurityGroupIDs"},
            "Subnets": {"Ref": "SubnetIDs"}
          }
        },
        "PlatformVersion": "LATEST",
        "DeploymentConfiguration": {
          "MaximumPercent": 200,
          "MinimumHealthyPercent": 100,
          "DeploymentCircuitBreaker": {
            "Enable": true,
            "Rollback": true
          }
        },
        "DeploymentController": {
          "Type": "ECS"
        },
        "Tags": [],
        "EnableECSManagedTags": true,
        "VolumeConfigurations": [
          {
            "Name": "ebs-vol",
            "ManagedEBSVolume": {
              "RoleArn": {"Ref": "InfrastructureRoleArn"},
              "VolumeType": {"Ref": "VolumeType"},
              "Iops": {"Ref": "VolumeIops"},
              "Throughput": {"Ref": "VolumeThroughput"},
              "SizeInGiB": {"Ref": "VolumeSize"},
              "FilesystemType": {"Ref": "FilesystemType"},
              "TagSpecifications": [
                {
                  "ResourceType": "volume",
                  "PropagateTags": "TASK_DEFINITION"
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "ClusterName": {
      "Description": "The cluster used to create the service.",
      "Value": {"Ref": "ECSCluster"}
    },
    "ClusterArn": {
      "Description": "The ARN of the ECS cluster",
      "Value": {"Fn::GetAtt": ["ECSCluster", "Arn"]}
    },
    "ECSService": {
      "Description": "The created service.",
      "Value": {"Ref": "ECSService"}
    },
    "TaskDefinitionArn": {
      "Description": "The ARN of the task definition",
      "Value": {"Ref": "EBSTaskDefinition"}
    }
  }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: 2010-09-09
Description: The template used to create an ECS Service that includes a volume configuration. The configuration is used to create Amazon EBS volumes for attachment to the tasks. One volume is attached per task.
Parameters:
  ECSClusterName:
    Type: String
    Default: volume-config-cluster
    Description: Name of the ECS cluster
  
  SecurityGroupIDs:
    Type: List<AWS::EC2::SecurityGroup::Id>
    Description: Security Group IDs for the ECS Service
  
  SubnetIDs:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for the ECS Service
  
  InfrastructureRoleArn:
    Type: String
    Description: ARN of the IAM role that ECS will use to manage EBS volumes
  
  ContainerImage:
    Type: String
    Default: public.ecr.aws/nginx/nginx:latest
    Description: Container image to use for the task
  
  TaskCpu:
    Type: String
    Default: "2048"
    Description: CPU units for the task
  
  TaskMemory:
    Type: String
    Default: "4096"
    Description: Memory (in MiB) for the task
  
  VolumeSize:
    Type: String
    Default: "10"
    Description: Size of the EBS volume in GiB
  
  VolumeType:
    Type: String
    Default: gp3
    AllowedValues: [gp2, gp3, io1, io2, st1, sc1, standard]
    Description: EBS volume type
  
  VolumeIops:
    Type: String
    Default: "3000"
    Description: IOPS for the EBS volume (required for io1, io2, and gp3)
  
  VolumeThroughput:
    Type: String
    Default: "125"
    Description: Throughput for the EBS volume (only for gp3)
  
  FilesystemType:
    Type: String
    Default: xfs
    AllowedValues: [xfs, ext4]
    Description: Filesystem type for the EBS volume
  
  EnableContainerInsights:
    Type: String
    Default: 'enhanced'
    AllowedValues: ['enabled', 'disabled', 'enhanced']
    Description: Enable or disable CloudWatch Container Insights for the cluster

Resources:
  # ECS Cluster
  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref ECSClusterName
      ClusterSettings:
        - Name: containerInsights
          Value: !Ref EnableContainerInsights
      Tags:
        - Key: Name
          Value: !Ref ECSClusterName

  # IAM Role for Task Execution
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # Task Definition
  EBSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: ebs-task-attach-task-def
      ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - EC2
        - FARGATE
      Cpu: !Ref TaskCpu
      Memory: !Ref TaskMemory
      ContainerDefinitions:
        - Name: nginx
          Image: !Ref ContainerImage
          Essential: true
          PortMappings:
            - Name: nginx-80-tcp
              ContainerPort: 80
              HostPort: 80
              Protocol: tcp
              AppProtocol: http
          MountPoints:
            - SourceVolume: ebs-vol
              ContainerPath: /foo-container-path
              ReadOnly: false
      Volumes:
        - Name: ebs-vol
          ConfiguredAtLaunch: true

  ECSService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ECSCluster
      TaskDefinition: !Ref EBSTaskDefinition
      LaunchType: FARGATE
      ServiceName: ebs
      SchedulingStrategy: REPLICA
      DesiredCount: 1
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups: !Ref SecurityGroupIDs
          Subnets: !Ref SubnetIDs
      PlatformVersion: LATEST
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
        DeploymentCircuitBreaker:
          Enable: true
          Rollback: true
      DeploymentController:
        Type: ECS
      Tags: []
      EnableECSManagedTags: true
      VolumeConfigurations:
        - Name: ebs-vol
          ManagedEBSVolume:
            RoleArn: !Ref InfrastructureRoleArn
            VolumeType: !Ref VolumeType
            Iops: !Ref VolumeIops
            Throughput: !Ref VolumeThroughput
            SizeInGiB: !Ref VolumeSize
            FilesystemType: !Ref FilesystemType
            TagSpecifications:
              - ResourceType: volume
                PropagateTags: TASK_DEFINITION

Outputs:
  ClusterName:
    Description: The cluster used to create the service.
    Value: !Ref ECSCluster
  ClusterArn:
    Description: The ARN of the ECS cluster
    Value: !GetAtt ECSCluster.Arn
  ECSService:
    Description: The created service.
    Value: !Ref ECSService
  TaskDefinitionArn:
    Description: The ARN of the task definition
    Value: !Ref EBSTaskDefinition
```

------

### Deploying a service with capacity providers
<a name="deploy-service"></a>

The following template defines a service that uses the capacity provider to request AL2023 capacity to run on. Containers are launched onto the AL2023 instances as they come online.

------
#### [ JSON ]

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "An example service that deploys in AWS VPC networking mode on EC2 capacity. Service uses a capacity provider to request EC2 instances to run on. Service runs with networking in private subnets, but still accessible to the internet via a load balancer hosted in public subnets.",
  "Parameters": {
      "VpcId": {
          "Type": "String",
          "Description": "The VPC that the service is running inside of"
      },
      "PublicSubnetIds": {
          "Type": "List<AWS::EC2::Subnet::Id>",
          "Description": "List of public subnet ID's to put the load balancer in"
      },
      "PrivateSubnetIds": {
          "Type": "List<AWS::EC2::Subnet::Id>",
          "Description": "List of private subnet ID's that the AWS VPC tasks are in"
      },
      "ClusterName": {
          "Type": "String",
          "Description": "The name of the ECS cluster into which to launch capacity."
      },
      "ECSTaskExecutionRole": {
          "Type": "String",
          "Description": "The role used to start up an ECS task"
      },
      "CapacityProvider": {
          "Type": "String",
          "Description": "The cluster capacity provider that the service should use to request capacity when it wants to start up a task"
      },
      "ServiceName": {
          "Type": "String",
          "Default": "web",
          "Description": "A name for the service"
      },
      "ImageUrl": {
          "Type": "String",
          "Default": "public.ecr.aws/docker/library/nginx:latest",
          "Description": "The url of a docker image that contains the application process that will handle the traffic for this service"
      },
      "ContainerCpu": {
          "Type": "Number",
          "Default": 256,
          "Description": "How much CPU to give the container. 1024 is 1 CPU"
      },
      "ContainerMemory": {
          "Type": "Number",
          "Default": 512,
          "Description": "How much memory in megabytes to give the container"
      },
      "ContainerPort": {
          "Type": "Number",
          "Default": 80,
          "Description": "What port that the application expects traffic on"
      },
      "DesiredCount": {
          "Type": "Number",
          "Default": 2,
          "Description": "How many copies of the service task to run"
      }
  },
  "Resources": {
      "TaskDefinition": {
          "Type": "AWS::ECS::TaskDefinition",
          "Properties": {
              "Family": {
                  "Ref": "ServiceName"
              },
              "Cpu": {
                  "Ref": "ContainerCpu"
              },
              "Memory": {
                  "Ref": "ContainerMemory"
              },
              "NetworkMode": "awsvpc",
              "RequiresCompatibilities": [
                  "EC2"
              ],
              "ExecutionRoleArn": {
                  "Ref": "ECSTaskExecutionRole"
              },
              "ContainerDefinitions": [
                  {
                      "Name": {
                          "Ref": "ServiceName"
                      },
                      "Cpu": {
                          "Ref": "ContainerCpu"
                      },
                      "Memory": {
                          "Ref": "ContainerMemory"
                      },
                      "Image": {
                          "Ref": "ImageUrl"
                      },
                      "PortMappings": [
                          {
                              "ContainerPort": {
                                  "Ref": "ContainerPort"
                              },
                              "HostPort": {
                                  "Ref": "ContainerPort"
                              }
                          }
                      ],
                      "LogConfiguration": {
                          "LogDriver": "awslogs",
                          "Options": {
                              "mode": "non-blocking",
                              "max-buffer-size": "25m",
                              "awslogs-group": {
                                  "Ref": "LogGroup"
                              },
                              "awslogs-region": {
                                  "Ref": "AWS::Region"
                              },
                              "awslogs-stream-prefix": {
                                  "Ref": "ServiceName"
                              }
                          }
                      }
                  }
              ]
          }
      },
      "Service": {
          "Type": "AWS::ECS::Service",
          "DependsOn": "PublicLoadBalancerListener",
          "Properties": {
              "ServiceName": {
                  "Ref": "ServiceName"
              },
              "Cluster": {
                  "Ref": "ClusterName"
              },
              "PlacementStrategies": [
                  {
                      "Field": "attribute:ecs.availability-zone",
                      "Type": "spread"
                  },
                  {
                      "Field": "cpu",
                      "Type": "binpack"
                  }
              ],
              "CapacityProviderStrategy": [
                  {
                      "Base": 0,
                      "CapacityProvider": {
                          "Ref": "CapacityProvider"
                      },
                      "Weight": 1
                  }
              ],
              "NetworkConfiguration": {
                  "AwsvpcConfiguration": {
                      "SecurityGroups": [
                          {
                              "Ref": "ServiceSecurityGroup"
                          }
                      ],
                      "Subnets": {
                          "Ref": "PrivateSubnetIds"
                      }
                  }
              },
              "DeploymentConfiguration": {
                  "MaximumPercent": 200,
                  "MinimumHealthyPercent": 75
              },
              "DesiredCount": {
                  "Ref": "DesiredCount"
              },
              "TaskDefinition": {
                  "Ref": "TaskDefinition"
              },
              "LoadBalancers": [
                  {
                      "ContainerName": {
                          "Ref": "ServiceName"
                      },
                      "ContainerPort": {
                          "Ref": "ContainerPort"
                      },
                      "TargetGroupArn": {
                          "Ref": "ServiceTargetGroup"
                      }
                  }
              ]
          }
      },
      "ServiceSecurityGroup": {
          "Type": "AWS::EC2::SecurityGroup",
          "Properties": {
              "GroupDescription": "Security group for service",
              "VpcId": {
                  "Ref": "VpcId"
              }
          }
      },
      "ServiceTargetGroup": {
          "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
          "Properties": {
              "HealthCheckIntervalSeconds": 6,
              "HealthCheckPath": "/",
              "HealthCheckProtocol": "HTTP",
              "HealthCheckTimeoutSeconds": 5,
              "HealthyThresholdCount": 2,
              "TargetType": "ip",
              "Port": {
                  "Ref": "ContainerPort"
              },
              "Protocol": "HTTP",
              "UnhealthyThresholdCount": 10,
              "VpcId": {
                  "Ref": "VpcId"
              },
              "TargetGroupAttributes": [
                  {
                      "Key": "deregistration_delay.timeout_seconds",
                      "Value": 0
                  }
              ]
          }
      },
      "PublicLoadBalancerSG": {
          "Type": "AWS::EC2::SecurityGroup",
          "Properties": {
              "GroupDescription": "Access to the public facing load balancer",
              "VpcId": {
                  "Ref": "VpcId"
              },
              "SecurityGroupIngress": [
                  {
                      "CidrIp": "0.0.0.0/0",
                      "IpProtocol": -1
                  }
              ]
          }
      },
      "PublicLoadBalancer": {
          "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
          "Properties": {
              "Scheme": "internet-facing",
              "LoadBalancerAttributes": [
                  {
                      "Key": "idle_timeout.timeout_seconds",
                      "Value": "30"
                  }
              ],
              "Subnets": {
                  "Ref": "PublicSubnetIds"
              },
              "SecurityGroups": [
                  {
                      "Ref": "PublicLoadBalancerSG"
                  }
              ]
          }
      },
      "PublicLoadBalancerListener": {
          "Type": "AWS::ElasticLoadBalancingV2::Listener",
          "Properties": {
              "DefaultActions": [
                  {
                      "Type": "forward",
                      "ForwardConfig": {
                          "TargetGroups": [
                              {
                                  "TargetGroupArn": {
                                      "Ref": "ServiceTargetGroup"
                                  },
                                  "Weight": 100
                              }
                          ]
                      }
                  }
              ],
              "LoadBalancerArn": {
                  "Ref": "PublicLoadBalancer"
              },
              "Port": 80,
              "Protocol": "HTTP"
          }
      },
      "ServiceIngressfromLoadBalancer": {
          "Type": "AWS::EC2::SecurityGroupIngress",
          "Properties": {
              "Description": "Ingress from the public ALB",
              "GroupId": {
                  "Ref": "ServiceSecurityGroup"
              },
              "IpProtocol": -1,
              "SourceSecurityGroupId": {
                  "Ref": "PublicLoadBalancerSG"
              }
          }
      },
      "LogGroup": {
          "Type": "AWS::Logs::LogGroup"
      }
  }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  An example service that deploys in AWS VPC networking mode on EC2 capacity.
  Service uses a capacity provider to request EC2 instances to run on. Service
  runs with networking in private subnets, but still accessible to the internet
  via a load balancer hosted in public subnets.
Parameters:
  VpcId:
    Type: String
    Description: The VPC that the service is running inside of
  PublicSubnetIds:
    Type: 'List<AWS::EC2::Subnet::Id>'
    Description: List of public subnet ID's to put the load balancer in
  PrivateSubnetIds:
    Type: 'List<AWS::EC2::Subnet::Id>'
    Description: List of private subnet ID's that the AWS VPC tasks are in
  ClusterName:
    Type: String
    Description: The name of the ECS cluster into which to launch capacity.
  ECSTaskExecutionRole:
    Type: String
    Description: The role used to start up an ECS task
  CapacityProvider:
    Type: String
    Description: >-
      The cluster capacity provider that the service should use to request
      capacity when it wants to start up a task
  ServiceName:
    Type: String
    Default: web
    Description: A name for the service
  ImageUrl:
    Type: String
    Default: 'public.ecr.aws/docker/library/nginx:latest'
    Description: >-
      The url of a docker image that contains the application process that will
      handle the traffic for this service
  ContainerCpu:
    Type: Number
    Default: 256
    Description: How much CPU to give the container. 1024 is 1 CPU
  ContainerMemory:
    Type: Number
    Default: 512
    Description: How much memory in megabytes to give the container
  ContainerPort:
    Type: Number
    Default: 80
    Description: What port that the application expects traffic on
  DesiredCount:
    Type: Number
    Default: 2
    Description: How many copies of the service task to run
Resources:
  TaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      Family: !Ref ServiceName
      Cpu: !Ref ContainerCpu
      Memory: !Ref ContainerMemory
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - EC2
      ExecutionRoleArn: !Ref ECSTaskExecutionRole
      ContainerDefinitions:
        - Name: !Ref ServiceName
          Cpu: !Ref ContainerCpu
          Memory: !Ref ContainerMemory
          Image: !Ref ImageUrl
          PortMappings:
            - ContainerPort: !Ref ContainerPort
              HostPort: !Ref ContainerPort
          LogConfiguration:
            LogDriver: awslogs
            Options:
              mode: non-blocking
              max-buffer-size: 25m
              awslogs-group: !Ref LogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: !Ref ServiceName
  Service:
    Type: AWS::ECS::Service
    DependsOn: PublicLoadBalancerListener
    Properties:
      ServiceName: !Ref ServiceName
      Cluster: !Ref ClusterName
      PlacementStrategies:
        - Field: 'attribute:ecs.availability-zone'
          Type: spread
        - Field: cpu
          Type: binpack
      CapacityProviderStrategy:
        - Base: 0
          CapacityProvider: !Ref CapacityProvider
          Weight: 1
      NetworkConfiguration:
        AwsvpcConfiguration:
          SecurityGroups:
            - !Ref ServiceSecurityGroup
          Subnets: !Ref PrivateSubnetIds
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 75
      DesiredCount: !Ref DesiredCount
      TaskDefinition: !Ref TaskDefinition
      LoadBalancers:
        - ContainerName: !Ref ServiceName
          ContainerPort: !Ref ContainerPort
          TargetGroupArn: !Ref ServiceTargetGroup
  ServiceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Security group for service
      VpcId: !Ref VpcId
  ServiceTargetGroup:
    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
    Properties:
      HealthCheckIntervalSeconds: 6
      HealthCheckPath: /
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 5
      HealthyThresholdCount: 2
      TargetType: ip
      Port: !Ref ContainerPort
      Protocol: HTTP
      UnhealthyThresholdCount: 10
      VpcId: !Ref VpcId
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: 0
  PublicLoadBalancerSG:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Access to the public facing load balancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: -1
  PublicLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Scheme: internet-facing
      LoadBalancerAttributes:
        - Key: idle_timeout.timeout_seconds
          Value: '30'
      Subnets: !Ref PublicSubnetIds
      SecurityGroups:
        - !Ref PublicLoadBalancerSG
  PublicLoadBalancerListener:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      DefaultActions:
        - Type: forward
          ForwardConfig:
            TargetGroups:
              - TargetGroupArn: !Ref ServiceTargetGroup
                Weight: 100
      LoadBalancerArn: !Ref PublicLoadBalancer
      Port: 80
      Protocol: HTTP
  ServiceIngressfromLoadBalancer:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      Description: Ingress from the public ALB
      GroupId: !Ref ServiceSecurityGroup
      IpProtocol: -1
      SourceSecurityGroupId: !Ref PublicLoadBalancerSG
  LogGroup:
    Type: 'AWS::Logs::LogGroup'
```

------
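An added example (not part of the AWS template): a Python check over the JSON form of the template above that finds ingress rules with `IpProtocol` -1, reports whether they are open to `0.0.0.0/0`, and proposes TCP rules limited to the ports of the listeners attached to that security group. `TEMPLATE` is a constructed excerpt of the resources above; the function names and the suggested rules are this example's own.

```python
import json

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed excerpt: the internet-facing resources of the template above,
# with property values copied from it and unrelated properties left out.
TEMPLATE = json.loads("""{"Resources": {
  "PublicLoadBalancerSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "VpcId": {"Ref": "VpcId"},
    "SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "IpProtocol": -1}]}},
  "PublicLoadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": {
    "Scheme": "internet-facing",
    "SecurityGroups": [{"Ref": "PublicLoadBalancerSG"}]}},
  "PublicLoadBalancerListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {
    "LoadBalancerArn": {"Ref": "PublicLoadBalancer"}, "Port": 80, "Protocol": "HTTP"}},
  "ServiceIngressfromLoadBalancer": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": {"Ref": "ServiceSecurityGroup"}, "IpProtocol": -1,
    "SourceSecurityGroupId": {"Ref": "PublicLoadBalancerSG"}}}
}}""")


def ref(value):
    """Return the logical ID behind {"Ref": "X"}, or None for anything else."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return value["Ref"]
    return None


def props(resource):
    return resource.get("Properties", {})


def ingress_rules(resources):
    """Yield (security group logical ID, rule) for inline and standalone rules."""
    for name, res in resources.items():
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props(res).get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield ref(props(res).get("GroupId")) or name, props(res)


def listener_ports(resources, group):
    """Ports of the listeners on load balancers that attach this security group."""
    balancers = {
        name for name, res in resources.items()
        if res.get("Type") == "AWS::ElasticLoadBalancingV2::LoadBalancer"
        and group in [ref(g) for g in props(res).get("SecurityGroups", [])]
    }
    ports = set()
    for res in resources.values():
        if res.get("Type") != "AWS::ElasticLoadBalancingV2::Listener":
            continue
        port = props(res).get("Port")
        # Ports given as a parameter Ref cannot be resolved offline and are skipped.
        if ref(props(res).get("LoadBalancerArn")) in balancers and isinstance(port, int):
            ports.add(port)
    return sorted(ports)


def audit(template):
    """Flag ingress rules that allow every protocol and report how far they reach."""
    resources = template.get("Resources", {})
    findings = []
    for group, rule in ingress_rules(resources):
        if str(rule.get("IpProtocol")) != "-1":   # -1 may be a number or a string
            continue
        key = next((k for k in ("CidrIp", "CidrIpv6") if k in rule), None)
        cidr = rule.get(key) if key else None
        findings.append({
            "group": group,
            "world_open": isinstance(cidr, str) and cidr in WORLD,
            "source": cidr or ref(rule.get("SourceSecurityGroupId")),
            # Reviewer's proposal (an assumption of this example, not AWS guidance
            # quoted from the page): TCP on the attached listener ports only.
            "suggested": [
                {key: cidr, "IpProtocol": "tcp", "FromPort": p, "ToPort": p}
                for p in listener_ports(resources, group)
            ] if cidr else [],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(TEMPLATE):
        print(json.dumps(finding))
```
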

## IAM roles for Amazon ECS
<a name="ecs-cloudformation-iam-roles"></a>

You can use CloudFormation templates to create IAM roles for use with Amazon ECS. For more information about IAM roles for Amazon ECS, see [IAM roles for Amazon ECS](security-ecs-iam-role-overview.md).

### Amazon ECS task execution role
<a name="ecs-cloudformation-iam-roles-task-execution"></a>

The task execution role grants the Amazon ECS container and Fargate agents permission to make AWS API calls on your behalf. The role is required depending on the requirements of your task. For more information, see [Amazon ECS task execution IAM role](task_execution_IAM_role.md).

The following template can be used to create a simple task execution role that uses the `AmazonECSTaskExecutionRolePolicy` managed policy.

------
#### [ JSON ]

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "CloudFormation template for ECS Task Execution Role",
  "Resources": {
    "ECSTaskExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": ["ecs-tasks.amazonaws.com"]
              },
              "Action": ["sts:AssumeRole"],
              "Condition": {
                "ArnLike": {
                  "aws:SourceArn": {
                    "Fn::Sub": "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:*"
                  }
                },
                "StringEquals": {
                  "aws:SourceAccount": {
                    "Ref": "AWS::AccountId"
                  }
                }
              }
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
        ]
      }
    }
  },
  "Outputs": {
    "ECSTaskExecutionRoleARN": {
      "Description": "ARN of the ECS Task Execution Role",
      "Value": {
        "Fn::GetAtt": ["ECSTaskExecutionRole", "Arn"]
      },
      "Export": {
        "Name": {
          "Fn::Sub": "${AWS::StackName}-ECSTaskExecutionRoleARN"
        }
      }
    },
    "ECSTaskExecutionRoleName": {
      "Description": "Name of the ECS Task Execution Role",
      "Value": {
        "Ref": "ECSTaskExecutionRole"
      },
      "Export": {
        "Name": {
          "Fn::Sub": "${AWS::StackName}-ECSTaskExecutionRoleName"
        }
      }
    }
  }
}
```

------
#### [ YAML ]

```
AWSTemplateFormatVersion: '2010-09-09'
Description: 'CloudFormation template for ECS Task Execution Role'
Resources:
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ['sts:AssumeRole']
            Condition:
              ArnLike:
                aws:SourceArn: !Sub arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:*
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Outputs:
  ECSTaskExecutionRoleARN:
    Description: ARN of the ECS Task Execution Role
    Value: !GetAtt ECSTaskExecutionRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-ECSTaskExecutionRoleARN"
  ECSTaskExecutionRoleName:
    Description: Name of the ECS Task Execution Role
    Value: !Ref ECSTaskExecutionRole
    Export:
      Name: !Sub "${AWS::StackName}-ECSTaskExecutionRoleName"
```

------
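An added example (not AWS's code): the trust policy above restricts `sts:AssumeRole` with `aws:SourceArn` and `aws:SourceAccount`, while the `ECSTaskExecutionRole` in the EBS volume template earlier on this page has no `Condition`. This Python check reports service trust statements that lack either key; both sample roles are copied from the page's JSON templates, and the function names are hypothetical.

```python
import json

REQUIRED_KEYS = ("aws:SourceArn", "aws:SourceAccount")
# Only these operators are counted as scoping the caller. Negated forms,
# ...IfExists forms and set-operator prefixes are deliberately not counted.
SCOPING_OPERATORS = ("StringEquals", "StringLike", "ArnEquals", "ArnLike")

# Constructed input: the role from the EBS volume template on this page.
UNSCOPED_ROLE = json.loads("""{"Type": "AWS::IAM::Role", "Properties": {
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "ecs-tasks.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}}}""")

# Constructed input: the role from the task execution role template above.
SCOPED_ROLE = json.loads("""{"Type": "AWS::IAM::Role", "Properties": {
  "AssumeRolePolicyDocument": {"Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": ["ecs-tasks.amazonaws.com"]},
     "Action": ["sts:AssumeRole"],
     "Condition": {
       "ArnLike": {"aws:SourceArn":
         {"Fn::Sub": "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:*"}},
       "StringEquals": {"aws:SourceAccount": {"Ref": "AWS::AccountId"}}}}]}}}""")


def as_list(value):
    """IAM accepts a single value or a list for Statement, Service and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def scoping_keys(statement):
    """Lower-cased condition keys used under a scoping operator.

    Condition key names are not case-sensitive, so they are compared lower-cased.
    This is a presence check: the condition values are not evaluated.
    """
    keys = set()
    for operator, operands in statement.get("Condition", {}).items():
        if operator in SCOPING_OPERATORS:
            keys.update(k.lower() for k in operands)
    return keys


def unscoped_service_trust(role):
    """One finding per Allow statement that lets an AWS service assume the role
    without both aws:SourceArn and aws:SourceAccount conditions."""
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    findings = []
    for index, stmt in enumerate(as_list(doc.get("Statement"))):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not services:
            continue
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        present = scoping_keys(stmt)
        missing = [k for k in REQUIRED_KEYS if k.lower() not in present]
        if missing:
            findings.append({"statement": index, "services": services, "missing": missing})
    return findings


if __name__ == "__main__":
    for label, role in (("EBS volume template", UNSCOPED_ROLE),
                        ("task execution role template", SCOPED_ROLE)):
        print(label, unscoped_service_trust(role) or "trust policy is scoped")
```
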