From a57c16a69ef46af013a9108f2085872c21516bcc Mon Sep 17 00:00:00 2001 From: Joseph Manley Date: Tue, 28 Jul 2020 18:42:37 -0400 Subject: [PATCH] Allow ECS to pull docker image from private repo Use AWS::NoValue Remove {} Try at CredentialsParameter level Duplicate code :/ Remove volume --- cloudformation/nakama/task.yaml | 98 ++++++++++++++++++++++----------- cloudformation/nakama/top.yaml | 8 +++ 2 files changed, 73 insertions(+), 33 deletions(-) diff --git a/cloudformation/nakama/task.yaml b/cloudformation/nakama/task.yaml index f796348..4f04a12 100644 --- a/cloudformation/nakama/task.yaml +++ b/cloudformation/nakama/task.yaml @@ -38,9 +38,14 @@ Parameters: Type: Number Description: Port for the Postgres server Default: 5432 + RepositoryCredentialsSecret: + Type: String + Description: Arn of repostiory secret from AWS Secrets Manager. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html for more information + Default: "" Conditions: CreateSecret: !Equals [!Ref NakamaPasswordOverride, ""] + NoRepositoryCredentials: !Equals [!Ref RepositoryCredentialsSecret, ""] Resources: 
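Review bot: The new `RepositoryCredentialsSecret` parameter is accepted without anything visible that lets ECS read the secret: private registry authentication needs a task execution role with `secretsmanager:GetSecretValue` on it, and the `AWS::ECS::TaskDefinition` properties shown in the next hunk contain only `ContainerDefinitions`, with no `ExecutionRoleArn`. If the role is not supplied elsewhere, the image pull will fail as soon as a secret ARN is passed. I would add a role scoped to that single ARN (plus `kms:Decrypt` only if the secret uses a customer-managed key) and set it conditionally, e.g. `ExecutionRoleArn: !If [NoRepositoryCredentials, !Ref "AWS::NoValue", !GetAtt TaskExecutionRole.Arn]`, where `TaskExecutionRole` is a placeholder name for the new resource. The Description should state that requirement and spell "repository" correctly; the same text is repeated in the top.yaml parameter.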
@@ -64,39 +69,66 @@ Resources: Type: AWS::ECS::TaskDefinition Properties: ContainerDefinitions: - - Name: nakama - Essential: 'true' - Image: !Ref NakamaContainer - MemoryReservation: 800 - PortMappings: - - HostPort: 0 - ContainerPort: 7348 - - HostPort: 0 - ContainerPort: 7349 - - HostPort: 0 - ContainerPort: 7350 - - HostPort: 0 - ContainerPort: 7351 - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-region: - Ref: AWS::Region - awslogs-group: - Ref: LogGroup - MountPoints: - - ContainerPath: /nakama/volume - SourceVolume: "nakama-volume" - EntryPoint: - - "/bin/sh" - - "-ecx" - - !Join ["", [ - !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n", - !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"", - !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:", !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\"" - ]] - Volumes: - - Name: "nakama-volume" + - !If + - NoRepositoryCredentials + - Name: nakama + Essential: 'true' + Image: !Ref NakamaContainer + MemoryReservation: 800 + PortMappings: + - HostPort: 0 + ContainerPort: 7348 + - HostPort: 0 + ContainerPort: 7349 + - HostPort: 0 + ContainerPort: 7350 + - HostPort: 0 + ContainerPort: 7351 + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-region: + Ref: AWS::Region + awslogs-group: + Ref: LogGroup + EntryPoint: + - "/bin/sh" + - "-ecx" + - !Join ["", [ + !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n", + !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"", + !If [CreateSecret, !Join ["", 
["{{resolve:secretsmanager:", !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\"" + ]] + - Name: nakama + Essential: 'true' + Image: !Ref NakamaContainer + RepositoryCredentials: + CredentialsParameter: !Ref RepositoryCredentialsSecret + MemoryReservation: 800 + PortMappings: + - HostPort: 0 + ContainerPort: 7348 + - HostPort: 0 + ContainerPort: 7349 + - HostPort: 0 + ContainerPort: 7350 + - HostPort: 0 + ContainerPort: 7351 + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-region: + Ref: AWS::Region + awslogs-group: + Ref: LogGroup + EntryPoint: + - "/bin/sh" + - "-ecx" + - !Join ["", [ + !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n", + !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"", + !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:", !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\"" + ]] Outputs: TaskArn: Description: ARN of the TaskDefinition diff --git a/cloudformation/nakama/top.yaml b/cloudformation/nakama/top.yaml index 89461f1..18ad633 100644 --- a/cloudformation/nakama/top.yaml +++ b/cloudformation/nakama/top.yaml @@ -25,6 +25,10 @@ Parameters: Type: String Description: The cluster to run the Nakama service on, if empty will create new cluster. Default: "" + RepositoryCredentialsSecret: + Type: String + Description: Arn of repostiory secret from AWS Secrets Manager. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html for more information + Default: "" #----------------- # Load Balancing @@ -149,6 +153,7 @@ Metadata: default: "ECS Configuration" Parameters: - EcsClusterOverride + - RepositoryCredentialsSecret - Label: default: "Database Configuration" Parameters: 
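Review bot: Both copies of the `nakama` container definition in task.yaml keep `"-ecx"` in `EntryPoint`, and the `x` makes the shell trace every command to stderr, so the full `--database.address ${DatabaseUsername}:${DatabasePassword}@…` and `--console.password` arguments end up in the awslogs group in clear text. Changing the flag to `"-ec"` in both branches of the `!If` stops that leak. The passwords are still rendered into the task definition itself, because `!Sub` and the `{{resolve:secretsmanager:…}}` reference are expanded at deploy time, so anyone allowed to describe the task definition can read them. Moving them to the container's `Secrets` list with `ValueFrom` and reading them from environment variables in the command would keep them out of both places. Since this commit duplicates the whole definition, any such fix has to be applied to both copies.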
@@ -212,6 +217,8 @@ Metadata: default: "RDS Storage" RdsAccessCidr: default: "RDS Allow Access CIDR" + RepositoryCredentialsSecret: + default: "Docker Repository Credentials" Conditions: @@ -298,6 +305,7 @@ Resources: DatabasePort: !If ["CreateRdsStack", !GetAtt RdsDatabase.Outputs.RdsPort, !Ref DatabasePort] NakamaUsername: !Ref NakamaUsername NakamaPasswordOverride: !Ref NakamaPasswordOverride + RepositoryCredentialsSecret: !Ref RepositoryCredentialsSecret EcsService: DependsOn: LoadBalancing