Change server name to not have -

BUGFIX: Give ECS permission to grab private repo secret
Allow ECS to pull docker image from private repo
2020-08-03 22:50:34 -04:00 · 2020-07-31 21:05:06 -04:00 · 2020-07-28 19:45:34 -04:00
2 changed files with 107 additions and 34 deletions
--- a/cloudformation/nakama/task.yaml
+++ b/cloudformation/nakama/task.yaml
@ -3,7 +3,7 @@ Description: Nakama ECS Task
 Parameters:
  ServerName:
    Type: String
-    Default: "nakama-default"
+    Default: "main"
  NakamaContainer:
    Type: String
    Description: test
@ -38,12 +38,49 @@ Parameters:
    Type: Number
    Description: Port for the Postgres server
    Default: 5432
+  RepositoryCredentialsSecret:
+    Type: String
+    Description: Arn of repostiory secret from AWS Secrets Manager. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html for more information
+    Default: ""

 Conditions:
  CreateSecret: !Equals [!Ref NakamaPasswordOverride, ""]
+  NoRepositoryCredentials: !Equals [!Ref RepositoryCredentialsSecret, ""]
+  RepositoryCredentials: !Not [!Equals [!Ref RepositoryCredentialsSecret, ""]]

 Resources:

+  EcsExecutionerRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - ecs-tasks.amazonaws.com
+          Action:
+          - sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
+  EcsExecutionPolicy:
+    Condition: RepositoryCredentials
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: AllowGettingSecrets
+      Roles:
+        - !Ref EcsExecutionerRole
+      PolicyDocument:
+        Statement:
+          - Sid: ReadDockerSecret
+            Action:
+              - secretsmanager:Describe*
+              - secretsmanager:Get*
+              - secretsmanager:List*
+            Effect: Allow
+            Resource: !Ref RepositoryCredentialsSecret
+
  AdminPortalPassword:
    Type: AWS::SecretsManager::Secret
    Condition: CreateSecret
@ -63,40 +100,68 @@ Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
+      ExecutionRoleArn: !Ref EcsExecutionerRole
      ContainerDefinitions:
-      - Name: nakama
-        Essential: 'true'
-        Image: !Ref NakamaContainer
-        MemoryReservation: 800
-        PortMappings:
-        - HostPort: 0
-          ContainerPort: 7348
-        - HostPort: 0
-          ContainerPort: 7349
-        - HostPort: 0
-          ContainerPort: 7350
-        - HostPort: 0
-          ContainerPort: 7351
-        LogConfiguration:
-          LogDriver: awslogs
-          Options:
-            awslogs-region:
-              Ref: AWS::Region
-            awslogs-group:
-              Ref: LogGroup
-        MountPoints:
-          - ContainerPath: /nakama/volume
-            SourceVolume: "nakama-volume"
-        EntryPoint: 
-            - "/bin/sh"
-            - "-ecx"
-            - !Join ["", [
-              !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
-              !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
-              !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
-              ]]                
-      Volumes:
-        - Name: "nakama-volume"
+      - !If
+        - NoRepositoryCredentials
+        - Name: nakama
+          Essential: 'true'
+          Image: !Ref NakamaContainer
+          MemoryReservation: 800
+          PortMappings:
+          - HostPort: 0
+            ContainerPort: 7348
+          - HostPort: 0
+            ContainerPort: 7349
+          - HostPort: 0
+            ContainerPort: 7350
+          - HostPort: 0
+            ContainerPort: 7351
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-region:
+                Ref: AWS::Region
+              awslogs-group:
+                Ref: LogGroup
+          EntryPoint: 
+              - "/bin/sh"
+              - "-ecx"
+              - !Join ["", [
+                !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
+                !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
+                !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
+                ]]
+        - Name: nakama
+          Essential: 'true'
+          Image: !Ref NakamaContainer
+          RepositoryCredentials:
+            CredentialsParameter: !Ref RepositoryCredentialsSecret
+          MemoryReservation: 800
+          PortMappings:
+          - HostPort: 0
+            ContainerPort: 7348
+          - HostPort: 0
+            ContainerPort: 7349
+          - HostPort: 0
+            ContainerPort: 7350
+          - HostPort: 0
+            ContainerPort: 7351
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-region:
+                Ref: AWS::Region
+              awslogs-group:
+                Ref: LogGroup
+          EntryPoint: 
+              - "/bin/sh"
+              - "-ecx"
+              - !Join ["", [
+                !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
+                !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
+                !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
+                ]]
 Outputs:
  TaskArn:
    Description: ARN of the TaskDefinition
--- a/cloudformation/nakama/top.yaml
+++ b/cloudformation/nakama/top.yaml
@ -25,6 +25,10 @@ Parameters:
    Type: String
    Description: The cluster to run the Nakama service on, if empty will create new cluster.
    Default: ""
+  RepositoryCredentialsSecret:
+    Type: String
+    Description: Arn of repostiory secret from AWS Secrets Manager. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html for more information
+    Default: ""
  
  #-----------------
  # Load Balancing 
@ -149,6 +153,7 @@ Metadata:
        default: "ECS Configuration"
      Parameters:
      - EcsClusterOverride
+      - RepositoryCredentialsSecret
    - Label:
        default: "Database Configuration"
      Parameters:
@ -212,6 +217,8 @@ Metadata:
        default: "RDS Storage"
      RdsAccessCidr:
        default: "RDS Allow Access CIDR"
+      RepositoryCredentialsSecret:
+        default: "Docker Repository Credentials"


 Conditions:
@ -298,6 +305,7 @@ Resources:
        DatabasePort: !If ["CreateRdsStack", !GetAtt RdsDatabase.Outputs.RdsPort, !Ref DatabasePort]
        NakamaUsername: !Ref NakamaUsername
        NakamaPasswordOverride: !Ref NakamaPasswordOverride
+        RepositoryCredentialsSecret: !Ref RepositoryCredentialsSecret

  EcsService:
    DependsOn: LoadBalancing
Author	SHA1	Message	Date
Joseph Manley	7e496a1228	Change server name to not have `-`	2020-08-03 22:50:34 -04:00
Joseph Manley	a9e6eb3387	BUGFIX: Give ECS permission to grab private repo secret	2020-07-31 21:05:06 -04:00
Joseph Manley	a57c16a69e	Allow ECS to pull docker image from private repo Use AWS::NoValue Remove {} Try at CredentialsParameter level Duplicate code :/ Remove volume	2020-07-28 19:45:34 -04:00