aws-nakama-stack/cloudformation/nakama/task.yaml

AWSTemplateFormatVersion: '2010-09-09'
Description: Nakama ECS Task
Parameters:
  ServerName:
    Type: String
    Default: "main"
  NakamaContainer:
    Type: String
    Description: test
    Default: "heroiclabs/nakama:2.7.0"

  #----------------------------
  # Admin Portal Configuration
  #----------------------------
  NakamaUsername:
    Type: String
    Description: Username to access the Nakama admin portal
    Default: "admin"
  NakamaPasswordOverride:
    Type: String
    Description: Override Nakama admin portal password
    Default: ""

  #------------------------
  # Database Configuration
  #------------------------
  DatabaseUsername:
    Type: String
    Description: Username of the Postgres server
    Default: postgres
  DatabasePassword:
    Type: String
    Description: Password for the Postgres server
  DatabaseEndpoint:
    Type: String
    Description: Endpoint for the Postgres server
  DatabasePort:
    Type: Number
    Description: Port for the Postgres server
    Default: 5432
  RepositoryCredentialsSecret:
    Type: String
    Description: Arn of repostiory secret from AWS Secrets Manager. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html for more information
    Default: ""

Conditions:
  CreateSecret: !Equals [!Ref NakamaPasswordOverride, ""]
  NoRepositoryCredentials: !Equals [!Ref RepositoryCredentialsSecret, ""]
  RepositoryCredentials: !Not [!Equals [!Ref RepositoryCredentialsSecret, ""]]

Resources:

  EcsExecutionerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ecs-tasks.amazonaws.com
          Action:
          - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
  EcsExecutionPolicy:
    Condition: RepositoryCredentials
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AllowGettingSecrets
      Roles:
        - !Ref EcsExecutionerRole
      PolicyDocument:
        Statement:
          - Sid: ReadDockerSecret
            Action:
              - secretsmanager:Describe*
              - secretsmanager:Get*
              - secretsmanager:List*
            Effect: Allow
            Resource: !Ref RepositoryCredentialsSecret

  AdminPortalPassword:
    Type: AWS::SecretsManager::Secret
    Condition: CreateSecret
    Properties:
      Name: !Sub "nakama/admin/password"
      Description: "Admin portal password for Nakama"
      GenerateSecretString:
        ExcludePunctuation: true
        ExcludeCharacters: '"@/\'

  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: "sumu-nakama"

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ExecutionRoleArn: !Ref EcsExecutionerRole
      ContainerDefinitions:
      - !If
        - NoRepositoryCredentials
        - Name: nakama
          Essential: 'true'
          Image: !Ref NakamaContainer
          MemoryReservation: 800
          PortMappings:
          - HostPort: 0
            ContainerPort: 7348
          - HostPort: 0
            ContainerPort: 7349
          - HostPort: 0
            ContainerPort: 7350
          - HostPort: 0
            ContainerPort: 7351
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region:
                Ref: AWS::Region
              awslogs-group:
                Ref: LogGroup
          EntryPoint: 
              - "/bin/sh"
              - "-ecx"
              - !Join ["", [
                !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
                !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
                !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
                ]]
        - Name: nakama
          Essential: 'true'
          Image: !Ref NakamaContainer
          RepositoryCredentials:
            CredentialsParameter: !Ref RepositoryCredentialsSecret
          MemoryReservation: 800
          PortMappings:
          - HostPort: 0
            ContainerPort: 7348
          - HostPort: 0
            ContainerPort: 7349
          - HostPort: 0
            ContainerPort: 7350
          - HostPort: 0
            ContainerPort: 7351
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region:
                Ref: AWS::Region
              awslogs-group:
                Ref: LogGroup
          EntryPoint: 
              - "/bin/sh"
              - "-ecx"
              - !Join ["", [
                !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
                !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
                !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
                ]]
Outputs:
  TaskArn:
    Description: ARN of the TaskDefinition
    Value: !Ref TaskDefinition