Change server name to not have -

BUGFIX: Give ECS permission to grab private repo secret
Allow ECS to pull docker image from private repo
2025-09-14 01:43:40 +02:00 · 2020-08-03 22:50:34 -04:00 · 2020-07-31 21:05:06 -04:00 · 2020-07-28 19:45:34 -04:00
2 changed files with 107 additions and 34 deletions
--- a/cloudformation/nakama/task.yaml
+++ b/cloudformation/nakama/task.yaml
@ -3,7 +3,7 @@ Description: Nakama ECS Task
 Parameters:
  ServerName:
    Type: String
-    Default: "nakama-default"
+    Default: "main"
  NakamaContainer:
    Type: String
    Description: test
@ -38,12 +38,49 @@ Parameters:
    Type: Number
    Description: Port for the Postgres server
    Default: 5432
  RepositoryCredentialsSecret:
    Type: String
    Description: Arn of repostiory secret from AWS Secrets Manager. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html for more information
    Default: ""
 Conditions:
  CreateSecret: !Equals [!Ref NakamaPasswordOverride, ""]
  NoRepositoryCredentials: !Equals [!Ref RepositoryCredentialsSecret, ""]
  RepositoryCredentials: !Not [!Equals [!Ref RepositoryCredentialsSecret, ""]]
 Resources:
  EcsExecutionerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ecs-tasks.amazonaws.com
          Action:
          - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
  EcsExecutionPolicy:
    Condition: RepositoryCredentials
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AllowGettingSecrets
      Roles:
        - !Ref EcsExecutionerRole
      PolicyDocument:
        Statement:
          - Sid: ReadDockerSecret
            Action:
              - secretsmanager:Describe*
              - secretsmanager:Get*
              - secretsmanager:List*
            Effect: Allow
            Resource: !Ref RepositoryCredentialsSecret
  AdminPortalPassword:
    Type: AWS::SecretsManager::Secret
    Condition: CreateSecret
@ -63,40 +100,68 @@ Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ExecutionRoleArn: !Ref EcsExecutionerRole
      ContainerDefinitions:
-      - Name: nakama
+      - !If
-        Essential: 'true'
+        - NoRepositoryCredentials
-        Image: !Ref NakamaContainer
+        - Name: nakama
-        MemoryReservation: 800
+          Essential: 'true'
-        PortMappings:
+          Image: !Ref NakamaContainer
-        - HostPort: 0
+          MemoryReservation: 800
-          ContainerPort: 7348
+          PortMappings:
-        - HostPort: 0
+          - HostPort: 0
-          ContainerPort: 7349
+            ContainerPort: 7348
-        - HostPort: 0
+          - HostPort: 0
-          ContainerPort: 7350
+            ContainerPort: 7349
-        - HostPort: 0
+          - HostPort: 0
-          ContainerPort: 7351
+            ContainerPort: 7350
-        LogConfiguration:
+          - HostPort: 0
-          LogDriver: awslogs
+            ContainerPort: 7351
-          Options:
+          LogConfiguration:
-            awslogs-region:
+            LogDriver: awslogs
-              Ref: AWS::Region
+            Options:
-            awslogs-group:
+              awslogs-region:
-              Ref: LogGroup
+                Ref: AWS::Region
-        MountPoints:
+              awslogs-group:
-          - ContainerPath: /nakama/volume
+                Ref: LogGroup
-            SourceVolume: "nakama-volume"
+          EntryPoint: 
-        EntryPoint: 
+              - "/bin/sh"
-            - "/bin/sh"
+              - "-ecx"
-            - "-ecx"
+              - !Join ["", [
-            - !Join ["", [
+                !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
-              !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
+                !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
-              !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
+                !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
-              !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
+                ]]
-              ]]                
+        - Name: nakama
-      Volumes:
+          Essential: 'true'
-        - Name: "nakama-volume"
+          Image: !Ref NakamaContainer
          RepositoryCredentials:
            CredentialsParameter: !Ref RepositoryCredentialsSecret
          MemoryReservation: 800
          PortMappings:
          - HostPort: 0
            ContainerPort: 7348
          - HostPort: 0
            ContainerPort: 7349
          - HostPort: 0
            ContainerPort: 7350
          - HostPort: 0
            ContainerPort: 7351
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region:
                Ref: AWS::Region
              awslogs-group:
                Ref: LogGroup
          EntryPoint: 
              - "/bin/sh"
              - "-ecx"
              - !Join ["", [
                !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
                !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
                !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
                ]]
 Outputs:
  TaskArn:
    Description: ARN of the TaskDefinition
--- a/cloudformation/nakama/top.yaml
+++ b/cloudformation/nakama/top.yaml
@ -25,6 +25,10 @@ Parameters:
    Type: String
    Description: The cluster to run the Nakama service on, if empty will create new cluster.
    Default: ""
  RepositoryCredentialsSecret:
    Type: String
    Description: Arn of repostiory secret from AWS Secrets Manager. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html for more information
    Default: ""
  #-----------------
  # Load Balancing 
@ -149,6 +153,7 @@ Metadata:
        default: "ECS Configuration"
      Parameters:
      - EcsClusterOverride
      - RepositoryCredentialsSecret
    - Label:
        default: "Database Configuration"
      Parameters:
@ -212,6 +217,8 @@ Metadata:
        default: "RDS Storage"
      RdsAccessCidr:
        default: "RDS Allow Access CIDR"
      RepositoryCredentialsSecret:
        default: "Docker Repository Credentials"
 Conditions:
@ -298,6 +305,7 @@ Resources:
        DatabasePort: !If ["CreateRdsStack", !GetAtt RdsDatabase.Outputs.RdsPort, !Ref DatabasePort]
        NakamaUsername: !Ref NakamaUsername
        NakamaPasswordOverride: !Ref NakamaPasswordOverride
        RepositoryCredentialsSecret: !Ref RepositoryCredentialsSecret
  EcsService:
    DependsOn: LoadBalancing
Author	SHA1	Message	Date
Joseph Manley	7e496a1228	Change server name to not have `-`	2020-08-03 22:50:34 -04:00
Joseph Manley	a9e6eb3387	BUGFIX: Give ECS permission to grab private repo secret	2020-07-31 21:05:06 -04:00
Joseph Manley	a57c16a69e	Allow ECS to pull docker image from private repo Use AWS::NoValue Remove {} Try at CredentialsParameter level Duplicate code :/ Remove volume	2020-07-28 19:45:34 -04:00