-
Notifications
You must be signed in to change notification settings - Fork 0
/
backend.yml
142 lines (135 loc) · 4.81 KB
/
backend.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation template for Hotel App with DynamoDB and App Runner, without networking.
Parameters:
HotelName:
Type: String
Default: AWS App Runner Hotel
Description: Enter a name for the Hotel. Default is AWS App Runner Hotel.
Environment:
Type: String
Default: dev
Description: Enter a name for the Environment. Default is dev, this is used later in the workshop to tag the environments
Resources:
# DynamoDB Table for Rooms
RoomsTable:
Type: "AWS::DynamoDB::Table"
Properties:
TableName: !Sub "Rooms-${AWS::StackName}-${AWS::Region}"
AttributeDefinitions:
- AttributeName: "id"
AttributeType: "N"
KeySchema:
- AttributeName: "id"
KeyType: "HASH"
ProvisionedThroughput:
ReadCapacityUnits: 5
WriteCapacityUnits: 5
SSESpecification:
SSEEnabled: true # Enable server-side encryption for the table
# IAM Role for App Runner to access DynamoDB
AppRunnerInstanceRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "AppRunnerHotelAppRole-${AWS::StackName}-${AWS::Region}"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- tasks.apprunner.amazonaws.com
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: AppRunnerDynamoDBPermissions
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "dynamodb:PutItem"
- "dynamodb:GetItem"
- "dynamodb:Scan"
- "dynamodb:UpdateItem"
Resource: !GetAtt RoomsTable.Arn
- PolicyName: AppRunnerServiceRolePolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "logs:CreateLogGroup"
- "logs:PutRetentionPolicy"
Resource: "arn:aws:logs:*:*:log-group:/aws/apprunner/*"
- Effect: Allow
Action:
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:DescribeLogStreams"
Resource: "arn:aws:logs:*:*:log-group:/aws/apprunner/*:log-stream:*"
# IAM Role for ECR Access
AppRunnerECRAccessRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "AppRunnerHotelAppECRAccessRole-${AWS::StackName}-${AWS::Region}"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- build.apprunner.amazonaws.com
Action:
- "sts:AssumeRole"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
#Sample Alarm - we will use this later to prove AWS CodePipeline Condition Gates
DynamoDBReadCapacityAlarm:
Type: "AWS::CloudWatch::Alarm"
Properties:
AlarmName: !Sub "HighReadCapacityAlarm-${AWS::StackName}-${AWS::Region}"
AlarmDescription: "Alarm if DynamoDB read capacity exceeds 80% of provisioned units"
Namespace: "AWS/DynamoDB"
MetricName: "ConsumedReadCapacityUnits"
Dimensions:
- Name: "TableName"
Value: !Ref RoomsTable
Statistic: "Average"
Period: 60
EvaluationPeriods: 1
Threshold: 4 # 80% of 5 ReadCapacityUnits
ComparisonOperator: "GreaterThanThreshold"
AppRunnerService:
Type: AWS::AppRunner::Service
Properties:
ServiceName: !Sub "Hotel-${AWS::StackName}-${AWS::Region}"
SourceConfiguration:
AutoDeploymentsEnabled: false
ImageRepository:
ImageIdentifier: !Sub ${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/hotel-app:latest
ImageRepositoryType: ECR
ImageConfiguration:
Port: "8080"
RuntimeEnvironmentVariables:
- Name: DYNAMODB_TABLE_NAME
Value: !Ref RoomsTable
- Name: HOTEL_NAME
Value: !Ref HotelName
AuthenticationConfiguration:
AccessRoleArn: !GetAtt AppRunnerECRAccessRole.Arn
InstanceConfiguration:
InstanceRoleArn: !GetAtt AppRunnerInstanceRole.Arn
AppRunnerURLSSMParameter:
Type: "AWS::SSM::Parameter"
Properties:
Name: !Sub "/hotelapp/${Environment}/url"
Description: "Hotel app URI"
Type: "String"
Value: !Sub "https://${AppRunnerService.ServiceUrl}"
Outputs:
DynamoDBTableName:
Description: "Name of the DynamoDB Table"
Value: !Ref RoomsTable
AppRunnerServiceUrl:
Description: "URL of the App Runner Service"
Value: !GetAtt AppRunnerService.ServiceUrl