

add UpdateReplacePolicy and DeletionPolicy to cfn templates for crowd…
… environment stacks, e.g. crowd-prod, with the intent to allow for future non-destructive stack updates. (#2450)
jkueloc authored Jul 12, 2024
1 parent 36b28cd commit de1def2
Showing 7 changed files with 128 additions and 0 deletions.
4 changes: 4 additions & 0 deletions cloudformation/infrastructure/elasticache.yaml
Expand Up @@ -20,12 +20,16 @@ Parameters:

Resources:
CachePrivateSubnetGroup:
UpdateReplacePolicy: Retain
Type: AWS::ElastiCache::SubnetGroup
DeletionPolicy: Retain
Properties:
Description: Private subnet group
SubnetIds: !Ref PrivateSubnets
RedisService:
UpdateReplacePolicy: Retain
Type: AWS::ElastiCache::CacheCluster
DeletionPolicy: Retain
Properties:
VpcSecurityGroupIds:
- !Ref 'SecurityGroup'
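Review bot: `UpdateReplacePolicy: Retain` on RedisService keeps the old cluster when CloudFormation replaces it, but it does not prevent the replacement itself, so a change to an immutable property still produces a new, empty cluster that the stack points at while the old one keeps running, billing and holding data with nothing tracking it. The same orphaning applies to every resource given these attributes in fargate-cluster.yaml, network-acl.yaml, rds.yaml and security-groups.yaml in this commit, and retained resources drop out of drift detection, so a documented cleanup step is needed somewhere. Since the stated intent is non-destructive updates, a stack policy that denies `Update:Replace` and `Update:Delete` on the stateful logical IDs enforces that outcome, whereas Retain only softens the consequences after the fact. As a point of style, the two attributes are placed on either side of `Type` in every resource; keeping them adjacent, e.g. `Type: AWS::ElastiCache::CacheCluster` then `DeletionPolicy: Retain` then `UpdateReplacePolicy: Retain`, makes the lifecycle settings easier to audit at a glance.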
28 changes: 28 additions & 0 deletions cloudformation/infrastructure/fargate-cluster.yaml
Expand Up @@ -87,12 +87,14 @@ Parameters:

Resources:
ConcordiaS3BucketAccessPolicy:
UpdateReplacePolicy: Retain
Type: AWS::IAM::Policy
Metadata:
cfn_nag:
rules_to_suppress:
- id: W12
reason: 'S3 buckets must be specified with /* after the bucket name'
DeletionPolicy: Retain
Properties:
PolicyName: !Sub ConcordiaServiceS3BucketAccess-${EnvironmentName}
Roles:
Expand All @@ -114,7 +116,9 @@ Resources:
- !Sub 'arn:aws:s3:::crowd-${EnvironmentName}-export/*'

ConcordiaKMSAccessPolicy:
UpdateReplacePolicy: Retain
Type: AWS::IAM::Policy
DeletionPolicy: Retain
Properties:
PolicyName: !Sub ConcordiaServiceKMSAccess-${EnvironmentName}
Roles:
Expand All @@ -136,7 +140,9 @@ Resources:
- 'arn:aws:kms:us-east-1:619333082511:key/d300e73d-9170-4001-933a-37af0bcdb956'

ConcordiaServiceSecretAccessPolicy:
UpdateReplacePolicy: Retain
Type: AWS::IAM::Policy
DeletionPolicy: Retain
Properties:
PolicyName: !Sub ConcordiaServiceSecretAccess-${EnvironmentName}
Roles:
Expand All @@ -157,7 +163,9 @@ Resources:
- !Sub 'arn:aws:secretsmanager:us-east-1:619333082511:secret:crowd/${EnvName}/DB/MasterUserPassword-${DbSecretId}'

ConcordiaEC2Role:
UpdateReplacePolicy: Retain
Type: AWS::IAM::Role
DeletionPolicy: Retain
Properties:
Path: /
AssumeRolePolicyDocument:
Expand All @@ -172,14 +180,18 @@ Resources:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

ConcordiaInstanceProfile:
UpdateReplacePolicy: Retain
Type: AWS::IAM::InstanceProfile
DeletionPolicy: Retain
Properties:
Path: /
Roles:
- !Ref 'ConcordiaEC2Role'

ConcordiaTaskRole:
UpdateReplacePolicy: Retain
Type: AWS::IAM::Role
DeletionPolicy: Retain
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Expand All @@ -194,13 +206,17 @@ Resources:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

ConcordiaAppLogsGroup:
UpdateReplacePolicy: Retain
Type: AWS::Logs::LogGroup
DeletionPolicy: Retain
Properties:
LogGroupName: !Ref AWS::StackName
RetentionInDays: 30

ConcordiaExternalTargetGroup:
UpdateReplacePolicy: Retain
Type: AWS::ElasticLoadBalancingV2::TargetGroup
DeletionPolicy: Retain
Properties:
HealthCheckIntervalSeconds: 30
HealthCheckPath: /healthz
Expand All @@ -214,13 +230,17 @@ Resources:
VpcId: !Ref VpcId

LoadBalancer:
UpdateReplacePolicy: Retain
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
DeletionPolicy: Retain
Properties:
Subnets: !Ref PublicSubnets
SecurityGroups:
- !Ref LoadBalancerSecurityGroup

ExternalLoadBalancerListener:
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Properties:
DefaultActions:
# FIXME: When AWS CF supports it, redirect to https
Expand All @@ -233,6 +253,8 @@ Resources:
Type: AWS::ElasticLoadBalancingV2::Listener

SecureExternalLoadBalancerListener:
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Properties:
Certificates:
- CertificateArn: !Sub 'arn:aws:iam::${AWS::AccountId}:server-certificate/${CanonicalHostName}'
Expand All @@ -245,12 +267,16 @@ Resources:
Type: AWS::ElasticLoadBalancingV2::Listener

ECSCluster:
UpdateReplacePolicy: Retain
Type: AWS::ECS::Cluster
DeletionPolicy: Retain
Properties:
ClusterName: !Ref EnvironmentName

ConcordiaTask:
UpdateReplacePolicy: Retain
Type: AWS::ECS::TaskDefinition
DeletionPolicy: Retain
Properties:
Family: !Sub crowd-${EnvName}
Cpu: '4096'
Expand Down Expand Up @@ -387,8 +413,10 @@ Resources:
Value: concordia.settings_ecs

ConcordiaExternalService:
UpdateReplacePolicy: Retain
Type: AWS::ECS::Service
DependsOn: ExternalLoadBalancerListener
DeletionPolicy: Retain
Properties:
Cluster: !Ref ECSCluster
LaunchType: FARGATE
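Review bot: `DeletionPolicy: Retain` on ConcordiaEC2Role, ConcordiaTaskRole, ConcordiaInstanceProfile and the three IAM policies means that deleting or replacing the stack leaves still-assumable roles with their attached permissions behind and no stack tracking them, which is exactly the stale-principal class of finding later access reviews have to chase. The same attribute on LoadBalancer and the two listeners keeps an internet-facing entry point reachable after the stack is gone, and on ConcordiaTask it keeps every superseded task-definition revision registered, including whatever environment configuration those revisions embed. Suggest limiting Retain in this file to ConcordiaAppLogsGroup, where keeping logs for incident investigation is the clear win, and leaving the IAM, load-balancer, service and task-definition resources at the default so they are torn down with the stack. If all of them must be kept, add a comment at the top of the `Resources` block naming the resources that will outlive the stack and the cleanup steps for them. Also, `DeletionPolicy` sits after the `Metadata` block on ConcordiaS3BucketAccessPolicy but directly after `Type` elsewhere; placing both attributes together after `Type` throughout reads more consistently.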
28 changes: 28 additions & 0 deletions cloudformation/infrastructure/network-acl.yaml
Expand Up @@ -30,7 +30,9 @@ Parameters:

Resources:
NetworkAcl:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAcl
DeletionPolicy: Retain
Properties:
VpcId:
Ref: VPC
Expand All @@ -42,7 +44,9 @@ Resources:
# NOTE: These rules are for dev / test / stage only

acl4:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAclEntry
DeletionPolicy: Retain
Properties:
CidrBlock: 0.0.0.0/0
Egress: true
Expand All @@ -51,31 +55,39 @@ Resources:
RuleNumber: 100
NetworkAclId: !Ref NetworkAcl
acl5:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAclEntry
DeletionPolicy: Retain
Properties:
CidrBlock: 140.147.236.152/32
Protocol: -1
RuleAction: deny
RuleNumber: 10
NetworkAclId: !Ref NetworkAcl
acl6:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAclEntry
DeletionPolicy: Retain
Properties:
CidrBlock: 140.147.236.214/32
Protocol: -1
RuleAction: deny
RuleNumber: 11
NetworkAclId: !Ref NetworkAcl
acl6b:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAclEntry
DeletionPolicy: Retain
Properties:
CidrBlock: 140.147.236.213/32
Protocol: -1
RuleAction: deny
RuleNumber: 12
NetworkAclId: !Ref NetworkAcl
acl7:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAclEntry
DeletionPolicy: Retain
Properties:
CidrBlock: 140.147.0.0/16
Protocol: 6
Expand All @@ -87,7 +99,9 @@ Resources:
NetworkAclId:
Ref: NetworkAcl
acl8:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAclEntry
DeletionPolicy: Retain
Properties:
CidrBlock: 0.0.0.0/0
Protocol: 6
Expand All @@ -99,7 +113,9 @@ Resources:
NetworkAclId:
Ref: NetworkAcl
acl9:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAclEntry
DeletionPolicy: Retain
Properties:
CidrBlock: 0.0.0.0/0
Protocol: 6
Expand All @@ -110,7 +126,9 @@ Resources:
To: 80
NetworkAclId: !Ref NetworkAcl
acl10:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAclEntry
DeletionPolicy: Retain
Properties:
CidrBlock: 0.0.0.0/0
Protocol: 6
Expand All @@ -122,7 +140,9 @@ Resources:
NetworkAclId: !Ref NetworkAcl

acl11:
UpdateReplacePolicy: Retain
Type: AWS::EC2::NetworkAclEntry
DeletionPolicy: Retain
Properties:
CidrBlock: 0.0.0.0/0
Protocol: -1
Expand All @@ -131,25 +151,33 @@ Resources:
NetworkAclId: !Ref NetworkAcl

subnetacl5:
UpdateReplacePolicy: Retain
Type: AWS::EC2::SubnetNetworkAclAssociation
DeletionPolicy: Retain
Properties:
NetworkAclId: !Ref NetworkAcl
SubnetId: !Ref PrivateSubnet1

subnetacl6:
UpdateReplacePolicy: Retain
Type: AWS::EC2::SubnetNetworkAclAssociation
DeletionPolicy: Retain
Properties:
NetworkAclId: !Ref NetworkAcl
SubnetId: !Ref PrivateSubnet2

subnetacl7:
UpdateReplacePolicy: Retain
Type: AWS::EC2::SubnetNetworkAclAssociation
DeletionPolicy: Retain
Properties:
NetworkAclId: !Ref NetworkAcl
SubnetId: !Ref PublicSubnet1

subnetacl8:
UpdateReplacePolicy: Retain
Type: AWS::EC2::SubnetNetworkAclAssociation
DeletionPolicy: Retain
Properties:
NetworkAclId: !Ref NetworkAcl
SubnetId: !Ref PublicSubnet2
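Review bot: `UpdateReplacePolicy: Retain` on the NetworkAclEntry resources (acl4 through acl11) keeps an old entry enforced when a property that forces replacement, as I read it `RuleNumber` or `Egress`, is changed, so the live NACL ends up containing rules the template no longer describes. Because NACL rules are evaluated in ascending rule-number order, a retained low-numbered allow or deny entry can shadow the replacement that was meant to supersede it, and for the deny entries on the 140.147.236.x addresses that silently changes what the ACL actually blocks. These entries and the SubnetNetworkAclAssociation resources carry no state and are cheap to recreate, so leaving them at the default policy keeps the live ACL equal to the template; Retain on `NetworkAcl` itself is defensible if its ID is referenced elsewhere. The existing comment `# NOTE: These rules are for dev / test / stage only` in the second hunk reads as if this template is not meant for crowd-prod, which the commit description names as a target; if that note is stale it is worth correcting in the same change.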
4 changes: 4 additions & 0 deletions cloudformation/infrastructure/rds.yaml
Expand Up @@ -24,15 +24,19 @@ Parameters:

Resources:
PostgresSubnetGroup:
UpdateReplacePolicy: Retain
Type: AWS::RDS::DBSubnetGroup
DeletionPolicy: Retain
Properties:
DBSubnetGroupDescription: Created from the RDS Management Console
SubnetIds:
- Ref: PrivateSubnet1
- Ref: PrivateSubnet2

PostgresService:
UpdateReplacePolicy: Retain
Type: AWS::RDS::DBInstance
DeletionPolicy: Retain
Properties:
AllocatedStorage: '20'
AllowMajorVersionUpgrade: false
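Review bot: `UpdateReplacePolicy: Retain` on PostgresService keeps the old instance if a replacement is triggered, but the replacement instance is created fresh, so the stack and the application then point at an empty database; this protects the data without protecting the service, and a manual restore or endpoint switch is still required. The "non-destructive updates" goal in the commit message is better served by also setting `DeletionProtection: true` under `Properties`, which blocks deletion by CloudFormation and by a console user alike, together with a stack policy that denies `Update:Replace` on this logical ID. `DeletionPolicy: Snapshot` is the alternative for the delete path when keeping a running, reachable instance and its cost is not wanted. PostgresService's Properties continue outside the hunk, so whether DeletionProtection is already set cannot be confirmed here.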
10 changes: 10 additions & 0 deletions cloudformation/infrastructure/security-groups.yaml
Expand Up @@ -17,7 +17,9 @@ Resources:
# By default we're just allowing access from the load balancer. If you want to SSH
# into the hosts, or expose non-load balanced services you can open their ports here.
ECSHostSecurityGroup:
UpdateReplacePolicy: Retain
Type: AWS::EC2::SecurityGroup
DeletionPolicy: Retain
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the ECS hosts and the tasks/containers that run on them
Expand All @@ -40,12 +42,14 @@ Resources:
Value: !Sub ${EnvironmentName}-ECS-Hosts

LoadBalancerSecurityGroup:
UpdateReplacePolicy: Retain
Type: AWS::EC2::SecurityGroup
Metadata:
cfn_nag:
rules_to_suppress:
- id: W9
reason: 'The CIDR block should only allow 140.147.*.* IPs so it should end in /16'
DeletionPolicy: Retain
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the load balancer that sits in front of ECS
Expand All @@ -71,7 +75,9 @@ Resources:
Value: 'true'

DatabaseSecurityGroup:
UpdateReplacePolicy: Retain
Type: AWS::EC2::SecurityGroup
DeletionPolicy: Retain
Properties:
VpcId: !Ref VPC
GroupDescription: Access to the RDS Postgres database
Expand All @@ -87,12 +93,14 @@ Resources:
CidrIp: 0.0.0.0/0

BastionHostSecurityGroup:
UpdateReplacePolicy: Retain
Type: AWS::EC2::SecurityGroup
Metadata:
cfn_nag:
rules_to_suppress:
- id: W9
reason: 'The CIDR block should only allow 140.147.*.* IPs so it should end in /16'
DeletionPolicy: Retain
Properties:
VpcId: !Ref VPC
GroupDescription: Bastion hosts for ECS access
Expand All @@ -111,7 +119,9 @@ Resources:
Value: !Sub ${EnvironmentName}-BastionHosts

CacheServiceSecurityGroup:
UpdateReplacePolicy: Retain
Type: AWS::EC2::SecurityGroup
DeletionPolicy: Retain
Properties:
VpcId: !Ref VPC
GroupDescription: Access to cache services for ECS hosts
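Review bot: `UpdateReplacePolicy: Retain` on the five security groups means a replaced group (a change to `GroupDescription` or `VpcId` forces replacement) is left behind with all of its rules intact but no longer managed by the stack, and if it is still attached to retained network interfaces it keeps granting that access indefinitely. Orphaned security groups with broad rules are a classic audit finding; the `CidrIp: 0.0.0.0/0` line visible under DatabaseSecurityGroup (probably its egress rule, the hunk does not show) means any retained copy of that group deserves the same scrutiny as the live one. Security groups carry no state, so the default policy is the safer choice here, or at minimum a comment in the `Resources` header stating that retained groups must be audited and deleted after a replacement. On style, `DeletionPolicy` is placed after the `Metadata`/cfn_nag block on LoadBalancerSecurityGroup and BastionHostSecurityGroup but right after `Type` on the other three; placing both attributes together after `Type` in all five keeps the lifecycle settings easy to find.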
