feat!(guest-webapp-sample): Change container repository to ECR with p…

…ull through cache. (#72) * feat!: Change container repository to ECR with pull through cache. * feat!: Change subnet type of ECS Task to Protected. * feat: Revert code samples for own repo/images. Co-authored-by: Yukitaka Ohmura <[email protected]>
aws-samples · Sep 5, 2022 · eb33947 · eb33947
1 parent 121ea77
commit eb33947
Show file tree

Hide file tree

Showing 10 changed files with 170 additions and 1,683 deletions.
diff --git a/usecases/guest-webapp-sample/bin/blea-guest-ecsapp-sample-pipeline.ts b/usecases/guest-webapp-sample/bin/blea-guest-ecsapp-sample-pipeline.ts
@@ -5,8 +5,6 @@ import { BLEADbAuroraPgStack } from '../lib/blea-db-aurora-pg-stack';
 import { BLEAECSAppStack } from '../lib/blea-ecsapp-stack';
 import { BLEAMonitorAlarmStack } from '../lib/blea-monitor-alarm-stack';
 import { BLEAChatbotStack } from '../lib/blea-chatbot-stack';
-import { BLEABuildContainerStack } from '../lib/blea-build-container-stack';
-import { BLEAECRStack } from '../lib/blea-ecr-stack';
 import { BLEAWafStack } from '../lib/blea-waf-stack';
 import { BLEAFrontendSimpleStack } from '../lib/blea-frontend-simple-stack';
 import { BLEADashboardStack } from '../lib/blea-dashboard-stack';
@@ -102,31 +100,14 @@ export class BLEAPipelineStage extends cdk.Stage {
       // env: getProcEnv(),
     });
 
-    // Container Repository
-    const ecr = new BLEAECRStack(this, `${pjPrefix}-ECR`, {
-      // TODO: will get "repositoryName" from parameters
-      repositoryName: 'apprepo',
-      alarmTopic: monitorAlarm.alarmTopic,
-      // env: getProcEnv(),
-    });
-
-    // Build Container Image
-    const build_container = new BLEABuildContainerStack(this, `${pjPrefix}-ContainerImage`, {
-      ecrRepository: ecr.repository,
-      // env: getProcEnv(),
-    });
-
     // Application Stack (LoadBalancer + Fargate)
     const ecsApp = new BLEAECSAppStack(this, `${pjPrefix}-ECSApp`, {
       myVpc: prodVpc.myVpc,
       appKey: appKey.kmsKey,
-      repository: ecr.repository,
-      imageTag: build_container.imageTag,
       alarmTopic: monitorAlarm.alarmTopic,
       webFront: front,
       // env: getProcEnv(),
     });
-    ecsApp.addDependency(build_container);
 
     // Aurora
     const dbCluster = new BLEADbAuroraPgStack(this, `${pjPrefix}-DBAuroraPg`, {

diff --git a/usecases/guest-webapp-sample/bin/blea-guest-ecsapp-sample.ts b/usecases/guest-webapp-sample/bin/blea-guest-ecsapp-sample.ts
@@ -5,12 +5,12 @@ import { BLEADbAuroraPgStack } from '../lib/blea-db-aurora-pg-stack';
 import { BLEAECSAppStack } from '../lib/blea-ecsapp-stack';
 import { BLEAMonitorAlarmStack } from '../lib/blea-monitor-alarm-stack';
 import { BLEAChatbotStack } from '../lib/blea-chatbot-stack';
-import { BLEABuildContainerStack } from '../lib/blea-build-container-stack';
-import { BLEAECRStack } from '../lib/blea-ecr-stack';
 import { BLEAWafStack } from '../lib/blea-waf-stack';
 import { BLEAFrontendSimpleStack } from '../lib/blea-frontend-simple-stack';
 import { BLEADashboardStack } from '../lib/blea-dashboard-stack';
 import { BLEACanaryStack } from '../lib/blea-canary-stack';
+// import { BLEABuildContainerStack } from '../lib/blea-build-container-stack';
+// import { BLEAECRStack } from '../lib/blea-ecr-stack';
 
 const pjPrefix = 'BLEA';
 
@@ -92,31 +92,36 @@ const front = new BLEAFrontendSimpleStack(app, `${pjPrefix}-SimpleFrontStack`, {
   env: getProcEnv(),
 });
 
-// Container Repository
-const ecr = new BLEAECRStack(app, `${pjPrefix}-ECR`, {
-  // TODO: will get "repositoryName" from parameters
-  repositoryName: 'apprepo',
-  alarmTopic: monitorAlarm.alarmTopic,
-  env: getProcEnv(),
-});
-
-// Build Container Image
-const build_container = new BLEABuildContainerStack(app, `${pjPrefix}-ContainerImage`, {
-  ecrRepository: ecr.repository,
-  env: getProcEnv(),
-});
+// -- SAMPLE: Create your own ECR Repository and store your own image
+//
+// // Container Repository
+// const ecr = new BLEAECRStack(app, `${pjPrefix}-ECR`, {
+//   // TODO: will get "repositoryName" from parameters
+//   repositoryName: 'apprepo',
+//   alarmTopic: monitorAlarm.alarmTopic,
+//   env: getProcEnv(),
+// });
+//
+// // Build Container Image (Don't forget add dependency to BLEAECSAppStack)
+// const build_container = new BLEABuildContainerStack(app, `${pjPrefix}-ContainerImage`, {
+//   ecrRepository: ecr.repository,
+//   env: getProcEnv(),
+// });
 
 // Application Stack (LoadBalancer + Fargate)
 const ecsApp = new BLEAECSAppStack(app, `${pjPrefix}-ECSApp`, {
   myVpc: prodVpc.myVpc,
   appKey: appKey.kmsKey,
-  repository: ecr.repository,
-  imageTag: build_container.imageTag,
   alarmTopic: monitorAlarm.alarmTopic,
   webFront: front,
   env: getProcEnv(),
+  // -- SAMPLE: Pass your own ECR repository and your own image
+  //  repository: ecr.repository,
+  //  imageTag: build_container.imageTag,
 });
-ecsApp.addDependency(build_container);
+
+// -- SAMPLE: Need this when you use build_container
+// ecsApp.addDependency(build_container);
 
 // Aurora
 const dbCluster = new BLEADbAuroraPgStack(app, `${pjPrefix}-DBAuroraPg`, {

diff --git a/usecases/guest-webapp-sample/bin/blea-guest-ecsapp-ssl-sample.ts b/usecases/guest-webapp-sample/bin/blea-guest-ecsapp-ssl-sample.ts
@@ -5,8 +5,6 @@ import { BLEADbAuroraPgStack } from '../lib/blea-db-aurora-pg-stack';
 import { BLEAECSAppStack } from '../lib/blea-ecsapp-stack';
 import { BLEAMonitorAlarmStack } from '../lib/blea-monitor-alarm-stack';
 import { BLEAChatbotStack } from '../lib/blea-chatbot-stack';
-import { BLEABuildContainerStack } from '../lib/blea-build-container-stack';
-import { BLEAECRStack } from '../lib/blea-ecr-stack';
 import { BLEAWafStack } from '../lib/blea-waf-stack';
 import { BLEAFrontendSslStack } from '../lib/blea-frontend-ssl-stack';
 import { BLEADashboardStack } from '../lib/blea-dashboard-stack';
@@ -95,31 +93,14 @@ const front = new BLEAFrontendSslStack(app, `${pjPrefix}-SSLFrontStack`, {
   env: getProcEnv(),
 });
 
-// Container Repository
-const ecr = new BLEAECRStack(app, `${pjPrefix}-ECR`, {
-  // TODO: will get "repositoryName" from parameters
-  repositoryName: 'apprepo',
-  alarmTopic: monitorAlarm.alarmTopic,
-  env: getProcEnv(),
-});
-
-// Build Container Image
-const build_container = new BLEABuildContainerStack(app, `${pjPrefix}-ContainerImage`, {
-  ecrRepository: ecr.repository,
-  env: getProcEnv(),
-});
-
 // Application Stack (LoadBalancer + Fargate)
 const ecsApp = new BLEAECSAppStack(app, `${pjPrefix}-ECSAppSSL`, {
   myVpc: prodVpc.myVpc,
   appKey: appKey.kmsKey,
-  repository: ecr.repository,
-  imageTag: build_container.imageTag,
   alarmTopic: monitorAlarm.alarmTopic,
   webFront: front,
   env: getProcEnv(),
 });
-ecsApp.addDependency(build_container);
 
 // Aurora
 const dbCluster = new BLEADbAuroraPgStack(app, `${pjPrefix}-DBAuroraPg`, {

diff --git a/usecases/guest-webapp-sample/lib/blea-ecsapp-stack.ts b/usecases/guest-webapp-sample/lib/blea-ecsapp-stack.ts
@@ -17,10 +17,11 @@ import { IBLEAFrontend } from './blea-frontend-interface';
 export interface BLEAECSAppStackProps extends cdk.StackProps {
   myVpc: ec2.Vpc;
   appKey: kms.IKey;
-  repository: ecr.Repository;
-  imageTag: string;
   alarmTopic: sns.Topic;
   webFront: IBLEAFrontend;
+  // -- SAMPLE: Receive your own ECR repository and your own image
+  //  repository: ecr.Repository;
+  //  imageTag: string;
 }
 
 export class BLEAECSAppStack extends cdk.Stack {
@@ -45,6 +46,18 @@ export class BLEAECSAppStack extends cdk.Stack {
     const executionRole = new iam.Role(this, 'EcsTaskExecutionRole', {
       assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
       managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonECSTaskExecutionRolePolicy')],
+      inlinePolicies: {
+        ecrPullThroughCache:
+          // https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html#pull-through-cache-iam
+          new iam.PolicyDocument({
+            statements: [
+              new iam.PolicyStatement({
+                actions: ['ecr:BatchImportUpstreamImage', 'ecr:CreateRepository'],
+                resources: ['*'],
+              }),
+            ],
+          }),
+      },
     });
 
     // Role for Container
@@ -105,12 +118,32 @@ export class BLEAECSAppStack extends cdk.Stack {
       memoryLimitMiB: 512,
     });
 
+    // Container Registry
+    // - Using pull through cache rules
+    //   https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html
+    //   ecrRepositoryPrefix must start with a letter and can only contain lowercase letters, numbers, hyphens, and underscores and max length is 20.
+    const ecrRepositoryPrefix = `ecr-${cdk.Stack.of(this).stackName.toLowerCase()}`;
+    new ecr.CfnPullThroughCacheRule(this, 'PullThroughCacheRule', {
+      ecrRepositoryPrefix: ecrRepositoryPrefix,
+      upstreamRegistryUrl: 'public.ecr.aws',
+    });
+
     // Container
+    const containerImage = 'docker/library/httpd';
     const ecsContainer = ecsTask.addContainer('EcsApp', {
-      // -- SAMPLE: if you want to use your ECR repository, you can use like this.
-      image: ecs.ContainerImage.fromEcrRepository(props.repository, props.imageTag),
-
-      // -- SAMPLE: if you want to use DockerHub, you can use like this.
+      // -- Option 1: If you want to use your ECR repository with pull through cache, you can use like this.
+      image: ecs.ContainerImage.fromEcrRepository(
+        ecr.Repository.fromRepositoryName(this, 'PullThrough', `${ecrRepositoryPrefix}/${containerImage}`),
+        'latest',
+      ),
+
+      // -- Option 2: If you want to use your ECR repository, you can use like this.
+      // --           You Need to create your repository and dockerimage, then pass it to this stack.
+      // image: ecs.ContainerImage.fromEcrRepository(props.repository, props.imageTag),
+
+      // -- Option 3: If you want to use DockerHub, you can use like this.
+      // --           You need public access route to internet for ECS Task.
+      // --           See vpcSubnets property for new ecs.FargateService().
       // image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
 
       environment: {
@@ -156,8 +189,8 @@ export class BLEAECSAppStack extends cdk.Stack {
         //},
       ],
       vpcSubnets: props.myVpc.selectSubnets({
-        subnetGroupName: 'Private', // For public DockerHub
-        //subnetGroupName: 'Protected'   // For your ECR. Need to use PrivateLinke for ECR
+        // subnetGroupName: 'Private', // For public DockerHub
+        subnetGroupName: 'Protected', // For your ECR. Need to use PrivateLinke for ECR
       }),
       securityGroups: [securityGroupForFargate],
     });