From 5eead99e7ea13d1b736d0d4d554638c98a9f63c1 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 00:16:50 -0700 Subject: [PATCH 01/56] Add checkout step --- .github/workflows/deploy.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 3df5089..72172c9 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -16,6 +16,8 @@ jobs: permissions: id-token: write steps: + - name: Checkout repo + uses: actions/checkout@v3 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1-node16 with: From 9ff8b899b3d62c2b934f6d2782a5eabca7eb7a46 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 00:37:26 -0700 Subject: [PATCH 02/56] Add ecs:DescribeClusters permissions to GithubRole --- cloud-formation/github-role.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index e7b6125..fd08c73 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -84,6 +84,19 @@ Resources: }, ] } + - PolicyName: EcsPolicy + PolicyDocument: { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": Allow, + "Action": [ + ecs:DescribeClusters + ], + "Resource": "*" + }, + ] + } GithubOidc: Type: AWS::IAM::OIDCProvider From 364068ed99bf121eb1658f9f9f32eb5636852624 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 00:45:42 -0700 Subject: [PATCH 03/56] Fix syntax in policy documents --- cloud-formation/github-role.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index fd08c73..0a3bcc4 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml 
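Review bot: `uses: actions/checkout@v3` pins the action to a mutable tag, so the deploy job, which later obtains AWS credentials through OIDC, runs whatever code that tag points to at run time. Pinning to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, makes the supply chain reproducible; the same applies to `configure-aws-credentials@v1-node16` in the context lines and to the `amazon-ecr-login@v1` and `aws-cloudformation-github-deploy@v1` steps added in PATCH 19. The job body continues outside the hunk.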
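Review bot: The new `EcsPolicy` statement grants `ecs:DescribeClusters` on `"Resource": "*"`, and the same wildcard is kept as this statement grows through PATCH 04–22 and 30–39. Actions that take a cluster or service ARN can be limited to the stack's own resources, e.g. `"Resource": "arn:aws:ecs:<region>:<account-id>:cluster/GoCaptureCluster"`, leaving a separate `"*"` statement only for the actions that do not support resource-level permissions. A short comment naming why each statement exists (`# permissions for cloud-formation/ecs.yaml`) would also help future reviews of this growing list.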
@@ -23,7 +23,7 @@ Resources: "Version": "2012-10-17", "Statement": [ { - "Effect": Allow, + "Effect": "Allow", "Action": [ cloudformation:CreateChangeSet, cloudformation:CreateStack, @@ -33,7 +33,7 @@ Resources: cloudformation:ExecuteChangeSet, ], "Resource": "*" - }, + } ] } - PolicyName: IamPolicy @@ -41,7 +41,7 @@ Resources: "Version": "2012-10-17", "Statement": [ { - "Effect": Allow, + "Effect": "Allow", "Action": [ iam:CreateUser, iam:DeleteUser, @@ -55,7 +55,7 @@ Resources: iam:UpdateAssumeRolePolicy, ], "Resource": "*" - }, + } ] } - PolicyName: EcrPolicy @@ -63,7 +63,7 @@ Resources: "Version": "2012-10-17", "Statement": [ { - "Effect": Allow, + "Effect": "Allow", "Action": [ ecr:BatchCheckLayerAvailability, ecr:BatchGetImage, @@ -81,7 +81,7 @@ Resources: ecr:UploadLayerPart ], "Resource": "*" - }, + } ] } - PolicyName: EcsPolicy @@ -89,12 +89,12 @@ Resources: "Version": "2012-10-17", "Statement": [ { - "Effect": Allow, + "Effect": "Allow", "Action": [ - ecs:DescribeClusters + "ecs:DescribeClusters" ], "Resource": "*" - }, + } ] } From 245467c5305b75c52da64025c202d032c4e6fc51 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 01:25:11 -0700 Subject: [PATCH 04/56] Add ecs:CreateCluster permissions to GithubRole --- cloud-formation/github-role.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 0a3bcc4..ac1bc8a 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -91,7 +91,8 @@ Resources: { "Effect": "Allow", "Action": [ - "ecs:DescribeClusters" + "ecs:DescribeClusters", + "ecs:CreateCluster" ], "Resource": "*" } From edaba4784eb7f0625faea4b707c6ae8a8ddcfd7c Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 01:44:48 -0700 Subject: [PATCH 05/56] Add ECS Service --- cloud-formation/ecs.yaml | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index bf54116..ede168f 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -3,3 +3,10 @@ Resources: Type: AWS::ECS::Cluster Properties: ClusterName: GoCaptureCluster + Service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref Cluster + DesiredCount: 1 + LaunchType: FARGATE + ServiceName: GoCaptureECSService From c28c236c41502f4e25446f3ae893640c2b897ebb Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 01:54:05 -0700 Subject: [PATCH 06/56] Roles for ECS task --- cloud-formation/ecs.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index ede168f..01176ea 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -1,4 +1,14 @@ Resources: + ExecutionRole: + Type: AWS::IAM::Role + Properties: + RoleName: GoCaptureExecutionRole + Path: /gocapture/ + TaskRole: + Type: AWS::IAM::Role + Properties: + RoleName: GoCaptureTaskRole + Path: /gocapture/ Cluster: Type: AWS::ECS::Cluster Properties: From 056cfb3efa9cbf5ec20a93ea30ef88e337771624 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 01:54:12 -0700 Subject: [PATCH 07/56] ECS Task Definition --- cloud-formation/ecs.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index 01176ea..a77b03c 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -20,3 +20,17 @@ Resources: DesiredCount: 1 LaunchType: FARGATE ServiceName: GoCaptureECSService + TaskDefinition: !Ref TaskDefinition + TaskDefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - ContainerDefinition + Cpu: .25 vCPU + ExecutionRoleArn: !Ref ExecutionRole + Family: GoCapture + Memory: 0.5 GB + NetworkMode: awsvpc + RuntimePlatform: + RuntimePlatform + TaskRoleArn: !Ref TaskRole 
From 3754aea3de8adda27ad90cac262dcb873bb999cc Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 01:58:01 -0700 Subject: [PATCH 08/56] Add CAPABILITY_NAMED_IAM for deploy --- .github/workflows/deploy.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 72172c9..ccfbf4d 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -28,5 +28,6 @@ jobs: uses: aws-actions/aws-cloudformation-github-deploy@v1 with: name: GoCaptureECSCluster + capabilities: CAPABILITY_NAMED_IAM template: cloud-formation/ecs.yaml no-fail-on-empty-changeset: 1 From e9b888b6a5df0ceb0cef8c73f67d4a6dbdcab55b Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 02:12:53 -0700 Subject: [PATCH 09/56] Add AssumeRolePolicyDocument for ExecutionRole --- cloud-formation/ecs.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index a77b03c..b52228c 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -3,6 +3,12 @@ Resources: Type: AWS::IAM::Role Properties: RoleName: GoCaptureExecutionRole + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Action: sts:AssumeRole + Principle: + Service: ecs-tasks.amazonaws.com Path: /gocapture/ TaskRole: Type: AWS::IAM::Role From 2b8047d2493def0e91a0881a8d2d90a8f4001f8e Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 02:16:17 -0700 Subject: [PATCH 10/56] Add AssumeRolePolicyDocument for TaskRole --- cloud-formation/ecs.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index b52228c..ac41030 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml 
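Review bot: The `AssumeRolePolicyDocument` added for `ExecutionRole` trusts `ecs-tasks.amazonaws.com` with no condition, so the trust is not limited to tasks in this account (the confused-deputy case AWS documents for this service principal); `TaskRole` gets the same shape in PATCH 10. Restricting the trust to this account is a three-line addition under the statement: `Condition:` / `  StringEquals:` / `    aws:SourceAccount: !Ref AWS::AccountId` (`aws:SourceArn` can narrow it further). The document also has no `Version: "2012-10-17"` key, which CloudFormation accepts but policy linters flag.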
@@ -14,6 +14,12 @@ Resources: Type: AWS::IAM::Role Properties: RoleName: GoCaptureTaskRole + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Action: sts:AssumeRole + Principle: + Service: ecs-tasks.amazonaws.com Path: /gocapture/ Cluster: Type: AWS::ECS::Cluster From 77c28b2b07d7c5692c57f4ca41d2b04143f12886 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 02:23:38 -0700 Subject: [PATCH 11/56] Add iam:CreateRole to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index ac1bc8a..4d83119 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -43,6 +43,7 @@ Resources: { "Effect": "Allow", "Action": [ + iam:CreateRole, iam:CreateUser, iam:DeleteUser, iam:DeleteUserPolicy, From 91e66a1a8c55979252f20bd217a863755bb400c7 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 02:40:27 -0700 Subject: [PATCH 12/56] Fix spelling --- cloud-formation/ecs.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index ac41030..8c5086d 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -7,7 +7,7 @@ Resources: Statement: - Effect: Allow Action: sts:AssumeRole - Principle: + Principal: Service: ecs-tasks.amazonaws.com Path: /gocapture/ TaskRole: @@ -18,7 +18,7 @@ Resources: Statement: - Effect: Allow Action: sts:AssumeRole - Principle: + Principal: Service: ecs-tasks.amazonaws.com Path: /gocapture/ Cluster: From 678c812d3481d7d1cc0abd130453ca01d532294e Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 03:18:29 -0700 Subject: [PATCH 13/56] Add container definition --- .github/workflows/deploy.yaml | 1 + cloud-formation/ecs.yaml | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index ccfbf4d..b3ef5c3 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -29,5 +29,6 @@ jobs: with: name: GoCaptureECSCluster capabilities: CAPABILITY_NAMED_IAM + parameter-overrides: "TaskImage=$REGISTRY/$REPOSITORY:$IMAGE_TAG" template: cloud-formation/ecs.yaml no-fail-on-empty-changeset: 1 diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index 8c5086d..055d7a2 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -1,3 +1,6 @@ +Parameters: + TaskImage: + Type: String Resources: ExecutionRole: Type: AWS::IAM::Role @@ -37,7 +40,8 @@ Resources: Type: AWS::ECS::TaskDefinition Properties: ContainerDefinitions: - - ContainerDefinition + - Name: GoCaptureContainer + Image: !Ref TaskImage Cpu: .25 vCPU ExecutionRoleArn: !Ref ExecutionRole Family: GoCapture From ac3d268f0ece5c9a28a7e5d7507ede30004adf40 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 03:27:38 -0700 Subject: [PATCH 14/56] Define runtime platform for tasks --- cloud-formation/ecs.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index 055d7a2..a9c63ba 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -48,5 +48,6 @@ Resources: Memory: 0.5 GB NetworkMode: awsvpc RuntimePlatform: - RuntimePlatform + CpuArchitecture: X86_64 + OperatingSystemFamily: LINUX TaskRoleArn: !Ref TaskRole From 0b2bdfe154a0469a22af72b3d51888157e619e71 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 03:33:14 -0700 Subject: [PATCH 15/56] Add iam:DeleteRole to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 4d83119..8efcdd7 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml 
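Review bot: The new `TaskImage` parameter is an unconstrained `String`, so a typo or a wrong `parameter-overrides` value would register a task definition that pulls an arbitrary image. An `AllowedPattern` limiting it to this account's ECR registry and the `go-capture` repository (constructed example: `AllowedPattern: '^[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/go-capture:[0-9a-f]{40}$'`) makes CloudFormation reject anything else before a deployment starts. A one-line `Description:` on the parameter stating that the tag is the commit SHA would document the convention the workflow relies on.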
@@ -45,6 +45,7 @@ Resources: "Action": [ iam:CreateRole, iam:CreateUser, + iam:DeleteRole, iam:DeleteUser, iam:DeleteUserPolicy, iam:GetRole, From 671ce37bdfdf1890ae1cd0bdc4b82e1071cb2ac5 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 11:16:57 -0700 Subject: [PATCH 16/56] Add ecs:RegisterTaskDefinition to GithubRole --- cloud-formation/github-role.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 8efcdd7..9933952 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -94,7 +94,8 @@ Resources: "Effect": "Allow", "Action": [ "ecs:DescribeClusters", - "ecs:CreateCluster" + "ecs:CreateCluster", + "ecs:RegisterTaskDefinition" ], "Resource": "*" } From ce81e8a9ef7a551f68f05e68996a66d6924f8b97 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 11:17:25 -0700 Subject: [PATCH 17/56] Sort actions --- cloud-formation/github-role.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 9933952..c9f1e99 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -93,8 +93,8 @@ Resources: { "Effect": "Allow", "Action": [ - "ecs:DescribeClusters", "ecs:CreateCluster", + "ecs:DescribeClusters", "ecs:RegisterTaskDefinition" ], "Resource": "*" From a29113e566d5c38b000db76d8b9d38132cac42a6 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 11:24:54 -0700 Subject: [PATCH 18/56] Add iam:PassRole to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index c9f1e99..41bf83e 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml 
@@ -51,6 +51,7 @@ Resources: iam:GetRole, iam:GetUser, iam:ListAccessKeys, + iam:PassRole, iam:PutRolePolicy, iam:PutRoleRole, iam:PutUserPolicy, From 7a6cf1ee8b561fbafdae0d659a9c87633d74d981 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 11:49:50 -0700 Subject: [PATCH 19/56] Correctly set up image tag --- .github/workflows/deploy.yaml | 10 +++++++++- cloud-formation/github-role.yaml | 4 ++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index b3ef5c3..cff78ad 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -24,11 +24,19 @@ jobs: role-to-assume: arn:aws:iam::200049542062:role/gocapture/GithubRole aws-region: us-west-1 + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + - name: Deploy ECS Cluster + env: + REGISTRY: ${{ steps.login-ecr.outputs.registry }} + REPOSITORY: go-capture + IMAGE_TAG: ${{ github.sha }} uses: aws-actions/aws-cloudformation-github-deploy@v1 with: name: GoCaptureECSCluster capabilities: CAPABILITY_NAMED_IAM - parameter-overrides: "TaskImage=$REGISTRY/$REPOSITORY:$IMAGE_TAG" + parameter-overrides: "TaskImage=${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ env.IMAGE_TAG }}" template: cloud-formation/ecs.yaml no-fail-on-empty-changeset: 1 diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 41bf83e..afbe20b 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -51,7 +51,6 @@ Resources: iam:GetRole, iam:GetUser, iam:ListAccessKeys, - iam:PassRole, iam:PutRolePolicy, iam:PutRoleRole, iam:PutUserPolicy, @@ -96,7 +95,8 @@ Resources: "Action": [ "ecs:CreateCluster", "ecs:DescribeClusters", - "ecs:RegisterTaskDefinition" + "ecs:RegisterTaskDefinition", + "iam:PassRole" ], "Resource": "*" } From c2c4e0b389f292cd00aa0bdb7a34b1810dfd1d25 Mon Sep 17 00:00:00 2001 
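Review bot: `iam:PassRole` is added under the statement's `"Resource": "*"`, and PATCH 19 on this line moves it into `EcsPolicy` with the same wildcard; the GitHub role can then hand any role in the account to ECS, which is a well-known escalation path for a CI identity. Limit it to the two roles this stack creates and to the ECS service: `"Resource": ["arn:aws:iam::<account-id>:role/gocapture/GoCaptureExecutionRole", "arn:aws:iam::<account-id>:role/gocapture/GoCaptureTaskRole"]` with `"Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}` (the `/gocapture/` path segment is dropped again in PATCH 36, so the ARNs would change then). This hunk's action names are also unquoted while the `EcsPolicy` statement quotes its strings; one style would make the file easier to lint.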
From: Code-Apprentice Date: Sat, 24 Dec 2022 12:28:05 -0700 Subject: [PATCH 20/56] Add ecs:DescribeServices to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index afbe20b..e049ee0 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -95,6 +95,7 @@ Resources: "Action": [ "ecs:CreateCluster", "ecs:DescribeClusters", + "ecs:DescribeServices", "ecs:RegisterTaskDefinition", "iam:PassRole" ], From 20222ccb2464699529a196b0243158957c8cec4b Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 12:40:28 -0700 Subject: [PATCH 21/56] Add ecs:DeregisterTaskDefinition to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index e049ee0..caf9d5d 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -94,6 +94,7 @@ Resources: "Effect": "Allow", "Action": [ "ecs:CreateCluster", + "ecs:DeregisterTaskDefinition", "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:RegisterTaskDefinition", From 1972ca620d4643d899d26bcefd6cefd9ed3c9715 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 12:56:51 -0700 Subject: [PATCH 22/56] Add ecs:CreateService to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index caf9d5d..da69983 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -94,6 +94,7 @@ Resources: "Effect": "Allow", "Action": [ "ecs:CreateCluster", + "ecs:CreateService", "ecs:DeregisterTaskDefinition", "ecs:DescribeClusters", "ecs:DescribeServices", From a45719c505c9f21b7dcb6c725df6f7aa6cb7e6de Mon Sep 17 00:00:00 2001 
From: Code-Apprentice Date: Sat, 24 Dec 2022 20:32:32 -0700 Subject: [PATCH 23/56] Add network configuration for ECS Service --- cloud-formation/ecs.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index a9c63ba..c8b3952 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -24,6 +24,19 @@ Resources: Principal: Service: ecs-tasks.amazonaws.com Path: /gocapture/ + Vpc: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: GoCaptureSecurityGroup + VpcId: !Ref Vpc + PublicSubnet: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref Vpc Cluster: Type: AWS::ECS::Cluster Properties: @@ -34,6 +47,13 @@ Resources: Cluster: !Ref Cluster DesiredCount: 1 LaunchType: FARGATE + NetworkConfiguration: + AwsvpcConfiguration: + AssignPublicIp: ENABLED + SecurityGroups: + - !Ref SecurityGroup + Subnets: + - !Ref PublicSubnet ServiceName: GoCaptureECSService TaskDefinition: !Ref TaskDefinition TaskDefinition: From a56a1964ab801309e6db3dc5a51677bf0ebeecc6 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 22:02:29 -0700 Subject: [PATCH 24/56] Add ec2:CreateVpc to GithubRole --- cloud-formation/github-role.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index da69983..8d44b4c 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -105,6 +105,19 @@ Resources: } ] } + - PolicyName: Ec2Policy + PolicyDocument: { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:CreateVpc" + ], + "Resource": "*" + } + ] + } GithubOidc: Type: AWS::IAM::OIDCProvider From e52c877707edc9d41cea962c162f8876eec6cc76 Mon Sep 17 00:00:00 2001 
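Review bot: `SecurityGroup` is created with no `SecurityGroupIngress` or `SecurityGroupEgress`, so it inherits the default allow-all outbound rule, while the second hunk gives every task a public address with `AssignPublicIp: ENABLED`. Declaring egress explicitly (for Fargate without VPC endpoints this is typically TCP 443 outbound for ECR and CloudWatch) records what the task needs and blocks anything else; an empty ingress is correct for a service that exposes nothing. A comment on the service block noting why a public IP is required (image pulls with no NAT or endpoints, presumably) would also help the next reader.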
From: Code-Apprentice Date: Sat, 24 Dec 2022 23:19:37 -0700 Subject: [PATCH 25/56] Add GroupDescription for Security Group --- cloud-formation/ecs.yaml | 1 + cloud-formation/github-role.yaml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index c8b3952..ac8e40f 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -32,6 +32,7 @@ Resources: Type: AWS::EC2::SecurityGroup Properties: GroupName: GoCaptureSecurityGroup + GroupDescription: Security Group for Go Capture ECS Service VpcId: !Ref Vpc PublicSubnet: Type: AWS::EC2::Subnet diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 8d44b4c..d2b0bc3 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -112,7 +112,8 @@ Resources: { "Effect": "Allow", "Action": [ - "ec2:CreateVpc" + "ec2:CreateVpc", + "ec2:DeleteVpc" ], "Resource": "*" } From e9fcc3be38aafd5c7bcd3eec9feebd83e49790a9 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 23:30:29 -0700 Subject: [PATCH 26/56] Add CidrBlock to subnet --- cloud-formation/ecs.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index ac8e40f..25151f0 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -37,6 +37,7 @@ Resources: PublicSubnet: Type: AWS::EC2::Subnet Properties: + CidrBlock: 10.0.0.0/16 VpcId: !Ref Vpc Cluster: Type: AWS::ECS::Cluster From 7b710be6d0527d5a82f8ce8a9c465a1bc0ded0ca Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sat, 24 Dec 2022 23:54:49 -0700 Subject: [PATCH 27/56] Add policy to ExecutionRole --- cloud-formation/ecs.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index 25151f0..e7ed32c 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml 
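Review bot: `CidrBlock: 10.0.0.0/16` for `PublicSubnet` equals the VPC's entire block, so no further subnet (a second AZ, or a private subnet for tasks that should not hold public IPs) can ever be added to this VPC. A smaller block such as `CidrBlock: 10.0.0.0/24` leaves room for that without any other change.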
@@ -12,6 +12,8 @@ Resources: Action: sts:AssumeRole Principal: Service: ecs-tasks.amazonaws.com + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy Path: /gocapture/ TaskRole: Type: AWS::IAM::Role From 29d70093a9b4adc3761c1aa95b40b7ff184eaa07 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Wed, 28 Dec 2022 22:34:50 -0700 Subject: [PATCH 28/56] Add more ec2 permissions to GithubRole --- cloud-formation/github-role.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index d2b0bc3..a430958 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -112,8 +112,12 @@ Resources: { "Effect": "Allow", "Action": [ + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateTags", "ec2:CreateVpc", - "ec2:DeleteVpc" + "ec2:DeleteVpc", + "ec2:ModifyVpcAttribute" ], "Resource": "*" } From 1a96a9854b42f68ebecb7e8179f7703a28d1f60f Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Thu, 29 Dec 2022 10:23:10 -0700 Subject: [PATCH 29/56] Add more iam permissions to GithubRole --- cloud-formation/github-role.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index a430958..e8f6fe0 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -99,6 +99,8 @@ Resources: "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:RegisterTaskDefinition", + "iam:AttachRolePolicy", + "iam:DetachRolePolicy", "iam:PassRole" ], "Resource": "*" From ab9c732028850afccd7063086b2886391094b534 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Thu, 29 Dec 2022 10:48:00 -0700 Subject: [PATCH 30/56] Add some more permissions --- cloud-formation/github-role.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index e8f6fe0..ddba037 100644 
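Review bot: `iam:AttachRolePolicy` and `iam:DetachRolePolicy` are added under `"Resource": "*"`, which lets the GitHub role attach any managed policy, including administrative ones, to any role in the account. Scope the statement to the stack's roles and to the one policy the template attaches: `"Resource": "arn:aws:iam::<account-id>:role/gocapture/GoCapture*"` plus `"Condition": {"ArnEquals": {"iam:PolicyARN": "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"}}`. The same concern applies to the `IamPolicy` statement extended in PATCH 18 and 45, whose `iam:PutRolePolicy` and `iam:UpdateAssumeRolePolicy` context lines are also on `*`.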
--- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -95,6 +95,7 @@ Resources: "Action": [ "ecs:CreateCluster", "ecs:CreateService", + "ecs:DeleteCluster", "ecs:DeregisterTaskDefinition", "ecs:DescribeClusters", "ecs:DescribeServices", @@ -119,6 +120,7 @@ Resources: "ec2:CreateTags", "ec2:CreateVpc", "ec2:DeleteVpc", + "ec2:DescribeVpcs", "ec2:ModifyVpcAttribute" ], "Resource": "*" From 6c10a10bfb482aff35ffaede5fe0f845ce22aadb Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Thu, 29 Dec 2022 10:53:24 -0700 Subject: [PATCH 31/56] Add ec2:DescribeSecurityGroups to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index ddba037..f500a1a 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -120,6 +120,7 @@ Resources: "ec2:CreateTags", "ec2:CreateVpc", "ec2:DeleteVpc", + "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "ec2:ModifyVpcAttribute" ], From 05b8092ba56afea75f1b1cb3ace971351408a5fe Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Thu, 29 Dec 2022 11:07:06 -0700 Subject: [PATCH 32/56] Add ec2:DeleteSecurityGroup and ec2:DeleteSubnet permissions to GithubRole --- cloud-formation/github-role.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index f500a1a..a694bf9 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -119,6 +119,8 @@ Resources: "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpc", + "ec2:DeleteSecurityGroup", + "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", From c88f99db03b3b0a9ee1b1bebca8b544da6ed9900 Mon Sep 17 00:00:00 2001 
From: Code-Apprentice Date: Thu, 29 Dec 2022 11:31:46 -0700 Subject: [PATCH 33/56] Add ec2:DescribeSubnets to GitHubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index a694bf9..3637efb 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -123,6 +123,7 @@ Resources: "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:ModifyVpcAttribute" ], From b78e0df84a6c9c349113b5082aeefd36bc55a70f Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Thu, 29 Dec 2022 23:36:28 -0700 Subject: [PATCH 34/56] Add ecs:DeleteService to GitHubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 3637efb..878aa5c 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -96,6 +96,7 @@ Resources: "ecs:CreateCluster", "ecs:CreateService", "ecs:DeleteCluster", + "ecs:DeleteService", "ecs:DeregisterTaskDefinition", "ecs:DescribeClusters", "ecs:DescribeServices", From b2b56147b5f9be1a9cd2408147efa81c6d97b2b4 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Sun, 1 Jan 2023 00:16:47 -0700 Subject: [PATCH 35/56] Revert "Only allow deploy if build is successful" This reverts commit 4e0bc5fc8400603c657a88a17318114be222736b. --- .github/workflows/deploy.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index cff78ad..7686643 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -12,7 +12,6 @@ on: jobs: deploy: runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} permissions: id-token: write steps: From 103e7ada2025162ba1ee6c157a38ad3b2058e5fa Mon Sep 17 00:00:00 2001 
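Review bot: Removing `if: ${{ github.event.workflow_run.conclusion == 'success' }}` means the deploy job now runs even when the triggering workflow failed or was cancelled, so a missing or half-built image tag can be pushed to the cluster; the commit gives no reason for the revert. The expression assumes a `workflow_run` trigger, and the `on:` block is outside the hunk, so I cannot tell whether the gate was dropped because the trigger changed. If it was, gate the job on that trigger's result instead of removing the check; otherwise restore `if: ${{ github.event.workflow_run.conclusion == 'success' }}` on the `deploy:` job.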
From: Code-Apprentice Date: Mon, 2 Jan 2023 02:08:53 -0700 Subject: [PATCH 36/56] Remove paths from roles --- cloud-formation/ecs.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index e7ed32c..a8e7528 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -14,7 +14,6 @@ Resources: Service: ecs-tasks.amazonaws.com ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy - Path: /gocapture/ TaskRole: Type: AWS::IAM::Role Properties: @@ -25,7 +24,6 @@ Resources: Action: sts:AssumeRole Principal: Service: ecs-tasks.amazonaws.com - Path: /gocapture/ Vpc: Type: AWS::EC2::VPC Properties: From 5a4c21f81a04a584cce9696499ee41c9075c8cfc Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Mon, 2 Jan 2023 21:02:54 -0700 Subject: [PATCH 37/56] Make PublicSubnet public --- cloud-formation/ecs.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index a8e7528..5859744 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -38,6 +38,7 @@ Resources: Type: AWS::EC2::Subnet Properties: CidrBlock: 10.0.0.0/16 + MapPublicIpOnLaunch: true VpcId: !Ref Vpc Cluster: Type: AWS::ECS::Cluster From 028f387e696fa96899f7d1f02ffac27fa85ae8c5 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Mon, 2 Jan 2023 21:12:23 -0700 Subject: [PATCH 38/56] Add ec2:ModifySubnetAttribute permission to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 878aa5c..4d1877f 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -126,6 +126,7 @@ Resources: "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", + "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute" ], "Resource": "*" From ae2cbdfcc00370650d15c33e3235225f7608a1a6 Mon Sep 17 00:00:00 2001 
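Review bot: `MapPublicIpOnLaunch: true` makes every network interface launched into `PublicSubnet` public by default, but the Fargate service already takes its public address from `AssignPublicIp: ENABLED` in its `NetworkConfiguration` (PATCH 23), so this setting likely adds nothing for the task while widening the subnet's default. I cannot tell from the diff whether anything other than the service will use this subnet; if not, consider leaving the attribute unset and relying on the service setting alone. Either way a comment stating which of the two settings is meant to govern the task's public IP would prevent the next reader from guessing.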
From: Code-Apprentice Date: Mon, 2 Jan 2023 21:23:44 -0700 Subject: [PATCH 39/56] Add ecs:UpdateService permission to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 4d1877f..a99f4dc 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -101,6 +101,7 @@ Resources: "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:RegisterTaskDefinition", + "ecs:UpdateService", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:PassRole" From 2392e1c7ff1a935705a5505d46781e834e3a04c7 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Mon, 2 Jan 2023 23:57:51 -0700 Subject: [PATCH 40/56] Add an internet gateway --- cloud-formation/ecs.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index 5859744..e8ee15e 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -28,6 +28,13 @@ Resources: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 + InternetGateway: + Type: AWS::EC2::InternetGateway + VPCGatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref Vpc SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: From 5a9edbe1bdc8ac640e7bd1c8e13c7144374f3c13 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 3 Jan 2023 00:08:08 -0700 Subject: [PATCH 41/56] Add ec2:CreateInternetGateway permission to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index a99f4dc..bd25b2d 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -117,6 +117,7 @@ Resources: { "Effect": "Allow", "Action": [ + "ec2:CreateInternetGateway", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", 
From fd86d5e5fbcb8ae0934733fbba63463ecdc06070 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 3 Jan 2023 00:22:14 -0700 Subject: [PATCH 42/56] Add ec2:DescribeInternetGateways permission to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index bd25b2d..79f5940 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -125,6 +125,7 @@ Resources: "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteVpc", + "ec2:DescribeInternetGateways", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", From 1044107db8abef6a694c0a482340a69ad4962964 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 3 Jan 2023 00:23:07 -0700 Subject: [PATCH 43/56] Add ec2:DeleteInternetGateway permission to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 79f5940..07d0fca 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -122,6 +122,7 @@ Resources: "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpc", + "ec2:DeleteInternetGateway", "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteVpc", From a66addee9bf9a086f16b364b61e79325bbc7c5b9 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 3 Jan 2023 00:29:36 -0700 Subject: [PATCH 44/56] Add ec2:AttachInternetGateway permission to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 07d0fca..cf43c13 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -117,6 +117,7 @@ Resources: { "Effect": "Allow", "Action": [ + "ec2:AttachInternetGateway", "ec2:CreateInternetGateway", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", 
From 48efa86ce91bbfa4e056d12d534fd18dd230df23 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Wed, 18 Jan 2023 22:59:08 -0700 Subject: [PATCH 45/56] Add iam:DeleteRolePolicy permission to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index cf43c13..e6e0880 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -46,6 +46,7 @@ Resources: iam:CreateRole, iam:CreateUser, iam:DeleteRole, + iam:DeleteRolePolicy, iam:DeleteUser, iam:DeleteUserPolicy, iam:GetRole, From cc783c5f461aa19e64599ae87f2cb9dccb10e094 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 21 Feb 2023 17:24:01 -0700 Subject: [PATCH 46/56] Add GatewayAttachment and PublicRoute --- cloud-formation/ecs.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index e8ee15e..5b54c97 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -81,3 +81,24 @@ Resources: CpuArchitecture: X86_64 OperatingSystemFamily: LINUX TaskRoleArn: !Ref TaskRole + GatewayAttachment: + Type: 'AWS::EC2::VPCGatewayAttachment' + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref Vpc + PublicRoute: + Type: 'AWS::EC2::Route' + DependsOn: GatewayAttachment + Properties: + DestinationCidrBlock: '0.0.0.0/0' + GatewayId: !Ref InternetGateway + RouteTableId: !Ref PublicRouteTable + PublicRouteTable: + Type: 'AWS::EC2::RouteTable' + Properties: + VpcId: !Ref Vpc + PublicSubnetRouteTableAssociation: + Type: 'AWS::EC2::SubnetRouteTableAssociation' + Properties: + RouteTableId: !Ref PublicRouteTable + SubnetId: !Ref PublicSubnet From 0f90d52062bfd1c06cb59217947571e9289687b2 Mon Sep 17 00:00:00 2001 
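Review bot: `iam:DeleteRolePolicy` joins `iam:CreateRole`/`iam:DeleteRole` in a statement that, as far as the series shows, is not resource-scoped, so a compromised workflow could strip inline policies from any role in the account and, with `iam:CreateRole`, mint itself a role broader than `GithubRole`. Constrain the role-mutating actions to the stack's role namespace, e.g. `"Resource": !Sub "arn:aws:iam::${AWS::AccountId}:role/GoCapture*"`, and require a permissions boundary on creation with `"Condition": {"StringEquals": {"iam:PermissionsBoundary": !Sub "arn:aws:iam::${AWS::AccountId}:policy/GoCaptureBoundary"}}`; the real role naming pattern is not visible here, so substitute it. The statement's `Resource` line lies outside the hunk.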
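Review bot: `GatewayAttachment` duplicates the `VPCGatewayAttachment` resource this series already added to ecs.yaml with the same `InternetGatewayId`/`VpcId`, and EC2 rejects attaching an internet gateway that is already attached, so the stack update will fail on this resource. Drop the `GatewayAttachment` block and make the route depend on the existing one: `DependsOn: VPCGatewayAttachment`. Note also that `PublicRoute` sends `0.0.0.0/0` to the gateway for `PublicSubnet`, so any task interface there that gets a public IP becomes internet-reachable; the security group's ingress rules are not visible in this hunk, so confirm they only admit what the service needs.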
From: Code-Apprentice Date: Tue, 21 Feb 2023 18:06:00 -0700 Subject: [PATCH 47/56] Add ec2:AttachInternetGateway and ec2:DetachInternetGateway permissions to GithubRole --- cloud-formation/github-role.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index e6e0880..a12df7a 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -120,6 +120,7 @@ Resources: "Action": [ "ec2:AttachInternetGateway", "ec2:CreateInternetGateway", + "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", @@ -132,6 +133,7 @@ Resources: "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", + "ec2:DetachInternetGateway", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute" ], From 3e9d1f4786321cea85d9fbfa893b84a4da9a5991 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 21 Feb 2023 18:19:59 -0700 Subject: [PATCH 48/56] Add ec2:DescribeRouteTables permissions to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index a12df7a..b3bdbc0 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -130,6 +130,7 @@ Resources: "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:DescribeInternetGateways", + "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", From c0fbfbcb0a17e2acd4602cbf1b1ea3fb5440376a Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 21 Feb 2023 18:27:18 -0700 Subject: [PATCH 49/56] Add ec2:AssociateRouteTable permissions to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index b3bdbc0..726ad9c 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml 
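Review bot: The commit subject says the change adds `ec2:AttachInternetGateway` and `ec2:DetachInternetGateway`, but `ec2:AttachInternetGateway` is already a context line here and what this hunk actually adds is `ec2:CreateRouteTable`; only the second hunk adds `ec2:DetachInternetGateway`. Retitle to `Add ec2:CreateRouteTable and ec2:DetachInternetGateway permissions to GithubRole` so the audit trail of what the deploy role may do stays accurate — these messages are the only record of why each grant exists. A YAML `#` comment above the statement naming the CloudFormation resource that needs each grant would make later pruning of the policy safer.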
@@ -118,6 +118,7 @@ Resources: { "Effect": "Allow", "Action": [ + "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:CreateInternetGateway", "ec2:CreateRouteTable", From 0181d86bcd2a0a24f2b759d9ede3ae0f5bef0df8 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 21 Feb 2023 22:21:30 -0700 Subject: [PATCH 50/56] Add ec2:CreateRoute permissions to GithubRole --- cloud-formation/github-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 726ad9c..dfc8ad2 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -121,6 +121,7 @@ Resources: "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:CreateInternetGateway", + "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", From 527efd7227e227467968fab0c0cb293a99758016 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 21 Feb 2023 22:22:40 -0700 Subject: [PATCH 51/56] No quotes in YAML --- cloud-formation/github-role.yaml | 66 ++++++++++++++++---------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index dfc8ad2..ce0fad7 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -94,18 +94,18 @@ Resources: { "Effect": "Allow", "Action": [ - "ecs:CreateCluster", - "ecs:CreateService", - "ecs:DeleteCluster", - "ecs:DeleteService", - "ecs:DeregisterTaskDefinition", - "ecs:DescribeClusters", - "ecs:DescribeServices", - "ecs:RegisterTaskDefinition", - "ecs:UpdateService", - "iam:AttachRolePolicy", - "iam:DetachRolePolicy", - "iam:PassRole" + ecs:CreateCluster, + ecs:CreateService, + ecs:DeleteCluster, + ecs:DeleteService, + ecs:DeregisterTaskDefinition, + ecs:DescribeClusters, + ecs:DescribeServices, + ecs:RegisterTaskDefinition, + ecs:UpdateService, + iam:AttachRolePolicy, + iam:DetachRolePolicy, + iam:PassRole ], "Resource": "*" } 
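Review bot: `ec2:CreateRoute` in an unscoped statement lets the deploy role insert routes into any route table in the account, including a `0.0.0.0/0` route toward a gateway in a VPC that was meant to be private — this is precisely the action that turns a private subnet public. Restrict it to the stack's own tables via `"Resource": !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:route-table/*"` together with an `aws:ResourceTag` condition on a tag the template sets on `PublicRouteTable`. The statement's `Resource` is outside this hunk; `ec2:CreateRoute` does support route-table-level resource ARNs, so the scoping is available.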
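Review bot: Removing the quotes leaves the action names as plain YAML scalars inside a JSON-style flow sequence while the keys and `"Resource": "*"` stay quoted, which is harder to lint than either consistent form. Either keep the action strings quoted or convert the whole `PolicyDocument` to block YAML (`Action:` followed by `- ecs:CreateCluster` lines), which cfn-lint and IAM policy linters handle without the trailing-comma pitfalls of flow style. The unquoted form only parses because no action name contains `: ` or `#`, which is worth a one-line comment if it is kept.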
@@ -118,27 +118,27 @@ Resources: { "Effect": "Allow", "Action": [ - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:CreateInternetGateway", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpc", - "ec2:DeleteInternetGateway", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSubnet", - "ec2:DeleteVpc", - "ec2:DescribeInternetGateways", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "ec2:DetachInternetGateway", - "ec2:ModifySubnetAttribute", - "ec2:ModifyVpcAttribute" + ec2:AssociateRouteTable, + ec2:AttachInternetGateway, + ec2:CreateInternetGateway, + ec2:CreateRoute, + ec2:CreateRouteTable, + ec2:CreateSecurityGroup, + ec2:CreateSubnet, + ec2:CreateTags, + ec2:CreateVpc, + ec2:DeleteInternetGateway, + ec2:DeleteSecurityGroup, + ec2:DeleteSubnet, + ec2:DeleteVpc, + ec2:DescribeInternetGateways, + ec2:DescribeRouteTables, + ec2:DescribeSecurityGroups, + ec2:DescribeSubnets, + ec2:DescribeVpcs, + ec2:DetachInternetGateway, + ec2:ModifySubnetAttribute, + ec2:ModifyVpcAttribute ], "Resource": "*" } From 0eb36d0f111103d1b2e3756a4c418345433d2e54 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 21 Feb 2023 22:26:22 -0700 Subject: [PATCH 52/56] Add ec2:DisassociateRouteTable and ec2:DeleteRouteTable permissions to GithubRole --- cloud-formation/github-role.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index ce0fad7..c8de5a3 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -128,6 +128,7 @@ Resources: ec2:CreateTags, ec2:CreateVpc, ec2:DeleteInternetGateway, + ec2:DeleteRouteTable, ec2:DeleteSecurityGroup, ec2:DeleteSubnet, ec2:DeleteVpc, 
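Review bot: `ec2:DeleteRouteTable` is added but `ec2:DeleteRoute` is still absent from the list, and as far as I can tell CloudFormation removes the `AWS::EC2::Route` resource (`PublicRoute`) with a DeleteRoute call before it drops the table, so a stack delete or a replacement of `PublicRoute` will fail on authorization. Add `ec2:DeleteRoute,` next to `ec2:DeleteRouteTable,`. The statement's `Resource` stays `"*"`, so the same blast-radius concern as for the other EC2 delete actions applies here: the role can delete route tables belonging to any VPC in the account.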
@@ -137,6 +138,7 @@ Resources: ec2:DescribeSubnets, ec2:DescribeVpcs, ec2:DetachInternetGateway, + ec2:DisassociateRouteTable, ec2:ModifySubnetAttribute, ec2:ModifyVpcAttribute ], From 7bdb895e284a152f95d4131a29f11973574d5c80 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 21 Feb 2023 23:26:49 -0700 Subject: [PATCH 53/56] Add LogConfiguration to TaskDefinition --- cloud-formation/ecs.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index 5b54c97..9aad57b 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -72,6 +72,8 @@ Resources: ContainerDefinitions: - Name: GoCaptureContainer Image: !Ref TaskImage + LogConfiguration: + LogDriver: awslogs Cpu: .25 vCPU ExecutionRoleArn: !Ref ExecutionRole Family: GoCapture From 141a07ab496c369dc0b57c4cf54510ad21e735bb Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 21 Feb 2023 23:48:16 -0700 Subject: [PATCH 54/56] Add options for log configuration --- cloud-formation/ecs.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index 9aad57b..44af186 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml @@ -74,6 +74,9 @@ Resources: Image: !Ref TaskImage LogConfiguration: LogDriver: awslogs + Options: + awslogs-region: us-west-1 + awslogs-group: !Ref LogGroup Cpu: .25 vCPU ExecutionRoleArn: !Ref ExecutionRole Family: GoCapture @@ -104,3 +107,7 @@ Resources: Properties: RouteTableId: !Ref PublicRouteTable SubnetId: !Ref PublicSubnet + LogGroup: + Type: AWS::Logs::LogGroup + Properties: + LogGroupName: GoCaptureLogs From 89dd3de31716133bc6853b16b42d521b992a1a98 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Tue, 21 Feb 2023 23:54:29 -0700 Subject: [PATCH 55/56] Add logs:CreateLogGroup permission to GithubRole --- cloud-formation/github-role.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
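Review bot: `awslogs-region: us-west-1` hard-codes the region, so the task either fails to register or silently logs to a different region if the stack is deployed elsewhere; use `awslogs-region: !Ref AWS::Region`. The options also omit `awslogs-stream-prefix`, which the awslogs driver requires for Fargate tasks — the `CpuArchitecture`/`OperatingSystemFamily` settings and fractional `Cpu` in the surrounding definition suggest Fargate, so add `awslogs-stream-prefix: GoCapture` or registration will be rejected. The execution role must additionally hold `logs:CreateLogStream`/`logs:PutLogEvents` on this group, which is not visible here and should be confirmed.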
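Review bot: `LogGroup` has no `RetentionInDays`, so container logs are kept forever at growing cost and with no defined retention for what is effectively a security log. Add `RetentionInDays: 30` (or whatever the retention policy calls for) under `Properties`. A fixed `LogGroupName: GoCaptureLogs` also means a second deployment of this template in the same account/region, or a replacement of the resource, collides with the existing group — omit the name and let CloudFormation generate one (`!Ref LogGroup` in the task definition still resolves), or derive it with `!Sub "${AWS::StackName}-GoCaptureLogs"`.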
diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index c8de5a3..3a3c424 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -105,7 +105,8 @@ Resources: ecs:UpdateService, iam:AttachRolePolicy, iam:DetachRolePolicy, - iam:PassRole + iam:PassRole, + logs:CreateLogGroup ], "Resource": "*" } From 06f1cf72ae897eb6b104a39ec72a7f5628e14d06 Mon Sep 17 00:00:00 2001 From: Code-Apprentice Date: Wed, 22 Feb 2023 00:31:25 -0700 Subject: [PATCH 56/56] Add logs:DeleteLogGroup permission to GithubRole --- cloud-formation/github-role.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index 3a3c424..a8f797f 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -106,7 +106,8 @@ Resources: iam:AttachRolePolicy, iam:DetachRolePolicy, iam:PassRole, - logs:CreateLogGroup + logs:CreateLogGroup, + logs:DeleteLogGroup ], "Resource": "*" }
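Review bot: `logs:DeleteLogGroup` in a statement whose `Resource` is `"*"` lets the deploy role delete any log group in the account — CloudTrail, VPC flow logs, other services' audit trails — which is a classic anti-forensics capability no CI identity should hold. Split the two `logs:` actions into their own statement scoped to the group this stack creates; the ARN pattern below assumes the `GoCaptureLogs` name from ecs.yaml and lists both the bare group ARN and the `:*` form so either IAM matching convention works.
```yaml
          # … unchanged: ecs:*/iam:* actions, with the two logs:* entries removed from this list …
          {
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:DeleteLogGroup"],
            "Resource": [
              !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:GoCaptureLogs",
              !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:GoCaptureLogs:*"
            ]
          }
```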