[The AWS Journey Part 2: Deploying a Docker image from the Command Line with CloudFormation](https://reflectoring.io/aws-cloudformation-deploy-docker-image/)

export AWS_PAGER=""

aws cloudformation create-stack \

--stack-name reflectoring-ecs-zero-downtime-deployment-network \

--template-body file://network.yml \

--capabilities CAPABILITY_IAM

aws cloudformation wait stack-create-complete --stack-name reflectoring-ecs-zero-downtime-deployment-network

aws cloudformation create-stack \

--stack-name reflectoring-ecs-zero-downtime-deployment-service \

--template-body file://service.yml \

--parameters \

ParameterKey=StackName,ParameterValue=reflectoring-ecs-zero-downtime-deployment-network \

ParameterKey=ServiceName,ParameterValue=reflectoring-hello-world \

ParameterKey=ImageUrl,ParameterValue=docker.io/reflectoring/aws-hello-world:latest \

ParameterKey=ContainerPort,ParameterValue=8080 \

ParameterKey=HealthCheckPath,ParameterValue=/hello \

ParameterKey=HealthCheckIntervalSeconds,ParameterValue=90

aws cloudformation wait stack-create-complete --stack-name reflectoring-ecs-zero-downtime-deployment-service

export AWS_PAGER=""

aws cloudformation delete-stack --stack-name reflectoring-ecs-zero-downtime-deployment-service

aws cloudformation wait stack-delete-complete --stack-name reflectoring-ecs-zero-downtime-deployment-service

aws cloudformation delete-stack --stack-name reflectoring-ecs-zero-downtime-deployment-network

aws cloudformation wait stack-delete-complete --stack-name reflectoring-ecs-zero-downtime-deployment-network

<mxfile modified="2020-04-30T21:28:18.347Z" host="app.diagrams.net" agent="5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36" etag="X9Eef2gSXNvxkCnmY-_0" version="13.0.4" type="device"><diagram id="Ht1M8jgEwFfnCIfOTk4-" name="Page-1">7Vpbb+o4EP41PC7K/fLIrWcr9UiVWO05+4RM4garIc4aU6C/fseJc7ND6ekB9nQXVKmZsTMez3yf7TEM7Ml6/4WhfPWVxjgdWEa8H9jTgWWZphXCP6E5lBrPcEpFwkgsOzWKOXnFUmlI7ZbEeNPpyClNOcm7yohmGY54R4cYo7tutyeadkfNUYI1xTxCqa79RmK+qublhU3D75gkKzl0YPllwxpVneVMNisU011LZc8G9oRRysun9X6CUxG8Ki7le3dHWmvHGM74e15Y4cjav97736avy2fP+Rr/vVj+Vjn3gtKtnPGfjxPpMD9UUcgpyXgRSXcMf/DSxBi40DIR0tByFYUq+12FqUvCRlehyn5XYarmTWV8U3WwpdCkjnlDGd9oOQh/9phueUoyPKkxZ4AyYSgmkIsJTSkDXUYziN54xdcpSCY87laE43mOIhHVHfAFdE804xL1plXJMvDiHUBNLp7X+0QQbIh2G2eYMLrNiyHvAfe9rYuXPBKvc0afceXSwLItJwhMRwxE0lRx9QUzTgD6o5QkwiqnYhAkpRQ/cWER/CdZ8lBIU9uQPreGGI3G/jgAfYw2KxzL8EicwRB4fxTBZs0LWFAwXWPODtClesGTaJVrSQXeXUNMO5S6VYuTjiGVSC4GSW264Qs8SMr8AH3MUKPP43aZkkjQZ7vMML9R6fNTaYOjLSP8sGg6zwteSXffRzLQz8I7e+adj2n1OOdmmm0pTLPCoR1obKsZ2Gab6ZkFSC5COPvGtxvf/vt8c4Buftj6uL8A90xfI99sMgfFHLMXAshQqddzxNBS5468SeC1Q2oezZcKMCU7talzJMTvJsTvXf9MuycHVnip04arxX9geamA7hIeEvEwynNYDREnwK2qjVWNDxTFuhZogLIIs6oFXKvNaSntXT46bKhS94CWOH2kG1L4Yk+XlHO6PsnFCBIEvnQWn56FxB6iZqaLFCa2WFbz0JaBOzdwbef4OncGvMAZs4MX0w+GgQ6Yqmps48W3LgSX4DRc7kWwi13TQ2uRhmy5yYuIqCj5gjjeocMnAwmR81sk0v1+bHgXxUa9SrSw4esL+lWxodct5VL+B9o8vy+f6tZoW3difC2OIsZ+MDPa/JsSBobKlGeUiQioeZka7gQ2nJ4d46n4XAFRp843aJOX4Xgie+FH/4GH4Q3dsgiXx50xiH0HHxxtzgO2utatwGb07lx+z8blX6xKdm5o+3+gzXL/fbRZeo2oYQzHCa6CKxBBE5qhdNZo25nBWTwSN8kivymNnoUqXRZyleYCOYjxqp/cPODNO5LWO5R29nXcsSeQCmVOFtfggtizw/e28JcQoKqT4nTfbpwe2tIjZgTiKNDVKk7EfN9OMYSnAM5bgZWbBkw0wfzUwUPHTPvgXOGG4RSOcC9d5/ogIc09imq+wV+owM9Uap9yTvKl9t24YsdU6i9bvTEs56wZKgBaT/EnMOvdMPsRzJ6Eons1KFrqUvhhLAYKFs0rY1Ev8z8ZFveEf6/GhucWEkFqgCiEQ0u44NLpvhOu5UnpKng1TfXKyfgYXq1Tho7gFXIt6sm6m7yoPeqw7fYT7JhfWv/QUehSenBe8vQV3TfyXIU84dW4Y1ff+9VfjzjDIDDqj2LwvUxyHLdr1hOn6aNmfxFemc41eKVfWLx1mfUp76isH7+dqn9T0nwtUv1KxT7TxaaS7MDvu7vyw6FUtks81zlOrCMlHojNL2JK8DS/K7Jn/wA=</diagram></mxfile>

AWSTemplateFormatVersion: '2010-09-09'

Description: A network stack for deploying containers in AWS ECS.

This stack creates a VPC with two public subnets and a loadbalancer to balance traffic between those subnets.

Derived from a template at https://github.com/nathanpeck/aws-cloudformation-fargate.

Resources:

VPC:

Type: AWS::EC2::VPC

Properties:

CidrBlock: '10.0.0.0/16'

PublicSubnetOne:

Type: AWS::EC2::Subnet

Properties:

AvailabilityZone:

Fn::Select:

- 0

- Fn::GetAZs: {Ref: 'AWS::Region'}

VpcId: !Ref 'VPC'

CidrBlock: '10.0.1.0/24'

MapPublicIpOnLaunch: true

PublicSubnetTwo:

Type: AWS::EC2::Subnet

Properties:

AvailabilityZone:

Fn::Select:

- 1

- Fn::GetAZs: {Ref: 'AWS::Region'}

VpcId: !Ref 'VPC'

CidrBlock: '10.0.2.0/24'

MapPublicIpOnLaunch: true

InternetGateway:

Type: AWS::EC2::InternetGateway

GatewayAttachement:

Type: AWS::EC2::VPCGatewayAttachment

Properties:

VpcId: !Ref 'VPC'

InternetGatewayId: !Ref 'InternetGateway'

PublicRouteTable:

Type: AWS::EC2::RouteTable

Properties:

VpcId: !Ref 'VPC'

PublicSubnetOneRouteTableAssociation:

Type: AWS::EC2::SubnetRouteTableAssociation

Properties:

SubnetId: !Ref PublicSubnetOne

RouteTableId: !Ref PublicRouteTable

PublicSubnetTwoRouteTableAssociation:

Type: AWS::EC2::SubnetRouteTableAssociation

Properties:

SubnetId: !Ref PublicSubnetTwo

RouteTableId: !Ref PublicRouteTable

PublicRoute:

Type: AWS::EC2::Route

DependsOn: GatewayAttachement

Properties:

RouteTableId: !Ref 'PublicRouteTable'

DestinationCidrBlock: '0.0.0.0/0'

GatewayId: !Ref 'InternetGateway'

PublicLoadBalancerSecurityGroup:

Type: AWS::EC2::SecurityGroup

Properties:

GroupDescription: Access to the public facing load balancer

VpcId: !Ref 'VPC'

SecurityGroupIngress:

# Allow access to ALB from anywhere on the internet

- CidrIp: 0.0.0.0/0

IpProtocol: -1

PublicLoadBalancer:

Type: AWS::ElasticLoadBalancingV2::LoadBalancer

Properties:

Scheme: internet-facing

Subnets:

# The load balancer is placed into the public subnets, so that traffic

# from the internet can reach the load balancer directly via the internet gateway

- !Ref PublicSubnetOne

- !Ref PublicSubnetTwo

SecurityGroups: [!Ref 'PublicLoadBalancerSecurityGroup']

DummyTargetGroupPublic:

Type: AWS::ElasticLoadBalancingV2::TargetGroup

Properties:

HealthCheckIntervalSeconds: 6

HealthCheckPath: /

HealthCheckProtocol: HTTP

HealthCheckTimeoutSeconds: 5

HealthyThresholdCount: 2

Name: "no-op"

Port: 80

Protocol: HTTP

UnhealthyThresholdCount: 2

VpcId: !Ref 'VPC'

PublicLoadBalancerListener:

Type: AWS::ElasticLoadBalancingV2::Listener

DependsOn:

- PublicLoadBalancer

Properties:

DefaultActions:

- TargetGroupArn: !Ref 'DummyTargetGroupPublic'

Type: 'forward'

LoadBalancerArn: !Ref 'PublicLoadBalancer'

Port: 80

Protocol: HTTP

ECSCluster:

Type: AWS::ECS::Cluster

ECSSecurityGroup:

Type: AWS::EC2::SecurityGroup

Properties:

GroupDescription: Access to the ECS containers

VpcId: !Ref 'VPC'

ECSSecurityGroupIngressFromPublicALB:

Type: AWS::EC2::SecurityGroupIngress

Properties:

Description: Ingress from the public ALB

GroupId: !Ref 'ECSSecurityGroup'

IpProtocol: -1

SourceSecurityGroupId: !Ref 'PublicLoadBalancerSecurityGroup'

ECSSecurityGroupIngressFromSelf:

Type: AWS::EC2::SecurityGroupIngress

Properties:

Description: Ingress from other containers in the same security group

GroupId: !Ref 'ECSSecurityGroup'

IpProtocol: -1

SourceSecurityGroupId: !Ref 'ECSSecurityGroup'

ECSRole:

Type: AWS::IAM::Role

Properties:

AssumeRolePolicyDocument:

Statement:

- Effect: Allow

Principal:

Service: [ecs.amazonaws.com]

Action: ['sts:AssumeRole']

Path: /

Policies:

- PolicyName: ecs-service

PolicyDocument:

Statement:

- Effect: Allow

Action:

# Rules which allow ECS to attach network interfaces to instances

# on your behalf in order for awsvpc networking mode to work right

- 'ec2:AttachNetworkInterface'

- 'ec2:CreateNetworkInterface'

- 'ec2:CreateNetworkInterfacePermission'

- 'ec2:DeleteNetworkInterface'

- 'ec2:DeleteNetworkInterfacePermission'

- 'ec2:Describe*'

- 'ec2:DetachNetworkInterface'

# Rules which allow ECS to update load balancers on your behalf

# with the information sabout how to send traffic to your containers

- 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'

- 'elasticloadbalancing:DeregisterTargets'

- 'elasticloadbalancing:Describe*'

- 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'

- 'elasticloadbalancing:RegisterTargets'

Resource: '*'

ECSTaskExecutionRole:

Type: AWS::IAM::Role

Properties:

AssumeRolePolicyDocument:

Statement:

- Effect: Allow

Principal:

Service: [ecs-tasks.amazonaws.com]

Action: ['sts:AssumeRole']

Path: /

Policies:

- PolicyName: AmazonECSTaskExecutionRolePolicy

PolicyDocument:

Statement:

- Effect: Allow

Action:

# Allow the ECS Tasks to download images from ECR

- 'ecr:GetAuthorizationToken'

- 'ecr:BatchCheckLayerAvailability'

- 'ecr:GetDownloadUrlForLayer'

- 'ecr:BatchGetImage'

# Allow the ECS tasks to upload logs to CloudWatch

- 'logs:CreateLogStream'

- 'logs:PutLogEvents'

Resource: '*'

Outputs:

ClusterName:

Description: The name of the ECS cluster

Value: !Ref 'ECSCluster'

Export:

Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ClusterName' ] ]

ExternalUrl:

Description: The url of the external load balancer

Value: !Join ['', ['http://', !GetAtt 'PublicLoadBalancer.DNSName']]

Export:

Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ExternalUrl' ] ]

ECSRole:

Description: The ARN of the ECS role

Value: !GetAtt 'ECSRole.Arn'

Export:

Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ECSRole' ] ]

ECSTaskExecutionRole:

Description: The ARN of the ECS role

Value: !GetAtt 'ECSTaskExecutionRole.Arn'

Export:

Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ECSTaskExecutionRole' ] ]

PublicListener:

Description: The ARN of the public load balancer's Listener

Value: !Ref PublicLoadBalancerListener

Export:

Name: !Join [ ':', [ !Ref 'AWS::StackName', 'PublicListener' ] ]

VPCId:

Description: The ID of the VPC that this stack is deployed in

Value: !Ref 'VPC'

Export:

Name: !Join [ ':', [ !Ref 'AWS::StackName', 'VPCId' ] ]

PublicSubnetOne:

Description: Public subnet one

Value: !Ref 'PublicSubnetOne'

Export:

Name: !Join [ ':', [ !Ref 'AWS::StackName', 'PublicSubnetOne' ] ]

PublicSubnetTwo:

Description: Public subnet two

Value: !Ref 'PublicSubnetTwo'

Export:

Name: !Join [ ':', [ !Ref 'AWS::StackName', 'PublicSubnetTwo' ] ]

ECSSecurityGroup:

Description: A security group used to allow ECS containers to receive traffic

Value: !Ref 'ECSSecurityGroup'

Export:

Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ECSSecurityGroup' ] ]