ciinabox-ecs 0.1.6

data/ext/zip_helper.rb

@@ -0,0 +1,57 @@
+require 'zip'
+
+
+module Ciinabox
+  module Util
+    ###
+    ### taken from https://github.com/rubyzip/rubyzip/tree/master/samples
+    ###
+    class ZipFileGenerator
+
+      # Initialize with the directory to zip and the location of the output archive.
+      def initialize(input_dir, output_file)
+        @input_dir = input_dir
+        @output_file = output_file
+      end
+
+      # Zip the input directory.
+      def write
+        entries = Dir.entries(@input_dir) - %w(. ..)
+
+        ::Zip::File.open(@output_file, ::Zip::File::CREATE) do |zipfile|
+          write_entries entries, '', zipfile
+        end
+      end
+
+      private
+
+      # A helper method to make the recursion work.
+      def write_entries(entries, path, zipfile)
+        entries.each do |e|
+          zipfile_path = path == '' ? e : File.join(path, e)
+          disk_file_path = File.join(@input_dir, zipfile_path)
+          puts "Deflating #{disk_file_path}"
+
+          if File.directory? disk_file_path
+            recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
+          else
+            put_into_archive(disk_file_path, zipfile, zipfile_path)
+          end
+        end
+      end
+
+      def recursively_deflate_directory(disk_file_path, zipfile, zipfile_path)
+        zipfile.mkdir zipfile_path
+        subdir = Dir.entries(disk_file_path) - %w(. ..)
+        write_entries subdir, zipfile_path, zipfile
+      end
+
+      def put_into_archive(disk_file_path, zipfile, zipfile_path)
+        zipfile.get_output_stream(zipfile_path) do |f|
+          f.write(File.open(disk_file_path, 'rb').read)
+        end
+      end
+    end
+  end
+end
+

data/lambdas/acm_issuer_validator/lib/install.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+cd $DIR/..
+rm -rf lib
+
+function pipinstall () {
+   if [ $(which pip) == '' ]; then
+        echo "ERROR! No pip installed. Try installing either python3 pip or docker"
+        exit -1
+   fi
+
+   pip install aws-acm-cert-validator==0.1.11 -t lib
+}
+
+if [ $(which docker) == '' ]; then
+    pipinstall
+else
+    docker run --rm -v $DIR/..:/dst -w /dst -u 1000 python:3-alpine pip install aws-acm-cert-validator==0.1.11 -t lib
+fi

data/templates/bastion.rb

@@ -0,0 +1,121 @@
+CloudFormation do
+
+  # Template metadata
+  AWSTemplateFormatVersion '2010-09-09'
+  Description "ciinabox - Bastion v#{ciinabox_version}"
+
+  # Parameters
+  Parameter('EnvironmentType'){ Type 'String' }
+  Parameter('EnvironmentName'){ Type 'String' }
+  Parameter('VPC'){ Type 'String' }
+  Parameter('RouteTablePrivateA'){ Type 'String' }
+  Parameter('RouteTablePrivateB'){ Type 'String' }
+  Parameter('SubnetPublicA'){ Type 'String' }
+  Parameter('SubnetPublicB'){ Type 'String' }
+  Parameter('SecurityGroupBackplane'){ Type 'String' }
+  Parameter('SecurityGroupOps'){ Type 'String' }
+  Parameter('SecurityGroupDev'){ Type 'String' }
+
+  # Global mappings
+  Mapping('EnvironmentType', Mappings['EnvironmentType'])
+  Mapping('bastionAMI', bastionAMI)
+
+  Resource('Role') {
+    Type 'AWS::IAM::Role'
+    Property('AssumeRolePolicyDocument', {
+        Statement: [
+            Effect: 'Allow',
+            Principal: { Service: [ 'ec2.amazonaws.com' ] },
+            Action: [ 'sts:AssumeRole' ]
+        ]
+    })
+    Property('Path','/')
+    Property('Policies', [
+        {
+            PolicyName: 'associate-address',
+            PolicyDocument: {
+                Statement: [
+                    {
+                        Effect: 'Allow',
+                        Action: ['ec2:AssociateAddress'],
+                        Resource: '*'
+                    }
+                ]
+            }
+        },
+        {
+            PolicyName: 'describe-ec2-autoscaling',
+            PolicyDocument: {
+                Statement: [
+                    {
+                        Effect:'Allow',
+                        Action: ['ec2:Describe*', 'autoscaling:Describe*' ],
+                        Resource: [ '*' ]
+                    }
+                ]
+            }
+        }
+    ])
+  }
+
+  InstanceProfile('InstanceProfile') {
+    Path '/'
+    Roles [ Ref('Role') ]
+  }
+
+  Resource('BastionIPAddress') {
+    Type 'AWS::EC2::EIP'
+    Property('Domain', 'vpc')
+  }
+
+  Resource('LaunchConfig') {
+    Type 'AWS::AutoScaling::LaunchConfiguration'
+    DependsOn ['BastionIPAddress']
+    Property('ImageId', FnFindInMap('bastionAMI', Ref('AWS::Region'), 'ami'))
+    Property('KeyName', FnFindInMap('EnvironmentType', 'ciinabox', 'KeyName'))
+    Property('AssociatePublicIpAddress',true)
+    Property('IamInstanceProfile', Ref('InstanceProfile'))
+    FnFindInMap('EnvironmentType', 'ciinabox', 'KeyName')
+    Property('SecurityGroups', [ Ref('SecurityGroupDev'),
+        Ref('SecurityGroupBackplane'),
+        Ref('SecurityGroupOps') ])
+    Property('InstanceType', bastionInstanceType)
+    Property('UserData', FnBase64(FnJoin('',[
+        "#!/bin/bash\n",
+        'export NEW_HOSTNAME=', Ref('EnvironmentName'),"-bastion-xx-`/opt/aws/bin/ec2-metadata --instance-id|/usr/bin/awk '{print $2}'`", "\n",
+        "echo \"NEW_HOSTNAME=$NEW_HOSTNAME\" \n",
+        "hostname $NEW_HOSTNAME\n",
+        "sed -i \"s/^HOSTNAME=.*/HOSTNAME=$NEW_HOSTNAME/\" /etc/sysconfig/network\n",
+        'aws --region ', Ref('AWS::Region'), ' ec2 associate-address --allocation-id ', FnGetAtt('BastionIPAddress','AllocationId') ," --instance-id $(curl http://169.254.169.254/2014-11-05/meta-data/instance-id -s)\n",
+    ])))
+  }
+
+  AutoScalingGroup('AutoScaleGroup') {
+    UpdatePolicy('AutoScalingRollingUpdate', {
+        'MinInstancesInService' => '0',
+        'MaxBatchSize' => '1',
+    })
+    LaunchConfigurationName Ref('LaunchConfig')
+    HealthCheckGracePeriod '500'
+    HealthCheckType 'EC2'
+    MinSize 1
+    MaxSize 1
+    VPCZoneIdentifier [ Ref('SubnetPublicA') ]
+    addTag('Name', FnJoin('-',[Ref('EnvironmentName'), 'bastion' , 'xx']), true)
+    addTag('Environment', Ref('EnvironmentName'), true)
+    addTag('EnvironmentType', Ref('EnvironmentType'), true)
+    addTag('Role', 'bastion', true)
+  }
+
+  Resource('BastionRecordSet') {
+    Type 'AWS::Route53::RecordSet'
+    DependsOn ['BastionIPAddress']
+    Property('HostedZoneName', FnJoin('', [ dns_domain, '.' ]))
+    Property('Comment', 'Bastion record set')
+    Property('Name', FnJoin('', [ 'bastion.',  Ref('EnvironmentName') , '.', dns_domain, '.' ]))
+    Property('Type', 'A')
+    Property('TTL', '60')
+    Property('ResourceRecords', [  Ref('BastionIPAddress') ] )
+  }
+
+end

data/templates/ciinabox.rb

@@ -0,0 +1,159 @@
+require_relative '../ext/policies'
+
+CloudFormation do
+
+  # Template metadata
+  AWSTemplateFormatVersion '2010-09-09'
+  Description "ciinabox ECS #{Gem.latest_spec_for('ciinabox-ecs').version.to_s} - v#{ciinabox_version}"
+
+  Resource(cluster_name) {
+    Type 'AWS::ECS::Cluster'
+  }
+
+  # VPC Stack
+  Resource('VPCStack') {
+    Type 'AWS::CloudFormation::Stack'
+    Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/vpc.json")
+    Property('TimeoutInMinutes', 10)
+  }
+
+  # ECS Cluster Stack
+  Resource('ECSStack') {
+    Type 'AWS::CloudFormation::Stack'
+    Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/ecs-cluster.json")
+    Property('TimeoutInMinutes', 10)
+    Property('Parameters',{
+      ECSCluster: Ref(cluster_name),
+      VPC: FnGetAtt('VPCStack', 'Outputs.VPCId'),
+      RouteTablePrivateA: FnGetAtt('VPCStack', 'Outputs.RouteTablePrivateA'),
+      RouteTablePrivateB: FnGetAtt('VPCStack', 'Outputs.RouteTablePrivateB'),
+      SubnetPublicA: FnGetAtt('VPCStack', 'Outputs.SubnetPublicA'),
+      SubnetPublicB: FnGetAtt('VPCStack', 'Outputs.SubnetPublicB'),
+      SecurityGroupBackplane: FnGetAtt('VPCStack', 'Outputs.SecurityGroupBackplane')
+    })
+  }
+
+  # ECS Services Stack
+  Resource('ECSServicesStack') {
+    Type 'AWS::CloudFormation::Stack'
+    Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/ecs-services.json")
+    Property('TimeoutInMinutes', 15)
+    Property('Parameters',{
+      ECSCluster: Ref(cluster_name),
+      VPC: FnGetAtt('VPCStack', 'Outputs.VPCId'),
+      SubnetPublicA: FnGetAtt('VPCStack', 'Outputs.SubnetPublicA'),
+      SubnetPublicB: FnGetAtt('VPCStack', 'Outputs.SubnetPublicB'),
+      ECSSubnetPrivateA: FnGetAtt('ECSStack', 'Outputs.ECSSubnetPrivateA'),
+      ECSSubnetPrivateB: FnGetAtt('ECSStack', 'Outputs.ECSSubnetPrivateB'),
+      ECSENIPrivateIpAddress: FnGetAtt('ECSStack', 'Outputs.ECSENIPrivateIpAddress'),
+      SecurityGroupBackplane: FnGetAtt('VPCStack', 'Outputs.SecurityGroupBackplane'),
+      SecurityGroupOps: FnGetAtt('VPCStack', 'Outputs.SecurityGroupOps'),
+      SecurityGroupDev: FnGetAtt('VPCStack', 'Outputs.SecurityGroupDev'),
+      SecurityGroupNatGateway: FnGetAtt('VPCStack', 'Outputs.SecurityGroupNatGateway'),
+      CRAcmCertArn: FnGetAtt('LambdasStack','Outputs.LambdaCRIssueACMCertificateArn')
+    })
+  }
+
+  #These are the commona params for use below in "foreign templates
+  base_params = {
+    VPC: FnGetAtt('VPCStack', 'Outputs.VPCId'),
+    SecurityGroupBackplane: FnGetAtt('VPCStack', 'Outputs.SecurityGroupBackplane'),
+    SecurityGroupOps: FnGetAtt('VPCStack', 'Outputs.SecurityGroupOps'),
+    SecurityGroupDev: FnGetAtt('VPCStack', 'Outputs.SecurityGroupDev'),
+    EnvironmentType: 'ciinabox',
+    EnvironmentName: 'ciinabox'
+  }
+
+  availability_zones.each do |az|
+    base_params.merge!("SubnetPublic#{az}" => FnGetAtt('VPCStack', "Outputs.SubnetPublic#{az}"))
+    base_params.merge!("RouteTablePrivate#{az}" => FnGetAtt('VPCStack', "Outputs.RouteTablePrivate#{az}"))
+  end
+
+  # Lambda functions stack
+  Resource('LambdasStack') do
+    Type 'AWS::CloudFormation::Stack'
+    Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/lambdas.json")
+    Property('Parameters', base_params)
+  end
+
+
+  # Bastion if required
+  Resource('BastionStack') do
+    Type 'AWS::CloudFormation::Stack'
+    Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/bastion.json")
+    Property('Parameters', base_params)
+  end if include_bastion_stack
+
+
+
+  #Foreign templates
+  #e.g CIINABOXES_DIR/CIINABOX/templates/x.rb
+  #for f in foreign templates do:
+  #  new stack
+
+  if defined? extra_stacks
+    extra_stacks.each do | stack, details |
+
+      #Note: each time we use base_params we need to clone
+      #assignment for hash is a shalow copy
+      #we could also use z = Hash[x] or  Marshal.load(Marshal.dump(original_hash))
+      #also add any params from the config
+      params = base_params.clone
+      params.merge!details["parameters"] if details["parameters"]
+
+      #if file_name not applied assume stack name = file_name
+      file_name = details["file_name"] ? details["file_name"] : stack
+
+      Resource(stack) {
+        Type 'AWS::CloudFormation::Stack'
+        Property('TemplateURL', "https://#{source_bucket}.s3.amazonaws.com/ciinabox/#{ciinabox_version}/#{file_name}.json")
+        Property('Parameters', params)
+      }
+
+      if details['outputs']
+        details['outputs'].each do |output|
+          Output(output) {
+            Value(FnGetAtt(stack, "Outputs.#{output}"))
+          }
+        end
+      end
+    end
+  end
+
+  Output("Region") {
+    Value(Ref('AWS::Region'))
+  }
+
+  Output("VPCId") {
+    Value(FnGetAtt('VPCStack', 'Outputs.VPCId'))
+  }
+
+  availability_zones.each do |az|
+    Output("PublicSubnet#{az}") {
+      Value(FnGetAtt('VPCStack', "Outputs.SubnetPublic#{az}"))
+    }
+  end
+
+  availability_zones.each do |az|
+    Output("ECSPrivateSubnet#{az}") {
+      Value(FnGetAtt('ECSStack', "Outputs.ECSSubnetPrivate#{az}"))
+    }
+  end
+
+  Output("SecurityGroup") {
+    Value(FnGetAtt('VPCStack', 'Outputs.SecurityGroupBackplane'))
+  }
+
+  Output("ECSRole") {
+    Value(FnGetAtt('ECSStack', 'Outputs.ECSRole'))
+  }
+
+  Output("ECSInstanceProfile") {
+    Value(FnGetAtt('ECSStack', 'Outputs.ECSInstanceProfile'))
+  }
+
+  Output('DefaultSSLCertificate'){
+    Value(FnGetAtt('ECSServicesStack','Outputs.DefaultSSLCertificate'))
+  }
+
+end

data/templates/ecs-cluster.rb

@@ -0,0 +1,252 @@
+require 'cfndsl'
+
+volume_name = "ECSDataVolume"
+if defined? ecs_data_volume_name
+  volume_name = ecs_data_volume_name
+end
+
+volume_size = 100
+if defined? ecs_data_volume_size
+  volume_size = ecs_data_volume_size
+end
+
+CloudFormation {
+
+  # Template metadata
+  AWSTemplateFormatVersion "2010-09-09"
+  Description "ciinabox - ECS Cluster v#{ciinabox_version}"
+
+  # Parameters
+  Parameter("ECSCluster") {Type 'String'}
+  Parameter("VPC") {Type 'String'}
+  Parameter("RouteTablePrivateA") {Type 'String'}
+  Parameter("RouteTablePrivateB") {Type 'String'}
+  Parameter("SubnetPublicA") {Type 'String'}
+  Parameter("SubnetPublicB") {Type 'String'}
+  Parameter("SecurityGroupBackplane") {Type 'String'}
+
+
+  # Global mappings
+  Mapping('EnvironmentType', Mappings['EnvironmentType'])
+  Mapping('ecsAMI', ecs_ami)
+
+  availability_zones.each do |az|
+    Resource("SubnetPrivate#{az}") {
+      Type 'AWS::EC2::Subnet'
+      Property('VpcId', Ref('VPC'))
+      Property('CidrBlock', FnJoin("", [FnFindInMap('EnvironmentType', 'ciinabox', 'NetworkPrefix'), ".", FnFindInMap('EnvironmentType', 'ciinabox', 'StackOctet'), ".", ecs["SubnetOctet#{az}"], ".0/", FnFindInMap('EnvironmentType', 'ciinabox', 'SubnetMask')]))
+      Property('AvailabilityZone', FnSelect(azId[az], FnGetAZs(Ref("AWS::Region"))))
+    }
+  end
+
+  availability_zones.each do |az|
+    Resource("SubnetRouteTableAssociationPrivate#{az}") {
+      Type 'AWS::EC2::SubnetRouteTableAssociation'
+      Property('SubnetId', Ref("SubnetPrivate#{az}"))
+      Property('RouteTableId', Ref("RouteTablePrivate#{az}"))
+    }
+  end
+
+  ecs_iam_role_permissions = ecs_iam_role_permissions_default
+  if defined? ecs_iam_role_permissions_extras
+    ecs_iam_role_permissions = ecs_iam_role_permissions + ecs_iam_role_permissions_extras
+  end
+
+  ecs_role_policies = ecs_iam_role_permissions.collect {|p|
+    {
+        PolicyName: p['name'],
+        PolicyDocument: {
+            Statement: [
+                {
+                    Effect: 'Allow',
+                    Action: p['actions'],
+                    Resource: p['resource'] || '*'
+                }
+            ]
+        }
+    }
+  }
+
+  has_ciinabox_role_predefined = defined? ciinabox_iam_role_name
+
+  Resource("Role") {
+    Type 'AWS::IAM::Role'
+    Property('AssumeRolePolicyDocument', {
+        Statement: [
+            Effect: 'Allow',
+            Principal: {Service: ['ec2.amazonaws.com']},
+            Action: ['sts:AssumeRole']
+        ]
+    })
+    Property('Path', '/')
+    Property('Policies', ecs_role_policies)
+  } unless has_ciinabox_role_predefined
+
+  InstanceProfile("InstanceProfile") {
+    Path '/'
+    Roles [Ref('Role')] unless has_ciinabox_role_predefined
+    Roles [ciinabox_iam_role_name] if has_ciinabox_role_predefined
+  }
+
+  EC2_Volume(volume_name) {
+    DeletionPolicy 'Snapshot'
+    Size volume_size
+    VolumeType 'gp2'
+    if defined? ecs_data_volume_snapshot
+      SnapshotId ecs_data_volume_snapshot
+    end
+    AvailabilityZone FnSelect(0, FnGetAZs(""))
+    addTag('Name', 'ciinabox-ecs-data-xx')
+    addTag('Environment', 'ciinabox')
+    addTag('EnvironmentType', 'ciinabox')
+    addTag('Role', 'ciinabox-data')
+    if data_volume_shelvery_backups
+      addTag('shelvery:create_backup','true')
+      addTag('shelvery:config:shelvery_keep_daily_backups', data_volume_retain_daily_backups)
+      addTag('shelvery:config:shelvery_keep_weekly_backups', data_volume_retain_weekly_backups)
+      addTag('shelvery:config:shelvery_keep_monthly_backups', data_volume_reatin_monthly_backups)
+    end
+
+  }
+
+  ecs_block_device_mapping = []
+  user_data_init_devices = ''
+  if defined? ecs_root_volume_size and ecs_root_volume_size > 8
+    ecs_block_device_mapping << {
+        "DeviceName" => "/dev/xvda",
+        "Ebs" => {
+            "VolumeSize" => ecs_root_volume_size
+        }
+    }
+  end
+
+  if defined? ecs_docker_volume_size and ecs_docker_volume_size > 22
+    ecs_block_device_mapping << {
+        "DeviceName" => "/dev/xvdcz",
+        "Ebs" => {
+            "VolumeSize" => ecs_docker_volume_size,
+            "VolumeType" => "gp2"
+        }
+    }
+    if (defined? 'ecs_docker_volume_volumemount') and (binding.eval('ecs_docker_volume_volumemount') == true)
+      user_data_init_devices = "mkfs.ext4 /dev/xvdcz && " +
+                               "mount /dev/xvdcz /var/lib/docker\n"
+    end
+  end
+
+  ecs_allow_sg_ingress = [
+    { IpProtocol: 'tcp', FromPort: '32768', ToPort: '65535', CidrIp: FnJoin( "", [ FnFindInMap('EnvironmentType','ciinabox','NetworkPrefix'),".", FnFindInMap('EnvironmentType','ciinabox','StackOctet'), ".0.0/",FnFindInMap('EnvironmentType','ciinabox','StackMask') ] ) },
+  ]
+
+  Resource("SecurityGroupECS") {
+    Type 'AWS::EC2::SecurityGroup'
+    Property('VpcId', Ref('VPC'))
+    Property('GroupDescription', 'ECS SG')
+    Property('SecurityGroupIngress', ecs_allow_sg_ingress)
+  }
+
+  ecs_sgs = [Ref('SecurityGroupBackplane'), Ref('SecurityGroupECS')]
+
+  Resource("ECSENI") {
+    Type 'AWS::EC2::NetworkInterface'
+    Property('SubnetId', Ref('SubnetPrivateA'))
+    Property('GroupSet', ecs_sgs)
+  }
+
+  LaunchConfiguration(:LaunchConfig) {
+    ImageId FnFindInMap('ecsAMI', Ref('AWS::Region'), 'ami')
+    IamInstanceProfile Ref('InstanceProfile')
+    KeyName FnFindInMap('EnvironmentType', 'ciinabox', 'KeyName')
+    SecurityGroups ecs_sgs
+    InstanceType FnFindInMap('EnvironmentType', 'ciinabox', 'ECSInstanceType')
+    if not ecs_block_device_mapping.empty?
+      Property("BlockDeviceMappings", ecs_block_device_mapping)
+    end
+    UserData FnBase64(FnJoin("", [
+        "#!/bin/bash\n",
+        "echo ECS_CLUSTER=", Ref('ECSCluster'), " >> /etc/ecs/ecs.config\n",
+        "INSTANCE_ID=$(echo `/opt/aws/bin/ec2-metadata -i | cut -f2 -d:`)\n",
+        "PRIVATE_IP=`/opt/aws/bin/ec2-metadata -o | cut -f2 -d: | cut -f2 -d-`\n",
+        "yum install -y python-pip\n",
+        "python-pip install --upgrade awscli\n",
+        "/usr/local/bin/aws --region ", Ref("AWS::Region"), " ec2 attach-volume --volume-id ", Ref(volume_name), " --instance-id ${INSTANCE_ID} --device /dev/sdf\n",
+        "echo 'waiting for ECS Data volume to attach' && sleep 20\n",
+        "/usr/local/bin/aws --region ", Ref("AWS::Region"), " ec2 attach-network-interface --network-interface-id ",  Ref('ECSENI'), " --instance-id ${INSTANCE_ID} --device-index 1\n",
+        "echo 'waiting for ECS ENI to attach' && sleep 20\n",
+        "echo '/dev/xvdf   /data        ext4    defaults,nofail 0   2' >> /etc/fstab\n",
+        "mkdir -p /data\n",
+        "mount /data && echo \"ECS Data volume already formatted\" || mkfs -t ext4 /dev/xvdf\n",
+        "mount -a && echo 'mounting ECS Data volume' || echo 'failed to mount ECS Data volume'\n",
+        "#{user_data_init_devices}",
+        "export BOOTSTRAP=/data/bootstrap \n",
+        "if [ ! -e \"$BOOTSTRAP\" ]; then echo \"boostrapping\"; chmod -R 777 /data; mkdir -p /data/jenkins; chown -R 1000:1000 /data/jenkins;  touch $BOOTSTRAP; fi \n",
+        "ifconfig eth0 mtu 1500\n",
+        "curl https://amazon-ssm-", Ref("AWS::Region"), ".s3.amazonaws.com/latest/linux_amd64/amazon-ssm-agent.rpm -o /tmp/amazon-ssm-agent.rpm\n",
+        "yum install -y /tmp/amazon-ssm-agent.rpm\n",
+        "stop ecs\n",
+        "service docker stop\n",
+        "service docker start\n",
+        "start ecs\n",
+        "echo 'done!!!!'\n"
+    ]))
+  }
+
+  AutoScalingGroup("AutoScaleGroup") {
+    UpdatePolicy("AutoScalingRollingUpdate", {
+        "MinInstancesInService" => "0",
+        "MaxBatchSize" => "1",
+    })
+    LaunchConfigurationName Ref('LaunchConfig')
+    HealthCheckGracePeriod '500'
+    MinSize 1
+    MaxSize 1
+    DesiredCapacity 1
+    VPCZoneIdentifier [Ref('SubnetPrivateA')]
+    addTag("Name", FnJoin("", ["ciinabox-ecs-xx"]), true)
+    addTag("Environment", 'ciinabox', true)
+    addTag("EnvironmentType", 'ciinabox', true)
+    addTag("Role", "ciinabox-ecs", true)
+  }
+
+  if defined? scale_up_schedule
+    Resource("ScheduledActionUp") {
+      Type 'AWS::AutoScaling::ScheduledAction'
+      Property('AutoScalingGroupName', Ref('AutoScaleGroup'))
+      Property('MinSize', '1')
+      Property('MaxSize', '1')
+      Property('DesiredCapacity', '1')
+      Property('Recurrence', scale_up_schedule)
+    }
+  end
+
+  if defined? scale_down_schedule
+    Resource("ScheduledActionDown") {
+      Type 'AWS::AutoScaling::ScheduledAction'
+      Property('AutoScalingGroupName', Ref('AutoScaleGroup'))
+      Property('MinSize', '0')
+      Property('MaxSize', '0')
+      Property('DesiredCapacity', '0')
+      Property('Recurrence', scale_down_schedule)
+    }
+  end
+
+  availability_zones.each do |az|
+    Output("ECSSubnetPrivate#{az}") {
+      Value(Ref("SubnetPrivate#{az}"))
+    }
+  end
+
+  Output("ECSRole") {
+    Value(Ref('Role')) unless has_ciinabox_role_predefined
+    Value(ciinabox_iam_role_name) if has_ciinabox_role_predefined
+  }
+
+  Output("ECSENIPrivateIpAddress") {
+    Value(FnGetAtt('ECSENI', 'PrimaryPrivateIpAddress'))
+  }
+
+  Output("ECSInstanceProfile") {
+    Value(Ref('InstanceProfile'))
+  }
+
+}