low-cost-ecs 0.0.6

package/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2022 Yohta Kimura
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,117 @@
+[![NPM version](https://badge.fury.io/js/low-cost-ecs.svg)](https://www.npmjs.com/package/low-cost-ecs)
+[![PyPI version](https://badge.fury.io/py/low-cost-ecs.svg)](https://pypi.org/project/low-cost-ecs/0.0.4/)
+[![Release](https://github.com/rajyan/low-cost-ecs/workflows/release/badge.svg)](https://github.com/rajyan/low-cost-ecs/actions/workflows/release.yml)
+[<img src="https://constructs.dev/badge?package=low-cost-ecs" width="150">](https://constructs.dev/packages/low-cost-ecs)
+
+# Low-Cost ECS
+
+A CDK construct that provides easy and low-cost ECS on EC2 server setup without a load balancer.
+TLS/SSL certificates are installed automatically on startup of the server and renewed by a scheduled state machine using [certbot-dns-route53](https://certbot-dns-route53.readthedocs.io/en/stable/).
+
+**This construct is for development purposes only** see [Limitations](#Limitations).
+
+# Try it out!
+
+The easiest way to see what this construct creates is to clone this repository and deploying sample server.
+Edit settings in `bin/low-cost-ecs.ts` and deploy cdk construct. [Public hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/AboutHZWorkingWith.html) with your own domain is required.
+
+```
+git clone https://github.com/rajyan/low-cost-ecs.git
+# edit settings in bin/low-cost-ecs.ts
+npx cdk deploy
+```
+
+Access to configured `recordDomainNames` and see that the nginx sample server has been deployed.
+
+# Installation
+
+To use this construct in your own cdk stack as a library,
+
+```
+npm install low-cost-ecs
+```
+
+```ts
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import { LowCostECS } from 'low-cost-ecs';
+
+class SampleStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        const vpc = /** Your VPC */;
+        const securityGroup = /** Your security group */;
+        const serverTaskDefinition = /** Your task definition */;
+
+        new LowCostECS(this, 'LowCostECS', {
+            hostedZoneDomain: "rajyan.net",
+            email: "kitakita7617@gmail.com",
+            vpc: vpc,
+            securityGroup: securityGroup,
+            serverTaskDefinition: serverTaskDefinition
+        });
+    }
+}
+```
+
+The required fields are `hostedZoneDomain` and `email`.
+Set your own task definition, and other props. Read [`LowCostECSProps` documentation](https://github.com/rajyan/low-cost-ecs/blob/main/API.md#low-cost-ecs.LowCostECSProps) for details.
+
+# Why
+
+ECS may often seem expensive when used for personal development purposes, because of the cost of load balancer.
+The application load balancer is a great service because it is easy to set up managed ACM certificates, it scales, and has dynamic port mapping, 
+but it is over-featured for running 1 ECS service.
+
+However, to run a ECS sever without a load balancer, you need to associate an Elastic IP to the host instance, and install your certificate by yourself.
+This construct aims to automate these work and deploying resources to run low-cost ECS server.
+
+[//]: # (# Overview)
+
+# Cost
+
+All resources except Route53 HostedZone should be included in [AWS Free Tier](https://docs.aws.amazon.com/whitepapers/latest/how-aws-pricing-works/get-started-with-the-aws-free-tier.html)
+***if you are in the 12 Months Free period***.
+After your 12 Months Free period, setting [`hostInstanceSpotPrice`](https://github.com/rajyan/low-cost-ecs/blob/main/API.md#low-cost-ecs.LowCostECSProps.property.hostInstanceSpotPrice) to use spot instances is recommended.
+
+* EC2
+  * t2,micro 750 instance hours (12 Months Free Tier)
+  * 30GB EBS volume (12 Months Free Tier)
+* ECS
+  * No additional charge because using ECS on EC2
+* EFS
+  * Usage is very small, it should be free
+* Cloud Watch
+  * Usage is very small, and it should be included in the free tier
+  * Enabling [`containerInsights`](https://github.com/rajyan/low-cost-ecs/blob/main/API.md#low-cost-ecs.LowCostECSProps.property.containerInsights) will charge for custom metrics
+
+# Debugging
+
+* SSM Session Manager
+
+SSM manager is pre-installed (in ECS-optimized Amazon Linux 2 AMI) in the host instance and `AmazonSSMManagedInstanceCore` is added to the host instance role
+to access and debug in your host instance.
+
+```
+aws ssm start-session --target $INSTANCE_ID
+```
+
+* ECS Exec
+
+Service ECS Exec is enabled, so execute commands can be used to debug in your server task container.
+
+```
+aws ecs execute-command \
+--cluster $CLUSTER_ID \
+--task $TASK_ID \
+--container nginx \
+--command bash \
+--interactive
+```
+
+# Limitations
+
+The ecs service occupies the host port, only one service can be run at a time.
+The old task must be terminated before the new task launches, and this causes downtime on release.
+Also, if you make changes that require recreating service, you may need to manually terminate the task of old the service.

package/bin/low-cost-ecs.ts

@@ -0,0 +1,15 @@
+import { App } from "aws-cdk-lib";
+import { LowCostECS } from '../src';
+
+const app = new App();
+
+new LowCostECS(app, "LowCostECSStack", {
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION,
+  },
+  hostedZoneDomain: "rajyan.net",
+  recordDomainNames: ["test1.rajyan.net", "test2.rajyan.net"],
+  email: "kitakita7617@gmail.com",
+  hostInstanceSpotPrice: "0.0050",
+});

package/cdk.json

@@ -0,0 +1,3 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/low-cost-ecs.ts"
+}

package/containers/nginx-proxy/Dockerfile

@@ -0,0 +1,3 @@
+FROM nginx:stable
+
+COPY ./templates /etc/nginx/templates

package/containers/nginx-proxy/templates/default.conf.template

@@ -0,0 +1,15 @@
+server {
+    listen 80 default_server;
+    listen 443 ssl http2 default_server;
+    listen [::]:80 default_server;
+    listen [::]:443 ssl http2 default_server;
+
+    ssl_reject_handshake on;
+
+    error_page 497 =444 @close;
+    location @close {
+        return 444;
+    }
+
+    return 444;
+}

package/containers/nginx-proxy/templates/http_to_https_redirect.conf.template

@@ -0,0 +1,6 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${SERVER_NAME};
+    return 301 https://$host$request_uri;
+}

package/containers/nginx-proxy/templates/https.conf.template

@@ -0,0 +1,33 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name ${SERVER_NAME};
+
+    ssl_certificate /etc/letsencrypt/live/${CERT_NAME}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${CERT_NAME}/privkey.pem;
+    ssl_session_cache shared:ssl:10m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+
+    # based on https://ssl-config.mozilla.org/
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    # vpc resolver https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
+    resolver 169.254.169.253;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+}

package/lib/index.d.ts

@@ -0,0 +1 @@
+export * from './low-cost-ecs';

package/lib/index.js

@@ -0,0 +1,14 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !exports.hasOwnProperty(p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./low-cost-ecs"), exports);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7O0FBQUEsaURBQStCIiwic291cmNlc0NvbnRlbnQiOlsiZXhwb3J0ICogZnJvbSAnLi9sb3ctY29zdC1lY3MnO1xuIl19

package/lib/low-cost-ecs.d.ts

@@ -0,0 +1,102 @@
+import * as lib from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as ecs from 'aws-cdk-lib/aws-ecs';
+import { ILogGroup } from 'aws-cdk-lib/aws-logs';
+import { Construct } from 'constructs';
+export interface LowCostECSProps extends lib.StackProps {
+    /**
+     * Domain name of the hosted zone.
+     */
+    readonly hostedZoneDomain: string;
+    /**
+     * Email for expiration emails to register to your let's encrypt account.
+     *
+     * @link https://letsencrypt.org/docs/expiration-emails/
+     *
+     * Also registered as a subscriber of the sns topic, notified on certbot task failure.
+     * Subscription confirmation email would be sent on stack creation.
+     *
+     * @link https://docs.aws.amazon.com/sns/latest/dg/sns-email-notifications.html
+     */
+    readonly email: string;
+    /**
+     * Domain names for A records to elastic ip of ECS host instance.
+     *
+     * @default - [ props.hostedZone.zoneName ]
+     */
+    readonly recordDomainNames?: string[];
+    /**
+     * Vpc of the ECS host instance and cluster.
+     *
+     * @default - Creates vpc with only public subnets and no NAT gateways.
+     */
+    readonly vpc?: ec2.IVpc;
+    /**
+     * Security group of the ECS host instance
+     *
+     * @default - Creates security group with allowAllOutbound and ingress rule (ipv4, ipv6) => (tcp 80, 443).
+     */
+    readonly securityGroup?: ec2.SecurityGroup;
+    /**
+     * Instance type of the ECS host instance.
+     *
+     * @default - t2.micro
+     */
+    readonly hostInstanceType?: string;
+    /**
+     * The maximum hourly price (in USD) to be paid for any Spot Instance launched to fulfill the request.
+     * Host instance asg would use spot instances if hostInstanceSpotPrice is set.
+     *
+     * @link https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs.AddCapacityOptions.html#spotprice
+     * @default - undefined
+     */
+    readonly hostInstanceSpotPrice?: string;
+    /**
+     * Log group of the certbot task and the aws-cli task.
+     *
+     * @default - Creates default cdk log group
+     */
+    readonly logGroup?: ILogGroup;
+    /**
+     * Docker image tag of certbot/dns-route53 to create certificates.
+     *
+     * @link https://hub.docker.com/r/certbot/dns-route53/tags
+     * @default - v1.29.0
+     */
+    readonly certbotDockerTag?: string;
+    /**
+     * Certbot task schedule interval in days to renew the certificate.
+     *
+     * @default - 60
+     */
+    readonly certbotScheduleInterval?: number;
+    /**
+     * Docker image tag of amazon/aws-cli.
+     * This image is used to associate elastic ip on host instance startup, and run certbot cfn on ecs container startup.
+     *
+     * @default - latest
+     */
+    readonly awsCliDockerTag?: string;
+    /**
+     * Enable container insights or not
+     *
+     * @default - undefined (container insights disabled)
+     */
+    readonly containerInsights?: boolean;
+    /**
+     * Removal policy for the file system and log group (if using default).
+     *
+     * @default - RemovalPolicy.DESTROY
+     */
+    readonly removalPolicy?: lib.RemovalPolicy;
+    /**
+     * Task definition for the server ecs task.
+     *
+     * @default - Nginx server task definition defined in sampleServerTask()
+     */
+    readonly serverTaskDefinition?: ecs.Ec2TaskDefinition;
+}
+export declare class LowCostECS extends lib.Stack {
+    constructor(scope: Construct, id: string, props: LowCostECSProps);
+    private sampleSeverTask;
+}