AWSTemplateFormatVersion: 2010-09-09
Description: spiceql
Resources:
  SpiceQLECSLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    DependsOn: ECSCluster
    Properties:
      LaunchTemplateData:
        ImageId: /aws/service/ecs/optimized-ami/amazon-linux-2/kernel-5.10/recommended/image_id
        KeyName: AscEc2DevKey
        IamInstanceProfile:
          Arn: !Ref 'IamRoleInstanceProfile'
        BlockDeviceMappings:
          - DeviceName: /dev/xvda
            Ebs:
              VolumeSize: '5000'
        UserData: !Base64
          Fn::Sub:
            - "#!/bin/bash \necho ECS_CLUSTER=${ClusterName} >> /etc/ecs/ecs.config;"
            - ClusterName: !Ref 'ECSClusterName'
  SpiceQLProdLogGroupSlot1:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      LogGroupName: spiceql_prod_slot1_log_group
    Metadata:
      'AWS::CloudFormation::Designer':
        id: e9e7c015-1dda-480c-98e4-c4795d48e148
  SpiceQLProdTaskDefSlot1:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      RequiresCompatibilities:
        - EC2 #FARGATE
      ExecutionRoleArn: 'arn:aws:iam::950438895271:role/csr-EcsTask-Role'
      Cpu: 4096
      Memory: 8192
      NetworkMode: awsvpc
      Volumes:
        - Name: spiceql-ebs
          ConfiguredAtLaunch: true
          DockerVolumeConfiguration:
            Scope: shared
      ContainerDefinitions:
        - Name: spiceql_prod_slot1_container
          Image: 950438895271.dkr.ecr.us-west-2.amazonaws.com/spiceql:latest'
          MountPoints:
            - SourceVolume: spiceql-ebs
              ContainerPath: /mnt/isis_data
              ReadOnly: true
          PortMappings:
            - ContainerPort: 80
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref 'AWS::Region'
              awslogs-group: !Ref SpiceQLProdLogGroupSlot1
              awslogs-stream-prefix: ecs
          Environment: 
            - Name: SPICEROOT
              Value: /mnt/isis_data
            - Name: SPICEQL_LOG_LEVEL
              Value: DEBUG
            - Name: SSPICE_DEBUG
              Value: TRUE
  SpiceQLProdECSClusterSlot1:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: spiceqlProdCluster_slot1
      ClusterSettings: 
        - Name: containerInsights 
          Value: enabled
  SpiceQLProdLBSlot1:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: spiceql-prod-slot1-LB
      Scheme: internal
      Subnets:
        - subnet-0567fccf47f9b29a0
        - subnet-0326c18b7c38caa73
      Type: application
      SecurityGroups:
        - !GetAtt SpiceQLProdLBSGSlot1.GroupId
  SpiceQLProdTGSlot1:
    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
    Properties:
      Name: spiceql-prod-slot1-TG
      VpcId: vpc-004f1e36134bcaa04
      Protocol: HTTP
      Port: 80
      TargetType: ip
      HealthCheckPath: /
  SpiceQLProdListenerSlot1:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref SpiceQLProdTGSlot1
          Type: forward
      LoadBalancerArn: !Ref SpiceQLProdLBSlot1
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-FS-1-2-Res-2020-10
      Certificates:
        - CertificateArn: >-
            arn:aws:acm:us-west-2:950438895271:certificate/6aa50410-fb5a-4300-888f-55aae14463df
  SpiceQLProdLBSGSlot1:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: vpc-004f1e36134bcaa04
      GroupDescription: SG for the Fargate ALB
      GroupName: spiceql-prod-slot1-LBSG
      SecurityGroupIngress:
        - CidrIpv6: '::/0'
          FromPort: 80
          ToPort: 443
          IpProtocol: TCP
          Description: Inbound rule for IPv6 traffic
        - CidrIp: 0.0.0.0/0
          FromPort: 80
          ToPort: 443
          IpProtocol: TCP
          Description: Inbound rule for IPv4 traffic
  SpiceQLProdContainerSGSlot1:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: spiceql_prod_slot1_sg
      GroupDescription: Security group for NGINX container
      VpcId: vpc-004f1e36134bcaa04
      SecurityGroupIngress:
        - IpProtocol: -1
          SourceSecurityGroupId: !GetAtt SpiceQLProdLBSGSlot1.GroupId
          Description: Inbound rule for all traffic
  SpiceQLProdDNSSlot1:
    Type: 'AWS::Route53::RecordSet'
    Properties:
      HostedZoneName: prod-asc.chs.usgs.gov.
      Name: spiceql-slot1.prod-asc.chs.usgs.gov
      Type: A
      AliasTarget:
        HostedZoneId: !GetAtt SpiceQLProdLBSlot1.CanonicalHostedZoneID
        DNSName: !GetAtt SpiceQLProdLBSlot1.DNSName
  SpiceQLProdECSServiceSlot1:
    Type: 'AWS::ECS::Service'
    DependsOn:
      - SpiceQLProdListenerSlot1
    Properties:
      LaunchType: FARGATE
      Cluster:
        Ref: SpiceQLProdECSClusterSlot1
      DesiredCount: 1
      TaskDefinition:
        Ref: SpiceQLProdTaskDefSlot1
      DeploymentConfiguration:
        MaximumPercent: 100
        MinimumHealthyPercent: 0
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: DISABLED
          SecurityGroups:
            - !GetAtt SpiceQLProdContainerSGSlot1.GroupId
          Subnets:
            - subnet-0326c18b7c38caa73
      LoadBalancers:
        - TargetGroupArn:
            Ref: SpiceQLProdTGSlot1
          ContainerPort: 80 
          ContainerName: spiceql_prod_slot1_container