AWSTemplateFormatVersion: '2010-09-09' Description: > Sales Management System on AWS (販売管理システム) 月額~20万円・50-70名向け。CloudFront + ECS Fargate + Aurora Serverless v2 構成。 # ============================================================ # パラメータ定義 # ============================================================ Parameters: EnvironmentName: Type: String Default: dev AllowedValues: [dev, stg, prod] Description: デプロイ環境 (dev / stg / prod) VpcCidr: Type: String Default: '10.0.0.0/16' # TODO: 実運用時に変更してください Description: VPC CIDR ブロック ContainerImage: Type: String Default: '123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/sales-api:latest' # TODO: 実運用時に変更してください Description: バックエンド API コンテナイメージ AuroraMinCapacity: Type: Number Default: 0.5 Description: Aurora Serverless v2 最小 ACU AuroraMaxCapacity: Type: Number Default: 2 Description: Aurora Serverless v2 最大 ACU # ============================================================ # リソース定義 # ============================================================ Resources: # ----- ネットワーク ----- VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcCidr EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Sub '${EnvironmentName}-sales-vpc' PublicSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: '10.0.1.0/24' AvailabilityZone: !Select [0, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub '${EnvironmentName}-public-1' PublicSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: '10.0.2.0/24' AvailabilityZone: !Select [1, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub '${EnvironmentName}-public-2' PrivateSubnet1: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: '10.0.10.0/24' AvailabilityZone: !Select [0, !GetAZs ''] Tags: - Key: Name Value: !Sub '${EnvironmentName}-private-1' PrivateSubnet2: Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: '10.0.11.0/24' AvailabilityZone: !Select [1, !GetAZs ''] Tags: - Key: Name Value: !Sub '${EnvironmentName}-private-2' InternetGateway: Type: AWS::EC2::InternetGateway IGWAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway NatEIP: Type: AWS::EC2::EIP Properties: Domain: vpc NatGateway: Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt NatEIP.AllocationId SubnetId: !Ref PublicSubnet1 # ----- セキュリティ ----- ALBSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: ALB Security Group VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: '0.0.0.0/0' AppSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: ECS Fargate Security Group VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 8080 ToPort: 8080 SourceSecurityGroupId: !Ref ALBSecurityGroup DBSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Aurora Security Group VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 5432 ToPort: 5432 SourceSecurityGroupId: !Ref AppSecurityGroup # ----- Cognito 認証 ----- UserPool: Type: AWS::Cognito::UserPool Properties: UserPoolName: !Sub '${EnvironmentName}-sales-users' AutoVerifiedAttributes: - email Policies: PasswordPolicy: MinimumLength: 12 RequireLowercase: true RequireNumbers: true RequireSymbols: true RequireUppercase: true MfaConfiguration: OPTIONAL UserPoolClient: Type: AWS::Cognito::UserPoolClient Properties: UserPoolId: !Ref UserPool ClientName: !Sub '${EnvironmentName}-sales-app' GenerateSecret: false ExplicitAuthFlows: - ALLOW_USER_SRP_AUTH - ALLOW_REFRESH_TOKEN_AUTH # ----- S3 静的ホスティング ----- SPABucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub '${EnvironmentName}-sales-spa-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true FileBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub '${EnvironmentName}-sales-files-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true # ----- CloudFront ----- CloudFrontOAC: Type: AWS::CloudFront::OriginAccessControl Properties: OriginAccessControlConfig: Name: !Sub '${EnvironmentName}-sales-oac' OriginAccessControlOriginType: s3 SigningBehavior: always SigningProtocol: sigv4 Distribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Enabled: true DefaultRootObject: index.html Origins: - Id: S3Origin DomainName: !GetAtt SPABucket.RegionalDomainName OriginAccessControlId: !Ref CloudFrontOAC S3OriginConfig: OriginAccessIdentity: '' - Id: ALBOrigin DomainName: !GetAtt ALB.DNSName CustomOriginConfig: OriginProtocolPolicy: https-only DefaultCacheBehavior: TargetOriginId: S3Origin ViewerProtocolPolicy: redirect-to-https ForwardedValues: QueryString: false CacheBehaviors: - PathPattern: '/api/*' TargetOriginId: ALBOrigin ViewerProtocolPolicy: https-only AllowedMethods: [GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE] ForwardedValues: QueryString: true Headers: ['Authorization'] # ----- ALB ----- ALB: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: !Sub '${EnvironmentName}-sales-alb' Scheme: internet-facing Type: application SecurityGroups: - !Ref ALBSecurityGroup Subnets: - !Ref PublicSubnet1 - !Ref PublicSubnet2 ALBTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: !Sub '${EnvironmentName}-sales-tg' Port: 8080 Protocol: HTTP VpcId: !Ref VPC TargetType: ip HealthCheckPath: /health ALBListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: LoadBalancerArn: !Ref ALB Port: 443 Protocol: HTTPS Certificates: - CertificateArn: 'arn:aws:acm:ap-northeast-1:123456789012:certificate/dummy' # TODO: 実運用時に変更してください DefaultActions: - Type: forward TargetGroupArn: !Ref ALBTargetGroup # ----- ECS Fargate ----- ECSCluster: Type: AWS::ECS::Cluster Properties: ClusterName: !Sub '${EnvironmentName}-sales-cluster' ClusterSettings: - Name: containerInsights Value: enabled TaskExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy TaskDefinition: Type: AWS::ECS::TaskDefinition Properties: Family: !Sub '${EnvironmentName}-sales-api' Cpu: '512' Memory: '1024' NetworkMode: awsvpc RequiresCompatibilities: [FARGATE] ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn ContainerDefinitions: - Name: sales-api Image: !Ref ContainerImage PortMappings: - ContainerPort: 8080 LogConfiguration: LogDriver: awslogs Options: awslogs-group: !Ref LogGroup awslogs-region: !Ref 'AWS::Region' awslogs-stream-prefix: sales-api ECSService: Type: AWS::ECS::Service DependsOn: ALBListener Properties: Cluster: !Ref ECSCluster TaskDefinition: !Ref TaskDefinition DesiredCount: 2 LaunchType: FARGATE NetworkConfiguration: AwsvpcConfiguration: Subnets: - !Ref PrivateSubnet1 - !Ref PrivateSubnet2 SecurityGroups: - !Ref AppSecurityGroup LoadBalancers: - ContainerName: sales-api ContainerPort: 8080 TargetGroupArn: !Ref ALBTargetGroup # ----- Aurora Serverless v2 ----- DBSubnetGroup: Type: AWS::RDS::DBSubnetGroup Properties: DBSubnetGroupDescription: Aurora Subnet Group SubnetIds: - !Ref PrivateSubnet1 - !Ref PrivateSubnet2 AuroraCluster: Type: AWS::RDS::DBCluster Properties: Engine: aurora-postgresql EngineVersion: '15.4' DatabaseName: salesdb # TODO: 実運用時に変更してください MasterUsername: admin # TODO: 実運用時に変更してください ManageMasterUserPassword: true ServerlessV2ScalingConfiguration: MinCapacity: !Ref AuroraMinCapacity MaxCapacity: !Ref AuroraMaxCapacity DBSubnetGroupName: !Ref DBSubnetGroup VpcSecurityGroupIds: - !Ref DBSecurityGroup StorageEncrypted: true DeletionProtection: true AuroraInstance: Type: AWS::RDS::DBInstance Properties: DBClusterIdentifier: !Ref AuroraCluster DBInstanceClass: db.serverless Engine: aurora-postgresql # ----- ECR ----- ECRRepository: Type: AWS::ECR::Repository Properties: RepositoryName: !Sub '${EnvironmentName}-sales-api' ImageScanningConfiguration: ScanOnPush: true EncryptionConfiguration: EncryptionType: AES256 # ----- Secrets Manager ----- DBSecret: Type: AWS::SecretsManager::Secret Properties: Name: !Sub '${EnvironmentName}/sales/db-credentials' Description: Aurora DB 接続情報 GenerateSecretString: SecretStringTemplate: '{"username": "admin"}' GenerateStringKey: password PasswordLength: 32 ExcludeCharacters: '"@/\' # ----- CloudWatch ----- LogGroup: Type: AWS::Logs::LogGroup Properties: LogGroupName: !Sub '/ecs/${EnvironmentName}-sales-api' RetentionInDays: 30 CPUAlarm: Type: AWS::CloudWatch::Alarm Properties: AlarmName: !Sub '${EnvironmentName}-sales-cpu-high' MetricName: CPUUtilization Namespace: AWS/ECS Statistic: Average Period: 300 EvaluationPeriods: 2 Threshold: 80 ComparisonOperator: GreaterThanThreshold Dimensions: - Name: ClusterName Value: !Ref ECSCluster - Name: ServiceName Value: !GetAtt ECSService.Name AlarmActions: - !Ref AlarmTopic AlarmTopic: Type: AWS::SNS::Topic Properties: TopicName: !Sub '${EnvironmentName}-sales-alarms' KmsMasterKeyId: alias/aws/sns # ============================================================ # 出力 # ============================================================ Outputs: CloudFrontDomain: Description: CloudFront ディストリビューション URL Value: !GetAtt Distribution.DomainName ALBEndpoint: Description: ALB DNS 名 Value: !GetAtt ALB.DNSName AuroraEndpoint: Description: Aurora クラスタエンドポイント Value: !GetAtt AuroraCluster.Endpoint.Address UserPoolId: Description: Cognito User Pool ID Value: !Ref UserPool ECRRepositoryUri: Description: ECR リポジトリ URI Value: !GetAtt ECRRepository.RepositoryUri