Improvements on Fargate service (#240)

* Test for new Fargate Platform version

* Improvements on Fargate Instrumentation code + add ECR API VPC endpoint

* Update changelog

* Pin to 1.4.0

* Review guide

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Change Log
 
+## v0.24
+
+- [#240](https://github.com/awslabs/amazon-s3-find-and-forget/pull/240): Add ECR
+  API Endpoint and migrate to
+  [Fargate Platform version 1.4.0](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html#platform-version-migration)
+
 ## v0.23
 
 - [#238](https://github.com/awslabs/amazon-s3-find-and-forget/pull/238): Upgrade

docs/USER_GUIDE.md

@@ -42,12 +42,15 @@ The Fargate tasks used by this solution to perform deletions must be able to
 access the following AWS services, either via an Internet Gateway or via [VPC
 Endpoints]:
 
-- Amazon S3
-- Amazon DynamoDB
-- Amazon CloudWatch (monitoring and logs)
-- AWS ECR
-- Amazon SQS
-- AWS STS
+- Amazon S3 (gateway endpoint _com.amazonaws.**region**.s3_)
+- Amazon DynamoDB (gateway endpoint _com.amazonaws.**region**.dynamodb_)
+- Amazon CloudWatch Monitoring (interface endpoint
+  _com.amazonaws.**region**.monitoring_) and Logs (interface endpoint
+  _com.amazonaws.**region**.logs_)
+- AWS ECR API (interface endpoint _com.amazonaws.**region**.ecr.api_) and Docker
+  (interface endpoint _com.amazonaws.**region**.ecr.dkr_)
+- Amazon SQS (interface endpoint _com.amazonaws.**region**.sqs_)
+- AWS STS (interface endpoint _com.amazonaws.**region**.sts_)
 
 #### Creating a New VPC
 

templates/deletion_flow.yaml

@@ -52,6 +52,13 @@ Resources:
 
   ECSCluster:
     Type: AWS::ECS::Cluster
+    Properties:
+      ClusterSettings:
+        - Name: containerInsights
+          Value: !If
+            - WithContainerInsights
+            - enabled
+            - disabled
 
   ECRRepository:
     Type: AWS::ECR::Repository
@@ -139,6 +146,7 @@ Resources:
       Cluster: !GetAtt ECSCluster.Arn
       DesiredCount: 0
       LaunchType: FARGATE
+      PlatformVersion: 1.4.0
       NetworkConfiguration:
         AwsvpcConfiguration:
           SecurityGroups: !Ref VpcSecurityGroups
@@ -189,25 +197,6 @@ Resources:
       KmsMasterKeyId: alias/aws/sqs
       ReceiveMessageWaitTimeSeconds: 0
 
-  UpdateClusterConfig:
-    Type: Custom::Setup
-    Condition: WithContainerInsights
-    Properties:
-      ServiceToken: !GetAtt UpdateClusterEnableContainerInsights.Arn
-
-  UpdateClusterEnableContainerInsights:
-    Type: AWS::Serverless::Function
-    Condition: WithContainerInsights
-    Properties:
-      Handler: enable_container_insights.handler
-      CodeUri: ../backend/lambdas/custom_resources/
-      Description: Custom Lambda resource for the Amazon S3 Find and Forget Cloudformation Stack
-      Policies:
-        - Statement:
-          - Effect: Allow
-            Action: ecs:UpdateClusterSettings
-            Resource: !Sub arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${ECSCluster}
-
 Outputs:
   DeleteObjectsQueueUrl:
     Value: !Ref DelObjQ

templates/template.yaml

@@ -1,6 +1,6 @@
 AWSTemplateFormatVersion: "2010-09-09"
 Transform: AWS::Serverless-2016-10-31
-Description: Amazon S3 Find and Forget (uksb-1q2j8beb0) (version:v0.23)
+Description: Amazon S3 Find and Forget (uksb-1q2j8beb0) (version:v0.24)
 
 Parameters:
   AccessControlAllowOriginOverride:
@@ -135,7 +135,7 @@ Conditions:
 Mappings:
   Solution:
     Constants:
-      Version: 'v0.23'
+      Version: 'v0.24'
 
 Resources:
   TempBucket:

templates/vpc.yaml

@@ -249,6 +249,19 @@ Resources:
       VpcEndpointType: Interface
       VpcId: !Ref VPC
 
+  ECRAPIEndpoint:
+    Type: AWS::EC2::VPCEndpoint
+    Properties:
+      PrivateDnsEnabled: true
+      SecurityGroupIds: [!Ref SecurityGroup]
+      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.ecr.api'
+      SubnetIds:
+        - !Ref PrivateSubnet1
+        - !Ref PrivateSubnet2
+        - !If [HasThreeAZs, !Ref PrivateSubnet3, !Ref 'AWS::NoValue']
+      VpcEndpointType: Interface
+      VpcId: !Ref VPC
+
   S3Endpoint:
     Type: AWS::EC2::VPCEndpoint
     Properties: