maintenance/git-gc/cf-task-git-gc.yml - aws-gerrit - Git at Google

 AWSTemplateFormatVersion: '2010-09-09'
 Description: ECS service scheduling GC against specified git projects
 Parameters:
   ClusterStackName:
     Description: Stack name of the ECS cluster to deploy this service onto
     Type: String
     Default: gerrit-cluster
   ProjectList:
     Description: Comma separated list of projects to perform GC against
     Type: CommaDelimitedList
     Default: ''
   EnvironmentName:
     Description: An environment name used to build the log stream names
     Type: String
     Default: test
   TemplateBucketName:
     Description: S3 bucket containing cloudformation templates
     Type: String
   DockerImageFQN:
     Description: Fully qualified name of the git-gc docker image
     Type: String
   ScheduleCronExpression:
     Description: Cron expression string to schedule GC at
     Type: String
   GitSourcePath:
     Description: The absolute path storing git data
     Type: String
   GitGCOptions:
     Description: Options to pass to the JGit GC command line
     Type: String
     Default: ''
   PackThreads:
     Description: Number of threads for packing concurrently
     Type: String
     Default: ''
   PruneExpire:
     Description: Grace period after which unreachable objects will be pruned
     Type: String
     Default: ''
   PrunePackExpire:
     Description: Grace period after which packfiles only containing unreachable objects will be pruned
     Type: String
     Default: ''
   JavaArgs:
     Description: extra JVM options to pass to the JGit JVM
     Type: String
     Default: ''

 Mappings:
   Gerrit:
     Volume:
       Git: gerrit-git
   GitGC:
     Task:
       Name: git-gc

 Resources:
     TaskDefinition:
         Type: AWS::ECS::TaskDefinition
         Properties:
             Family: !FindInMap ['GitGC', 'Task', 'Name']
             TaskRoleArn: !GetAtt ECSTaskExecutionRoleStack.Outputs.TaskExecutionRoleRef
             ExecutionRoleArn: !GetAtt ECSTaskExecutionRoleStack.Outputs.TaskExecutionRoleRef
             NetworkMode: bridge
             PlacementConstraints:
                 - Expression: !Sub 'attribute:target_group =~ primary.*'
                   Type: "memberOf"
             ContainerDefinitions:
                 - Name: !FindInMap ['GitGC', 'Task', 'Name']
                   Essential: true
                   Image: !Ref DockerImageFQN
                   Environment:
                     - Name: GC_PROJECT_LIST
                       Value: !Join [',', !Ref ProjectList]
                     - Name: GIT_GC_OPTION
                       Value: !Ref GitGCOptions
                     - Name: PACK_THREADS
                       Value: !Ref PackThreads
                     - Name: PRUNE_EXPIRE
                       Value: !Ref PruneExpire
                     - Name: PRUNE_PACK_EXPIRE
                       Value: !Ref PrunePackExpire
                     - Name: JAVA_ARGS
                       Value: !Ref JavaArgs
                   MountPoints:
                     - SourceVolume: !FindInMap ['Gerrit', 'Volume', 'Git']
                       ContainerPath: /git
                   Cpu: 1024
                   Memory: 1024
                   LogConfiguration:
                     LogDriver: awslogs
                     Options:
                         awslogs-group: !Ref ClusterStackName
                         awslogs-region: !Ref AWS::Region
                         awslogs-stream-prefix: !Ref EnvironmentName
             Volumes:
               - Name: !FindInMap ['Gerrit', 'Volume', 'Git']
                 Host:
                   SourcePath: !Ref GitSourcePath

     ECSTaskExecutionRoleStack:
       Type: AWS::CloudFormation::Stack
       Properties:
         TemplateURL: !Join [ '', ['https://', !Ref TemplateBucketName, '.s3.amazonaws.com/cf-gerrit-task-execution-role.yml'] ]
         TimeoutInMinutes: '5'

     EventsInvokeTaskRole:
       Type: AWS::IAM::Role
       Properties:
         AssumeRolePolicyDocument:
           Statement:
             - Effect: Allow
               Principal:
                 Service: [events.amazonaws.com]
               Action:
                 - sts:AssumeRole
         Path: /
         Policies:
           - PolicyName: "AllowTaskInvoke"
             PolicyDocument:
               Statement:
                 - Effect: "Allow"
                   Action:
                     - 'ecs:RunTask'
                   Resource: !Sub
                     - "arn:aws:ecs:*:${AWS::AccountId}:task-definition/${TaskName}:*"
                     - { TaskName: !FindInMap ['GitGC', 'Task', 'Name'] }
                   Condition:
                     ArnLike:
                       ecs:cluster: !Sub
                         - "arn:aws:ecs:*:${AWS::AccountId}:cluster/${ClusterName}"
                         - { ClusterName:
                               { Fn::ImportValue: !Join [':', [!Ref 'ClusterStackName', 'ClusterName']] }
                         }
                 - Effect: "Allow"
                   Action: "iam:PassRole"
                   Resource: "*"
                   Condition:
                     StringLike:
                       iam:PassedToService: "ecs-tasks.amazonaws.com"

     TaskSchedule:
       Type: AWS::Events::Rule
       Properties:
         Description: "Run git garbage collection on a list of specified projects"
         Name: git-GC
         ScheduleExpression: !Sub "cron(${ScheduleCronExpression})"
         State: ENABLED
         Targets:
           - Id: git-gc-primary
             RoleArn: !GetAtt EventsInvokeTaskRole.Arn
             EcsParameters:
               TaskDefinitionArn: !Ref TaskDefinition
               TaskCount: 1
             Arn:
               Fn::ImportValue:
                 !Join [':', [!Ref 'ClusterStackName', 'ClusterArn']]
	AWSTemplateFormatVersion: '2010-09-09'
	Description: ECS service scheduling GC against specified git projects
	Parameters:
	ClusterStackName:
	Description: Stack name of the ECS cluster to deploy this service onto
	Type: String
	Default: gerrit-cluster
	ProjectList:
	Description: Comma separated list of projects to perform GC against
	Type: CommaDelimitedList
	Default: ''
	EnvironmentName:
	Description: An environment name used to build the log stream names
	Type: String
	Default: test
	TemplateBucketName:
	Description: S3 bucket containing cloudformation templates
	Type: String
	DockerImageFQN:
	Description: Fully qualified name of the git-gc docker image
	Type: String
	ScheduleCronExpression:
	Description: Cron expression string to schedule GC at
	Type: String
	GitSourcePath:
	Description: The absolute path storing git data
	Type: String
	GitGCOptions:
	Description: Options to pass to the JGit GC command line
	Type: String
	Default: ''
	PackThreads:
	Description: Number of threads for packing concurrently
	Type: String
	Default: ''
	PruneExpire:
	Description: Grace period after which unreachable objects will be pruned
	Type: String
	Default: ''
	PrunePackExpire:
	Description: Grace period after which packfiles only containing unreachable objects will be pruned
	Type: String
	Default: ''
	JavaArgs:
	Description: extra JVM options to pass to the JGit JVM
	Type: String
	Default: ''

	Mappings:
	Gerrit:
	Volume:
	Git: gerrit-git
	GitGC:
	Task:
	Name: git-gc

	Resources:
	TaskDefinition:
	Type: AWS::ECS::TaskDefinition
	Properties:
	Family: !FindInMap ['GitGC', 'Task', 'Name']
	TaskRoleArn: !GetAtt ECSTaskExecutionRoleStack.Outputs.TaskExecutionRoleRef
	ExecutionRoleArn: !GetAtt ECSTaskExecutionRoleStack.Outputs.TaskExecutionRoleRef
	NetworkMode: bridge
	PlacementConstraints:
	- Expression: !Sub 'attribute:target_group =~ primary.*'
	Type: "memberOf"
	ContainerDefinitions:
	- Name: !FindInMap ['GitGC', 'Task', 'Name']
	Essential: true
	Image: !Ref DockerImageFQN
	Environment:
	- Name: GC_PROJECT_LIST
	Value: !Join [',', !Ref ProjectList]
	- Name: GIT_GC_OPTION
	Value: !Ref GitGCOptions
	- Name: PACK_THREADS
	Value: !Ref PackThreads
	- Name: PRUNE_EXPIRE
	Value: !Ref PruneExpire
	- Name: PRUNE_PACK_EXPIRE
	Value: !Ref PrunePackExpire
	- Name: JAVA_ARGS
	Value: !Ref JavaArgs
	MountPoints:
	- SourceVolume: !FindInMap ['Gerrit', 'Volume', 'Git']
	ContainerPath: /git
	Cpu: 1024
	Memory: 1024
	LogConfiguration:
	LogDriver: awslogs
	Options:
	awslogs-group: !Ref ClusterStackName
	awslogs-region: !Ref AWS::Region
	awslogs-stream-prefix: !Ref EnvironmentName
	Volumes:
	- Name: !FindInMap ['Gerrit', 'Volume', 'Git']
	Host:
	SourcePath: !Ref GitSourcePath

	ECSTaskExecutionRoleStack:
	Type: AWS::CloudFormation::Stack
	Properties:
	TemplateURL: !Join [ '', ['https://', !Ref TemplateBucketName, '.s3.amazonaws.com/cf-gerrit-task-execution-role.yml'] ]
	TimeoutInMinutes: '5'

	EventsInvokeTaskRole:
	Type: AWS::IAM::Role
	Properties:
	AssumeRolePolicyDocument:
	Statement:
	- Effect: Allow
	Principal:
	Service: [events.amazonaws.com]
	Action:
	- sts:AssumeRole
	Path: /
	Policies:
	- PolicyName: "AllowTaskInvoke"
	PolicyDocument:
	Statement:
	- Effect: "Allow"
	Action:
	- 'ecs:RunTask'
	Resource: !Sub
	- "arn:aws:ecs::${AWS::AccountId}:task-definition/${TaskName}:"
	- { TaskName: !FindInMap ['GitGC', 'Task', 'Name'] }
	Condition:
	ArnLike:
	ecs:cluster: !Sub
	- "arn:aws:ecs:*:${AWS::AccountId}:cluster/${ClusterName}"
	- { ClusterName:
	{ Fn::ImportValue: !Join [':', [!Ref 'ClusterStackName', 'ClusterName']] }
	}
	- Effect: "Allow"
	Action: "iam:PassRole"
	Resource: "*"
	Condition:
	StringLike:
	iam:PassedToService: "ecs-tasks.amazonaws.com"

	TaskSchedule:
	Type: AWS::Events::Rule
	Properties:
	Description: "Run git garbage collection on a list of specified projects"
	Name: git-GC
	ScheduleExpression: !Sub "cron(${ScheduleCronExpression})"
	State: ENABLED
	Targets:
	- Id: git-gc-primary
	RoleArn: !GetAtt EventsInvokeTaskRole.Arn
	EcsParameters:
	TaskDefinitionArn: !Ref TaskDefinition
	TaskCount: 1
	Arn:
	Fn::ImportValue:
	!Join [':', [!Ref 'ClusterStackName', 'ClusterArn']]