template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  SAM Template for Minecraft Environment Deployment


Parameters:
  MinecraftDomain:
    Type: String
    Description: Public domain to connect to Minecraft server (ECS container task)
    Default: 'null'
  MinecraftSubDomain:
    Type: String
    Description: Public sub-domain to connect to Minecraft server (ECS container task)
    Default: 'null'
  MinecraftHostedZoneId:
    Type: String
    Description: Hosted zone ID for public domain to connect to Minecraft server
    Default: 'null'
  MinecraftServerImage:
    Type: String
    Description: Container image's $REPOSITORY_URL/$IMAGE:$TAG for Minecraft server
  IsCreatedNLB:
    Type: String
    Description: |
      Is created NLB or not.
      If is not created (== 'true'), no running costs but no the Internet connection (i.e., no connection to the Minecraft server).
      To use for switching on/off by Switcher Lambda Function.
    Default: 'true'
  DesiredECSTaskCount:
    Type: Number
    Description: |
      Number of running ECS task on ECS server.
      If is 0, no running costs but no running server (i.e., no connection to the Minecraft server).
      To use for switching on/off by Switcher Lambda Function.
    Default: 1
  HostedZoneIdForS3:
    Type: String
    Description: |
      Default parameter is from Asia Pacific (Tokyo) region (ap-northeast-1).
      Details > https://docs.aws.amazon.com/general/latest/gr/s3.html#s3_website_region_endpoints
    Default: Z2M4EHUR26P7ZW
  MinecraftWhiteListString:
    Type: String
    Description: |
      Comma-separated user whitelist srting for Minecraft.
      Required username and UUID from Minecraft.
      E.g.) ${UUID_01}:${USERNAME_01},${UUID_02}:${USERNAME_02}
    Default: ''
  MinecraftContainerCpuSize:
    Type: Number
    Description: |
      Minecraft container's CPU size.
    Default: 1024
  MinecraftContainerMemorySoftLimit:
    Type: Number
    Description: |
      Minecraft container's memory soft-limit.
    Default: 1024
  MinecraftContainerMemoryHardLimit:
    Type: Number
    Description: |
      Minecraft container's memory hard-limit.
      This value should be twice soft-limit.
    Default: 2048
  ResourceTagKey:
    Type: String
    Description: Tag key to be associated with resources, almost identical to the key name auto-generated by SAM-CLI (difference is prefix `aws` to `minecraft`,) set AWS::StackName to value
    Default: minecraft:cloudformation:stack-name


Conditions:
  IsCreatedNLB: !Equals [ !Ref IsCreatedNLB, 'true' ]
  IsSetCustomDomain: !Not [ !Equals [ !Ref MinecraftDomain, 'null' ] ]
  IsSetCustomSubDomain: !Not [ !Equals [ !Ref MinecraftSubDomain, 'null' ] ]
  IsReusedHostedZone: !Not [ !Equals [ !Ref MinecraftHostedZoneId, 'null' ] ]


Resources:
  # VPC
  MinecraftVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.10.0.0/24
      EnableDnsHostnames: true
  MinecraftVPCPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MinecraftVPC
      CidrBlock: 10.10.0.0/28
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select
      - 0
      - Fn::GetAZs: !Ref AWS::Region
  MinecraftVPCSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: For Minecraft server
      VpcId: !Ref MinecraftVPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 25565
        ToPort: 25565
        CidrIp: 0.0.0.0/0
      - IpProtocol: udp
        FromPort: 25565
        ToPort: 25565
        CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
      - IpProtocol: -1
        FromPort: -1
        ToPort: -1
        CidrIp: 0.0.0.0/0

  # IGW
  MinecraftVPCIGW:
    Type: AWS::EC2::InternetGateway
  MinecraftVPCIGWAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref MinecraftVPCIGW
      VpcId: !Ref MinecraftVPC

  # RoutingTable
  MinecraftVPCRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MinecraftVPC
  MinecraftVPCRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref MinecraftVPCRouteTable
      SubnetId: !Ref MinecraftVPCPublicSubnet
  MinecraftVPCRoute:
    Type: AWS::EC2::Route
    Properties:
      GatewayId: !Ref MinecraftVPCIGW
      RouteTableId: !Ref MinecraftVPCRouteTable
      DestinationCidrBlock: 0.0.0.0/0

  # NLB
  MinecraftVPCPublicSubnetNLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Condition: IsCreatedNLB
    Properties:
      Type: network
      Subnets:
      - !Ref MinecraftVPCPublicSubnet
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName
  MinecraftVPCPublicSubnetNLBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Condition: IsCreatedNLB
    Properties:
      VpcId: !Ref MinecraftVPC
      TargetType: ip
      Protocol: TCP_UDP
      Port: 25565
  MinecraftVPCPublicSubnetNLBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Condition: IsCreatedNLB
    Properties:
      LoadBalancerArn: !Ref MinecraftVPCPublicSubnetNLB
      Protocol: TCP_UDP
      Port: 25565
      DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref MinecraftVPCPublicSubnetNLBTargetGroup

  # Route53
  MinecraftRoute53HostedZone:
    Type: AWS::Route53::HostedZone
    Condition: IsSetCustomDomain
    Properties:
      Name: !Ref MinecraftDomain
      HostedZoneTags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName
  MinecraftRoute53RecordSetGroup:
    Type: AWS::Route53::RecordSetGroup
    Condition: IsSetCustomSubDomain
    Properties:
      HostedZoneId: !If
      - IsReusedHostedZone
      - !Ref MinecraftHostedZoneId
      - !Ref MinecraftRoute53HostedZone
      RecordSets:
      - Type: A
        Name: !Sub ${MinecraftSubDomain}.
        AliasTarget: !If
        - IsCreatedNLB
        - HostedZoneId: !GetAtt MinecraftVPCPublicSubnetNLB.CanonicalHostedZoneID
          DNSName: !GetAtt MinecraftVPCPublicSubnetNLB.DNSName
        - HostedZoneId: !Ref HostedZoneIdForS3
          DNSName: !Sub s3-website-${AWS::Region}.amazonaws.com

  # ECS
  MinecraftECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Sub ${AWS::StackName}-minecraft
      ClusterSettings:
      - Name: containerInsights
        Value: enabled
  MinecraftECSTask:
    Type: AWS::ECS::TaskDefinition
    DependsOn:
    - MinecraftBucket
    - MinecraftBackupBucket
    Properties:
      Family: minecraft
      Cpu: !Ref MinecraftContainerCpuSize
      Memory: !Ref MinecraftContainerMemoryHardLimit
      RuntimePlatform:
        CpuArchitecture: ARM64
      RequiresCompatibilities:
      - FARGATE
      NetworkMode: awsvpc
      TaskRoleArn: !Ref MinecraftECSTaskRole
      ExecutionRoleArn: !Ref MinecraftECSTaskExecRole
      ContainerDefinitions:
      - Name: minecraft-server
        Image: !Ref MinecraftServerImage
        MemoryReservation: !Ref MinecraftContainerMemorySoftLimit
        PortMappings:
        - ContainerPort: 25565
        StopTimeout: 120
        Essential: true
        Environment:
        - Name: BUCKET_NAME
          Value: !Ref AWS::StackName
        - Name: BACKUP_BUCKET_NAME
          Value: !Sub backup.${AWS::StackName}
        - Name: MINECRAFT_MEMORY
          Value: !Ref MinecraftContainerMemorySoftLimit
        - Name: MINECRAFT_WHITE_LIST
          Value: !Ref MinecraftWhiteListString
        LogConfiguration:
          LogDriver: awslogs
          Options:
            awslogs-region: !Ref AWS::Region
            awslogs-group: !Ref MinecraftECSLogGroup
            awslogs-stream-prefix: minecraft
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName
  MinecraftECSService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref MinecraftECSCluster
      ServiceName: minecraft
      LaunchType: FARGATE
      TaskDefinition: !Ref MinecraftECSTask
      DesiredCount: !Ref DesiredECSTaskCount
      DeploymentConfiguration:
        MinimumHealthyPercent: 0
      EnableExecuteCommand: true
      LoadBalancers:
      - !If
        - IsCreatedNLB
        - ContainerName: minecraft-server
          ContainerPort: 25565
          TargetGroupArn: !Ref MinecraftVPCPublicSubnetNLBTargetGroup
        - !Ref AWS::NoValue
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
          - !Ref MinecraftVPCSG
          Subnets:
          - !Ref MinecraftVPCPublicSubnet
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName
      # ECS service depends on NLB Listener but DependsOn cannot use Fn::If
      - !If
        - IsCreatedNLB
        - Key: NLBListener
          Value: !Ref MinecraftVPCPublicSubnetNLBListener
        - !Ref AWS::NoValue
  MinecraftECSLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /ecs/logs/${AWS::StackName}/minecraft-server
      RetentionInDays: 14
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName

  # S3
  MinecraftBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref AWS::StackName
  MinecraftBackupBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub backup.${AWS::StackName}
      VersioningConfiguration:
        Status: Enabled
      LifecycleConfiguration:
        Rules:
        - Id: VersioningSettingForLatestMinecraftServer
          Status: Enabled
          Prefix: minecraft-server/latest/
          NoncurrentVersionTransitions:
          - StorageClass: GLACIER
            TransitionInDays: 7
          NoncurrentVersionExpiration:
            NoncurrentDays: 90
            NewerNoncurrentVersions: 10
        - Id: AbortIncompleteMultipartUploadForLatestMinecraftServer
          Status: Enabled
          Prefix: minecraft-server/latest/
          AbortIncompleteMultipartUpload:
            DaysAfterInitiation: 3

  ## NLBリソースを削除している際にもRoute53のHostedZoneでドメイン登録するために
  ## 用意しているダミーS3バケット
  HoldedDomainSettingsBucket:
    Type: AWS::S3::Bucket
    Condition: IsSetCustomSubDomain
    Properties:
      BucketName: !Ref MinecraftSubDomain

  # Lambda
  MinecraftSwitcher:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}-minecraft-switcher
      CodeUri: src/switcher/
      Handler: app.handler
      Runtime: python3.9
      Architectures:
      - arm64
      FunctionUrlConfig:
        AuthType: NONE
      Environment:
        Variables:
          STACK_NAME: !Ref AWS::StackName
          SWITCHED_PARAMETER: 'IsCreatedNLB'
          CHANGED_TASK_COUNT_PARAMETER: 'DesiredECSTaskCount'
          TABLE_NAME: !Ref MinecraftConnectedCounterTable
      Events:
        SnsSwitchOffTopic:
          Type: SNS
          Properties:
            Topic: !Ref MinecraftServerSwitchOffSNSTopic
      Policies:
      - ElasticLoadBalancingReadOnly
      - AmazonRoute53ReadOnlyAccess
      - CloudFormationDescribeStacksPolicy: !Ref AWS::NoValue
      - Route53ChangeResourceRecordSetsPolicy:
          HostedZoneId: '*'
      - SNSCrudPolicy:
          TopicName: '*'
      - DynamoDBReadPolicy:
          TableName: !Ref MinecraftConnectedCounterTable
      - Statement:
        - Sid: CloudFormationUpdateStack
          Effect: Allow
          Action:
          - cloudformation:*
          Resource:
          - !Ref AWS::StackId
        - Sid: ECSUpdateService
          Effect: Allow
          Action: '*'
          Resource:
          - !Ref MinecraftECSService
        - Sid: IAMPassRole
          Effect: Allow
          Action:
          - iam:GetRole
          - iam:PassRole
          Resource:
          - !GetAtt MinecraftECSTaskExecRole.Arn
          - !GetAtt MinecraftECSTaskRole.Arn
          - !GetAtt CloudWatchLogsSubscriptionFilterRole.Arn
        - Sid: NLBUpdate
          Effect: Allow
          Action:
          - elasticloadbalancing:CreateLoadBalancer
          - elasticloadbalancing:DeleteLoadBalancer
          - elasticloadbalancing:CreateTargetGroup
          - elasticloadbalancing:DeleteTargetGroup
          - elasticloadbalancing:CreateListener
          - elasticloadbalancing:DeleteListener
          Resource:
          - !Sub arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/net/*
          - !Sub arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*
          - !Sub arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener/net/*
        - Sid: Route53UpdateHostedZone
          Effect: Allow
          Action:
          - route53:CreateHostedZone
          - route53:DeleteHostedZone
          Resource: '*'
        - Sid: LambdaGetURLConfig
          Effect: Allow
          Action:
          - lambda:GetFunctionUrlConfig
          Resource:
          - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*
        - Sid: CloudWatchLogsDescribeLogGroups
          Effect: Allow
          Action:
          - logs:DescribeLogGroups
          - logs:DescribeSubscriptionFilters
          Resource: '*'
        - Sid: CloudWatchLogsCreateSubscriptionFilter
          Effect: Allow
          Action:
          - logs:CreateSubscriptionFilter
          - logs:DeleteSubscriptionFilter
          - logs:PutSubscriptionFilter
          Resource:
          - !GetAtt MinecraftECSLogGroup.Arn
        - Sid: KinesisCreateStream
          Effect: Allow
          Action:
          - kinesis:DescribeStreamSummary
          - kinesis:CreateStream
          - kinesis:DeleteStream
          - kinesis:AddTagsToStream
          - kinesis:RemoveTagsFromStream
          Resource:
          - !Sub arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*
        - Sid: LambdaCreateEvent
          Effect: Allow
          Action:
          - lambda:GetEventSourceMapping
          - lambda:CreateEventSourceMapping
          - lambda:DeleteEventSourceMapping
          # lambda:*EventSourceMappingアクションはリソースレベルのアクセス許可が未サポート
          Resource: '*'
        - Sid: LambdaAddPermission
          Effect: Allow
          Action:
          - lambda:AddPermission
          - lambda:RemovePermission
          Resource:
          - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*
  MinecraftSwitcherLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${MinecraftSwitcher}
      RetentionInDays: 14
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName

  # CloudWatch Logs Subscription Filter to count the number of connected some clients
  MinecraftECSConnectedCountSubscriptionFilter:
    Type: AWS::Logs::SubscriptionFilter
    Condition: IsCreatedNLB
    Properties:
      LogGroupName: !Ref MinecraftECSLogGroup
      FilterPattern: ' the game'
      DestinationArn: !GetAtt MinecraftECSLogKinesisDataStream.Arn
      RoleArn: !GetAtt CloudWatchLogsSubscriptionFilterRole.Arn
  MinecraftECSLogKinesisDataStream:
    Type: AWS::Kinesis::Stream
    Condition: IsCreatedNLB
    Properties:
      StreamModeDetails:
        StreamMode: ON_DEMAND
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName
  MinecraftECSConnectedSomeClientsCounter:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}-minecraft-ecs-connected-counter
      CodeUri: src/clients_counter
      Handler: app.handler
      Runtime: python3.9
      Architectures:
      - arm64
      Environment:
        Variables:
          TABLE_NAME: !Ref MinecraftConnectedCounterTable
      Policies:
      - KinesisStreamReadPolicy:
          StreamName: '*'
      - DynamoDBCrudPolicy:
          TableName: !Ref MinecraftConnectedCounterTable
  MinecraftECSConnectedSomeClientsCounterEventOfKinesisDataStream:
    Type: AWS::Lambda::Permission
    Condition: IsCreatedNLB
    Properties:
      FunctionName: !Ref MinecraftECSConnectedSomeClientsCounter
      Action: lambda:InvokeFunction
      Principal: kinesis.amazonaws.com
      SourceArn: !GetAtt MinecraftECSLogKinesisDataStream.Arn
  MinecraftECSConnectedSomeClientsCounterEventSourceMapping:
    Type: AWS::Lambda::EventSourceMapping
    Condition: IsCreatedNLB
    Properties:
      Enabled: true
      FunctionName: !Ref MinecraftECSConnectedSomeClientsCounter
      EventSourceArn: !GetAtt MinecraftECSLogKinesisDataStream.Arn
      StartingPosition: TRIM_HORIZON
  MinecraftECSConnectedSomeClientsCounterLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /aws/lambda/${MinecraftECSConnectedSomeClientsCounter}
      RetentionInDays: 14
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName
  MinecraftConnectedCounterTable:
    Type: AWS::Serverless::SimpleTable
    Properties:
      Tags:
        # Key is not used Fn::Ref: ResourceTagKey
        minecraft:cloudformation:stack-name: !Ref AWS::StackName

  # CloudWatch Logs Metric Filter for alarm when the number of connected some clients reaches 0
  MinecraftECSConnectedCountMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      FilterPattern: '{ $.connected_count = 0 }'
      LogGroupName: !Ref MinecraftECSConnectedSomeClientsCounterLogGroup
      MetricTransformations:
      - MetricNamespace: MinecraftECSTask
        MetricName: !Sub ${MinecraftECSConnectedSomeClientsCounterLogGroup}/minecraft-connected-count
        MetricValue: 1
  MinecraftECSConnectedAnyClientsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub ${AWS::StackName}-minecraft-ecs-connected-any-clients
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      DatapointsToAlarm: 1
      EvaluationPeriods: 30
      TreatMissingData: notBreaching
      Metrics:
      - Id: result
        Label: minecraft_connected_count_repeared
        Expression: FILL(m1, 0)
        ReturnData: true
      - Id: m1
        Label: minecraft_connected_count
        MetricStat:
          Metric:
            Namespace: MinecraftECSTask
            MetricName: !Sub ${MinecraftECSConnectedSomeClientsCounterLogGroup}/minecraft-connected-count
          Period: 60
          Stat: Sum
        ReturnData: false
      OKActions:
      - !Ref MinecraftServerSwitchOffSNSTopic
  MinecraftServerSwitchOffSNSTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
      - Protocol: lambda
        Endpoint: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-minecraft-switcher
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName

  # IAM
  MinecraftECSTaskExecRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${AWS::StackName}-minecraft-server-task-exec-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ecs-tasks.amazonaws.com
          Action:
          - sts:AssumeRole
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName
  MinecraftECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${AWS::StackName}-minecraft-server-task-role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - ecs-tasks.amazonaws.com
          Action:
          - sts:AssumeRole
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonS3FullAccess
      - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName
  CloudWatchLogsSubscriptionFilterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - !Sub logs.${AWS::Region}.amazonaws.com
          Action:
          - sts:AssumeRole
      Policies:
      - PolicyName: !Sub ${AWS::StackName}-PutRecordToKinesisDataStream
        PolicyDocument:
          Version: 2012-10-17
          Statement:
          - Effect: Allow
            Action:
            - kinesis:PutRecord
            Resource: '*'
      Tags:
      - Key: !Ref ResourceTagKey
        Value: !Ref AWS::StackName


Outputs:
  MinecraftSwitcherURL:
    Description: MinecraftSwitcher Lambda function endpoint URL
    Value: !GetAtt MinecraftSwitcherUrl.FunctionUrl