From 637eec12dd5ca60ba9ab69ea5289dd8f894b1a87 Mon Sep 17 00:00:00 2001
From: Maicon Alegre
Date: Mon, 4 Dec 2023 16:49:42 +1030
Subject: [PATCH] modified the file cluster.ts which creates the VPC Resources, and now it creates a VPC with only private subnets without NAT Gateway. - VPC Interface Endpoints to ECR, Docker and OCI client endpoints and Cloudwatch - VPC Gateway Endpoint for S3 This is to provide a fully private Cluster and access to the Service Endpoints internally. Also, I changed the ALB to be private by changing internetFacing variable to false on the attached file services.ts.
---
 lib/ecs/cluster.ts | 42 ++++++++++++++++++++++++++++++++++++++++--
 lib/ecs/service.ts | 2 +-
 2 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/lib/ecs/cluster.ts b/lib/ecs/cluster.ts
index fe995c1..161f26d 100644
--- a/lib/ecs/cluster.ts
+++ b/lib/ecs/cluster.ts
@@ -17,9 +17,47 @@ export class EcsBlueGreenCluster extends Construct {
 constructor(scope: Construct, id: string, props: EcsBlueGreenClusterProps = {}) {
 super(scope, id);
+ // Create the VPC for the ECS cluster. The VPC will have one private subnet without NAT Gateway.
 this.vpc = new ec2.Vpc(this, 'ecsClusterVPC', {
- cidr: props.cidr
- });
+ cidr: props.cidr,
+ subnetConfiguration: [
+ {
+ name: 'Private',
+ subnetType: ec2.SubnetType.PRIVATE_ISOLATED
+ }
+ ]
+ });
+
+ // Create the VPC endpoint for the ECR registry
+ new ec2.InterfaceVpcEndpoint(this, 'ECRVpcEndpoint', {
+ vpc: this.vpc,
+ service: ec2.InterfaceVpcEndpointAwsService.ECR,
+ privateDnsEnabled: true
+ })
+
+ // Create the VPC endpoint for the ECR Docker registry. This is required for the Fargate task to pull the docker image from ECR.
+ //This is not required for the ECS task to pull the docker image from ECR. The ECS task will pull the docker image from EC
+
+ new ec2.InterfaceVpcEndpoint(this, 'ECRDockerVpcEndpoint', {
+ vpc: this.vpc,
+ service: ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
+ privateDnsEnabled: true
+ })
+
+ // access S3 bucket from Fargate task. This is required for the Fargate task to pull the docker image from ECR.
+ new ec2.GatewayVpcEndpoint(this, 'S3GatewayEndpoint', {
+ service: ec2.GatewayVpcEndpointAwsService.S3,
+ vpc: this.vpc,
+ subnets: [{ subnetType: ec2.SubnetType.PRIVATE_ISOLATED, }]
+ })
+
+ // access Cloudwatch logging
+ new ec2.InterfaceVpcEndpoint(this, 'CloudWatchLogsVpcEndpoint', {
+ vpc: this.vpc,
+ service: ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
+ privateDnsEnabled: true
+ })
+
 this.cluster = new ecs.Cluster(this, 'ecsCluster', {
 vpc: this.vpc,
 containerInsights: true
diff --git a/lib/ecs/service.ts b/lib/ecs/service.ts
index d31ae67..3853113 100644
--- a/lib/ecs/service.ts
+++ b/lib/ecs/service.ts
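Review bot: The comment above the ECR Docker endpoint is cut off mid-sentence (`// ... will pull the docker image from EC`) and its second line contradicts the first by saying the endpoint is not needed for ECS tasks, so a future reader cannot tell whether `ECRDockerVpcEndpoint` may be removed. Both lines should be replaced with one statement the code supports, e.g. `// ECR Docker endpoint: lets tasks in the isolated subnets pull image layers from ECR without a NAT gateway.` The header comment `The VPC will have one private subnet` also understates what the configuration builds, since CDK creates a subnet from that entry in each AZ it selects, so `one isolated subnet per AZ` would be accurate. Because the purpose of the change is a fully private cluster, consider scoping the endpoint policies, which default to allow-all, via `addToPolicy` on each endpoint (keeping the `new ec2.InterfaceVpcEndpoint(...)` results in locals would make that possible), and if tasks read secrets from Secrets Manager or SSM those services would presumably need endpoints too; neither is visible in this hunk. The constructor body continues past the end of the hunk.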
@@ -59,7 +59,7 @@ export class EcsBlueGreenService extends Construct {
 // Creating an application load balancer, listener and two target groups for Blue/Green deployment
 this.alb = new albv2.ApplicationLoadBalancer(this, 'alb', {
 vpc: props.vpc!,
- internetFacing: true
+ internetFacing: false
 });
 this.albProdListener = this.alb.addListener('albProdListener', {
 port: 80
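Review bot: `internetFacing: false` is hard-coded, which removes the option of a public deployment for every consumer of this construct; exposing it as a prop keeps the private default while staying configurable, `internetFacing: props.internetFacing ?? false`, with a matching optional field added to the props interface (which is outside this hunk). Marking the ALB internal does not by itself restrict who inside the VPC can reach the plaintext listener on `port: 80` shown below; the listener's security group rules are presumably set elsewhere and should be checked so the private ALB accepts traffic only from the intended sources. The enclosing constructor starts and ends outside the hunk.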