ECS canary deployment components stage 1

Deploys Green target group, ECS canary nested stack and 5xx + anomaly detection cloudwatch alarms

Issue: AUT-3494

.github/workflows/deploy-frontend-sp.yml

@@ -3,7 +3,7 @@ name: Deploy frontend (with SAM Deploy Pipeline)
 on:
   push:
     branches:
-      - AUT-3492
+      - AUT-3494
   workflow_dispatch:
 
 jobs:

cloudformation/deploy/template.yaml

@@ -224,9 +224,11 @@ Resources:
       LaunchType: FARGATE
       DesiredCount: 2
       HealthCheckGracePeriodSeconds: 15
-      DeploymentConfiguration:
-        MaximumPercent: 150
-        MinimumHealthyPercent: 50
+      DeploymentConfiguration: !If
+        - UseECSCanaryDeploymentStack
+        - !Ref AWS::NoValue
+        - MaximumPercent: 150
+          MinimumHealthyPercent: 50
       DeploymentController:
         Type: !If
           - UseECSCanaryDeploymentStack
@@ -238,6 +240,7 @@ Resources:
           TargetGroupArn: !Ref ApplicationLoadBalancerTargetGroup
       NetworkConfiguration:
         AwsvpcConfiguration:
+          AssignPublicIp: DISABLED
           SecurityGroups:
             - !GetAtt ContainerServiceSecurityGroup.GroupId
           Subnets:
@@ -796,6 +799,34 @@ Resources:
         - Key: Source
           Value: govuk-one-login/authentication-frontend/cloudformation/deploy/template.yaml
 
+  ApplicationLoadBalancerTargetGroupGreen:
+    Type: AWS::ElasticLoadBalancingV2::TargetGroup
+    Properties:
+      Name: !Sub "${Environment}-frontend-target-green"
+      HealthCheckIntervalSeconds: 10
+      HealthCheckTimeoutSeconds: 3
+      HealthCheckPath: /healthcheck/
+      HealthCheckProtocol: HTTP
+      HealthyThresholdCount: 2
+      Port: 80
+      Protocol: HTTP
+      ProtocolVersion: HTTP1
+      Matcher:
+        HttpCode: "200"
+      TargetType: ip
+      VpcId:
+        Fn::ImportValue:
+          !Sub "${VpcStackName}-VpcId"
+      Tags:
+        - Key: Name
+          Value: !Sub "${AWS::StackName}-ApplicationLoadBalancerTargetGroupGreen"
+        - Key: Environment
+          Value: !Ref Environment
+        - Key: Application
+          Value: "auth-frontend"
+        - Key: Source
+          Value: govuk-one-login/authentication-frontend/cloudformation/deploy/template.yaml
+
   ApplicationLoadBalancerDnsRecord:
     Type: AWS::Route53::RecordSet
     Properties:
@@ -965,6 +996,99 @@ Resources:
       FromPort: 8080
       ToPort: 8080
 
+  #
+  # ECS Alarms
+  #
+
+  ELB5XXAlarm:
+    Type: AWS::CloudWatch::Alarm
+    Properties:
+      AlarmDescription: >
+        The number of HTTP 5XX server error codes that originate from the load balancer.
+        This count does not include any response codes generated by the targets.
+      MetricName: HTTPCode_ELB_5XX_Count
+      Namespace: AWS/ApplicationELB
+      Statistic: Sum
+      Dimensions:
+        - Name: LoadBalancer
+          Value: !Ref ApplicationLoadBalancer
+      Period: 60
+      EvaluationPeriods: 2
+      DatapointsToAlarm: 2
+      Threshold: 2
+      ComparisonOperator: GreaterThanThreshold
+      TreatMissingData: notBreaching
+
+  ELB4XXAnomalyAlarm:
+    Type: AWS::CloudWatch::Alarm
+    Properties:
+      AlarmDescription: >
+        Based on anomaly detection, the number of HTTP 4XX server error codes that
+        originate from the load balancer. This count does not include any response
+        codes generated by the targets.
+      EvaluationPeriods: 2
+      DatapointsToAlarm: 2
+      ThresholdMetricId: ad1
+      ComparisonOperator: GreaterThanUpperThreshold
+      TreatMissingData: notBreaching
+      Metrics:
+        - Id: ad1
+          ReturnData: true
+          Expression: ANOMALY_DETECTION_BAND(m1, 2)
+        - Id: m1
+          ReturnData: true
+          MetricStat:
+            Metric:
+              Namespace: AWS/ApplicationELB
+              MetricName: HTTPCode_ELB_4XX_Count
+              Dimensions:
+                - Name: LoadBalancer
+                  Value: !GetAtt ApplicationLoadBalancer.LoadBalancerFullName
+            Period: 60
+            Stat: Sum
+
+  #
+  # Canary Deployment
+  #
+
+  ECSCanaryDeploymentStack:
+    Type: AWS::CloudFormation::Stack
+    Condition: UseECSCanaryDeploymentStack
+    DeletionPolicy: Delete
+    UpdateReplacePolicy: Delete
+    Properties:
+      TemplateURL: https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/ecs-canary-deployment/template.yaml
+      Parameters:
+        VpcId: !Sub ${VpcStackName}-VpcId
+        Subnets: !Join
+          - ","
+          - - Fn::ImportValue:
+                !Sub "${VpcStackName}-PrivateSubnetIdA"
+            - Fn::ImportValue:
+                !Sub "${VpcStackName}-PrivateSubnetIdB"
+            - Fn::ImportValue:
+                !Sub "${VpcStackName}-PrivateSubnetIdC"
+        SecurityGroups: !GetAtt ContainerServiceSecurityGroup.GroupId
+        PermissionsBoundary:
+          Fn::ImportValue: !Sub "${AWS::StackName}-ECSCanaryPermissionsBoundaryArn"
+        CodeSigningConfigArn: !If
+          - UseCodeSigning
+          - !Ref CodeSigningConfigArn
+          - !Ref AWS::NoValue
+        ECSClusterName: !Ref FrontendECSCluster
+        ECSServiceName: !GetAtt FrontendECSService.Name
+        TargetGroupName: !GetAtt ApplicationLoadBalancerTargetGroup.TargetGroupName
+        GreenTargetGroupName: !GetAtt ApplicationLoadBalancerTargetGroupGreen.TargetGroupName
+        LoadBalancerListenerARN: !Ref ApplicationLoadBalancerListenerHTTPS
+        ECSServiceTaskDefinition: !Ref TaskDefinition
+        DeploymentStrategy: !Ref DeploymentStrategy
+        ContainerName: !If [UseNginxSidecar, "nginx-sidecar", "frontend-application"]
+        ContainerPort: !If [UseNginxSidecar, 8080, 3000]
+        CloudWatchAlarms: !Sub
+          - "${ELB5XXAlarm},${ELB4XXAnomalyAlarm}"
+          - ELB5XXAlarm: !Ref ELB5XXAlarm
+            ELB4XXAnomalyAlarm: !Ref ELB4XXAnomalyAlarm
+
   #
   # Service down page
   #