Created
May 15, 2018 13:16
Save jlis/4bc528041b9661ae6594c63cd2ef673c to your computer and use it in GitHub Desktop.
AWS ECS and ECR deployment via Docker and Gitlab CI
```yaml
image: docker:latest

variables:
  REPOSITORY_URL: <AWS ACCOUNT ID>.dkr.ecr.eu-central-1.amazonaws.com/<ECS REPOSITORY NAME>
  REGION: eu-central-1
  TASK_DEFINTION_NAME: <TASK DEFINITION NAME>
  CLUSTER_NAME: <CLUSTER NAME>
  SERVICE_NAME: <SERVICE NAME>

services:
  - docker:dind

before_script:
  - apk add --no-cache curl jq python py-pip
  - pip install awscli
  # Log the Docker client in to ECR with the runner's AWS credentials.
  - $(aws ecr get-login --no-include-email --region "${REGION}")
  # Short commit SHA, used as the immutable image tag.
  - IMAGE_TAG="$(echo $CI_COMMIT_SHA | head -c 8)"

stages:
  - build
  - deploy

build:
  stage: build
  script:
    - echo "Building image..."
    - docker build -t $REPOSITORY_URL:latest .
    - echo "Tagging image..."
    - docker tag $REPOSITORY_URL:latest $REPOSITORY_URL:$IMAGE_TAG
    - echo "Pushing image..."
    - docker push $REPOSITORY_URL:latest
    - docker push $REPOSITORY_URL:$IMAGE_TAG
  only:
    - master

deploy:
  stage: deploy
  script:
    - echo $REPOSITORY_URL:$IMAGE_TAG
    - TASK_DEFINITION=$(aws ecs describe-task-definition --task-definition "$TASK_DEFINTION_NAME" --region "${REGION}")
    # Swap the image of the first container definition for the freshly pushed tag.
    - NEW_CONTAINER_DEFINTIION=$(echo $TASK_DEFINITION | python $CI_PROJECT_DIR/update_task_definition_image.py $REPOSITORY_URL:$IMAGE_TAG)
    - echo "Registering new container definition..."
    # Only the family and container definitions are passed here; task role,
    # execution role, CPU/memory and network mode are not carried over.
    - aws ecs register-task-definition --region "${REGION}" --family "${TASK_DEFINTION_NAME}" --container-definitions "${NEW_CONTAINER_DEFINTIION}"
    - echo "Updating the service..."
    - aws ecs update-service --region "${REGION}" --cluster "${CLUSTER_NAME}" --service "${SERVICE_NAME}" --task-definition "${TASK_DEFINTION_NAME}"
  only:
    - master
```
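```python
import sys, json, argparse

parser = argparse.ArgumentParser('Replaces image in the task definition')
parser.add_argument('image_uri', metavar='I', type=str, nargs='+',
                    help='The new image URI')
args = parser.parse_args()

# Read the `aws ecs describe-task-definition` JSON from stdin and keep only
# the container definitions.
definition = json.load(sys.stdin)['taskDefinition']['containerDefinitions']
# Point the first container at the new image.
definition[0]['image'] = args.image_uri[0]
# print() with a single argument behaves the same on Python 2 and Python 3.
print(json.dumps(definition))
```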
Hi Team,
I am using the below script for deployment:
```yaml
scripts:
  - $(aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ECR_REGISTRY | tr -d '\r')
  - TASK_DEFINITION_CURRENT=$(aws ecs describe-services --services "${SERVICE_NAME}" --cluster "${CLUSTER_NAME}" | jq -r .services[].taskDefinition | cut -d "/" -f 2)
  - TASK_DEFINTION_NAME=$(echo $TASK_DEFINITION_CURRENT | cut -d ":" -f 1 )
  - TASK_DEFINITION=$(aws ecs describe-task-definition --task-definition "$TASK_DEFINTION_NAME")
  - NEW_CONTAINER_DEFINTIION=$(echo $TASK_DEFINITION | jq --arg IMAGE "${AWS_ECR_REGISTRY}/${APP_NAME}/${CI_COMMIT_REF_SLUG}:${SEMVER}" '.taskDefinition.containerDefinitions[0].image = $IMAGE | .taskDefinition.containerDefinitions[0]')
  - EXECUTION_ROLE_ARN=$(echo $TASK_DEFINITION | jq -r '.taskDefinition.executionRoleArn')
  - TASK_ROLE_ARN=$(echo $TASK_DEFINITION | jq -r '.taskDefinition.taskRoleArn')
  - CONTAINER_MEMORY=$(echo $TASK_DEFINITION | jq -r '.taskDefinition.memory')
  - CONTAINER_CPU=$(echo $TASK_DEFINITION | jq -r '.taskDefinition.cpu')
  - REQUIRE_COMPATABILITIES=$(echo $TASK_DEFINITION | jq -r '.taskDefinition.requiresCompatibilities[]')
  - NETWORK_MODE=$(echo $TASK_DEFINITION | jq -r '.taskDefinition.networkMode')
  - echo "Registering new container definition..."
  - aws ecs register-task-definition --family "${TASK_DEFINTION_NAME}" --container-definitions "${NEW_CONTAINER_DEFINTIION}" --execution-role-arn "${EXECUTION_ROLE_ARN}" --memory "${CONTAINER_MEMORY}" --requires-compatibilities "${REQUIRE_COMPATABILITIES}" --network-mode "${NETWORK_MODE}" --cpu "${CONTAINER_CPU}" --task-role-arn "${TASK_ROLE_ARN}"
  - echo "Updating the service..."
  - aws ecs update-service --cluster "${CLUSTER_NAME}" --service "${SERVICE_NAME}" --task-definition "${TASK_DEFINTION_NAME}"
```
but I am getting the below error:
“message”: “(service crm-api-secured) failed to launch a task with (error ECS was unable to assume the role ‘arn:aws:iam::XXXXXXXXX:role/null’ that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.).”
Anyone, please help with the same.
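An added example, not part of the gist or of the comment above: the gist registers a new revision from `--family` and `--container-definitions` alone, so the task and execution roles are not carried over, and `jq -r` prints the string `null` for a field the task definition lacks, which is consistent with the `role/null` in the error. The sketch below builds the complete input for `aws ecs register-task-definition --cli-input-json` from the `describe-task-definition` output and omits absent fields; the function name, the field allowlist and the sample document (with a made-up account ID) are assumptions constructed for illustration.

```python
import json

# Input fields of `register-task-definition` that `describe-task-definition`
# also returns. Output-only fields (revision, status, taskDefinitionArn, ...)
# are not listed and therefore never copied.
CARRY_OVER = (
    "family", "taskRoleArn", "executionRoleArn", "networkMode",
    "containerDefinitions", "volumes", "placementConstraints",
    "requiresCompatibilities", "cpu", "memory",
)

def build_register_input(described, image_uri, container_index=0):
    """Return register-task-definition input that differs from the described
    revision only in the image of one container."""
    current = described["taskDefinition"]
    new = {}
    for key in CARRY_OVER:
        value = current.get(key)
        # A missing or null role is omitted, never forwarded as "null",
        # which ECS would interpret as a role name.
        if value is None:
            continue
        new[key] = value
    # Copy the container definitions so the caller's data is not mutated.
    containers = [dict(c) for c in new["containerDefinitions"]]
    containers[container_index]["image"] = image_uri
    new["containerDefinitions"] = containers
    return new

# Constructed sample: a task definition with a task role but no execution role.
SAMPLE = {"taskDefinition": {
    "taskDefinitionArn": "arn:aws:ecs:eu-central-1:111122223333:task-definition/app:7",
    "family": "app", "revision": 7, "status": "ACTIVE",
    "taskRoleArn": "arn:aws:iam::111122223333:role/app-task",
    "networkMode": "bridge",
    "containerDefinitions": [{
        "name": "app", "memory": 256, "essential": True,
        "image": "111122223333.dkr.ecr.eu-central-1.amazonaws.com/app:0ld0c0de",
    }],
}}

if __name__ == "__main__":
    new_image = "111122223333.dkr.ecr.eu-central-1.amazonaws.com/app:abcd1234"
    print(json.dumps(build_register_input(SAMPLE, new_image), indent=2))
```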
Hi Team,
I am getting the below vulnerability. How to fix it? Anyone, please help.
Improper access control in the Intel(R) Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.