Last active
May 19, 2023 06:30
-
-
Save trbngr/2100f852f5350edf703613e417cc3956 to your computer and use it in GitHub Desktop.
TF ECS + Deploy
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ${environment} deploy | |
| on: | |
| push: | |
| branches: | |
| - ${deploy_branch} | |
| workflow_dispatch: | |
| env: | |
| CONTAINER_NAME: ${container_name} | |
| ECS_CLUSTER_NAME: ${ecs_cluster} | |
| ECS_SERVICE: ${ecs_service} | |
| ECS_TASK_DEFINITION: ${ecs_task_definition} | |
| ECR_REPOSITORY: ${ecr_repo} | |
| jobs: | |
| deploy: | |
| name: Deploy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| role-skip-session-tagging: true | |
| aws-access-key-id: $${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: $${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: $${{ secrets.AWS_REGION }} | |
| - name: login to ecr | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| - name: build, tag, and push image | |
| env: | |
| ECR_REGISTRY: $${{ steps.login-ecr.outputs.registry }} | |
| ECR_REPOSITORY: $${{ env.ECR_REPOSITORY }} | |
| IMAGE_TAG: $${{ github.sha }} | |
| run: | | |
| docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . | |
| docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
| - name: logout of ecr | |
| if: always() | |
| run: | | |
| docker logout $${{ steps.login-ecr.outputs.registry }} | |
| - name: fetch current task definition | |
| run: aws ecs describe-task-definition --task-definition $${{ env.ECS_TASK_DEFINITION }} --query taskDefinition > task-definition.json | |
| - name: render task definition | |
| id: render-task-definition | |
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | |
| with: | |
| task-definition: "task-definition.json" | |
| container-name: $${{ env.CONTAINER_NAME }} | |
| image: $${{ format('{0}/{1}:{2}', steps.login-ecr.outputs.registry, env.ECR_REPOSITORY, github.sha) }} | |
| - name: deploy task definition | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@v1 | |
| with: | |
| task-definition: $${{ steps.render-task-definition.outputs.task-definition }} | |
| service: $${{ env.ECS_SERVICE }} | |
| cluster: $${{ env.ECS_CLUSTER_NAME }} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "aws_iam_user" "github_deploy" { | |
| name = "${local.prefix}-github-deploy" | |
| } | |
| resource "aws_iam_access_key" "github_deploy" { | |
| user = aws_iam_user.github_deploy.name | |
| } | |
| resource "github_repository_file" "api_deploy_workflow" { | |
| repository = var.api_github_repo | |
| branch = "main" | |
| file = ".github/workflows/deploy-${terraform.workspace}.yml" | |
| content = templatefile("./templates/github/deploy_workflow.yml.tpl", { | |
| environment = terraform.workspace | |
| container_name = local.prefix | |
| ecs_cluster = aws_ecs_cluster.main.name | |
| ecs_service = aws_ecs_service.api.name | |
| ecr_repo = aws_ecr_repository.repo.name | |
| deploy_branch = var.api_github_deploy_branch | |
| ecs_task_definition = aws_ecs_task_definition.api.family | |
| }) | |
| commit_message = "Created by Terraform" | |
| commit_author = "Terraform User" | |
| commit_email = "[email protected]" | |
| overwrite_on_create = true | |
| } | |
| resource "github_actions_secret" "aws_access_key_id" { | |
| repository = var.api_github_repo | |
| secret_name = "AWS_ACCESS_KEY_ID" | |
| plaintext_value = aws_iam_access_key.github_deploy.id | |
| } | |
| resource "github_actions_secret" "aws_secret_access_key" { | |
| repository = var.api_github_repo | |
| secret_name = "AWS_SECRET_ACCESS_KEY" | |
| plaintext_value = aws_iam_access_key.github_deploy.secret | |
| } | |
| resource "github_actions_secret" "aws_region" { | |
| repository = var.api_github_repo | |
| secret_name = "AWS_REGION" | |
| plaintext_value = data.aws_region.current.name | |
| } | |
| resource "aws_iam_user_policy_attachment" "github_deploy" { | |
| user = aws_iam_user.github_deploy.name | |
| policy_arn = aws_iam_policy.github_deploy.arn | |
| } | |
| resource "aws_iam_policy" "github_deploy" { | |
| name = "${local.prefix}-github-deploy" | |
| policy = jsonencode({ | |
| Version = "2012-10-17" | |
| Statement = [ | |
| { | |
| Sid = "GetAuthorizationToken" | |
| Action = ["ecr:GetAuthorizationToken"] | |
| Effect = "Allow" | |
| Resource = "*" | |
| }, | |
| { | |
| Sid = "PassRolesInTaskDefinition" | |
| Action = ["iam:PassRole"] | |
| Effect = "Allow" | |
| Resource = aws_iam_role.task_execution_role.arn | |
| }, | |
| { | |
| Sid = "TaskDefinitions" | |
| Action = [ | |
| "ecs:RegisterTaskDefinition", | |
| "ecs:DescribeTaskDefinition" | |
| ] | |
| Effect = "Allow" | |
| Resource = "*" | |
| }, | |
| { | |
| Sid = "DeployService" | |
| Action = [ | |
| "ecs:UpdateService", | |
| "ecs:DescribeServices" | |
| ] | |
| Effect = "Allow" | |
| Resource = aws_ecs_service.api.id | |
| }, | |
| { | |
| Sid = "AllowPull" | |
| Action = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"] | |
| Effect = "Allow" | |
| Resource = aws_ecr_repository.repo.arn | |
| }, | |
| { | |
| Sid = "AllowPush" | |
| Action = [ | |
| "ecr:GetDownloadUrlForLayer", | |
| "ecr:BatchGetImage", | |
| "ecr:BatchCheckLayerAvailability", | |
| "ecr:PutImage", | |
| "ecr:InitiateLayerUpload", | |
| "ecr:UploadLayerPart", | |
| "ecr:CompleteLayerUpload" | |
| ] | |
| Effect = "Allow" | |
| Resource = aws_ecr_repository.repo.arn | |
| } | |
| ] | |
| }) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment