Originally based on
Workflows are triggered on a push to the main/master branch or by a one-click manual trigger:
- deployimage.yml: builds the app on a Docker Hub or ECR base image, then pushes the app image to ECR for an in-place deploy to the ECS repo/cluster/service.
- loaddb.yml: loads a MySQL dump onto an RDS instance via the MySQL client on a bastion host in the same VPC.
Note: the build runs inside the deploy workflow because secrets must be passed to the container as environment variables at runtime. That happens through the task definition, which is managed in our Terraform envs. This keeps secrets out of the image itself; a secret baked into an image layer is readable by anyone who can pull the image.
Define the following secrets in the GitHub repo:
- AWS_ACCESS_KEY_ID: access key ID.
- AWS_SECRET_ACCESS_KEY: secret access key.
- DB_PW: DB password.
- DB_USERNAME: DB username.
- DB_NAME: DB name.
- JUMPHOST_PRIVATE_KEY_AWS: bastion EC2 PEM key for devops.
Edit the following environment variables in the workflow file as needed:
- AWS_REGION: AWS region.
- ECR_REPOSITORY: ECR repository name; aligns with the Terraform cloud env local vars.
- ECS_SERVICE: ECS service name; aligns with the Terraform cloud env local vars.
- ECS_CLUSTER: ECS cluster name; aligns with the Terraform cloud env local vars.
- DOCKER_HUB_USERNAME: Docker Hub username.
- DOCKER_HUB_TOKEN: Docker Hub access token.
- IMAGE_NAME: Docker image name.
- IMAGE_TAG: Docker image tag.
Simply run the actions with one click to deploy the new app image in place to the ECS cluster/service here.
Infra is managed with the Terraform repo envs here.
Workflow steps:
- Checkout the repo code
- Configure AWS creds
- Log into ECR
- Build and push the Docker image to the ECR repo
- Deploy updated Docker image to ECS cluster/service in place
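A minimal deployimage.yml that carries out these five steps, added here as an illustration and not the repository's own workflow file. The action versions, the placeholder names in `env`, and the use of `aws ecs update-service --force-new-deployment` for the in-place deploy are assumptions; IMAGE_TAG must be the tag the Terraform-managed task definition references, and the DB secrets are intentionally never passed to `docker build`.

```yaml
name: deployimage
on:
  push:
    branches: [main, master]
  workflow_dispatch:          # one-click manual trigger

env:
  AWS_REGION: us-east-1       # placeholder; set your region
  ECR_REPOSITORY: my-app      # placeholder; must equal the aws_ecr_repository name in Terraform
  ECS_SERVICE: my-app-svc     # placeholder; must equal the aws_ecs_service name in Terraform
  ECS_CLUSTER: my-app-cluster # placeholder; must equal the aws_ecs_cluster name in Terraform
  IMAGE_NAME: my-app          # placeholder
  IMAGE_TAG: latest           # placeholder; the task definition must reference this tag

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repo code
        uses: actions/checkout@v4

      - name: Configure AWS creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Log into ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build and push the Docker image to the ECR repo
        env:
          REGISTRY: ${{ steps.ecr.outputs.registry }}
        run: |
          # DB_PW / DB_USERNAME / DB_NAME are deliberately absent: no --build-arg and no ENV
          # in the Dockerfile. They reach the container only at runtime via the task definition.
          docker build -t "$IMAGE_NAME:$IMAGE_TAG" .
          docker tag "$IMAGE_NAME:$IMAGE_TAG" "$REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
          docker push "$REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

      - name: Deploy updated Docker image to ECS cluster/service in place
        run: |
          # Same task definition, fresh tasks: ECS re-pulls IMAGE_TAG from ECR.
          aws ecs update-service --cluster "$ECS_CLUSTER" --service "$ECS_SERVICE" \
            --force-new-deployment
```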
Terraform alignment:
- ECR_REPOSITORY in GitHub Actions <-> name in aws_ecr_repository in Terraform (ecr_images)
- ECS_SERVICE in GitHub Actions <-> name in aws_ecs_service in Terraform (my_service)
- ECS_CLUSTER in GitHub Actions <-> name in aws_ecs_cluster in Terraform (my_cluster)
- IMAGE_NAME and IMAGE_TAG in GitHub Actions <-> used for building and tagging the Docker image.