Create ECS Task container from Docker image in central AWS account (cross AWS account access) #119

Merged
merged 23 commits into from
Nov 28, 2024
1c3ae91
update readme with blue-green deployment pattern use case
kunduso Nov 2, 2024
8d2db99
commented out ecr to create it in central aws account
kunduso Nov 26, 2024
e27bde0
create ecr resource in central aws account
kunduso Nov 26, 2024
4ee20fb
comment out deploy stage and add role for central account
kunduso Nov 26, 2024
1eefbd1
updated statefile storage
kunduso Nov 26, 2024
65ff6e0
do not trigger for changes in the tf folder
kunduso Nov 26, 2024
1195502
added paths and updated working directory
kunduso Nov 26, 2024
955d788
corrected environment
kunduso Nov 26, 2024
ccf660a
added policy for ecr repo
kunduso Nov 26, 2024
8af7f00
added kms key and policy for ecr
kunduso Nov 26, 2024
3dbbefa
added pipeline to deploy ecr and kms key to central aws account
kunduso Nov 26, 2024
277f445
fixed workflow error
kunduso Nov 26, 2024
0613274
corrected working directory
kunduso Nov 26, 2024
53aff04
fix checkov scan results
kunduso Nov 26, 2024
6ed833d
Merge branch 'main' into central-ecr
kunduso Nov 26, 2024
57fde8d
updated to support traditional ecs deployment
kunduso Nov 27, 2024
fda29b3
update resource reference
kunduso Nov 27, 2024
c0bb521
added cross account access policy
kunduso Nov 27, 2024
696c75b
update deployment process to ecs
kunduso Nov 27, 2024
54367d2
comment out code deploy resource to support ecs deploy
kunduso Nov 27, 2024
68dcb2e
Merge branch 'main' into central-ecr
kunduso Nov 27, 2024
7bc2550
Merge branch 'main' into central-ecr
kunduso Nov 27, 2024
9700426
fix for CKV_AWS_355
kunduso Nov 27, 2024
296 changes: 148 additions & 148 deletions .github/workflows/app-ci-cd.yml
@@ -95,152 +95,152 @@ jobs:
run: echo "IMAGE_ID=$REGISTRY/$REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
outputs:
image-id: ${{ steps.create-output.outputs.IMAGE_ID }}
# deploy:
# needs: build
# name: 'continuous-deployment'
# runs-on: ubuntu-latest
# environment: development
# env:
# IMAGE_ID: ${{ needs.build.outputs.image-id }}
# permissions:
# contents: read
# id-token: write
# pull-requests: write
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
# defaults:
# run:
# shell: bash
# working-directory: ./deploy
# steps:
# # Checkout the repository to the GitHub Actions runner
# - name: Checkout
# uses: actions/checkout@v3
# - name: Print Image Tag
# run: echo "Tag Name for the Image ${{ env.IMAGE_ID }}"
# - name: Configure AWS Credentials Action For GitHub Actions
# uses: aws-actions/configure-aws-credentials@v1-node16
# with:
# role-to-assume: ${{ secrets.IAM_ROLE }}
# role-session-name: AWSSession
# aws-region: ${{ env.AWS_REGION }}

# # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
# - name: Setup Terraform
# uses: hashicorp/setup-terraform@v1

# - name: Setup Infracost
# uses: infracost/actions/setup@v2
# # See https://github.com/infracost/actions/tree/master/setup for other inputs
# # If you can't use this action, see Docker images in https://infracost.io/cicd
# with:
# api-key: ${{ secrets.INFRACOST_API_KEY }}
# if: github.event_name == 'pull_request'

# # Checkout the base branch of the pull request (e.g. main/master).
# - name: Checkout base branch
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
# uses: actions/checkout@v3
# with:
# ref: '${{ github.event.pull_request.base.ref }}'
deploy:
needs: build
name: 'continuous-deployment'
runs-on: ubuntu-latest
environment: development
env:
IMAGE_ID: ${{ needs.build.outputs.image-id }}
permissions:
contents: read
id-token: write
pull-requests: write
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
defaults:
run:
shell: bash
working-directory: ./deploy
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
- name: Print Image Tag
run: echo "Tag Name for the Image ${{ env.IMAGE_ID }}"
- name: Configure AWS Credentials Action For GitHub Actions
uses: aws-actions/configure-aws-credentials@v1-node16
with:
role-to-assume: ${{ secrets.IAM_ROLE }}
role-session-name: AWSSession
aws-region: ${{ env.AWS_REGION }}

# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1

- name: Setup Infracost
uses: infracost/actions/setup@v2
# See https://github.com/infracost/actions/tree/master/setup for other inputs
# If you can't use this action, see Docker images in https://infracost.io/cicd
with:
api-key: ${{ secrets.INFRACOST_API_KEY }}
if: github.event_name == 'pull_request'

# Checkout the base branch of the pull request (e.g. main/master).
- name: Checkout base branch
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
uses: actions/checkout@v3
with:
ref: '${{ github.event.pull_request.base.ref }}'

# # Generate Infracost JSON file as the baseline.
# - name: Generate Infracost cost estimate baseline
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
# run: |
# infracost breakdown --path=. \
# --format=json \
# --out-file=/tmp/infracost-base.json

# # Checkout the current PR branch so we can create a diff.
# - name: Checkout PR branch
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
# uses: actions/checkout@v3

# # Generate an Infracost diff and save it to a JSON file.
# - name: Generate Infracost diff
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
# run: |
# infracost diff --path=. \
# --format=json \
# --compare-to=/tmp/infracost-base.json \
# --out-file=/tmp/infracost.json

# # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
# - name: Terraform Init
# id: init
# run: terraform init

# # Checks that all Terraform configuration files adhere to a canonical format
# - name: Terraform Format
# id: fmt
# run: terraform fmt -check
# # Checks that all Terraform configuration files are correctly written
# - name: Terraform Validate
# id: validate
# run: terraform validate -no-color
# # Generates an execution plan for Terraform
# - name: Terraform Plan
# id: plan
# if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request'
# run: |
# terraform plan -no-color -input=false \
# -var="image_tag=${{ env.IMAGE_ID }}" \
# -out=TFplan.JSON
# continue-on-error: true

# # Generate an Infracost diff and save it to a JSON file.
# - name: Generate Infracost diff
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }}
# run: |
# infracost diff --path=TFplan.JSON \
# --format=json \
# --out-file=/tmp/infracost.json

# - name: Post Infracost estimate
# if: github.event_name == 'pull_request'
# run: |
# infracost comment github --path=/tmp/infracost.json \
# --repo=$GITHUB_REPOSITORY \
# --github-token=${{github.token}} \
# --pull-request=${{github.event.pull_request.number}} \
# --show-skipped \
# --behavior=update

# - name: Post Terraform Plan output
# uses: actions/github-script@v6
# if: github.event_name == 'pull_request'
# env:
# PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
# with:
# github-token: ${{ secrets.GITHUB_TOKEN }}
# script: |
# const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
# #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
# #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
# #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`

# <details><summary>Show Plan</summary>

# \`\`\`\n
# ${process.env.PLAN}
# \`\`\`

# </details>

# *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;

# github.rest.issues.createComment({
# issue_number: context.issue.number,
# owner: context.repo.owner,
# repo: context.repo.repo,
# body: output
# })

# # On push to "main", build or change infrastructure according to Terraform configuration files
# # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
# - name: Terraform Apply
# if: github.ref == 'refs/heads/main'
# run: |
# terraform apply -auto-approve -input=false \
# -var="image_tag=${{ env.IMAGE_ID }}"
# Generate Infracost JSON file as the baseline.
- name: Generate Infracost cost estimate baseline
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
run: |
infracost breakdown --path=. \
--format=json \
--out-file=/tmp/infracost-base.json

# Checkout the current PR branch so we can create a diff.
- name: Checkout PR branch
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
uses: actions/checkout@v3

# Generate an Infracost diff and save it to a JSON file.
- name: Generate Infracost diff
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
run: |
infracost diff --path=. \
--format=json \
--compare-to=/tmp/infracost-base.json \
--out-file=/tmp/infracost.json

# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
id: init
run: terraform init

# Checks that all Terraform configuration files adhere to a canonical format
- name: Terraform Format
id: fmt
run: terraform fmt -check
# Checks that all Terraform configuration files are correctly written
- name: Terraform Validate
id: validate
run: terraform validate -no-color
# Generates an execution plan for Terraform
- name: Terraform Plan
id: plan
if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request'
run: |
terraform plan -no-color -input=false \
-var="image_tag=${{ env.IMAGE_ID }}" \
-out=TFplan.JSON
continue-on-error: true

# Generate an Infracost diff and save it to a JSON file.
- name: Generate Infracost diff
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }}
run: |
infracost diff --path=TFplan.JSON \
--format=json \
--out-file=/tmp/infracost.json

- name: Post Infracost estimate
if: github.event_name == 'pull_request'
run: |
infracost comment github --path=/tmp/infracost.json \
--repo=$GITHUB_REPOSITORY \
--github-token=${{github.token}} \
--pull-request=${{github.event.pull_request.number}} \
--show-skipped \
--behavior=update

- name: Post Terraform Plan output
uses: actions/github-script@v6
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`

<details><summary>Show Plan</summary>

\`\`\`\n
${process.env.PLAN}
\`\`\`

</details>

*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;

github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})

# On push to "main", build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Apply
if: github.ref == 'refs/heads/main'
run: |
terraform apply -auto-approve -input=false \
-var="image_tag=${{ env.IMAGE_ID }}"
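Review bot: the `Terraform Apply` step runs `terraform apply -auto-approve` on every push to `main` without a preceding plan in the same run, because `Terraform Plan` is gated on `github.ref != 'refs/heads/main' || github.event_name == 'pull_request'`, and the PR-time plan is marked `continue-on-error: true`, so a failed plan never blocks the merge and the apply is the first point at which the configuration is evaluated against real state. Suggest running the plan step unconditionally, applying the saved plan file (`terraform apply -input=false TFplan.JSON`), and relying on the `environment: development` protection rules (required reviewers) as the approval gate. Two smaller points: the job requests `security-events: write`, but no step in this hunk uploads SARIF, so that grant can be dropped for least privilege; and the actions are pinned to floating tags (`actions/checkout@v3`, `hashicorp/setup-terraform@v1`, `aws-actions/configure-aws-credentials@v1-node16`), which a full commit SHA pin would make reproducible and immune to tag retargeting.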
4 changes: 3 additions & 1 deletion .github/workflows/code-scan.yml
@@ -8,11 +8,13 @@ on:
paths:
- 'infra/**'
- 'deploy/**'
- 'app/tf/**'
pull_request:
branches: [ "main" ]
paths:
- 'infra/**'
- 'deploy/**'
- 'app/tf/**'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
permissions: read-all
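Review bot: the new `'app/tf/**'` glob is added to both the `push` and `pull_request` path filters, but neither list includes `.github/workflows/**`, so edits to the pipeline definitions themselves (such as the ones in this PR) do not trigger the scan; consider adding that glob, and record in the comment above `workflow_dispatch` which directories the scan is expected to cover.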
@@ -29,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./infra
working-directory: .
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
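Review bot: changing `working-directory` from `./infra` to `.` moves the job to the repository root, but the steps that invoke the scanner sit below this hunk, so confirm they now enumerate `infra/`, `deploy/` and `app/tf/` (or scan the whole tree) rather than implicitly scanning only the old directory, and state the intended scope in the `# Steps represent ...` comment so the next reader does not have to infer it from the path filters.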
2 changes: 1 addition & 1 deletion .github/workflows/terraform.yml
@@ -24,7 +24,7 @@ jobs:
terraform:
name: 'continuous-integration'
runs-on: ubuntu-latest
environment: production
environment: development
permissions:
contents: read
id-token: write
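Review bot: switching `environment` from `production` to `development` on the `continuous-integration` job changes which environment-scoped secrets and protection rules apply; confirm the `development` environment actually carries the OIDC role that the `id-token: write` permission is meant to federate into, and add a comment explaining why this job now targets development, since the job name gives no hint of it.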