diff --git a/.github/workflows/build-and-push-image-to-ecr.yaml b/.github/workflows/build-and-push-image-to-ecr.yaml new file mode 100644 index 0000000..8e38d1a --- /dev/null +++ b/.github/workflows/build-and-push-image-to-ecr.yaml @@ -0,0 +1,69 @@ +on: + workflow_call: + inputs: + environment: + description: The environment that this job references. e.g. prod + required: false + type: string + default: '' + awsRegion: + description: AWS region. e.g. ap-southeast-1 + required: true + type: string + iamRoleToAssume: + description: IAM role to assume when logging in to AWS. e.g. arn:aws:iam::11111:role/read-only + required: false + type: string + default: '' + ecrRegistryName: + description: ECR registry name. e.g. 11111111.dkr.ecr.ap-southeast-1.amazonaws.com + required: true + type: string + imageRepoName: + description: Docker image repository. e.g. customer + required: true + type: string + imageTag: + description: Docker image tag. e.g. 1.0.0 + required: true + type: string + + secrets: + AWS_ACCESS_KEY_ID: + description: AWS access key ID. + required: true + AWS_SECRET_ACCESS_KEY: + description: AWS secret access key. + required: true + GIT_TOKEN_BASIC: + required: false + +jobs: + build-and-push-docker-image: + name: Builds a Docker image and pushes it to an ECR repository. + runs-on: ubuntu-latest + environment: ${{ inputs.environment }} + steps: + - uses: actions/checkout@v4 + with: + submodules: true + token: ${{ secrets.GIT_TOKEN_BASIC || github.token }} + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ inputs.awsRegion }} + role-to-assume: ${{ inputs.iamRoleToAssume }} + + - name: Login to ECR + uses: docker/login-action@v3 + with: + registry: ${{ inputs.ecrRegistryName }} + + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ${{ inputs.ecrRegistryName }}/${{ inputs.imageRepoName }}:${{ inputs.imageTag }} diff --git a/.github/workflows/update-ecs.yaml b/.github/workflows/update-ecs.yaml new file mode 100644 index 0000000..b946a15 --- /dev/null +++ b/.github/workflows/update-ecs.yaml @@ -0,0 +1,110 @@ +on: + workflow_call: + inputs: + environment: + description: The environment that this job references. e.g. prod + required: false + type: string + default: '' + awsRegion: + description: AWS region. e.g. ap-southeast-1 + required: true + type: string + iamRoleToAssume: + description: IAM role to assume when logging in to AWS. e.g. arn:aws:iam::11111:role/read-only + required: false + type: string + default: '' + ecsCluster: + description: The name of the ECS service's cluster + required: true + type: string + ecsService: + description: The name of the ECS service to update + required: true + type: string + ecsTaskFamily: + description: Family of the task. This is available in the JSON of the task definition. + required: true + type: string + ecsNewDockerImage: + description: The rull URI of the container image to insert into the ECS task definition. + required: true + type: string + imageRepoName: + description: The name of container image to insert into the ECS task definition. + required: true + type: string + + secrets: + AWS_ACCESS_KEY_ID: + description: AWS access key ID. + required: true + AWS_SECRET_ACCESS_KEY: + description: AWS secret access key. + required: true + GIT_TOKEN_BASIC: + required: false + +jobs: + update-ecs: + name: Update ECS task definition with a new Docker image, and update the ECS service. + runs-on: ubuntu-latest + environment: ${{ inputs.environment }} + steps: + - uses: actions/checkout@v4 + with: + submodules: true + token: ${{ secrets.GIT_TOKEN_BASIC || github.token }} + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ inputs.awsRegion }} + role-to-assume: ${{ inputs.iamRoleToAssume }} + + - name: Download current task definition + run: | + + echo "Getting latest task definition" + latest_revision=$(aws ecs list-task-definitions --family-prefix ${{ inputs.ecsTaskFamily }} --query 'taskDefinitionArns[0]' --sort DESC --no-paginate | sed 's/.*:\(.*\)"/\1/') + + echo "Registering task definition" + aws ecs describe-task-definition --task-definition "${{ inputs.ecsTaskFamily }}:${latest_revision}" --query \ + 'taskDefinition.{ + family: family, + taskRoleArn: taskRoleArn, + executionRoleArn: executionRoleArn, + networkMode: networkMode, + containerDefinitions: containerDefinitions, + volumes: volumes, + placementConstraints: placementConstraints, + requiresCompatibilities: requiresCompatibilities, + cpu: cpu, + memory: memory, + ephemeralStorage: ephemeralStorage, + runtimePlatform: runtimePlatform}' > latest-task-definition.json + + - name: Render new task definition + id: render-new-task-definition + uses: aws-actions/amazon-ecs-render-task-definition@v1 + with: + task-definition: latest-task-definition.json + container-name: ${{ inputs.imageRepoName }} + image: ${{ inputs.ecsNewDockerImage }} + + - name: Echo new task definition + run: | + + echo "Print latest task definition" + cat latest-task-definition.json + echo ${{ steps.render-new-task-definition.outputs.task-definition }} + + - name: Update ECS service + uses: aws-actions/amazon-ecs-deploy-task-definition@v1 + with: + task-definition: ${{ steps.render-new-task-definition.outputs.task-definition }} + cluster: ${{ inputs.ecsCluster }} + service: ${{ inputs.ecsService }}