
gh workflow updates
alismx committed Jun 25, 2024
1 parent e664bf4 commit 47e90cb
Showing 5 changed files with 136 additions and 56 deletions.
66 changes: 33 additions & 33 deletions .github/workflows/ecr_deployment.yaml
@@ -1,36 +1,37 @@
name: Deploy to ECR
name: Deploy to ECS

on:
push:
branches:
#- main
- 1611-create-elastic-container-service

permissions:
id-token: write
contents: read
# packages: write
jobs:
deploy:
terraform:
name: Run Terraform
runs-on: ubuntu-latest

defaults:
run:
shell: bash
working-directory: ./terraform/implementation/ecs
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Check Out Changes
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
region: us-east-1

# - name: Authenticate Docker Registry for ECR
# run: aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 339712971032.dkr.ecr.us-east-1.amazonaws.com
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
role-session-name: githubECSDeploymentWorkflow
aws-region: us-east-1

- uses: hashicorp/[email protected]
with:
terraform_version: 1.3.3
- name: Init Terraform
working-directory: ./terraform/implementation/ecs
- name: Load variables
env:
ENVIRONMENT: dev
BUCKET: infra-tfstate-alis-default-aizwjxuh
Expand All @@ -40,16 +41,15 @@ jobs:
PROJECT: infra
shell: bash
run: |
touch $ENVIRONMENT.tfvars
echo "owner = \"$OWNER\""
echo "project = \"$PROJECT\""
echo "region = \"$REGION\""
./ecs.sh -e dev --ci
# - name: Apply Terraform
# working-directory: ./terraform/implementation/ecs
# env:
# ENVIRONMENT: value
# shell: bash
# run: |
# terraform apply -var-file="$ENVIRONMENT.tfvars"
echo "ENVIRONMENT=$ENVIRONMENT" >> .env
echo "BUCKET=infra-tfstate-alis-default-aizwjxuh" >> .env
echo "DYNAMODB_TABLE=infra-tfstate-lock-alis-default-aizwjxuh" >> .env
echo "REGION=us-east-1" >> .env
echo "owner = \"$OWNER\"" >> $ENVIRONMENT.tfvars
echo "project = \"$PROJECT\"" >> $ENVIRONMENT.tfvars
echo "region = \"$REGION\"" >> $ENVIRONMENT.tfvars
- name: Terraform
run: |
ls -lhsa
./ecs.sh -e dev --ci
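Review bot: The `Terraform` step hard-codes `./ecs.sh -e dev --ci` while `ENVIRONMENT: dev` is declared only in the `Load variables` step's `env`, so the environment name lives in two places and the second step cannot read `$ENVIRONMENT` at all; declare `ENVIRONMENT` once under the job's `env:` and call `./ecs.sh -e "$ENVIRONMENT" --ci`. In the same spirit, `echo "BUCKET=infra-tfstate-alis-default-aizwjxuh" >> .env` repeats the literal bucket name that `BUCKET:` already holds — `echo "BUCKET=$BUCKET" >> .env` keeps them from drifting. `ls -lhsa` reads as leftover debugging and lists the working directory into the job log on every run. The `push` trigger now fires on the feature branch `1611-create-elastic-container-service` with `- main` commented out; if that is a temporary setting, a one-line comment saying so would keep it from being merged as-is. If `region: us-east-1` sits on the new side of the `configure-aws-credentials@v4` `with:` block, it appears to duplicate `aws-region` and, as far as I know, is not an input of that action.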
22 changes: 15 additions & 7 deletions terraform/implementation/ecs/ecs.sh
Expand Up @@ -116,12 +116,13 @@ terraform init \
-backend-config "region=$REGION" \
|| (echo "terraform init failed, exiting..." && exit 1)

if [ "$CI" = false ]; then
# Check if workspace exists
if terraform workspace list | grep -q "$ENVIRONMENT"; then
echo "Selecting $ENVIRONMENT terraform workspace"
terraform workspace select "$ENVIRONMENT"
else

# Check if workspace exists
if terraform workspace list | grep -q "$ENVIRONMENT"; then
echo "Selecting $ENVIRONMENT terraform workspace"
terraform workspace select "$ENVIRONMENT"
else
if [ "$CI" = false ]; then
read -p "Workspace '$ENVIRONMENT' does not exist. Do you want to create it? (y/n): " choice
if [[ $choice =~ ^[Yy]$ ]]; then
echo "Creating '$ENVIRONMENT' terraform workspace"
Expand All @@ -130,7 +131,14 @@ if [ "$CI" = false ]; then
echo "Workspace creation cancelled."
exit 1
fi
else
echo "Creating '$ENVIRONMENT' terraform workspace"
terraform workspace new "$ENVIRONMENT"
fi
fi

terraform apply -var-file="$ENVIRONMENT.tfvars"
# if [ "$CI" = false ]; then
terraform apply -var-file="$ENVIRONMENT.tfvars"
# else
# terraform apply -auto-approve -var-file="$ENVIRONMENT.tfvars"
# fi
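Review bot: With `--ci` the script now creates the workspace unattended but still reaches `terraform apply -var-file="$ENVIRONMENT.tfvars"` with the `-auto-approve` branch left commented out, so on a non-interactive runner the apply waits for, or fails on, an approval prompt that nothing can answer. Either restore the `if [ "$CI" = false ]` / `else` split around the apply (the commented lines already spell it out) or, if manual approval is intended for now, say so in a comment rather than leaving dead code. Separately, `terraform workspace list | grep -q "$ENVIRONMENT"` is a substring match, so `dev` also matches a `dev-test` workspace and the new CI branch would then skip creating the intended one; stripping the leading `* ` marker and using `grep -qx "$ENVIRONMENT"` makes the check exact. The script's `CI` handling begins before this hunk.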
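--- /dev/null
+++ b/terraform/implementation/setup/iam.tf
@@ -0,0 +1,87 @@
+data "aws_caller_identity" "current" {}
+
+# # create a role that can be assumed to pull and push docker images from
+data "aws_iam_policy_document" "github_iodc" {
+statement {
+principals {
+type = "Federated"
+identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+}
+actions = [
+"sts:AssumeRoleWithWebIdentity"
+]
+condition {
+test = "StringEquals"
+variable = "token.actions.githubusercontent.com:aud"
+values = ["sts.amazonaws.com",]
+}
+condition {
+test = "StringLike"
+variable = "token.actions.githubusercontent.com:sub"
+values = [
+"repo:CDCgov/dibbs-aws:*",
+]
+}
+}
+}
+
+data "aws_iam_policy_document" "gh_perms" {
+statement {
+actions = [
+"dynamodb:GetItem",
+"dynamodb:PutItem",
+"dynamodb:DeleteItem",
+"ecr:GetAuthorizationToken",
+"s3:PutObject",
+"s3:PutObjectAcl",
+"s3:GetObject",
+"s3:GetObjectAcl",
+"s3:HeadObject",
+"ec2:DescribeVpcs",
+"ecr:DescribeRepositories",
+"ecs:DescribeClusters",
+"logs:DescribeLogGroups",
+"appmesh:DescribeMesh",
+"iam:GetRole",
+"iam:GetPolicy"
+
+]
+resources = [
+aws_dynamodb_table.tfstate_lock.arn,
+"${aws_dynamodb_table.tfstate_lock.arn}/*",
+aws_s3_bucket.tfstate.arn,
+"${aws_s3_bucket.tfstate.arn}/*",
+"arn:aws:ecr:${var.region}:${data.aws_caller_identity.current.account_id}:repository/*",
+"arn:aws:ecs:${var.region}:${data.aws_caller_identity.current.account_id}:cluster/*",
+"arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group::*",
+"arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/*"
+]
+}
+}
+
+resource "aws_iam_policy" "gh_perms" {
+name = "GH-PERMS-POLICY"
+description = ""
+policy = data.aws_iam_policy_document.gh_perms.json
+}
+
+resource "aws_iam_role" "gh_perms" {
+name = "GH-PERMS-ROLE"
+assume_role_policy = data.aws_iam_policy_document.github_iodc.json
+}
+
+resource "aws_iam_role_policy_attachment" "gh_perms" {
+role = aws_iam_role.gh_perms.name
+policy_arn = aws_iam_policy.gh_perms.arn
+}
+
+
+#
+# │ Error: getting ECR authorization token: AccessDeniedException: User: arn:aws:sts::339712971032:assumed-role/GH-PERMS-ROLE/githubECSDeploymentWorkflow is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
+# │ status code: 400, request id: 6c7898a1-0512-4a96-960a-1b0ab8aab60f
+#
+# │ with module.ecr.data.aws_ecr_authorization_token.container_registry_token,
+# │ on ../../modules/ecr/_data.tf line 6, in data "aws_ecr_authorization_token" "container_registry_token":
+# │ 6: data "aws_ecr_authorization_token" "container_registry_token" {}
+#
+#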
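Review bot: The trust policy's `sub` condition `"repo:CDCgov/dibbs-aws:*"` lets every ref and workflow in the repository — any branch, tag or pull-request run — assume `GH-PERMS-ROLE`, which carries write access to the Terraform state bucket and lock table; narrow it to the deploying ref or a GitHub environment, e.g. `"repo:CDCgov/dibbs-aws:ref:refs/heads/main"` for whichever branch the workflow ships from. The pasted AccessDenied output at the bottom of the file already explains the second problem: `ecr:GetAuthorizationToken` does not support resource-level permissions, so listing it in a statement scoped to specific ARNs grants nothing and it needs its own statement on `"*"`; `ec2:DescribeVpcs` has the same constraint, and `iam:GetRole` / `iam:GetPolicy` are denied as written because no IAM ARN appears in `resources`. As far as I know `s3:HeadObject` is not an IAM action name (HeadObject is authorized by `s3:GetObject`), so it can be dropped. The stray blank line inside the `actions` list, the empty `description = ""`, and the `github_iodc` spelling (presumably `github_oidc`) are worth tidying while the file is new, and the pasted error block should become a short comment rather than a verbatim log.

```hcl
data "aws_iam_policy_document" "gh_perms" {
  # … unchanged: resource-scoped statement (dynamodb, s3, ecr:DescribeRepositories, ecs, logs, appmesh) …

  # These actions do not accept resource-level scoping and must be granted on "*".
  statement {
    actions = [
      "ecr:GetAuthorizationToken",
      "ec2:DescribeVpcs",
    ]
    resources = ["*"]
  }

  # iam:GetRole / iam:GetPolicy need the ARNs of the roles and policies the ECS stack reads;
  # fill in the concrete ARNs here (placeholder: <ECS_ROLE_AND_POLICY_ARNS>).
}
```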
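--- a/terraform/implementation/setup/main.tf
+++ b/terraform/implementation/setup/main.tf
@@ -77,4 +77,4 @@ resource "local_file" "ecs_env" {
 REGION=${var.region}
 EOT
 filename = "../ecs/.env"
-}
+}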
15 changes: 0 additions & 15 deletions terraform/modules/ecr/_data.tf
@@ -1,18 +1,3 @@
data "aws_iam_policy_document" "ecr_policy" {

for_each = var.service_data
statement {
actions = [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
]

resources = ["arn:aws:ecs:${var.region}:${var.aws_caller_identity}:cluster/${var.ecs_cluster_name}/${each.key}"]
}
}

data "docker_registry_image" "ghcr_data" {
for_each = var.service_data
name = "ghcr.io/cdcgov/phdi/${each.key}:${var.phdi_version}"
