Improve CD workflow (#888)

.github/workflows/cd.yml

@@ -36,7 +36,9 @@ jobs:
         with:
           context: .
           push: true
-          tags: ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:${{ github.sha }}
+          tags: |
+            ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:${{ github.sha }}
+            ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:latest
 
       - name: Get the image digest
         id: image-digest
@@ -46,13 +48,27 @@ jobs:
         run: |
           aws ecs describe-task-definition --task-definition ${{ vars.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ vars.ECS_TASK_DEFINITION_PATH }}
 
+      - name: Download Parameter Store Values
+        id: ssm-download
+        run: |
+          PARAMETERS_JSON=$(aws ssm describe-parameters --query "Parameters[?contains(Name, 'backend')].{Name:Name,ARN:ARN}" --output json | jq -c '.')
+          echo "parameters=${PARAMETERS_JSON}" >> $GITHUB_OUTPUT
+
+      - name: Format SSM Parameters
+        id: format-secrets
+        run: |
+          FORMATTED_SECRETS=$(ruby bin/format_aws_secrets.rb ${{ steps.ssm-download.outputs.parameters }})
+          echo "formatted_secrets=${FORMATTED_SECRETS}" >> $GITHUB_OUTPUT
+
       - name: Fill in the new image ID in the Amazon ECS task definition
         id: task-def
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition: ${{ vars.ECS_TASK_DEFINITION_PATH }}
           container-name: ${{ vars.CONTAINER_NAME }}
           image: ${{ steps.image-digest.outputs.image }}
+          secrets: |
+            ${{ steps.format-secrets.outputs.formatted_secrets }}
 
       - name: Deploy Amazon ECS task definition
         uses: aws-actions/amazon-ecs-deploy-task-definition@v2

bin/format_aws_secrets.rb

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+require 'json'
+
+data = JSON.parse(ARGV[0])
+
+formatted_secrets = data.map do |param|
+  param_name = param['Name'].split('/').last.upcase
+"#{param_name}=#{param['ARN']}"
+end.join('\n')
+
+puts formatted_secrets

docs/cd_with_aws.md

@@ -8,20 +8,23 @@ Before you start, make sure you have the following:
 
 1. **AWS Account**: You need an AWS account. Sign up [here](https://aws.amazon.com/).
 
-2. **Amazon ECR (Elastic Container Registry) Setup**: 
+2. **Amazon ECR (Elastic Container Registry) Setup**:
+
    - Create a new repository in Amazon ECR.
    - Note down the repository URI, which will be used in the GitHub Actions workflow.
 
-3. **AWS Credentials**: 
+3. **AWS Credentials**:
+
    - AWS Access Key ID
    - AWS Secret Access Key
-   - These credentials should have permission to interact with ECR and ECS.
+   - These credentials should have permission to interact with ECR and ECS and Parameter Store.
 
 4. **Create Environments**:
 
    The GitHub Actions workflow will automatically deploy to the correct environment based on the branch being pushed to. The branch `main` will always be linked to the `production` environment, while other branches will use their own names as the environment. All environments added in GitHub must have the same name as the branches.
 
 5. **GitHub Repository Setup**:
+
    - **Environment Secrets**: Add the following secrets to your GitHub environments (these are specific to each environment and not set at the repository level):
      - `AWS_ACCESS_KEY_ID`: Your AWS Access Key ID.
      - `AWS_SECRET_ACCESS_KEY`: Your AWS Secret Access Key.
@@ -34,7 +37,31 @@ Before you start, make sure you have the following:
      - `ECS_SERVICE`: The name of your ECS service.
      - `ECS_CLUSTER`: The name of your ECS cluster.
 
-6. **GitHub Actions Workflow**:
+6. **Brief Guide to Configure AWS Systems Manager Parameter Store for GitHub Actions Workflow**:
+
+   - **Access AWS Systems Manager**:
+
+     - Log in to your AWS console.
+     - Navigate to **Systems Manager** and select **Parameter Store**.
+
+   - **Create Parameters**:
+
+     - Click **Create parameter**.
+     - Fill out the details:
+       - **Name**: Provide a unique and valid name (e.g., `/rails_api_base/backend/service_api_key`).
+
+          > The naming convention follows this structure: `project_name/backend/variable_name`. This format is aligned with AWS parameter hierarchy standards, allowing for better organization and management of all parameters.
+
+       - **Type**: Choose `SecureString` for sensitive data.
+       - **Value**: Enter the parameter value (e.g., a password or secret).
+     - Click **Create parameter**.
+
+   - **Integrate with GitHub Actions**:
+
+     - Make sure the AWS credentials stored in GitHub Secrets (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) have the appropriate permissions for Paramters Store.
+     - The workflow automatically access to the defined Parameters Store and push inside the `secrets:` of the Definition Task.
+
+7. **GitHub Actions Workflow**:
    To set up the GitHub Actions workflow for continuous deployment to AWS, you need to modify the existing cd.yml file in the .github/workflows directory of your GitHub repository.
 
    Uncomment the branches section under `on: push:` and add the necessary branches to enable automatic deployment. For example:
@@ -44,4 +71,5 @@ Before you start, make sure you have the following:
      push:
        branches:
          - main
-         - dev
+         - dev
+   ```