From e3b9bbc6f939230c43f4fdb198edea3d98094e4a Mon Sep 17 00:00:00 2001
From: Samir Tapiero <50454914+blacksam07@users.noreply.github.com>
Date: Mon, 16 Dec 2024 14:40:38 -0500
Subject: [PATCH] Improve CD workflow (#888)
---
 .github/workflows/cd.yml | 18 +++++++++++++++++-
 bin/format_aws_secrets.rb | 11 +++++++++++
 docs/cd_with_aws.md | 38 +++++++++++++++++++++++++++++++++-----
 3 files changed, 61 insertions(+), 6 deletions(-)
 create mode 100755 bin/format_aws_secrets.rb
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 22240e5f..b3edae6d 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -36,7 +36,9 @@ jobs:
 with:
 context: .
 push: true
- tags: ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:${{ github.sha }}
+ tags: |
+ ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:${{ github.sha }}
+ ${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPOSITORY }}:latest
 - name: Get the image digest
 id: image-digest
@@ -46,6 +48,18 @@ jobs:
 run: |
 aws ecs describe-task-definition --task-definition ${{ vars.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ vars.ECS_TASK_DEFINITION_PATH }}
+ - name: Download Parameter Store Values
+ id: ssm-download
+ run: |
+ PARAMETERS_JSON=$(aws ssm describe-parameters --query "Parameters[?contains(Name, 'backend')].{Name:Name,ARN:ARN}" --output json | jq -c '.')
+ echo "parameters=${PARAMETERS_JSON}" >> $GITHUB_OUTPUT
+
+ - name: Format SSM Parameters
+ id: format-secrets
+ run: |
+ FORMATTED_SECRETS=$(ruby bin/format_aws_secrets.rb ${{ steps.ssm-download.outputs.parameters }})
+ echo "formatted_secrets=${FORMATTED_SECRETS}" >> $GITHUB_OUTPUT
+
 - name: Fill in the new image ID in the Amazon ECS task definition
 id: task-def
 uses: aws-actions/amazon-ecs-render-task-definition@v1
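Review bot: In the new `Format SSM Parameters` step, `${{ steps.ssm-download.outputs.parameters }}` is expanded verbatim into the `run:` script before bash parses it, so the JSON array produced by `jq -c` (double quotes, commas, braces) goes through brace expansion, word splitting and quote removal, and what reaches `ARGV[0]` in `bin/format_aws_secrets.rb` is no longer the JSON that was written to `$GITHUB_OUTPUT`; GitHub's hardening guidance is to never inline an expression into a script for exactly this reason. Pass it through the environment and quote it: add `env:` with `PARAMETERS: ${{ steps.ssm-download.outputs.parameters }}` to the step and run `FORMATTED_SECRETS=$(ruby bin/format_aws_secrets.rb "$PARAMETERS")`. Separately, the `Download Parameter Store Values` filter `contains(Name, 'backend')` is account-wide and much broader than the `/rails_api_base/backend/<name>` convention the docs in this commit describe: any parameter in the account whose name merely contains `backend`, including another service's `SecureString` values, is wired into this task definition as a secret, and two such parameters sharing a last path segment collide after `.upcase`. `starts_with(Name, '/rails_api_base/backend/')` (or a server-side `--parameter-filters "Key=Name,Option=BeginsWith,Values=/rails_api_base/backend/"`) keeps the set scoped to this service.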
@@ -53,6 +67,8 @@ jobs:
 task-definition: ${{ vars.ECS_TASK_DEFINITION_PATH }}
 container-name: ${{ vars.CONTAINER_NAME }}
 image: ${{ steps.image-digest.outputs.image }}
+ secrets: |
+ ${{ steps.format-secrets.outputs.formatted_secrets }}
 - name: Deploy Amazon ECS task definition
 uses: aws-actions/amazon-ecs-deploy-task-definition@v2
diff --git a/bin/format_aws_secrets.rb b/bin/format_aws_secrets.rb
new file mode 100755
index 00000000..d1b159f2
--- /dev/null
+++ b/bin/format_aws_secrets.rb
@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+require 'json'
+
+data = JSON.parse(ARGV[0])
+
+formatted_secrets = data.map do |param|
+ param_name = param['Name'].split('/').last.upcase
+"#{param_name}=#{param['ARN']}"
+end.join('\n')
+
+puts formatted_secrets
diff --git a/docs/cd_with_aws.md b/docs/cd_with_aws.md
index 42eaef5d..c2a7bcb2 100644
--- a/docs/cd_with_aws.md
+++ b/docs/cd_with_aws.md
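Review bot: `end.join('\n')` in the new `bin/format_aws_secrets.rb` joins with a single-quoted `'\n'`, which in Ruby is the two characters backslash and `n` rather than a newline, so `puts` prints every `NAME=ARN` pair on one line separated by a literal `\n`; that single line is what `echo "formatted_secrets=..."` records and what the `secrets: |` block in the cd.yml hunk above receives, and unless the render action splits on a literal backslash-n only the first pair is a well-formed entry. If real newlines are intended, use `join("\n")` and write the step output in the multi-line form (`echo "formatted_secrets<<EOF" >> "$GITHUB_OUTPUT"`, then the value, then `echo "EOF" >> "$GITHUB_OUTPUT"`), since `echo "key=value"` cannot carry a multi-line value. `JSON.parse(ARGV[0])` also raises `TypeError` when the script is invoked without an argument; `JSON.parse(ARGV.fetch(0, '[]'))` makes an empty parameter set a no-op. The `"#{param_name}=#{param['ARN']}"` line inside the `map` block is not indented like the `param_name =` line above it.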
@@ -8,20 +8,23 @@ Before you start, make sure you have the following:
 1. **AWS Account**: You need an AWS account. Sign up [here](https://aws.amazon.com/).
-2. **Amazon ECR (Elastic Container Registry) Setup**:
+2. **Amazon ECR (Elastic Container Registry) Setup**:
+
 - Create a new repository in Amazon ECR.
 - Note down the repository URI, which will be used in the GitHub Actions workflow.
-3. **AWS Credentials**:
+3. **AWS Credentials**:
+
 - AWS Access Key ID
 - AWS Secret Access Key
- - These credentials should have permission to interact with ECR and ECS.
+ - These credentials should have permission to interact with ECR and ECS and Parameter Store.
 4. **Create Environments**: The GitHub Actions workflow will automatically deploy to the correct environment based on the branch being pushed to. The branch `main` will always be linked to the `production` environment, while other branches will use their own names as the environment. All environments added in GitHub must have the same name as the branches.
 5. **GitHub Repository Setup**:
+
 - **Environment Secrets**: Add the following secrets to your GitHub environments (these are specific to each environment and not set at the repository level):
 - `AWS_ACCESS_KEY_ID`: Your AWS Access Key ID.
 - `AWS_SECRET_ACCESS_KEY`: Your AWS Secret Access Key.
@@ -34,7 +37,31 @@ Before you start, make sure you have the following:
 - `ECS_SERVICE`: The name of your ECS service.
 - `ECS_CLUSTER`: The name of your ECS cluster.
-6. **GitHub Actions Workflow**:
+6. **Brief Guide to Configure AWS Systems Manager Parameter Store for GitHub Actions Workflow**:
+
+ - **Access AWS Systems Manager**:
+
+ - Log in to your AWS console.
+ - Navigate to **Systems Manager** and select **Parameter Store**.
+
+ - **Create Parameters**:
+
+ - Click **Create parameter**.
+ - Fill out the details:
+ - **Name**: Provide a unique and valid name (e.g., `/rails_api_base/backend/service_api_key`).
+
+ > The naming convention follows this structure: `project_name/backend/variable_name`. This format is aligned with AWS parameter hierarchy standards, allowing for better organization and management of all parameters.
+
+ - **Type**: Choose `SecureString` for sensitive data.
+ - **Value**: Enter the parameter value (e.g., a password or secret).
+ - Click **Create parameter**.
+
+ - **Integrate with GitHub Actions**:
+
+ - Make sure the AWS credentials stored in GitHub Secrets (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) have the appropriate permissions for Paramters Store.
+ - The workflow automatically access to the defined Parameters Store and push inside the `secrets:` of the Definition Task.
+
+7. **GitHub Actions Workflow**:
 To set up the GitHub Actions workflow for continuous deployment to AWS, you need to modify the existing cd.yml file in the .github/workflows directory of your GitHub repository. Uncomment the branches section under `on: push:` and add the necessary branches to enable automatic deployment. For example:
@@ -44,4 +71,5 @@ Before you start, make sure you have the following:
 push:
 branches:
 - main
- - dev
\ No newline at end of file
+ - dev
+ ```