-
Notifications
You must be signed in to change notification settings - Fork 1
155 lines (140 loc) · 6.9 KB
/
aws.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
# This workflow will build and push a new container image to Amazon ECR,
# and then will deploy a new task definition to Amazon ECS, when there is a push to the "main" branch.
#
# To use this workflow, you will need to complete the following set-up steps:
#
# 1. Create an ECR repository to store your images.
# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`.
# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name.
# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region.
#
# 2. Create an ECS task definition, an ECS cluster, and an ECS service.
# For example, follow the Getting Started guide on the ECS console:
# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun
# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service.
# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster.
#
# 3. Store your ECS task definition as a JSON file in your repository.
# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`.
# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file.
# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container
# in the `containerDefinitions` section of the task definition.
#
# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
# See the documentation for each action used below for the recommended IAM policies for this IAM user,
# and best practices on handling the access key credentials.
name: Deploy to Amazon ECS
on:
push:
branches: [ "5165-cicd" ]
env:
AWS_REGION: ap-southeast-2 #MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
ECR_REPOSITORY: 704910415367.dkr.ecr.ap-southeast-2.amazonaws.com/aodn-v2 # set this to your Amazon ECR repository name
ECS_SERVICE: ogcapi-java-service #MY_ECS_SERVICE # set this to your Amazon ECS service name
ECS_CLUSTER: aodn-imos-v2 # set this to your Amazon ECS cluster name
ECS_TASK_DEFINITION: ./ogcapi-java-dev-td.json #MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition
# file, e.g. .aws/task-definition.json
CONTAINER_NAME: aodn-dev-container #MY_CONTAINER_NAME # set this to the name of the container in the
# containerDefinitions section of your task definition
ROLE_ARN: arn:aws:iam::704910415367:role/tlc-ci-cd
permissions:
contents: read
jobs:
deploy:
name: Deploy
runs-on: ubuntu-latest
environment: development
steps:
- name: Prepare
id: prep
run: |
BRANCH=${GITHUB_REF##*/}
TS=$(date +%s)
REVISION=${GITHUB_SHA::8}
BUILD_ID="${BRANCH}-${REVISION}-${TS}"
LATEST_ID=canary
if [[ $GITHUB_REF == refs/tags/* ]]; then
BUILD_ID=${GITHUB_REF/refs\/tags\//}
LATEST_ID=latest
fi
echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
echo ::set-output name=BUILD_ID::${BUILD_ID}
echo ::set-output name=LATEST_ID::${LATEST_ID} >> $GITHUB_OUTPUT
- name: Checkout
uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'
cache: 'maven'
- name: Build with Maven
run: mvn -B package --file pom.xml
# - name: Configure AWS credentials
# uses: ./.github/workflows/github-actions.yml
# - name: Configure AWS credentials
# uses: aws-actions/configure-aws-credentials@v1
# with:
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# aws-region: ${{ env.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build and tag image
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ steps.prep.outputs.BUILD_ID }}
LATEST_ID: ${{ steps.prep.outputs.LATEST_ID }}
ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
HOST: ${API_HOST:-http://localhost}
PORT: ${API_CONTAINER_PORT:-8081}
ELASTIC_URL: ${ELASTIC_URL:-https://dev-discovery-index.es.ap-southeast-2.aws.found.io}
ELASTIC_KEY: ${ELASTIC_KEY}
run: |
# Build a docker container and
# be deployed to ECS.
# docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
# echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
# aws ecr get-login-password --region ap-southeast-2 | docker login --username AWS --password-stdin $ACCOUNT_ID
docker build -t $ECR_REPOSITORY:$IMAGE_TAG .
echo "image=$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Run Trivy vulnerability scanner in docker mode
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.build-image.outputs.image }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
exit-code: 1
ignore-unfixed: true
continue-on-error: true
- name: Push image to Amazon ECR
id: push-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ steps.prep.outputs.BUILD_ID }}
LATEST_ID: ${{ steps.prep.outputs.LATEST_ID }}
ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
run: |
# Build a docker container and
# be deployed to ECS.
# docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
# echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
# aws ecr get-login-password --region ap-southeast-2 | docker login --username AWS --password-stdin $ACCOUNT_ID
docker push $ECR_REPOSITORY:$IMAGE_TAG
echo "image=$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ${{ env.ECS_TASK_DEFINITION }}
container-name: ${{ env.CONTAINER_NAME }}
image: ${{ steps.push-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
cluster: ${{ env.ECS_CLUSTER }}
wait-for-service-stability: true