This repository contains code and resources related to various use cases involving Amazon Elastic Container Service (ECS), Docker, and infrastructure provisioning using Terraform and GitHub Actions.
- Use Case 1: Create Infrastructure for Amazon ECS
- Use Case 2: Build, Scan, and Push Docker Images to Amazon ECR
- Use Case 3: Deploy to Amazon ECS Services
- Use Case 4: Enable Health Checks and CloudWatch Logs for AWS Fargate Tasks
- Use Case 5: Protecting Credentials and Variables in AWS Fargate Containers using AWS Secrets Manager
- Use Case 6: Blue-Green Deployments for Amazon ECS Fargate with CodeDeploy, Terraform, and GitHub Actions
- Use Case 7: Setup cross-account Amazon Elastic Container Registry (ECR) access using Terraform and GitHub Actions
- Prerequisites
- Usage
- Contributing
- License
This use case covers the creation of all necessary infrastructure components required to host an Amazon Elastic Container Service (ECS) using Terraform and GitHub Actions.
π Attention: The code for this specific use case is located in the create-ecs-service
branch. Please refer to this branch instead of the default main
branch. π
- Amazon Virtual Private Cloud (VPC): A logically isolated virtual network where your resources are deployed.
- Security Groups: Virtual firewalls that control inbound and outbound traffic to your resources.
- VPC Endpoints: Gateways that enable secure and private connections between your VPC and AWS services.
- ECS Cluster: A group of EC2 instances or Fargate tasks that run your containerized applications.
- Elastic Container Registry (ECR): A fully-managed Docker container registry for storing and retrieving Docker images.
- Application Load Balancer (ALB): A load balancer that distributes incoming traffic across your ECS tasks.
- AWS Key Management Service (KMS) Key: A secure and managed key for encrypting sensitive data.
- CloudWatch Log groups: A monitoring service that collects and stores logs from your containerized applications.
- AWS Secrets Manager Secret: A cloud native solution to securely manage credentials. This resource was added into the repository as part of use case #5.
The Terraform configurations and GitHub Actions workflow automate the provisioning and configuration of these components, ensuring a consistent and repeatable deployment process. Here is a detailed note explaining the same - create-infrastructure-to-host-an-amazon-ecs-service-using-terraform.
This use case demonstrates how to build, scan, and push Docker images to Amazon Elastic Container Registry (ECR) using GitHub Actions.
π Attention: The code for this specific use case is located in the create-ecs-service
branch. Please refer to this branch instead of the default main
branch. π
The steps involved include:
- Building a Docker image from a Dockerfile
- Scanning the Docker image for vulnerabilities
- Pushing the Docker image to Amazon ECR
The provided GitHub Actions workflows automate the entire process, enabling continuous integration and delivery of Docker images to Amazon ECR. Here is a detailed note explaining the same - push-docker-image-to-amazon-ecr-using-github-actions.
π Attention: The code for this specific use case is located in the create-ecs-service
branch. Please refer to this branch instead of the default main
branch. π
This use case focuses on deploying Amazon ECS services using Terraform and GitHub Actions. It includes the following steps:
- Provisioning the necessary infrastructure components (as covered in Use Case 1)
- Creating the ECS execution role and the ECS task role
- Creating the ECS task definition
- Creating an ECS Service
- Configuring Load Balancing
- Deploying the Docker image to the ECS Service (using the image pushed in Use Case 2)
The Terraform configurations and GitHub Actions workflows handle the deployment and management of the ECS services, ensuring a streamlined and automated process. Here is a detailed note explaining the same - continuous-deployment-of-amazon-ecs-service-using-terraform-and-github-actions.
π Attention: The code for this specific use case is located in the create-ecs-service
branch. Please refer to this branch instead of the default main
branch. π
In AWS Fargate, ensuring the health and monitoring of your tasks is crucial for maintaining reliability and performance. By enabling health checks, you can automatically verify the status of your Fargate tasks, allowing AWS to replace any instances that fail these checks, thereby ensuring seamless operation. Additionally, integrating CloudWatch Logs provides real-time monitoring and centralized logging, capturing logs from each Fargate task and enabling detailed analysis, troubleshooting, and auditing. Together, these features empower you to maintain high availability and streamline operational management within your AWS Fargate environment. This use case has two steps:
- Add HealthCheck to the AWS Fargate task
- Monitor logs with Amazon CloudWatch
Here is a detailed note on how to enable that in AWS Fargate -enabling-health-checks-and-cloudwatch-logs-for-aws-fargate-tasks.
Use Case 5: Protecting Credentials and Variables in AWS Fargate Containers using AWS Secrets Manager
π Attention: The code for this specific use case is located in the create-ecs-service
branch. Please refer to this branch instead of the default main
branch. π
This use case focuses on how to store sensitive variables in the AWS Secrets Manager secret and securely access them from an AWS Fargate task container. This use case has five steps:
- Store a sensitive variable as a secret in AWS Secrets Manager
- Create a VPC Endpoint to access AWS Secrets Manager
- Update the IAM policy attached to the task role to access the secret
- Update the Amazon ECS task definition to access the secret
- Update the Node.js application to access and display the secret
For more details, please choose - protecting-credentials-and-variables-in-aws-fargate-containers-using-aws-secrets-manager.
Use Case 6: Blue-Green Deployments for Amazon ECS Fargate with CodeDeploy, Terraform, and GitHub Actions
π Attention: The code for this specific use case is located in the enable-blue-green-deployment
branch. Please refer to this branch instead of the default main
branch. π
This use case focuses on how to use a blue-green deployment pattern to release updates to an Amazon ECS service using Terraform and AWS CodeDeploy. This use case has four steps:
- Create Amazon ECS resources
- Create an IAM role for AWS Code Deploy
- Create a CodeDeploy application and deployment group
- Create the CodeDeploy deployment
For more details, please choose - blue-green-deployments-for-amazon-ecs-fargate-with-codedeploy-terraform-and-github-actions.
Use Case 7: Setup cross-account Amazon Elastic Container Registry (ECR) access using Terraform and GitHub Actions
π Attention: The code for this specific use case is located in the central-ecr
branch. Please refer to this branch instead of the default main
branch. π
Application development teams manage multiple product environmentsβDev, Test, Stage, and Prodβto ensure isolation, security, governance, and management. In this setup, it is common to adopt a spoke-and-wheel architecture, where an Amazon ECR repository (acting as the hub) is shared across various container hosting environments (such as Amazon ECS clusters) located in different AWS accounts.
This architecture is achieved by hosting the ECR repository in one AWS account and deploying ECS services for each environment in separate AWS accounts. To enable cross-account access, specific AWS IAM permissions must be configured in both the ECR and ECS accounts. In this use-case, I explain the Terraform configuration to apply to the AWS account hosting the Amazon ECR repository and the AWS account hosting the Amazon ECS service. To read more, choose -setup-cross-account-amazon-elastic-container-registry-ecr-access-using-terraform-and-github-actions.
Additionally, this repository includes:
- Checkov pipeline for scanning the Terraform code for security and compliance issues.
The entire setup and deployment process is automated via the GitHub Actions pipelines, eliminating the need for manual steps.
For this code to function without errors, create an OpenID connect identity provider in Amazon Identity and Access Management that has a trust relationship with your GitHub repository. You can read about it here to get a detailed explanation with steps.
Store the ARN
of the IAM Role
as a GitHub secret which is referred in the terraform.yml
and app-cd-cd.yml
file.
For the Infracost integration, create an INFRACOST_API_KEY
and store that as a GitHub Actions secret. You can manage the cost estimate process using a GitHub Actions variable INFRACOST_SCAN_TYPE
where the value is either hcl_code
or tf_plan
, depending on the type of scan desired.
You can read about that at - integrate-Infracost-with-GitHub-Actions.
Ensure that the policy/ies attached to the IAM role whose credentials are being used in this repository has permission to create and manage all the resources that are included in this repository and push the Docker image to Amazon ECR repository.
If you want to check the pipeline logs, click on the Build Badges above the image in this ReadMe.
If you find any issues or have suggestions for improvement, feel free to open an issue or submit a pull request. Contributions are always welcome!
This code is released under the Unlicense License. See LICENSE.