This repository contains code and resources related to various use cases involving Amazon Elastic Container Service (ECS), Docker, and infrastructure provisioning using Terraform and GitHub Actions.
- Use Case 1: Create Infrastructure for Amazon ECS
- Use Case 2: Build, Scan, and Push Docker Images to Amazon ECR
- Use Case 3: Deploy to Amazon ECS Services
- Use Case 4: Enable Health Checks and CloudWatch Logs for AWS Fargate Tasks
- Use Case 5: Protecting Credentials and Variables in AWS Fargate Containers using AWS Secrets Manager
- Use Case 6: Blue-Green Deployments for Amazon ECS Fargate with CodeDeploy, Terraform, and GitHub Actions
- Prerequisites
- Usage
- Contributing
- License
This use case covers the creation of all necessary infrastructure components required to host an Amazon Elastic Container Service (ECS) using Terraform and GitHub Actions.
π Attention: The code for this specific use case is located in the create-ecs-service branch. Please refer to this branch instead of the default main branch. π
- Amazon Virtual Private Cloud (VPC): A logically isolated virtual network where your resources are deployed.
- Security Groups: Virtual firewalls that control inbound and outbound traffic to your resources.
- VPC Endpoints: Gateways that enable secure and private connections between your VPC and AWS services.
- ECS Cluster: A group of EC2 instances or Fargate tasks that run your containerized applications.
- Elastic Container Registry (ECR): A fully-managed Docker container registry for storing and retrieving Docker images.
- Application Load Balancer (ALB): A load balancer that distributes incoming traffic across your ECS tasks.
- AWS Key Management Service (KMS) Key: A secure and managed key for encrypting sensitive data.
- CloudWatch Log groups: A monitoring service that collects and stores logs from your containerized applications.
- AWS Secrets Manager Secret: A cloud native solution to securely manage credentials. This resource was added into the repository as part of use case #5.
The Terraform configurations and GitHub Actions workflow automate the provisioning and configuration of these components, ensuring a consistent and repeatable deployment process. Here is a detailed note explaining the same - create-infrastructure-to-host-an-amazon-ecs-service-using-terraform.
This use case demonstrates how to build, scan, and push Docker images to Amazon Elastic Container Registry (ECR) using GitHub Actions.
π Attention: The code for this specific use case is located in the create-ecs-service branch. Please refer to this branch instead of the default main branch. π
- Building a Docker image from a Dockerfile
- Scanning the Docker image for vulnerabilities
- Pushing the Docker image to Amazon ECR
The provided GitHub Actions workflows automate the entire process, enabling continuous integration and delivery of Docker images to Amazon ECR. Here is a detailed note explaining the same - push-docker-image-to-amazon-ecr-using-github-actions.
π Attention: The code for this specific use case is located in the create-ecs-service branch. Please refer to this branch instead of the default main branch. π
- Provisioning the necessary infrastructure components (as covered in Use Case 1)
- Creating the ECS execution role and the ECS task role
- Creating the ECS task definition
- Creating an ECS Service
- Configuring Load Balancing
- Deploying the Docker image to the ECS Service (using the image pushed in Use Case 2)
The Terraform configurations and GitHub Actions workflows handle the deployment and management of the ECS services, ensuring a streamlined and automated process. Here is a detailed note explaining the same - continuous-deployment-of-amazon-ecs-service-using-terraform-and-github-actions.
π Attention: The code for this specific use case is located in the create-ecs-service branch. Please refer to this branch instead of the default main branch. π
In AWS Fargate, ensuring the health and monitoring of your tasks is crucial for maintaining reliability and performance. By enabling health checks, you can automatically verify the status of your Fargate tasks, allowing AWS to replace any instances that fail these checks, thereby ensuring seamless operation. Additionally, integrating CloudWatch Logs provides real-time monitoring and centralized logging, capturing logs from each Fargate task and enabling detailed analysis, troubleshooting, and auditing. Together, these features empower you to maintain high availability and streamline operational management within your AWS Fargate environment. This use case has two steps:
- Add HealthCheck to the AWS Fargate task
- Monitor logs with Amazon CloudWatch
Here is a detailed note on how to enable that in AWS Fargate -enabling-health-checks-and-cloudwatch-logs-for-aws-fargate-tasks.
Use Case 5: Protecting Credentials and Variables in AWS Fargate Containers using AWS Secrets Manager
π Attention: The code for this specific use case is located in the create-ecs-service branch. Please refer to this branch instead of the default main branch. π
- Store a sensitive variable as a secret in AWS Secrets Manager
- Create a VPC Endpoint to access AWS Secrets Manager
- Update the IAM policy attached to the task role to access the secret
- Update the Amazon ECS task definition to access the secret
- Update the Node.js application to access and display the secret
For more details, please choose - protecting-credentials-and-variables-in-aws-fargate-containers-using-aws-secrets-manager.
Use Case 6: Blue-Green Deployments for Amazon ECS Fargate with CodeDeploy, Terraform, and GitHub Actions
π Attention: The code for this specific use case is located in the enable-blue-green-deployment branch. Please refer to this branch instead of the default main branch. π
This use case focuses on how to use a blue-green deployment pattern to release updates to an Amazon ECS service using Terraform and AWS CodeDeploy. This use case has four steps:
- Create Amazon ECS resources
- Create an IAM role for AWS Code Deploy
- Create a CodeDeploy application and deployment group
- Create the CodeDeploy deployment
For more details, please choose - blue-green-deployments-for-amazon-ecs-fargate-with-codedeploy-terraform-and-github-actions.
Additionally, this repository includes:
- Checkov pipeline for scanning the Terraform code for security and compliance issues.
The entire setup and deployment process is automated via the GitHub Actions pipelines, eliminating the need for manual steps.
For this code to function without errors, create an OpenID connect identity provider in Amazon Identity and Access Management that has a trust relationship with your GitHub repository. You can read about it here to get a detailed explanation with steps.
Store the ARN of the IAM Role as a GitHub secret which is referred in the terraform.yml and app-cd-cd.yml file.
For the Infracost integration, create an INFRACOST_API_KEY and store that as a GitHub Actions secret. You can manage the cost estimate process using a GitHub Actions variable INFRACOST_SCAN_TYPE where the value is either hcl_code or tf_plan, depending on the type of scan desired.
You can read about that at - integrate-Infracost-with-GitHub-Actions.
Ensure that the policy/ies attached to the IAM role whose credentials are being used in this repository has permission to create and manage all the resources that are included in this repository and push the Docker image to Amazon ECR repository.
If you want to check the pipeline logs, click on the Build Badges above the image in this ReadMe.
If you find any issues or have suggestions for improvement, feel free to open an issue or submit a pull request. Contributions are always welcome!
This code is released under the Unlicense License. See LICENSE.