GitHub Action
Sourcetoad - AWS CodeDeploy for GitHub Actions
To automatically deploy applications to EC2 via CodeDeploy. Looking for ECS?
The best example is just a snippet of the workflow with all options.
Laravel (All Properties) Example
- name: AWS CodeDeploy
uses: sourcetoad/aws-codedeploy-action@v1
with:
aws_access_key: ${{ secrets.AWS_ACCESS_KEY }}
aws_secret_key: ${{ secrets.AWS_SECRET_KEY }}
aws_region: us-east-1
codedeploy_name: project
codedeploy_group: prod
codedeploy_register_only: true
s3_bucket: project-codedeploy
s3_folder: production
excluded_files: '.git/* .env storage/framework/cache/* node_modules/*'
max_polling_iterations: 60
directory: ./
Laravel (Only Required) Example
- This leverages the official GitHub Action for AWS Credentials
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::123456789100:role/my-github-actions-role
aws-region: us-east-2
- name: AWS CodeDeploy
uses: sourcetoad/aws-codedeploy-action@v1
with:
codedeploy_name: project
codedeploy_group: prod
s3_bucket: project-codedeploy
s3_folder: production
- Remember to set specific permissions so we can communicate with the GitHub OIDC Endpoint.
permissions:
id-token: write
contents: read
Following inputs can be used as step.with
keys
Name | Required | Type | Description |
---|---|---|---|
aws_access_key |
No | String | IAM Access Key. |
aws_secret_key |
No | String | IAM Secret Key. |
aws_region |
No | String | AWS Region (default: us-east-1 ). |
codedeploy_name |
Yes | String | CodeDeploy Project Name. |
codedeploy_group |
Yes | String | CodeDeploy Project Group. |
codedeploy_config_name |
No | String | If provided, override the default CodeDeploy Configuration name |
codedeploy_register_only |
No | Boolean | If true, revision is registered not deployed. |
codedeploy_file_exists_behavior |
No | String | If provided, override the default CodeDeploy File Exists Behavior |
s3_bucket |
Yes | String | S3 Bucket for archive to be uploaded. |
s3_folder |
Yes | String | S3 Folder for archive to be uploaded within bucket. |
excluded_files |
No | String | Space delimited list of patterns to exclude from archive |
directory |
No | String | Directory to archive. Defaults to root of project. |
custom_zip_flags |
No | String | Flags to pass to zip command. (ie zip "$FLAGS" ... ) |
archive |
No | String | Zip to deploy. Defaults to empty (thus ignored) |
max_polling_iterations |
No | Number | Number of 15s iterations to poll max. (default: 60 ) |
dry_run |
No | Boolean | If true, no connection to AWS is made. Just local zip creation. |
Following outputs can be used after execution of the job.
Name | Description |
---|---|
zip_filename |
Filename of generated zip file. |
etag |
ETag for the generated zip file reported by AWS. |
deployment_id |
The CodeDeploy deployment id |
Some projects may not want to poll for a completion of a build. Setting max_polling_iterations
to 0
will exit
the script after the deployment was kicked off. Progress will have to be monitored elsewhere.
Some projects may have a complex build system or even build the archive in a previous step. This is where
directory
and archive
come into play:
- By default,
directory
will be used to zip that directory and deployed. - If
archive
is non-empty, it will be used in place ofdirectory
archive
must be zip filename including extension (ieprod-backend-20220202.zip
).
You shouldn't be using a root user. Below are snippets of an inline policies with suggested permissions for the action.
- You might need to adapt these to fit your use case.
- You will need to insert proper resources/ARNs to make the snippets below valid.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::project-codedeploy/*"
]
}
]
}
- This restricts the action to uploading an object and listing/getting the object so it can obtain the location for CodeDeploy
- It is restricted to a specific bucket.
For deploying via CodeDeploy you will need another set of permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"codedeploy:CreateDeployment"
],
"Effect": "Allow",
"Resource": [
"arn:aws:codedeploy:codedeploy-arn"
]
},
{
"Action": [
"codedeploy:Batch*",
"codedeploy:Get*",
"codedeploy:List*",
"codedeploy:RegisterApplicationRevision"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
- These permissions are a rough example of allowing the user to list/get/register a revision for all resources
- A specific permission statement exists to lock creating the deployment to a specific resource