From 3329358914f00d72bfe7ef3e360e4854610a9d2f Mon Sep 17 00:00:00 2001
From: Ryosuke Tomita <>
Date: Sun, 17 Dec 2023 00:50:33 +0900
Subject: [PATCH] add pipeline

---
 Dockerfile | 12 +-
 README.md | 102 +++++++++++++++++-
 copilot/.workspace | 2 +-
 copilot/dev-svc/manifest.yml | 6 +-
 .../environments/app-scanner-env/manifest.yml | 30 ------
 copilot/environments/dev-env/manifest.yml | 15 +--
 copilot/environments/prod-env/manifest.yml | 12 +--
 .../buildspec.yml | 2 +-
 .../manifest.yml | 7 +-
 copilot/prod-svc/manifest.yml | 2 +-
 nginx.conf | 7 +-
 11 files changed, 123 insertions(+), 74 deletions(-)
 delete mode 100644 copilot/environments/app-scanner-env/manifest.yml
 rename copilot/pipelines/{tomita-pipeline => react-app-pipeline}/buildspec.yml (94%)
 rename copilot/pipelines/{tomita-pipeline => react-app-pipeline}/manifest.yml (88%)

diff --git a/Dockerfile b/Dockerfile
index 762961f..13e7e08 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,23 +9,15 @@ RUN npm install && npm run build FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nginx:latest-al23 COPY --from=build /app/build /usr/share/nginx/html COPY nginx.conf /etc/nginx/nginx.conf -#COPY default.conf /etc/nginx/conf.d/default.conf - # Change owner to allow non-root users to start the service USER root -# RUN < +see detail + +```shell +copilot env init +Environment name: prod-env + + Which credentials would you like to use to create hoge? [Use arrows to move, type to filter, ? for more help] + Enter temporary credentials + > [profile default] + + +Environment name: prod-env +Credential source: [profile default] +Would you like to use the default configuration for a new environment? + - A new VPC with 2 AZs, 2 public subnets and 2 private subnets + - A new ECS Cluster + - New IAM Roles to manage services and jobs in your environment + [Use arrows to move, type to filter] + Yes, use default. + Yes, but I'd like configure the default resources (CIDR ranges, AZs). + > No, I'd like to import existing resources (VPC, subnets). + + +Environment name: prod-env +Credential source: [profile default] +Default environment configuration? No, I'd like to import existing resources + + Which VPC would you like to use? 
[Use arrows to move, type to filter] + > vpc-xxxxxxxxxxxxxxxxx (copilot-react-app-dev-env) +``` + +- environmentをデプロイ + +```shell +copilot env deploy +``` + +- prod用のserviceを作成してデプロイする。 +この際に間違えてdev-svcやdev-envを選ばないように注意する。 + +```shell +DOCKER_DEFAULT_PLATFORM=linux/amd64 copilot svc init +copilot svc deploy +``` + +### CodePipelineの作成 + +## その他の設定 +- ローカルでのインストールが必須なのはpre-commitくらい + +```shell +cd devsecops-demo-aws-ecs +pre-commit install +``` +- VSCodeのExtensionsもお好みで。Dockerのhadolintはおすすめ。 +****** + + # HOW TO USE # REFERENCE +- [ECSの仕様で非特権ユーザを使用したコンテナでは80番ポートが使えないっぽい](https://repost.aws/questions/QU1bCV9wT4T5iBrrP1c2ISfg/container-cannot-bind-to-port-80-running-as-non-root-user-on-ecs-fargate) --> つまり,localのdockerで80でサービスが起動できてもECSだと権限エラーになる。 +> nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied) diff --git a/copilot/.workspace b/copilot/.workspace index 535c93c..a9afdd4 100644 --- a/copilot/.workspace +++ b/copilot/.workspace @@ -1 +1 @@ -application: roulette-app +application: react-app diff --git a/copilot/dev-svc/manifest.yml b/copilot/dev-svc/manifest.yml index 05dd2e3..fe3a5f3 100644 --- a/copilot/dev-svc/manifest.yml +++ b/copilot/dev-svc/manifest.yml @@ -19,13 +19,11 @@ image: # Docker build arguments. For additional overrides: https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#image-build build: Dockerfile # Port exposed through your container to route traffic to it. - port: 80 + port: 8080 cpu: 256 # Number of CPU units for the task. memory: 512 # Amount of memory in MiB used by the task. -count: # Number of tasks that should be running in your service. - range: 1-2 - cpu_percentage: 50 +count: 1 # Number of tasks that should be running in your service. exec: true # Enable running commands in your container. network: connect: true # Enable Service Connect for intra-environment traffic between services. 
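Review bot: Moving `port` to 8080 only removes the `bind() to 0.0.0.0:80 ... Permission denied` failure if the task really runs unprivileged, and the Dockerfile hunk in this same patch still shows `USER root` with no later `USER` line visible, so the container may keep running as root while the port change is applied. Confirm the Dockerfile ends with a non-root `USER` (e.g. `USER nginx`); otherwise the move to 8080 gains nothing, and the same check applies to the prod-svc manifest. Record the reason next to the value so it is not reverted to 80 later: `port: 8080  # unprivileged port: non-root nginx cannot bind :80 (see nginx.conf)`. The surrounding `exec: true` enables ECS Exec (an SSM shell into the running task); that is convenient for dev but should be off in the prod service unless it is actually needed.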
diff --git a/copilot/environments/app-scanner-env/manifest.yml b/copilot/environments/app-scanner-env/manifest.yml
deleted file mode 100644
index d2d5f23..0000000
--- a/copilot/environments/app-scanner-env/manifest.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-# The manifest for the "app-scanner-env" environment.
-# Read the full specification for the "Environment" type at:
-# https://aws.github.io/copilot-cli/docs/manifest/environment/
-
-# Your environment name will be used in naming your resources like VPC, cluster, etc.
-name: app-scanner-env
-type: Environment
-
-# Import your own VPC and subnets or configure how they should be created.
-network:
-  vpc:
-    id: vpc-03581f28225eebcf8
-    subnets:
-      public:
-        - id: subnet-02af5dce7bdaae4c9
-        - id: subnet-070a378ffc7a92766
-        - id: subnet-0bfd16c35ed005f62
-      private:
-        - id: subnet-059ce9420f335d7b0
-        - id: subnet-0cb914099ba5f287b
-        - id: subnet-003d479c3698684de
-
-# Configure the load balancers in your environment, once created.
-# http:
-#   public:
-#   private:
-
-# Configure observability for your environment resources.
-observability:
-  container_insights: false
diff --git a/copilot/environments/dev-env/manifest.yml b/copilot/environments/dev-env/manifest.yml
index 2dace23..1c14f97 100644
--- a/copilot/environments/dev-env/manifest.yml
+++ b/copilot/environments/dev-env/manifest.yml
@@ -7,18 +7,9 @@ name: dev-env
 type: Environment
 
 # Import your own VPC and subnets or configure how they should be created.
-network:
-  vpc:
-    id: vpc-03581f28225eebcf8
-    subnets:
-      public:
-        - id: subnet-02af5dce7bdaae4c9
-        - id: subnet-070a378ffc7a92766
-        - id: subnet-0bfd16c35ed005f62
-      private:
-        - id: subnet-059ce9420f335d7b0
-        - id: subnet-0cb914099ba5f287b
-        - id: subnet-003d479c3698684de
+# network:
+#   vpc:
+#     id:
 
 # Configure the load balancers in your environment, once created.
 # http:
diff --git a/copilot/environments/prod-env/manifest.yml b/copilot/environments/prod-env/manifest.yml
index e96aa53..8102c47 100644
--- a/copilot/environments/prod-env/manifest.yml
+++ b/copilot/environments/prod-env/manifest.yml
@@ -9,16 +9,14 @@ type: Environment
 # Import your own VPC and subnets or configure how they should be created.
 network:
   vpc:
-    id: vpc-03581f28225eebcf8
+    id: vpc-0e2c3939c6159987c
     subnets:
       public:
-        - id: subnet-02af5dce7bdaae4c9
-        - id: subnet-070a378ffc7a92766
-        - id: subnet-0bfd16c35ed005f62
+        - id: subnet-077af848ce2255562
+        - id: subnet-074c71e5fac150d04
       private:
-        - id: subnet-059ce9420f335d7b0
-        - id: subnet-0cb914099ba5f287b
-        - id: subnet-003d479c3698684de
+        - id: subnet-0c572ccc92f2f825f
+        - id: subnet-0209edab730676d3e
 
 # Configure the load balancers in your environment, once created.
 # http:
diff --git a/copilot/pipelines/tomita-pipeline/buildspec.yml b/copilot/pipelines/react-app-pipeline/buildspec.yml
similarity index 94%
rename from copilot/pipelines/tomita-pipeline/buildspec.yml
rename to copilot/pipelines/react-app-pipeline/buildspec.yml
index 5ad0c4b..a84fc8e 100644
--- a/copilot/pipelines/tomita-pipeline/buildspec.yml
+++ b/copilot/pipelines/react-app-pipeline/buildspec.yml
@@ -17,7 +17,7 @@ phases:
       - ls -l
       - export COLOR="false"
       - export CI="true"
-      - pipeline=$(cat $CODEBUILD_SRC_DIR/copilot/pipelines/tomita-pipeline/manifest.yml | ruby -ryaml -rjson -e 'puts JSON.pretty_generate(YAML.load(ARGF))')
+      - pipeline=$(cat $CODEBUILD_SRC_DIR/copilot/pipelines/react-app-pipeline/manifest.yml | ruby -ryaml -rjson -e 'puts JSON.pretty_generate(YAML.load(ARGF))')
       - pl_envs=$(echo $pipeline | jq -r '.stages[].name')
       # Find all the local services in the workspace.
       - svc_ls_result=$(./copilot-linux svc ls --local --json)
diff --git a/copilot/pipelines/tomita-pipeline/manifest.yml b/copilot/pipelines/react-app-pipeline/manifest.yml
similarity index 88%
rename from copilot/pipelines/tomita-pipeline/manifest.yml
rename to copilot/pipelines/react-app-pipeline/manifest.yml
index 09d0424..3bd89b3 100644
--- a/copilot/pipelines/tomita-pipeline/manifest.yml
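Review bot: The imported `vpc-0e2c3939c6159987c` appears, from the README hunk in this same patch ("vpc-xxxxxxxxxxxxxxxxx (copilot-react-app-dev-env)"), to be the VPC Copilot created for dev-env, so prod-env now shares network, subnets and NAT/IGW with the dev environment. Copilot still creates per-environment security groups, but the blast radius of a compromised dev task or a loosened rule now extends into prod, and the two environments can no longer be torn down independently. If this is a deliberate cost trade-off for a demo, say so next to the id, e.g. `# NOTE: imports the dev-env VPC to save cost; prod gets no network isolation`; otherwise let `copilot env init` create a separate VPC for prod. Since both public and private subnets are listed, also verify that the prod service is placed in the private subnets rather than the default public placement.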
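Review bot: The renamed command still parses the pipeline manifest with `YAML.load(ARGF)`; on Psych < 4 (Ruby < 3.1) `YAML.load` instantiates arbitrary tagged Ruby objects, so a crafted manifest executes code in the CodeBuild role. Anyone who can push to the tracked branch can already run commands through the buildspec, so this is hardening rather than a new boundary, but `YAML.safe_load(ARGF.read)` costs nothing and removes the hazard. Quote the expansion as well: `cat "$CODEBUILD_SRC_DIR/copilot/pipelines/react-app-pipeline/manifest.yml"`. The `build.commands` list this line belongs to starts and ends outside the hunk.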
+++ b/copilot/pipelines/react-app-pipeline/manifest.yml
@@ -1,9 +1,9 @@
-# The manifest for the "tomita-pipeline" pipeline.
+# The manifest for the "react-app-pipeline" pipeline.
 # This YAML file defines your pipeline: the source repository it tracks and the order of the environments to deploy to.
 # For more info: https://aws.github.io/copilot-cli/docs/manifest/pipeline/
 
 # The name of the pipeline.
-name: tomita-pipeline
+name: react-app-pipeline
 
 # The version of the schema used in this template.
 version: 1
@@ -16,7 +16,7 @@ source:
   # Additional properties that further specify the location of the artifacts.
   properties:
     branch: master
-    repository: https://github.com/RyosukeDTomita/react-roulette-frontend
+    repository: https://github.com/RyosukeDTomita/devsecops-demo-aws-ecs
 
   # Optional: specify the name of an existing CodeStar Connections connection.
   # connection_name: a-connection
@@ -28,7 +28,6 @@ stages:
     # requires_approval: true
     # Optional: use test commands to validate this stage of your build.
     # test_commands: [echo 'running tests', make test]
-    test_commands: [echo 'hogehogehoge']
   - # The name of the environment.
     name: prod-env
diff --git a/copilot/prod-svc/manifest.yml b/copilot/prod-svc/manifest.yml
index b242507..79d94e4 100644
--- a/copilot/prod-svc/manifest.yml
+++ b/copilot/prod-svc/manifest.yml
@@ -19,7 +19,7 @@ image:
   # Docker build arguments. For additional overrides: https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#image-build
   build: Dockerfile
   # Port exposed through your container to route traffic to it.
-  port: 80
+  port: 8080
 cpu: 256 # Number of CPU units for the task.
 memory: 512 # Amount of memory in MiB used by the task.
diff --git a/nginx.conf b/nginx.conf
index 890043b..c5e19cc 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,4 +1,3 @@
-
 # For more information on configuration, see:
 # * Official English Documentation: http://nginx.org/en/docs/
 # * Official Russian Documentation: http://nginx.org/ru/docs/
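Review bot: Dropping the placeholder `test_commands` leaves the pipeline with no verification step between source and deploy, and the prod-env stage that follows (only its `name: prod-env` line is in the hunk; the rest of the stage is outside) shows no `requires_approval`, so every push to `master` would deploy straight to prod. At minimum add `requires_approval: true` under the prod-env stage and put real checks on the first stage instead of the deleted placeholder, e.g. `test_commands: [npm ci, npm test]`. The changed `repository` also sits under an unchanged `branch: master`; confirm the new repository actually has a `master` branch, since new GitHub repositories default to `main`.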
@@ -35,9 +34,11 @@ http {
     # for more information.
     include /etc/nginx/conf.d/*.conf;
 
+
+    # Use 8080 instead of 80 to avoid the `nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)` when using ECS.
     server {
-        listen 80;
-        listen [::]:80;
+        listen 8080;
+        listen [::]:8080;
         server_name _;
         root /usr/share/nginx/html;
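Review bot: The new comment blames ECS for the `bind() to 0.0.0.0:80 failed (13: Permission denied)` error, but the cause is that ports below 1024 require `CAP_NET_BIND_SERVICE`, which an unprivileged user lacks and which a Fargate task definition does not let you add; ECS is only relevant because the task is (or should be) running as non-root there. A comment that names the real cause stops the next maintainer from "fixing" it by switching back to root: `# Unprivileged port: binding :80 needs CAP_NET_BIND_SERVICE, which a non-root nginx on ECS Fargate does not get.` The extra blank line added above the comment is stray whitespace and can go. The `http { }` block this `server` lives in starts and ends outside the hunk.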