Skip to content

Commit

Permalink
Merge pull request #119 from kunduso/central-ecr
Browse files Browse the repository at this point in the history 
Create ECS Task container from Docker image in central AWS account (cross AWS account access)
  • Loading branch information
@kunduso
kunduso authored Nov 28, 2024
2 parents 973c821 + 9700426 commit a134504
Show file tree
Hide file tree
Showing 11 changed files with 377 additions and 346 deletions.
296 changes: 148 additions & 148 deletions .github/workflows/app-ci-cd.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -95,152 +95,152 @@ jobs:
run: echo "IMAGE_ID=$REGISTRY/$REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
outputs:
image-id: ${{ steps.create-output.outputs.IMAGE_ID }}
# deploy:
# needs: build
# name: 'continuous-deployment'
# runs-on: ubuntu-latest
# environment: development
# env:
# IMAGE_ID: ${{ needs.build.outputs.image-id }}
# permissions:
# contents: read
# id-token: write
# pull-requests: write
# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
# defaults:
# run:
# shell: bash
# working-directory: ./deploy
# steps:
# # Checkout the repository to the GitHub Actions runner
# - name: Checkout
# uses: actions/checkout@v3
# - name: Print Image Tag
# run: echo "Tag Name for the Image ${{ env.IMAGE_ID }}"
# - name: Configure AWS Credentials Action For GitHub Actions
# uses: aws-actions/configure-aws-credentials@v1-node16
# with:
# role-to-assume: ${{ secrets.IAM_ROLE }}
# role-session-name: AWSSession
# aws-region: ${{ env.AWS_REGION }}

# # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
# - name: Setup Terraform
# uses: hashicorp/setup-terraform@v1

# - name: Setup Infracost
# uses: infracost/actions/setup@v2
# # See https://github.com/infracost/actions/tree/master/setup for other inputs
# # If you can't use this action, see Docker images in https://infracost.io/cicd
# with:
# api-key: ${{ secrets.INFRACOST_API_KEY }}
# if: github.event_name == 'pull_request'

# # Checkout the base branch of the pull request (e.g. main/master).
# - name: Checkout base branch
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
# uses: actions/checkout@v3
# with:
# ref: '${{ github.event.pull_request.base.ref }}'
deploy:
needs: build
name: 'continuous-deployment'
runs-on: ubuntu-latest
environment: development
env:
IMAGE_ID: ${{ needs.build.outputs.image-id }}
permissions:
contents: read
id-token: write
pull-requests: write
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
# Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
defaults:
run:
shell: bash
working-directory: ./deploy
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v3
- name: Print Image Tag
run: echo "Tag Name for the Image ${{ env.IMAGE_ID }}"
- name: Configure AWS Credentials Action For GitHub Actions
uses: aws-actions/configure-aws-credentials@v1-node16
with:
role-to-assume: ${{ secrets.IAM_ROLE }}
role-session-name: AWSSession
aws-region: ${{ env.AWS_REGION }}

# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
uses: hashicorp/setup-terraform@v1

- name: Setup Infracost
uses: infracost/actions/setup@v2
# See https://github.com/infracost/actions/tree/master/setup for other inputs
# If you can't use this action, see Docker images in https://infracost.io/cicd
with:
api-key: ${{ secrets.INFRACOST_API_KEY }}
if: github.event_name == 'pull_request'

# Checkout the base branch of the pull request (e.g. main/master).
- name: Checkout base branch
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
uses: actions/checkout@v3
with:
ref: '${{ github.event.pull_request.base.ref }}'

# # Generate Infracost JSON file as the baseline.
# - name: Generate Infracost cost estimate baseline
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
# run: |
# infracost breakdown --path=. \
# --format=json \
# --out-file=/tmp/infracost-base.json

# # Checkout the current PR branch so we can create a diff.
# - name: Checkout PR branch
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
# uses: actions/checkout@v3

# # Generate an Infracost diff and save it to a JSON file.
# - name: Generate Infracost diff
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
# run: |
# infracost diff --path=. \
# --format=json \
# --compare-to=/tmp/infracost-base.json \
# --out-file=/tmp/infracost.json

# # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
# - name: Terraform Init
# id: init
# run: terraform init

# # Checks that all Terraform configuration files adhere to a canonical format
# - name: Terraform Format
# id: fmt
# run: terraform fmt -check
# # Checks that all Terraform configuration files are correctly written
# - name: Terraform Validate
# id: validate
# run: terraform validate -no-color
# # Generates an execution plan for Terraform
# - name: Terraform Plan
# id: plan
# if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request'
# run: |
# terraform plan -no-color -input=false \
# -var="image_tag=${{ env.IMAGE_ID }}" \
# -out=TFplan.JSON
# continue-on-error: true

# # Generate an Infracost diff and save it to a JSON file.
# - name: Generate Infracost diff
# if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }}
# run: |
# infracost diff --path=TFplan.JSON \
# --format=json \
# --out-file=/tmp/infracost.json

# - name: Post Infracost estimate
# if: github.event_name == 'pull_request'
# run: |
# infracost comment github --path=/tmp/infracost.json \
# --repo=$GITHUB_REPOSITORY \
# --github-token=${{github.token}} \
# --pull-request=${{github.event.pull_request.number}} \
# --show-skipped \
# --behavior=update

# - name: Post Terraform Plan output
# uses: actions/github-script@v6
# if: github.event_name == 'pull_request'
# env:
# PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
# with:
# github-token: ${{ secrets.GITHUB_TOKEN }}
# script: |
# const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
# #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
# #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
# #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`

# <details><summary>Show Plan</summary>

# \`\`\`\n
# ${process.env.PLAN}
# \`\`\`

# </details>

# *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;

# github.rest.issues.createComment({
# issue_number: context.issue.number,
# owner: context.repo.owner,
# repo: context.repo.repo,
# body: output
# })

# # On push to "main", build or change infrastructure according to Terraform configuration files
# # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
# - name: Terraform Apply
# if: github.ref == 'refs/heads/main'
# run: |
# terraform apply -auto-approve -input=false \
# -var="image_tag=${{ env.IMAGE_ID }}"
# Generate Infracost JSON file as the baseline.
- name: Generate Infracost cost estimate baseline
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
run: |
infracost breakdown --path=. \
--format=json \
--out-file=/tmp/infracost-base.json
# Checkout the current PR branch so we can create a diff.
- name: Checkout PR branch
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
uses: actions/checkout@v3

# Generate an Infracost diff and save it to a JSON file.
- name: Generate Infracost diff
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'hcl_code') }}
run: |
infracost diff --path=. \
--format=json \
--compare-to=/tmp/infracost-base.json \
--out-file=/tmp/infracost.json
# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- name: Terraform Init
id: init
run: terraform init

# Checks that all Terraform configuration files adhere to a canonical format
- name: Terraform Format
id: fmt
run: terraform fmt -check
# Checks that all Terraform configuration files are correctly written
- name: Terraform Validate
id: validate
run: terraform validate -no-color
# Generates an execution plan for Terraform
- name: Terraform Plan
id: plan
if: github.ref != 'refs/heads/main' || github.event_name == 'pull_request'
run: |
terraform plan -no-color -input=false \
-var="image_tag=${{ env.IMAGE_ID }}" \
-out=TFplan.JSON
continue-on-error: true

# Generate an Infracost diff and save it to a JSON file.
- name: Generate Infracost diff
if: ${{ (github.event_name == 'pull_request') && (vars.INFRACOST_SCAN_TYPE == 'tf_plan') }}
run: |
infracost diff --path=TFplan.JSON \
--format=json \
--out-file=/tmp/infracost.json
- name: Post Infracost estimate
if: github.event_name == 'pull_request'
run: |
infracost comment github --path=/tmp/infracost.json \
--repo=$GITHUB_REPOSITORY \
--github-token=${{github.token}} \
--pull-request=${{github.event.pull_request.number}} \
--show-skipped \
--behavior=update
- name: Post Terraform Plan output
uses: actions/github-script@v6
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`\n
${process.env.PLAN}
\`\`\`
</details>
*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
# On push to "main", build or change infrastructure according to Terraform configuration files
# Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- name: Terraform Apply
if: github.ref == 'refs/heads/main'
run: |
terraform apply -auto-approve -input=false \
-var="image_tag=${{ env.IMAGE_ID }}"
4 changes: 3 additions & 1 deletion .github/workflows/code-scan.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,13 @@ on:
paths:
- 'infra/**'
- 'deploy/**'
- 'app/tf/**'
pull_request:
branches: [ "main" ]
paths:
- 'infra/**'
- 'deploy/**'
- 'app/tf/**'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
permissions: read-all
Expand All @@ -29,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./infra
working-directory: .
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/terraform.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
terraform:
name: 'continuous-integration'
runs-on: ubuntu-latest
environment: production
environment: development
permissions:
contents: read
id-token: write
Expand Down
Loading

0 comments on commit a134504

Please sign in to comment.