Add task definition with GHA

Author: coreycarvalho

.github/actions/ecs-task-render-deploy/action.yml

@@ -0,0 +1,59 @@
+name: "ECS Task Render & Deploy"
+description: "Renders an ECS task definition from a template (with secret substitutions) and deploys it to ECS."
+inputs:
+  task-definition-path:
+    description: "Path to the ECS Task Definition template file (e.g. task-definition.template.json)"
+    required: true
+    default: "task-definition.json"
+  container-name:
+    description: "The container name to update"
+    required: true
+  image:
+    description: "The container image to substitute in the task definition"
+    required: true
+  aws-access-key-id:
+    description: 'AWS Access Key ID'
+    required: true
+  aws-secret-access-key:
+    description: 'AWS Secret Access Key'
+    required: true
+  role-to-assume:
+    description: 'AWS role to assume'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v3
+
+    - name: Pre-render Task Definition
+      id: pre_render
+      shell: bash
+      run: |
+        echo "Rendering template with envsubst..."
+        # Substitute environment variables in the task definition file
+        envsubst < "${{ inputs.task-definition-path }}" > task-definition.json
+          
+    - name: Configure VAEC AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ inputs.aws-access-key-id }}
+        aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
+        aws-region: us-gov-west-1
+        role-to-assume: ${{ inputs.role-to-assume }}
+        role-skip-session-tagging: true
+        role-duration-seconds: 900
+
+    - name: Upload Env File to S3
+      shell: bash
+      run: |
+        aws s3 cp task-definition.json s3://vanotify-environment-variables-dev/va-enp-api/
+
+    - name: Render Task Definition
+      id: render
+      uses: aws-actions/amazon-ecs-render-task-definition@v1
+      with:
+        task-definition: ./task-definition.json
+        container-name: ${{ inputs.container-name }}
+        image: ${{ inputs.image }}

.github/workflows/deploy.yml

@@ -0,0 +1,33 @@
+name: Deploy to ENV
+ ## Right now, this workflow is being used to test the rendering of task definitions. This will be extended to be
+ ## the workflow used that deploys to any arbitrary environment as part of https://github.com/department-of-veterans-affairs/va-enp-api/issues/76#issue-2669422105
+
+on:
+  push:
+    branches:
+      - "75-task-definitions"
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Renders Task Definition for DEV
+        uses: ./.github/actions/ecs-task-render-deploy
+        with:
+          task-definition-path: "./cd/va-enp-api-task-definition.json"
+          container-name: "dev-va-enp-api"
+          image: nginx:latest
+          aws-access-key-id: ${{ secrets.VAEC_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.VAEC_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.VAEC_DEPLOY_ROLE }}
+        env:
+          AWS_ARN_REGION: ${{ secrets.AWS_ARN_REGION }}
+          AWS_ACCOUNT_NUMBER: ${{ secrets.AWS_ACCOUNT_NUMBER }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          TASK_DEFINITION_SECRETS_JSON: ${{ secrets.DEV_TASK_DEFINITION_SECRETS_JSON }}
+          DD_API_KEY: ${{ secrets.DD_API_KEY }}
+          ENV: "dev"

cd/dev.env

@@ -0,0 +1,55 @@
+ACCEPT_RECIPIENT_IDENTIFIERS_ENABLED=True
+API_HOST_NAME=https://dev.api.notifications.va.gov
+API_MESSAGE_LIMIT_ENABLED=True
+API_RATE_LIMIT_ENABLED=True
+ATTACHMENTS_BUCKET=dev-notifications-va-gov-attachments
+AWS_PINPOINT_APP_ID=df55c01206b742d2946ef226410af94f
+AWS_SES_EMAIL_FROM_USER=dev-do-not-reply
+CHECK_GITHUB_SCOPE_ENABLED=True
+CHECK_TEMPLATE_NAME_EXISTS_ENABLED=True
+COMP_AND_PEN_DYNAMODB_NAME=dev-bip-payment-notification-table
+DD_ENV=dev
+DD_PROFILING_ENABLED=True
+DD_PROFILING_ENABLE_CODE_PROVENANCE=True
+DD_INSTRUMENTATION_TELEMETRY_ENABLED=False
+DD_SERVICE=celery-beat
+DD_SITE=ddog-gov.com
+EMAIL_ATTACHMENTS_ENABLED=True
+EMAIL_PASSWORD_LOGIN_ENABLED=True
+EMAIL_PROVIDER_SELECTION_STRATEGY_LABEL=LOAD_BALANCING
+FLASK_APP=run_celery_beat.py
+GA4_URL=https://www.google-analytics.com/mp/collect
+GITHUB_LOGIN_ENABLED=True
+GOOGLE_ANALYTICS_ENABLED=True
+GRANICUS_URL=https://stage-tms.govdelivery.com
+MPI_URL=https://int.services.eauth.va.gov:9303/int
+NIGHTLY_NOTIF_CSV_ENABLED=True
+NOTIFICATION_FAILURE_REASON_ENABLED=True
+NOTIFICATION_QUEUE_PREFIX=dev-notification-
+NOTIFY_EMAIL_FROM_USER=stage-notifications
+NOTIFY_ENVIRONMENT=development
+PINPOINT_INBOUND_SMS_ENABLED=True
+PINPOINT_RECEIPTS_ENABLED=True
+PLATFORM_STATS_ENABLED=True
+PROVIDER_STRATEGIES_ENABLED=True
+PUSH_NOTIFICATIONS_ENABLED=True
+REDIS_ENABLED=True
+SESSION_COOKIE_SECURE=True
+SMS_PROVIDER_SELECTION_STRATEGY_LABEL=HIGHEST_PRIORITY
+SMS_SENDER_RATE_LIMIT_ENABLED=True
+STATSD_HOST=localhost
+TEMPLATE_SERVICE_PROVIDERS_ENABLED=True
+TWILIO_ACCOUNT_SID=fake
+TWILIO_AUTH_TOKEN=fake
+UI_HOST_NAME=https://dev.notifications.va.gov
+VANOTIFY_SSL_CERT_PATH=/app/certs/vanotify_ssl_cert.pem
+VANOTIFY_SSL_KEY_PATH=/app/certs/vanotify_ssl_key.pem
+VA_FLAGSHIP_APP_SID=A20623E2321D4053A6C34C9307C6C221
+VA_ONSITE_URL=https://staging-api.va.gov
+VA_PROFILE_SMS_STATUS_ENABLED=True
+VA_PROFILE_URL=https://int.vaprofile.va.gov
+VA_SSO_ACCESS_TOKEN_URL=https://int.fed.eauth.va.gov/oauthi/sps/oauth/oauth20/token
+VA_SSO_AUTHORIZE_URL=https://int.fed.eauth.va.gov/oauthi/sps/oauth/oauth20/authorize
+VA_SSO_ENABLED=True
+VA_SSO_SERVER_METADATA_URL=https://int.fed.eauth.va.gov/oauthi/sps/oauth/oauth20/metadata/ISAMOP/.well-known/oauth-authorization-server
+VETEXT_SID=C9BEC63F53CE4C1D992CE73E8D1D8D94

cd/va-enp-api-task-definition.json

@@ -0,0 +1,165 @@
+{
+  "family": "${ENV}-va-enp-api-task",
+  "executionRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-execution-role",
+  "taskRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-role",
+  "networkMode": "awsvpc",
+  "containerDefinitions": [
+    {
+      "name": "${ENV}-va-enp-api",
+      "essential": true,
+      "image": "{will-be-replaced-by-ci}",
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "${ENV}-va-enp-api-log-group",
+          "awslogs-region": "${AWS_REGION}",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      "portMappings": [
+        {
+          "containerPort": 6011,
+          "hostPort": 6011
+        }
+      ],
+      "environmentFiles": [
+        {
+          "type": "s3",
+          "value": "arn:${AWS_ARN_REGION}:s3:::vanotify-environment-variables-${ENV}/va-enp-api/${ENV}.env"
+        }
+      ],
+      "environment": [
+        {
+          "name": "DD_SERVICE",
+          "value": "va-enp-api"
+        },
+        {
+          "name": "FLASK_APP",
+          "value": "application.py"
+        }
+      ],
+      "secrets": ${TASK_DEFINITION_SECRETS_JSON},
+      "healthCheck": {
+        "command": [
+          "CMD-SHELL",
+          "./scripts/wait_for_it.sh 127.0.0.1:6011 -t 0 || exit 1"
+        ],
+        "interval": 30,
+        "retries": 5,
+        "timeout": 10
+      }
+    },
+    {
+      "name": "datadog-agent",
+      "image": "${AWS_ACCOUNT_NUMBER}.dkr.ecr.${AWS_REGION}.amazonaws.com/datadog/agent:7.57.2",
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "${ENV}-va-enp-api-datadog-log-group",
+          "awslogs-region": "${AWS_REGION}",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      "portMappings": [
+        {
+          "containerPort": 8125,
+          "hostPort": 8125,
+          "protocol": "udp"
+        },
+        {
+          "containerPort": 8126,
+          "hostPort": 8126,
+          "protocol": "tcp"
+        }
+      ],
+      "environment": [
+        {
+          "name": "DD_APM_NON_LOCAL_TRAFFIC",
+          "value": "true"
+        },
+        {
+          "name": "DD_LOGS_ENABLED",
+          "value": "true"
+        },
+        {
+          "name": "DD_APM_TELEMETRY_ENABLED",
+          "value": "false"
+        },
+        {
+          "name": "DD_PROCESS_AGENT_ENABLED",
+          "value": "true"
+        },
+        {
+          "name": "ECS_FARGATE",
+          "value": "true"
+        },
+        {
+          "name": "DD_SITE",
+          "value": "ddog-gov.com"
+        },
+        {
+          "name": "DD_APM_ENABLED",
+          "value": "true"
+        },
+        {
+          "name": "DD_ENV",
+          "value": "${ENV}"
+        },
+        {
+          "name": "DD_SERVICE",
+          "value": "va-enp-api"
+        },
+        {
+          "name": "DD_APM_FEATURES",
+          "value": "enable_cid_stats"
+        },
+        {
+          "name": "DD_PROFILING_ENABLE_CODE_PROVENANCE",
+          "value": "true"
+        }
+      ],
+      "secrets": [
+        {
+          "name": "DD_API_KEY",
+          "valueFrom": "${DD_API_KEY}"
+        }
+      ]
+    }
+  ],
+  "requiresCompatibilities": [
+    "FARGATE"
+  ],
+  "cpu": "2048",
+  "pidMode": "task",
+  "memory": "4096",
+  "tags": [
+    {
+      "key": "Stack",
+      "value": "application-deployment"
+    },
+    {
+      "key": "Environment",
+      "value": "${ENV}"
+    },
+    {
+      "key": "Team",
+      "value": "vanotify"
+    },
+    {
+      "key": "ManagedBy",
+      "value": "CI"
+    },
+    {
+      "key": "VAECID",
+      "value": "AWG20200714002"
+    },
+    {
+      "key": "ProjectName",
+      "value": "VA Notify"
+    },
+    {
+      "key": "ProjectShort",
+      "value": "NOTIFY"
+    }
+  ]
+}