
Commit 3f81ddf

committed
Add task definition with GHA
1 parent 99ca34a commit 3f81ddf


5 files changed

+281
-0
lines changed

@@ -0,0 +1,59 @@
1+
name: "ECS Task Render & Deploy"
2+
description: "Renders an ECS task definition from a template (with secret substitutions) and deploys it to ECS. Additionally uploads an environment file."
3+
inputs:
4+
task-definition-path:
5+
description: "Path to the ECS Task Definition template file (e.g. task-definition.template.json)"
6+
required: true
7+
default: "task-definition.json"
8+
container-name:
9+
description: "The container name to update"
10+
required: true
11+
image:
12+
description: "The container image to substitute in the task definition"
13+
required: true
14+
aws-access-key-id:
15+
description: 'AWS Access Key ID'
16+
required: true
17+
aws-secret-access-key:
18+
description: 'AWS Secret Access Key'
19+
required: true
20+
role-to-assume:
21+
description: 'AWS role to assume'
22+
required: true
23+
24+
runs:
25+
using: "composite"
26+
steps:
27+
- name: Checkout Repository
28+
uses: actions/checkout@v3
29+
30+
- name: Configure VAEC AWS Credentials
31+
uses: aws-actions/configure-aws-credentials@v4
32+
with:
33+
aws-access-key-id: ${{ inputs.aws-access-key-id }}
34+
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
35+
aws-region: us-gov-west-1
36+
role-to-assume: ${{ inputs.role-to-assume }}
37+
role-skip-session-tagging: true
38+
role-duration-seconds: 900
39+
40+
- name: Upload Env File to S3
41+
shell: bash
42+
run: |
43+
aws s3 cp cd/${ENV}.env s3://vanotify-environment-variables-dev/va-enp-api/
44+
45+
- name: Pre-render Task Definition
46+
id: pre_render
47+
shell: bash
48+
run: |
49+
echo "Rendering template with envsubst..."
50+
# Substitute environment variables in the task definition file
51+
envsubst < "${{ inputs.task-definition-path }}" > task-definition.json
52+
53+
- name: Render Task Definition
54+
id: render
55+
uses: aws-actions/amazon-ecs-render-task-definition@v1
56+
with:
57+
task-definition: ./task-definition.json
58+
container-name: ${{ inputs.container-name }}
59+
image: ${{ inputs.image }}

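--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,49 @@
+name: Deploy to ENV
+## Right now, this workflow is being used to test the rendering of task definitions. This will be extended to be
+## the workflow used that deploys to any arbitrary environment as part of https://github.com/department-of-veterans-affairs/va-enp-api/issues/76#issue-2669422105
+
+on:
+push:
+branches:
+- "75-task-definitions"
+workflow_dispatch:
+inputs:
+environment:
+type: choice
+description: Environment to deploy
+default: dev
+options:
+- dev
+- perf
+- staging
+- prod
+ref:
+description: "Branch or Commit"
+default: main
+required: true
+type: string
+
+jobs:
+deploy:
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v4
+
+- name: Renders task definition and deploys to
+uses: ./.github/actions/ecs-task-render-deploy
+with:
+task-definition-path: "./cd/va-enp-api-task-definition.json"
+container-name: "dev-va-enp-api"
+image: nginx:latest ## using this for now because we don't have ENP images yet
+aws-access-key-id: ${{ secrets.VAEC_AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.VAEC_AWS_SECRET_ACCESS_KEY }}
+aws-region: ${{ secrets.AWS_REGION }}
+role-to-assume: ${{ secrets.VAEC_DEPLOY_ROLE }}
+env:
+AWS_ARN_REGION: ${{ secrets.AWS_ARN_REGION }}
+AWS_ACCOUNT_NUMBER: ${{ secrets.AWS_ACCOUNT_NUMBER }}
+AWS_REGION: ${{ secrets.AWS_REGION }}
+TASK_DEFINITION_SECRETS_JSON: ${{ secrets.DEV_TASK_DEFINITION_SECRETS_JSON }}
+DD_API_KEY: ${{ secrets.DD_API_KEY }}
+ENV: "dev"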
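Review bot: `aws-region: ${{ secrets.AWS_REGION }}` on line 41 is passed to `./.github/actions/ecs-task-render-deploy`, but the composite action in the first hunk of this commit declares no `aws-region` input and hard-codes `aws-region: us-gov-west-1` in its configure-credentials step, so GitHub emits an "unexpected input" warning and the value is ignored; either declare the input in the action (and use it in that step and in the S3 bucket name) or remove line 41. The `workflow_dispatch` inputs `environment` and `ref` are likewise unused: `ENV: "dev"`, `container-name: "dev-va-enp-api"` and `secrets.DEV_TASK_DEFINITION_SECRETS_JSON` hard-code dev, `actions/checkout@v4` is not given `ref`, and the action's upload step targets the literal `vanotify-environment-variables-dev` bucket, so a dispatch for `perf` or `prod` would still deploy dev (the header comment says this is a test workflow for now, but the extension it promises should not inherit these). The job also sets no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` scopes although it only needs `permissions: contents: read`, and binding it to a GitHub `environment:` would let environment-scoped secrets and protection rules gate the `prod` option. Since the action checks the repository out again with `actions/checkout@v3` and this workflow already does so with v4, one of the two checkouts is redundant.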

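--- a/cd/dev.env
+++ b/cd/dev.env
@@ -0,0 +1,4 @@
+ENP_ALGORITHM=foo
+ENP_ACCESS_TOKEN_EXPIRE_SECONDS=bar
+MAX_RETRIES=foo
+DB_NAME=va_enp_api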
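Review bot: `ENP_ALGORITHM=foo`, `ENP_ACCESS_TOKEN_EXPIRE_SECONDS=bar` and `MAX_RETRIES=foo` are placeholders, yet the action's upload step copies `cd/${ENV}.env` into the S3 bucket that the task definition's `environmentFiles` entry points at, so they become the live environment of the ECS task; the two that name seconds and a retry count presumably must parse as integers, which these values will not. `cd/perf.env` in the next section is byte-identical to this file, so the per-environment split does not yet distinguish anything. A one-line comment at the top, such as `# placeholder values — replace before this file is uploaded for a real environment`, would make the status obvious to whoever extends the deploy workflow.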

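--- a/cd/perf.env
+++ b/cd/perf.env
@@ -0,0 +1,4 @@
+ENP_ALGORITHM=foo
+ENP_ACCESS_TOKEN_EXPIRE_SECONDS=bar
+MAX_RETRIES=foo
+DB_NAME=va_enp_api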

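--- a/cd/va-enp-api-task-definition.json
+++ b/cd/va-enp-api-task-definition.json
@@ -0,0 +1,165 @@
+{
+"family": "${ENV}-va-enp-api-task",
+"executionRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-execution-role",
+"taskRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-role",
+"networkMode": "awsvpc",
+"containerDefinitions": [
+{
+"name": "${ENV}-va-enp-api",
+"essential": true,
+"image": "{will-be-replaced-by-ci}",
+"logConfiguration": {
+"logDriver": "awslogs",
+"options": {
+"awslogs-group": "${ENV}-va-enp-api-log-group",
+"awslogs-region": "${AWS_REGION}",
+"awslogs-stream-prefix": "ecs"
+}
+},
+"portMappings": [
+{
+"containerPort": 6011,
+"hostPort": 6011
+}
+],
+"environmentFiles": [
+{
+"type": "s3",
+"value": "arn:${AWS_ARN_REGION}:s3:::vanotify-environment-variables-${ENV}/va-enp-api/${ENV}.env"
+}
+],
+"environment": [
+{
+"name": "DD_SERVICE",
+"value": "va-enp-api"
+},
+{
+"name": "FLASK_APP",
+"value": "application.py"
+}
+],
+"secrets": ${TASK_DEFINITION_SECRETS_JSON},
+"healthCheck": {
+"command": [
+"CMD-SHELL",
+"./scripts/wait_for_it.sh 127.0.0.1:6011 -t 0 || exit 1"
+],
+"interval": 30,
+"retries": 5,
+"timeout": 10
+}
+},
+{
+"name": "datadog-agent",
+"image": "${AWS_ACCOUNT_NUMBER}.dkr.ecr.${AWS_REGION}.amazonaws.com/datadog/agent:7.57.2",
+"logConfiguration": {
+"logDriver": "awslogs",
+"options": {
+"awslogs-group": "${ENV}-va-enp-api-datadog-log-group",
+"awslogs-region": "${AWS_REGION}",
+"awslogs-stream-prefix": "ecs"
+}
+},
+"portMappings": [
+{
+"containerPort": 8125,
+"hostPort": 8125,
+"protocol": "udp"
+},
+{
+"containerPort": 8126,
+"hostPort": 8126,
+"protocol": "tcp"
+}
+],
+"environment": [
+{
+"name": "DD_APM_NON_LOCAL_TRAFFIC",
+"value": "true"
+},
+{
+"name": "DD_LOGS_ENABLED",
+"value": "true"
+},
+{
+"name": "DD_APM_TELEMETRY_ENABLED",
+"value": "false"
+},
+{
+"name": "DD_PROCESS_AGENT_ENABLED",
+"value": "true"
+},
+{
+"name": "ECS_FARGATE",
+"value": "true"
+},
+{
+"name": "DD_SITE",
+"value": "ddog-gov.com"
+},
+{
+"name": "DD_APM_ENABLED",
+"value": "true"
+},
+{
+"name": "DD_ENV",
+"value": "${ENV}"
+},
+{
+"name": "DD_SERVICE",
+"value": "va-enp-api"
+},
+{
+"name": "DD_APM_FEATURES",
+"value": "enable_cid_stats"
+},
+{
+"name": "DD_PROFILING_ENABLE_CODE_PROVENANCE",
+"value": "true"
+}
+],
+"secrets": [
+{
+"name": "DD_API_KEY",
+"valueFrom": "${DD_API_KEY}"
+}
+]
+}
+],
+"requiresCompatibilities": [
+"FARGATE"
+],
+"cpu": "2048",
+"pidMode": "task",
+"memory": "4096",
+"tags": [
+{
+"key": "Stack",
+"value": "application-deployment"
+},
+{
+"key": "Environment",
+"value": "${ENV}"
+},
+{
+"key": "Team",
+"value": "vanotify"
+},
+{
+"key": "ManagedBy",
+"value": "CI"
+},
+{
+"key": "VAECID",
+"value": "AWG20200714002"
+},
+{
+"key": "ProjectName",
+"value": "VA Notify"
+},
+{
+"key": "ProjectShort",
+"value": "NOTIFY"
+}
+]
+}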
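Review bot: `"valueFrom": "${DD_API_KEY}"` on line 124 is filled from the `DD_API_KEY` GitHub secret by the action's `envsubst` step, and ECS `valueFrom` expects a Secrets Manager or SSM Parameter ARN; if that secret holds the raw Datadog key rather than an ARN, the key itself is written into `task-definition.json` on the runner and registered in the task definition, where any principal allowed `ecs:DescribeTaskDefinition` can read it — confirm the secret is the ARN, and consider naming it `DD_API_KEY_ARN` so the distinction is visible in the workflow. `"secrets": ${TASK_DEFINITION_SECRETS_JSON},` on line 41 splices a whole JSON array in verbatim, so the template is not valid JSON until rendered and an empty or malformed secret only fails at the render step; a `jq -e . task-definition.json` after `envsubst` in the action would fail early with a clearer message. The `datadog-agent` container sets no `essential` flag, which ECS treats as `true`, so an agent crash stops the `${ENV}-va-enp-api` container as well — add `"essential": false` if the API should outlive the agent. `{will-be-replaced-by-ci}` here is currently replaced with the mutable `nginx:latest` tag from the workflow; once ENP images exist, passing an immutable digest keeps the registered task definition reproducible.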
