
Commit f48c879

#75 - Add task definition with GHA to render definition and push env file (#149)
Co-authored-by: Evan Parish <[email protected]>
1 parent 99ca34a commit f48c879

5 files changed

+280
-0
lines changed

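--- /dev/null
+++ b/.github/actions/ecs-task-render-deploy/ACTION_FILE_NAME_NOT_SHOWN
@@ -0,0 +1,61 @@
+name: "ECS Task Render & Deploy"
+description: "Renders an ECS task definition from a template (with secret substitutions) and deploys it to ECS. Additionally uploads an environment file."
+inputs:
+  task-definition-path:
+    description: "Path to the ECS Task Definition template file (e.g. task-definition.template.json)"
+    required: true
+  container-name:
+    description: "The container name to update"
+    required: true
+  image:
+    description: "The container image to substitute in the task definition"
+    required: true
+  aws-access-key-id:
+    description: 'AWS Access Key ID'
+    required: true
+  aws-secret-access-key:
+    description: 'AWS Secret Access Key'
+    required: true
+  aws-region:
+    description: "The AWS region to render and deploy to."
+    required: true
+  role-to-assume:
+    description: 'AWS role to assume'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v3
+
+    - name: Configure VAEC AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ inputs.aws-access-key-id }}
+        aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
+        aws-region: ${{ inputs.aws-region }}
+        role-to-assume: ${{ inputs.role-to-assume }}
+        role-skip-session-tagging: true
+        role-duration-seconds: 900
+
+    - name: Upload Env File to S3
+      shell: bash
+      run: |
+        aws s3 cp cd/${ENV}.env s3://vanotify-environment-variables-dev/va-enp-api/
+
+    - name: Pre-render Task Definition
+      id: pre_render
+      shell: bash
+      run: |
+        echo "Rendering template with envsubst..."
+        # Substitute environment variables in the task definition file
+        envsubst < "${{ inputs.task-definition-path }}" > task-definition.json
+
+    - name: Render Task Definition
+      id: render
+      uses: aws-actions/amazon-ecs-render-task-definition@v1
+      with:
+        task-definition: ./task-definition.json
+        container-name: ${{ inputs.container-name }}
+        image: ${{ inputs.image }}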
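Review bot: The env-file upload at line 45 targets the hard-coded bucket `s3://vanotify-environment-variables-dev/...`, while the task definition template reads `vanotify-environment-variables-${ENV}`, so a perf run would upload to the dev bucket and the perf task would load whatever stale file is in the perf bucket; the step should be `aws s3 cp "cd/${ENV}.env" "s3://vanotify-environment-variables-${ENV}/va-enp-api/"`. `ENV` is required by that step and by the envsubst step but is not a declared input, so it deserves an `inputs.env` entry or at least a comment in `description` saying the caller must export `ENV`. The `actions/checkout@v3` step at lines 29–30 runs with no `ref`, so as far as the checkout defaults go it re-checks out the triggering commit on top of the caller's checkout, which in deploy.yml would discard the `inputs.ref` selection; since the caller already checks out, this step (and its v3/v4 mismatch with the caller) can be dropped. Finally, the description promises a deploy, but the last step only renders — either add the deploy step or reword it to `description: "Renders an ECS task definition from a template (with envsubst) and uploads an environment file; deployment is not yet implemented."`.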

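--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,46 @@
+name: Deploy to ENV
+## Right now, this workflow is being used to test the rendering of task definitions. This will be extended to be
+## the workflow used that deploys to any arbitrary environment as part of https://github.com/department-of-veterans-affairs/va-enp-api/issues/76#issue-2669422105
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        description: Environment to deploy
+        default: dev
+        options:
+          - dev
+          - perf
+      ref:
+        description: "Branch or Commit"
+        default: main
+        required: true
+        type: string
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Renders task definition for ${{ inputs.environment }}
+        uses: ./.github/actions/ecs-task-render-deploy
+        with:
+          task-definition-path: "./cd/va-enp-api-task-definition.json"
+          container-name: "${{ inputs.environment }}-va-enp-api"
+          image: nginx:latest ## using this for now because we don't have ENP images yet
+          aws-access-key-id: ${{ secrets.VAEC_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.VAEC_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.VAEC_DEPLOY_ROLE }}
+        env:
+          AWS_ARN_REGION: ${{ secrets.AWS_ARN_REGION }}
+          AWS_ACCOUNT_NUMBER: ${{ secrets.AWS_ACCOUNT_NUMBER }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          TASK_DEFINITION_SECRETS_JSON: ${{ secrets.DEV_TASK_DEFINITION_SECRETS_JSON }}
+          DD_API_KEY: ${{ secrets.DD_API_KEY }}
+          ENV: ${{ inputs.environment }}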
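Review bot: `TASK_DEFINITION_SECRETS_JSON` at line 44 is always read from `secrets.DEV_TASK_DEFINITION_SECRETS_JSON`, although the `environment` input also offers `perf`, so a perf render would be built with the dev secret references. Declaring `environment: ${{ inputs.environment }}` on the `deploy` job and storing the value as an environment-scoped `TASK_DEFINITION_SECRETS_JSON` secret lets one expression resolve per environment, and it also gates the run behind that environment's protection rules. The job declares no `permissions:` block; it only reads the repository and authenticates to AWS with the supplied keys, so a job-level `permissions:` with `contents: read` keeps the `GITHUB_TOKEN` at the minimum. The `image: nginx:latest` placeholder is explained by its inline comment, but a `## TODO:` prefix there would make it easier to find once real images exist.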

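--- /dev/null
+++ b/cd/dev.env
@@ -0,0 +1,4 @@
+ENP_ALGORITHM=HS256
+ENP_ACCESS_TOKEN_EXPIRE_SECONDS=60
+MAX_RETRIES=2886
+DB_NAME=va_enp_api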
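Review bot: `cd/dev.env` and `cd/perf.env` are byte-identical, which suggests the values that are meant to differ per environment have not been set yet; a short header comment naming which keys are expected to diverge would stop the two files drifting unnoticed. These files are uploaded to S3 by the action and loaded by the task through `environmentFiles`, so they must stay non-secret — sensitive values belong in the task definition's `secrets` block. A first line such as `# Non-secret runtime settings for dev; uploaded to S3 and loaded via environmentFiles. Secrets go in the task-definition secrets block.` (ECS env files treat `#` lines as comments) would make that boundary explicit; the same applies to `cd/perf.env`.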

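--- /dev/null
+++ b/cd/perf.env
@@ -0,0 +1,4 @@
+ENP_ALGORITHM=HS256
+ENP_ACCESS_TOKEN_EXPIRE_SECONDS=60
+MAX_RETRIES=2886
+DB_NAME=va_enp_api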

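--- /dev/null
+++ b/cd/va-enp-api-task-definition.json
@@ -0,0 +1,165 @@
+{
+  "family": "${ENV}-va-enp-api-task",
+  "executionRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-execution-role",
+  "taskRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-role",
+  "networkMode": "awsvpc",
+  "containerDefinitions": [
+    {
+      "name": "${ENV}-va-enp-api",
+      "essential": true,
+      "image": "{will-be-replaced-by-ci}",
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "${ENV}-va-enp-api-log-group",
+          "awslogs-region": "${AWS_REGION}",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      "portMappings": [
+        {
+          "containerPort": 6011,
+          "hostPort": 6011
+        }
+      ],
+      "environmentFiles": [
+        {
+          "type": "s3",
+          "value": "arn:${AWS_ARN_REGION}:s3:::vanotify-environment-variables-${ENV}/va-enp-api/${ENV}.env"
+        }
+      ],
+      "environment": [
+        {
+          "name": "DD_SERVICE",
+          "value": "va-enp-api"
+        },
+        {
+          "name": "FLASK_APP",
+          "value": "application.py"
+        }
+      ],
+      "secrets": ${TASK_DEFINITION_SECRETS_JSON},
+      "healthCheck": {
+        "command": [
+          "CMD-SHELL",
+          "./scripts/wait_for_it.sh 127.0.0.1:6011 -t 0 || exit 1"
+        ],
+        "interval": 30,
+        "retries": 5,
+        "timeout": 10
+      }
+    },
+    {
+      "name": "datadog-agent",
+      "image": "${AWS_ACCOUNT_NUMBER}.dkr.ecr.${AWS_REGION}.amazonaws.com/datadog/agent:7.57.2",
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "${ENV}-va-enp-api-datadog-log-group",
+          "awslogs-region": "${AWS_REGION}",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      "portMappings": [
+        {
+          "containerPort": 8125,
+          "hostPort": 8125,
+          "protocol": "udp"
+        },
+        {
+          "containerPort": 8126,
+          "hostPort": 8126,
+          "protocol": "tcp"
+        }
+      ],
+      "environment": [
+        {
+          "name": "DD_APM_NON_LOCAL_TRAFFIC",
+          "value": "true"
+        },
+        {
+          "name": "DD_LOGS_ENABLED",
+          "value": "true"
+        },
+        {
+          "name": "DD_APM_TELEMETRY_ENABLED",
+          "value": "false"
+        },
+        {
+          "name": "DD_PROCESS_AGENT_ENABLED",
+          "value": "true"
+        },
+        {
+          "name": "ECS_FARGATE",
+          "value": "true"
+        },
+        {
+          "name": "DD_SITE",
+          "value": "ddog-gov.com"
+        },
+        {
+          "name": "DD_APM_ENABLED",
+          "value": "true"
+        },
+        {
+          "name": "DD_ENV",
+          "value": "${ENV}"
+        },
+        {
+          "name": "DD_SERVICE",
+          "value": "va-enp-api"
+        },
+        {
+          "name": "DD_APM_FEATURES",
+          "value": "enable_cid_stats"
+        },
+        {
+          "name": "DD_PROFILING_ENABLE_CODE_PROVENANCE",
+          "value": "true"
+        }
+      ],
+      "secrets": [
+        {
+          "name": "DD_API_KEY",
+          "valueFrom": "${DD_API_KEY}"
+        }
+      ]
+    }
+  ],
+  "requiresCompatibilities": [
+    "FARGATE"
+  ],
+  "cpu": "2048",
+  "pidMode": "task",
+  "memory": "4096",
+  "tags": [
+    {
+      "key": "Stack",
+      "value": "application-deployment"
+    },
+    {
+      "key": "Environment",
+      "value": "${ENV}"
+    },
+    {
+      "key": "Team",
+      "value": "vanotify"
+    },
+    {
+      "key": "ManagedBy",
+      "value": "CI"
+    },
+    {
+      "key": "VAECID",
+      "value": "AWG20200714002"
+    },
+    {
+      "key": "ProjectName",
+      "value": "VA Notify"
+    },
+    {
+      "key": "ProjectShort",
+      "value": "NOTIFY"
+    }
+  ]
+}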
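Review bot: `"secrets": ${TASK_DEFINITION_SECRETS_JSON},` at line 41 splices a whole JSON array out of an environment variable with no quoting, so an unset or empty variable renders as `"secrets": ,` and the breakage only surfaces when the render action parses the file; a `jq -e . task-definition.json` check right after the envsubst step in the action would fail fast, and since JSON has no comments the expected shape (an array of `{"name": ..., "valueFrom": ...}` objects) should be documented there or in a README next to this template. `"valueFrom": "${DD_API_KEY}"` at line 124 expects an SSM parameter or Secrets Manager ARN; if the `DD_API_KEY` GitHub secret holds the key value itself — which cannot be confirmed from this page — envsubst would write the raw key into the rendered file and the registered task definition, readable by anyone who can describe task definitions, so it is worth confirming the secret holds the ARN and naming it so (`DD_API_KEY_ARN`, for example). The health check at line 45 passes `-t 0`, which in wait_for_it conventionally disables the script's own timeout, so an unhealthy container is only reported once ECS's `timeout: 10` kills the probe; a script-side bound below 10 seconds, e.g. `-t 5`, makes the failure explicit.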
