#75 - Add task definition with GHA to render definition and push env file (#149)

coreycarvalho · EvanParish · web-flow · commit f48c879908f8 · 2025-01-24T19:45:08.000Z
Co-authored-by: Evan Parish &lt;104009494+EvanParish@users.noreply.github.com&gt;
diff --git a/.github/actions/ecs-task-render-deploy/action.yml b/.github/actions/ecs-task-render-deploy/action.yml
@@ -0,0 +1,61 @@
+name: "ECS Task Render & Deploy"
+description: "Renders an ECS task definition from a template (with secret substitutions) and deploys it to ECS. Additionally uploads an environment file."
+inputs:
+  task-definition-path:
+    description: "Path to the ECS Task Definition template file (e.g. task-definition.template.json)"
+    required: true
+  container-name:
+    description: "The container name to update"
+    required: true
+  image:
+    description: "The container image to substitute in the task definition"
+    required: true
+  aws-access-key-id:
+    description: 'AWS Access Key ID'
+    required: true
+  aws-secret-access-key:
+    description: 'AWS Secret Access Key'
+    required: true
+  aws-region:
+    description: "The AWS region to render and deploy to."
+    required: true
+  role-to-assume:
+    description: 'AWS role to assume'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v3
+          
+    - name: Configure VAEC AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ inputs.aws-access-key-id }}
+        aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
+        aws-region: ${{ inputs.aws-region }}
+        role-to-assume: ${{ inputs.role-to-assume }}
+        role-skip-session-tagging: true
+        role-duration-seconds: 900
+
+    - name: Upload Env File to S3
+      shell: bash
+      run: |
+        aws s3 cp cd/${ENV}.env s3://vanotify-environment-variables-dev/va-enp-api/
+
+    - name: Pre-render Task Definition
+      id: pre_render
+      shell: bash
+      run: |
+        echo "Rendering template with envsubst..."
+        # Substitute environment variables in the task definition file
+        envsubst < "${{ inputs.task-definition-path }}" > task-definition.json
+
+    - name: Render Task Definition
+      id: render
+      uses: aws-actions/amazon-ecs-render-task-definition@v1
+      with:
+        task-definition: ./task-definition.json
+        container-name: ${{ inputs.container-name }}
+        image: ${{ inputs.image }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,46 @@
+name: Deploy to ENV
+ ## Right now, this workflow is being used to test the rendering of task definitions. This will be extended to be
+ ## the workflow used that deploys to any arbitrary environment as part of https://github.com/department-of-veterans-affairs/va-enp-api/issues/76#issue-2669422105
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        description: Environment to deploy
+        default: dev
+        options:
+          - dev
+          - perf
+      ref:
+        description: "Branch or Commit"
+        default: main
+        required: true
+        type: string
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Renders task definition for ${{ inputs.environment }}
+        uses: ./.github/actions/ecs-task-render-deploy
+        with:
+          task-definition-path: "./cd/va-enp-api-task-definition.json"
+          container-name: "${{ inputs.environment }}-va-enp-api"
+          image: nginx:latest ## using this for now because we don't have ENP images yet
+          aws-access-key-id: ${{ secrets.VAEC_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.VAEC_AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.VAEC_DEPLOY_ROLE }}
+        env:
+          AWS_ARN_REGION: ${{ secrets.AWS_ARN_REGION }}
+          AWS_ACCOUNT_NUMBER: ${{ secrets.AWS_ACCOUNT_NUMBER }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          TASK_DEFINITION_SECRETS_JSON: ${{ secrets.DEV_TASK_DEFINITION_SECRETS_JSON }}
+          DD_API_KEY: ${{ secrets.DD_API_KEY }}
+          ENV: ${{ inputs.environment }}
diff --git a/cd/dev.env b/cd/dev.env
@@ -0,0 +1,4 @@
+ENP_ALGORITHM=HS256
+ENP_ACCESS_TOKEN_EXPIRE_SECONDS=60
+MAX_RETRIES=2886
+DB_NAME=va_enp_api
diff --git a/cd/perf.env b/cd/perf.env
@@ -0,0 +1,4 @@
+ENP_ALGORITHM=HS256
+ENP_ACCESS_TOKEN_EXPIRE_SECONDS=60
+MAX_RETRIES=2886
+DB_NAME=va_enp_api
diff --git a/cd/va-enp-api-task-definition.json b/cd/va-enp-api-task-definition.json
@@ -0,0 +1,165 @@
+{
+  "family": "${ENV}-va-enp-api-task",
+  "executionRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-execution-role",
+  "taskRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-role",
+  "networkMode": "awsvpc",
+  "containerDefinitions": [
+    {
+      "name": "${ENV}-va-enp-api",
+      "essential": true,
+      "image": "{will-be-replaced-by-ci}",
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "${ENV}-va-enp-api-log-group",
+          "awslogs-region": "${AWS_REGION}",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      "portMappings": [
+        {
+          "containerPort": 6011,
+          "hostPort": 6011
+        }
+      ],
+      "environmentFiles": [
+        {
+          "type": "s3",
+          "value": "arn:${AWS_ARN_REGION}:s3:::vanotify-environment-variables-${ENV}/va-enp-api/${ENV}.env"
+        }
+      ],
+      "environment": [
+        {
+          "name": "DD_SERVICE",
+          "value": "va-enp-api"
+        },
+        {
+          "name": "FLASK_APP",
+          "value": "application.py"
+        }
+      ],
+      "secrets": ${TASK_DEFINITION_SECRETS_JSON},
+      "healthCheck": {
+        "command": [
+          "CMD-SHELL",
+          "./scripts/wait_for_it.sh 127.0.0.1:6011 -t 0 || exit 1"
+        ],
+        "interval": 30,
+        "retries": 5,
+        "timeout": 10
+      }
+    },
+    {
+      "name": "datadog-agent",
+      "image": "${AWS_ACCOUNT_NUMBER}.dkr.ecr.${AWS_REGION}.amazonaws.com/datadog/agent:7.57.2",
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "${ENV}-va-enp-api-datadog-log-group",
+          "awslogs-region": "${AWS_REGION}",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      "portMappings": [
+        {
+          "containerPort": 8125,
+          "hostPort": 8125,
+          "protocol": "udp"
+        },
+        {
+          "containerPort": 8126,
+          "hostPort": 8126,
+          "protocol": "tcp"
+        }
+      ],
+      "environment": [
+        {
+          "name": "DD_APM_NON_LOCAL_TRAFFIC",
+          "value": "true"
+        },
+        {
+          "name": "DD_LOGS_ENABLED",
+          "value": "true"
+        },
+        {
+          "name": "DD_APM_TELEMETRY_ENABLED",
+          "value": "false"
+        },
+        {
+          "name": "DD_PROCESS_AGENT_ENABLED",
+          "value": "true"
+        },
+        {
+          "name": "ECS_FARGATE",
+          "value": "true"
+        },
+        {
+          "name": "DD_SITE",
+          "value": "ddog-gov.com"
+        },
+        {
+          "name": "DD_APM_ENABLED",
+          "value": "true"
+        },
+        {
+          "name": "DD_ENV",
+          "value": "${ENV}"
+        },
+        {
+          "name": "DD_SERVICE",
+          "value": "va-enp-api"
+        },
+        {
+          "name": "DD_APM_FEATURES",
+          "value": "enable_cid_stats"
+        },
+        {
+          "name": "DD_PROFILING_ENABLE_CODE_PROVENANCE",
+          "value": "true"
+        }
+      ],
+      "secrets": [
+        {
+          "name": "DD_API_KEY",
+          "valueFrom": "${DD_API_KEY}"
+        }
+      ]
+    }
+  ],
+  "requiresCompatibilities": [
+    "FARGATE"
+  ],
+  "cpu": "2048",
+  "pidMode": "task",
+  "memory": "4096",
+  "tags": [
+    {
+      "key": "Stack",
+      "value": "application-deployment"
+    },
+    {
+      "key": "Environment",
+      "value": "${ENV}"
+    },
+    {
+      "key": "Team",
+      "value": "vanotify"
+    },
+    {
+      "key": "ManagedBy",
+      "value": "CI"
+    },
+    {
+      "key": "VAECID",
+      "value": "AWG20200714002"
+    },
+    {
+      "key": "ProjectName",
+      "value": "VA Notify"
+    },
+    {
+      "key": "ProjectShort",
+      "value": "NOTIFY"
+    }
+  ]
+}
