

#75 - Add task definition with GHA to render definition and push env …
…file (#149)

Co-authored-by: Evan Parish <[email protected]>
coreycarvalho and EvanParish authored Jan 24, 2025
1 parent 99ca34a commit f48c879
Showing 5 changed files with 280 additions and 0 deletions.
61 changes: 61 additions & 0 deletions .github/actions/ecs-task-render-deploy/action.yml
@@ -0,0 +1,61 @@
name: "ECS Task Render & Deploy"
description: "Renders an ECS task definition from a template (with secret substitutions) and deploys it to ECS. Additionally uploads an environment file."
inputs:
task-definition-path:
description: "Path to the ECS Task Definition template file (e.g. task-definition.template.json)"
required: true
container-name:
description: "The container name to update"
required: true
image:
description: "The container image to substitute in the task definition"
required: true
aws-access-key-id:
description: 'AWS Access Key ID'
required: true
aws-secret-access-key:
description: 'AWS Secret Access Key'
required: true
aws-region:
description: "The AWS region to render and deploy to."
required: true
role-to-assume:
description: 'AWS role to assume'
required: true

runs:
using: "composite"
steps:
- name: Checkout Repository
uses: actions/checkout@v3

- name: Configure VAEC AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
aws-region: ${{ inputs.aws-region }}
role-to-assume: ${{ inputs.role-to-assume }}
role-skip-session-tagging: true
role-duration-seconds: 900

- name: Upload Env File to S3
shell: bash
run: |
aws s3 cp cd/${ENV}.env s3://vanotify-environment-variables-dev/va-enp-api/
- name: Pre-render Task Definition
id: pre_render
shell: bash
run: |
echo "Rendering template with envsubst..."
# Substitute environment variables in the task definition file
envsubst < "${{ inputs.task-definition-path }}" > task-definition.json
- name: Render Task Definition
id: render
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ./task-definition.json
container-name: ${{ inputs.container-name }}
image: ${{ inputs.image }}
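Review bot: The destination in the `Upload Env File to S3` step hard-codes the `dev` bucket, while the task-definition template this action renders points the container's `environmentFiles` at `vanotify-environment-variables-${ENV}`, so for any environment other than `dev` the file lands in one bucket and the task reads from another. Suggest `aws s3 cp "cd/${ENV}.env" "s3://vanotify-environment-variables-${ENV}/va-enp-api/"`, and since `ENV` is not a declared input of this composite action, either add it as an input or state in the step that the caller must supply it via `env`. The `Checkout Repository` step runs `actions/checkout@v3` with no `ref`, which falls back to the triggering commit and can therefore overwrite a checkout the calling workflow already made at a different `ref`; consider dropping the step or passing the ref through as an input. The description also promises a deploy to ECS, but the visible steps end at rendering and the `render` step's output is never consumed, so the description should say "renders" until a deploy step exists.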
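--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,46 @@
+name: Deploy to ENV
+## Right now, this workflow is being used to test the rendering of task definitions. This will be extended to be
+## the workflow used that deploys to any arbitrary environment as part of https://github.com/department-of-veterans-affairs/va-enp-api/issues/76#issue-2669422105
+
+on:
+workflow_dispatch:
+inputs:
+environment:
+type: choice
+description: Environment to deploy
+default: dev
+options:
+- dev
+- perf
+ref:
+description: "Branch or Commit"
+default: main
+required: true
+type: string
+
+jobs:
+deploy:
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v4
+with:
+ref: ${{ inputs.ref }}
+
+- name: Renders task definition for ${{ inputs.environment }}
+uses: ./.github/actions/ecs-task-render-deploy
+with:
+task-definition-path: "./cd/va-enp-api-task-definition.json"
+container-name: "${{ inputs.environment }}-va-enp-api"
+image: nginx:latest ## using this for now because we don't have ENP images yet
+aws-access-key-id: ${{ secrets.VAEC_AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.VAEC_AWS_SECRET_ACCESS_KEY }}
+aws-region: ${{ secrets.AWS_REGION }}
+role-to-assume: ${{ secrets.VAEC_DEPLOY_ROLE }}
+env:
+AWS_ARN_REGION: ${{ secrets.AWS_ARN_REGION }}
+AWS_ACCOUNT_NUMBER: ${{ secrets.AWS_ACCOUNT_NUMBER }}
+AWS_REGION: ${{ secrets.AWS_REGION }}
+TASK_DEFINITION_SECRETS_JSON: ${{ secrets.DEV_TASK_DEFINITION_SECRETS_JSON }}
+DD_API_KEY: ${{ secrets.DD_API_KEY }}
+ENV: ${{ inputs.environment }}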
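Review bot: `TASK_DEFINITION_SECRETS_JSON` is always read from `secrets.DEV_TASK_DEFINITION_SECRETS_JSON` even though the `environment` input also admits `perf`, so a `perf` run renders the dev secret references into the perf task definition. Binding the job to a GitHub environment with `environment: ${{ inputs.environment }}` and keeping one environment-scoped `TASK_DEFINITION_SECRETS_JSON` secret per environment removes the hard-coded prefix and lets that environment's protection rules gate the run. The same selection problem applies to any other secret that differs between `dev` and `perf`; whether `DD_API_KEY` or the role values do is not visible here. The job also passes a static access key pair through `aws-access-key-id`/`aws-secret-access-key` in addition to `role-to-assume`; if the account allows it, the OIDC mode of `configure-aws-credentials` (`id-token: write` in `permissions` plus `role-to-assume` alone) avoids keeping long-lived keys in repository secrets.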
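--- a/cd/dev.env
+++ b/cd/dev.env
@@ -0,0 +1,4 @@
+ENP_ALGORITHM=HS256
+ENP_ACCESS_TOKEN_EXPIRE_SECONDS=60
+MAX_RETRIES=2886
+DB_NAME=va_enp_api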
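Review bot: `cd/dev.env` and `cd/perf.env` are byte-identical, so the per-environment split currently carries no information, and `MAX_RETRIES=2886` is an unexplained value in both. If the two environments genuinely share these settings, a header comment such as `# Non-secret runtime config for the ${ENV} task; uploaded to S3 by ecs-task-render-deploy` and a one-line `# why this value` comment on `MAX_RETRIES` would make the intent clear to the next reader. Because these files are committed in plain text and copied to the environment-variables bucket, they should stay free of anything sensitive; in particular the key used with `ENP_ALGORITHM=HS256` belongs in the task definition's `secrets` block, not here. This note applies to both `cd/dev.env` and `cd/perf.env`.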
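--- a/cd/perf.env
+++ b/cd/perf.env
@@ -0,0 +1,4 @@
+ENP_ALGORITHM=HS256
+ENP_ACCESS_TOKEN_EXPIRE_SECONDS=60
+MAX_RETRIES=2886
+DB_NAME=va_enp_api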
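--- a/cd/va-enp-api-task-definition.json
+++ b/cd/va-enp-api-task-definition.json
@@ -0,0 +1,165 @@
+{
+"family": "${ENV}-va-enp-api-task",
+"executionRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-execution-role",
+"taskRoleArn": "arn:${AWS_ARN_REGION}:iam::${AWS_ACCOUNT_NUMBER}:role/project/project-${ENV}-notification-api-task-role",
+"networkMode": "awsvpc",
+"containerDefinitions": [
+{
+"name": "${ENV}-va-enp-api",
+"essential": true,
+"image": "{will-be-replaced-by-ci}",
+"logConfiguration": {
+"logDriver": "awslogs",
+"options": {
+"awslogs-group": "${ENV}-va-enp-api-log-group",
+"awslogs-region": "${AWS_REGION}",
+"awslogs-stream-prefix": "ecs"
+}
+},
+"portMappings": [
+{
+"containerPort": 6011,
+"hostPort": 6011
+}
+],
+"environmentFiles": [
+{
+"type": "s3",
+"value": "arn:${AWS_ARN_REGION}:s3:::vanotify-environment-variables-${ENV}/va-enp-api/${ENV}.env"
+}
+],
+"environment": [
+{
+"name": "DD_SERVICE",
+"value": "va-enp-api"
+},
+{
+"name": "FLASK_APP",
+"value": "application.py"
+}
+],
+"secrets": ${TASK_DEFINITION_SECRETS_JSON},
+"healthCheck": {
+"command": [
+"CMD-SHELL",
+"./scripts/wait_for_it.sh 127.0.0.1:6011 -t 0 || exit 1"
+],
+"interval": 30,
+"retries": 5,
+"timeout": 10
+}
+},
+{
+"name": "datadog-agent",
+"image": "${AWS_ACCOUNT_NUMBER}.dkr.ecr.${AWS_REGION}.amazonaws.com/datadog/agent:7.57.2",
+"logConfiguration": {
+"logDriver": "awslogs",
+"options": {
+"awslogs-group": "${ENV}-va-enp-api-datadog-log-group",
+"awslogs-region": "${AWS_REGION}",
+"awslogs-stream-prefix": "ecs"
+}
+},
+"portMappings": [
+{
+"containerPort": 8125,
+"hostPort": 8125,
+"protocol": "udp"
+},
+{
+"containerPort": 8126,
+"hostPort": 8126,
+"protocol": "tcp"
+}
+],
+"environment": [
+{
+"name": "DD_APM_NON_LOCAL_TRAFFIC",
+"value": "true"
+},
+{
+"name": "DD_LOGS_ENABLED",
+"value": "true"
+},
+{
+"name": "DD_APM_TELEMETRY_ENABLED",
+"value": "false"
+},
+{
+"name": "DD_PROCESS_AGENT_ENABLED",
+"value": "true"
+},
+{
+"name": "ECS_FARGATE",
+"value": "true"
+},
+{
+"name": "DD_SITE",
+"value": "ddog-gov.com"
+},
+{
+"name": "DD_APM_ENABLED",
+"value": "true"
+},
+{
+"name": "DD_ENV",
+"value": "${ENV}"
+},
+{
+"name": "DD_SERVICE",
+"value": "va-enp-api"
+},
+{
+"name": "DD_APM_FEATURES",
+"value": "enable_cid_stats"
+},
+{
+"name": "DD_PROFILING_ENABLE_CODE_PROVENANCE",
+"value": "true"
+}
+],
+"secrets": [
+{
+"name": "DD_API_KEY",
+"valueFrom": "${DD_API_KEY}"
+}
+]
+}
+],
+"requiresCompatibilities": [
+"FARGATE"
+],
+"cpu": "2048",
+"pidMode": "task",
+"memory": "4096",
+"tags": [
+{
+"key": "Stack",
+"value": "application-deployment"
+},
+{
+"key": "Environment",
+"value": "${ENV}"
+},
+{
+"key": "Team",
+"value": "vanotify"
+},
+{
+"key": "ManagedBy",
+"value": "CI"
+},
+{
+"key": "VAECID",
+"value": "AWG20200714002"
+},
+{
+"key": "ProjectName",
+"value": "VA Notify"
+},
+{
+"key": "ProjectShort",
+"value": "NOTIFY"
+}
+]
+}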
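Review bot: The datadog-agent `secrets` entry sets `valueFrom` to `${DD_API_KEY}`, and the workflow fills that variable from a GitHub secret also named `DD_API_KEY`; ECS requires `valueFrom` to be a Secrets Manager or SSM Parameter Store ARN, so if that secret holds the API key itself rather than an ARN, the raw key is written verbatim into the rendered task definition and the reference is then invalid. Renaming the template variable and the GitHub secret to an ARN-suffixed name (for example `DD_API_KEY_ARN`, a placeholder) makes the expected value explicit and harder to confuse with the key. `"secrets": ${TASK_DEFINITION_SECRETS_JSON},` is the only unquoted substitution in the file; when the variable is unset, envsubst leaves `"secrets": ,` and the failure surfaces as malformed JSON downstream rather than as a missing secret, so a post-render validity check such as `jq -e . task-definition.json` in the rendering action would point at the real cause. The agent's 8125/8126 ports are published on the task ENI with `DD_APM_NON_LOCAL_TRAFFIC=true`, presumably for the app container in the same task; confirm the task's security group does not expose them beyond the task.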

