4 aws ecs

.github/workflows/deploy.yaml

@@ -12,19 +12,30 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     permissions:
       id-token: write
     steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1-node16
         with:
           role-to-assume: arn:aws:iam::200049542062:role/gocapture/GithubRole
           aws-region: us-west-1
 
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
       - name: Deploy ECS Cluster
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: go-capture
+          IMAGE_TAG: ${{ github.sha }}
         uses: aws-actions/aws-cloudformation-github-deploy@v1
         with:
           name: GoCaptureECSCluster
+          capabilities: CAPABILITY_NAMED_IAM
+          parameter-overrides: "TaskImage=${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ env.IMAGE_TAG }}"
           template: cloud-formation/ecs.yaml
           no-fail-on-empty-changeset: 1

cloud-formation/ecs.yaml

@@ -1,5 +1,113 @@
+Parameters:
+  TaskImage:
+    Type: String
 Resources:
+  ExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: GoCaptureExecutionRole
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRole
+            Principal:
+              Service: ecs-tasks.amazonaws.com
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
+  TaskRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: GoCaptureTaskRole
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRole
+            Principal:
+              Service: ecs-tasks.amazonaws.com
+  Vpc:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+  InternetGateway:
+    Type: AWS::EC2::InternetGateway
+  VPCGatewayAttachment:
+    Type: AWS::EC2::VPCGatewayAttachment
+    Properties:
+      InternetGatewayId: !Ref InternetGateway
+      VpcId: !Ref Vpc
+  SecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupName: GoCaptureSecurityGroup
+      GroupDescription: Security Group for Go Capture ECS Service
+      VpcId: !Ref Vpc
+  PublicSubnet:
+    Type: AWS::EC2::Subnet
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      MapPublicIpOnLaunch: true
+      VpcId: !Ref Vpc
   Cluster:
     Type: AWS::ECS::Cluster
     Properties:
       ClusterName: GoCaptureCluster
+  Service:
+    Type: AWS::ECS::Service
+    Properties:
+      Cluster: !Ref Cluster
+      DesiredCount: 1
+      LaunchType: FARGATE
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          AssignPublicIp: ENABLED
+          SecurityGroups:
+            - !Ref SecurityGroup
+          Subnets:
+            - !Ref PublicSubnet
+      ServiceName: GoCaptureECSService
+      TaskDefinition: !Ref TaskDefinition
+  TaskDefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      ContainerDefinitions:
+        - Name: GoCaptureContainer
+          Image: !Ref TaskImage
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-region: us-west-1
+              awslogs-group: !Ref LogGroup
+      Cpu: .25 vCPU
+      ExecutionRoleArn: !Ref ExecutionRole
+      Family: GoCapture
+      Memory: 0.5 GB
+      NetworkMode: awsvpc
+      RuntimePlatform:
+        CpuArchitecture: X86_64
+        OperatingSystemFamily: LINUX
+      TaskRoleArn: !Ref TaskRole
+  GatewayAttachment:
+    Type: 'AWS::EC2::VPCGatewayAttachment'
+    Properties:
+      InternetGatewayId: !Ref InternetGateway
+      VpcId: !Ref Vpc
+  PublicRoute:
+    Type: 'AWS::EC2::Route'
+    DependsOn: GatewayAttachment
+    Properties:
+      DestinationCidrBlock: '0.0.0.0/0'
+      GatewayId: !Ref InternetGateway
+      RouteTableId: !Ref PublicRouteTable
+  PublicRouteTable:
+    Type: 'AWS::EC2::RouteTable'
+    Properties:
+      VpcId: !Ref Vpc
+  PublicSubnetRouteTableAssociation:
+    Type: 'AWS::EC2::SubnetRouteTableAssociation'
+    Properties:
+      RouteTableId: !Ref PublicRouteTable
+      SubnetId: !Ref PublicSubnet
+  LogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: GoCaptureLogs

cloud-formation/github-role.yaml

@@ -23,7 +23,7 @@ Resources:
             "Version": "2012-10-17",
             "Statement": [
               {
-                "Effect": Allow,
+                "Effect": "Allow",
                 "Action": [
                   cloudformation:CreateChangeSet,
                   cloudformation:CreateStack,
@@ -33,17 +33,20 @@ Resources:
                   cloudformation:ExecuteChangeSet,
                 ],
                 "Resource": "*"
-              },
+              }
             ]
           }
         - PolicyName: IamPolicy
           PolicyDocument: {
             "Version": "2012-10-17",
             "Statement": [
               {
-                "Effect": Allow,
+                "Effect": "Allow",
                 "Action": [
+                  iam:CreateRole,
                   iam:CreateUser,
+                  iam:DeleteRole,
+                  iam:DeleteRolePolicy,
                   iam:DeleteUser,
                   iam:DeleteUserPolicy,
                   iam:GetRole,
@@ -55,15 +58,15 @@ Resources:
                   iam:UpdateAssumeRolePolicy,
                 ],
                 "Resource": "*"
-              },
+              }
             ]
           }
         - PolicyName: EcrPolicy
           PolicyDocument: {
             "Version": "2012-10-17",
             "Statement": [
               {
-                "Effect": Allow,
+                "Effect": "Allow",
                 "Action": [
                   ecr:BatchCheckLayerAvailability,
                   ecr:BatchGetImage,
@@ -81,7 +84,68 @@ Resources:
                   ecr:UploadLayerPart
                 ],
                 "Resource": "*"
-              },
+              }
+            ]
+          }
+        - PolicyName: EcsPolicy
+          PolicyDocument: {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Action": [
+                  ecs:CreateCluster,
+                  ecs:CreateService,
+                  ecs:DeleteCluster,
+                  ecs:DeleteService,
+                  ecs:DeregisterTaskDefinition,
+                  ecs:DescribeClusters,
+                  ecs:DescribeServices,
+                  ecs:RegisterTaskDefinition,
+                  ecs:UpdateService,
+                  iam:AttachRolePolicy,
+                  iam:DetachRolePolicy,
+                  iam:PassRole,
+                  logs:CreateLogGroup,
+                  logs:DeleteLogGroup
+                ],
+                "Resource": "*"
+              }
+            ]
+          }
+        - PolicyName: Ec2Policy
+          PolicyDocument: {
+            "Version": "2012-10-17",
+            "Statement": [
+              {
+                "Effect": "Allow",
+                "Action": [
+                  ec2:AssociateRouteTable,
+                  ec2:AttachInternetGateway,
+                  ec2:CreateInternetGateway,
+                  ec2:CreateRoute,
+                  ec2:CreateRouteTable,
+                  ec2:CreateSecurityGroup,
+                  ec2:CreateSubnet,
+                  ec2:CreateTags,
+                  ec2:CreateVpc,
+                  ec2:DeleteInternetGateway,
+                  ec2:DeleteRouteTable,
+                  ec2:DeleteSecurityGroup,
+                  ec2:DeleteSubnet,
+                  ec2:DeleteVpc,
+                  ec2:DescribeInternetGateways,
+                  ec2:DescribeRouteTables,
+                  ec2:DescribeSecurityGroups,
+                  ec2:DescribeSubnets,
+                  ec2:DescribeVpcs,
+                  ec2:DetachInternetGateway,
+                  ec2:DisassociateRouteTable,
+                  ec2:ModifySubnetAttribute,
+                  ec2:ModifyVpcAttribute
+                ],
+                "Resource": "*"
+              }
             ]
           }