use beta registry for prod
zhelezovartem authored Mar 12, 2024
2 parents 1d450af + f6366ce commit 9f97a26
Showing 4 changed files with 50 additions and 32 deletions.
31 changes: 2 additions & 29 deletions .github/workflows/sub_deploy_to_prod.yml
Expand Up @@ -40,39 +40,12 @@ jobs:
echo "service_name=${{ env.SERVICE_NAME }}" >> ${GITHUB_OUTPUT}
echo "image_tag=${{ inputs.IMAGE_TAG }}" >> ${GITHUB_OUTPUT}
echo "aws_account_id=274425519734" >> ${GITHUB_OUTPUT}
echo "ecr_registry=274425519734.dkr.ecr.eu-central-1.amazonaws.com" >> ${GITHUB_OUTPUT}
echo "ecr_registry=244531986313.dkr.ecr.eu-central-1.amazonaws.com" >> ${GITHUB_OUTPUT}
echo "aws_region=eu-central-1" >> ${GITHUB_OUTPUT}
echo "gh_actions_iam_role_name=gh_actions_services" >> ${GITHUB_OUTPUT}
push-image-to-prod-ecr:
needs: [variables]
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ needs.variables.outputs.aws_region }}
role-duration-seconds: 2400
role-session-name: ${{ github.event.repository.name }}
role-to-assume: arn:aws:iam::${{ needs.variables.outputs.aws_account_id }}:role/${{ needs.variables.outputs.gh_actions_iam_role_name }}

- name: Login to Amazon ECR (Elastic Container Registry)
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2

- name: Push image to private prod-ECR
run: |
PUBLIC_IMAGE_NAME=cyberdojo/${{ needs.variables.outputs.service_name }}:${{ inputs.IMAGE_TAG }}
PRIVATE_IMAGE_NAME=${{ needs.variables.outputs.ecr_registry }}/${{ needs.variables.outputs.service_name }}:${{ inputs.IMAGE_TAG }}
docker pull ${PUBLIC_IMAGE_NAME}
docker tag ${PUBLIC_IMAGE_NAME} ${PRIVATE_IMAGE_NAME}
docker push ${PRIVATE_IMAGE_NAME}
deploy-to-aws-prod:
needs: [variables, push-image-to-prod-ecr]
needs: [variables]
permissions:
id-token: write
contents: write
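Review bot: After this hunk the prod deploy pulls from registry 244531986313 while aws_account_id stays 274425519734, so prod now runs an image from a registry in another account, addressed by the mutable tag inputs.IMAGE_TAG, and the deleted push-image-to-prod-ecr job was the only step that materialised the deployed image in a registry the prod account owns. The ecr.tf added in this same commit attaches a repository policy that lets any principal in the organization push to that repository (its actions list includes ecr:PutImage and the upload actions), so the tag can change between the build that produced it and the prod rollout. I would resolve the tag to its digest in the variables job (`aws ecr describe-images --registry-id 244531986313 --repository-name <service> --image-ids imageTag=<tag>`, sanitised) and have deploy-to-aws-prod deploy the `@sha256:` reference, or at least write the digest to ${GITHUB_OUTPUT} so the rollout is auditable. A comment on the ecr_registry line, `# prod deploys straight from the beta/staging registry (244531986313); no prod-owned copy of the image is kept`, would record the decision. The deploy-to-aws-prod job body continues below the hunk, so I cannot see how the image reference is consumed there.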
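--- a/deployment/terraform/data.tf
+++ b/deployment/terraform/data.tf
@@ -0,0 +1 @@
+data "aws_organizations_organization" "org" {}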
4 changes: 1 addition & 3 deletions deployment/terraform/deployment.tf
@@ -1,5 +1,5 @@
module "ecs-service" {
source = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-9d7e951c290ec5bbe6506e0ddb064808764bc636/terraform-modules.zip//ecs-service/v3"
source = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-9d7e951c290ec5bbe6506e0ddb064808764bc636/terraform-modules.zip//ecs-service/v4"
service_name = var.service_name
TAGGED_IMAGE = var.TAGGED_IMAGE
enable_execute_command = "true"
Expand All @@ -9,8 +9,6 @@ module "ecs-service" {
mem_reservation = var.mem_reservation
mem_limit = var.mem_limit
app_env_vars = local.app_env_vars
ecr_replication_targets = var.ecr_replication_targets
ecr_replication_origin = var.ecr_replication_origin
ecs_wait_for_steady_state = true
volumes = [
{
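Review bot: The second hunk drops ecr_replication_targets and ecr_replication_origin from module "ecs-service" at the same time as the module source moves between ecs-service/v3 and v4, and the same two arguments reappear on a new module "aws_ecr_repository" in ecr.tf in this commit. If the older ecs-service module was the one creating the ECR repository (I cannot tell from this hunk), the repository's state address changes with this refactor and a plan will show a destroy-and-create of the repository, which would delete every stored image, unless a `moved { from = module.ecs-service.<repo address>; to = module.aws_ecr_repository.<repo address> }` block or an equivalent `terraform state mv` accompanies the change. Nothing in this hunk or in ecr.tf shows such a block, so I would confirm the plan output before applying to prod. The module block starts in the first hunk and its `volumes` list continues past the end of the second.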
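--- a/deployment/terraform/ecr.tf
+++ b/deployment/terraform/ecr.tf
@@ -0,0 +1,46 @@
+module "aws_ecr_repository" {
+# count = var.env == "staging" ? 1 : 0
+# source = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-dacef8339fbd41ce31c346f854a85d0c74f7c4e8/terraform-modules.zip//ecr/v6"
+source = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-9d7e951c290ec5bbe6506e0ddb064808764bc636/terraform-modules.zip//ecr/v1"
+ecr_repository_name = var.service_name
+ecr_replication_targets = var.ecr_replication_targets
+ecr_replication_origin = var.ecr_replication_origin
+tags = module.tags.result
+}
+
+# Allow pull dev image for all Kosli org
+data "aws_iam_policy_document" "allow_pull_from_org" {
+count = var.env == "staging" ? 1 : 0
+statement {
+sid = "AllowPullFromOrg"
+effect = "Allow"
+
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+
+actions = [
+"ecr:GetDownloadUrlForLayer",
+"ecr:BatchGetImage",
+"ecr:BatchCheckLayerAvailability",
+"ecr:PutImage",
+"ecr:InitiateLayerUpload",
+"ecr:UploadLayerPart",
+"ecr:CompleteLayerUpload"
+]
+
+condition {
+test = "ForAnyValue:StringLike"
+variable = "aws:PrincipalOrgID"
+values = [data.aws_organizations_organization.org.id]
+}
+}
+}
+
+resource "aws_ecr_repository_policy" "allow_pull" {
+count = var.env == "staging" ? 1 : 0
+# repository = module.aws_ecr_repository[0].ecr_repository_name
+repository = var.service_name
+policy = data.aws_iam_policy_document.allow_pull_from_org[0].json
+}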
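Review bot: The statement in data "aws_iam_policy_document" "allow_pull_from_org" grants push as well as pull: ecr:PutImage, ecr:InitiateLayerUpload, ecr:UploadLayerPart and ecr:CompleteLayerUpload sit in the actions list, while the comment above it says "Allow pull dev image" and the resource is named allow_pull. Because the principal is "*" with only aws:PrincipalOrgID as a condition, every identity in the organization can overwrite any tag in this repository, and sub_deploy_to_prod.yml in this same commit now deploys prod directly from it, so the prod image reference is org-wide writable. If cross-account push is intended, put the four upload actions in a separate statement with an explicit principal list (or an `aws:PrincipalArn` condition) and rename the comment and resource to match; otherwise remove them and keep the three read actions. `ForAnyValue:StringLike` on aws:PrincipalOrgID is also unusual, since that key is single-valued and `test = "StringEquals"` is the usual form — worth confirming against the AWS policy reference. The policy resource references the repository only by name (`repository = var.service_name`, the module reference being commented out), so there is no dependency edge on module.aws_ecr_repository and a fresh apply may attach the policy before the repository exists; `depends_on = [module.aws_ecr_repository]` restores the ordering.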
