diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 3df5089..7686643 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -12,19 +12,30 @@ on: jobs: deploy: runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} permissions: id-token: write steps: + - name: Checkout repo + uses: actions/checkout@v3 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1-node16 with: role-to-assume: arn:aws:iam::200049542062:role/gocapture/GithubRole aws-region: us-west-1 + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + - name: Deploy ECS Cluster + env: + REGISTRY: ${{ steps.login-ecr.outputs.registry }} + REPOSITORY: go-capture + IMAGE_TAG: ${{ github.sha }} uses: aws-actions/aws-cloudformation-github-deploy@v1 with: name: GoCaptureECSCluster + capabilities: CAPABILITY_NAMED_IAM + parameter-overrides: "TaskImage=${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ env.IMAGE_TAG }}" template: cloud-formation/ecs.yaml no-fail-on-empty-changeset: 1 diff --git a/cloud-formation/ecs.yaml b/cloud-formation/ecs.yaml index bf54116..44af186 100644 --- a/cloud-formation/ecs.yaml +++ b/cloud-formation/ecs.yaml 
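Review bot: The job-level `if: ${{ github.event.workflow_run.conclusion == 'success' }}` is removed with no replacement, so on the new side the deploy steps run whether or not the triggering build succeeded, and `IMAGE_TAG: ${{ github.sha }}` may then name an image that was never pushed; restoring the guard as `if: ${{ github.event.workflow_run.conclusion == 'success' }}` keeps failed builds out of the cluster. If the trigger is still `workflow_run` (only `on:` is visible in the hunk header), `github.sha` resolves to the latest commit on the default branch rather than the commit the triggering run built, so `${{ github.event.workflow_run.head_sha }}` is the value that matches the tag a build job would have pushed. The job's `permissions` block lists only `id-token: write`, which makes `contents` implicitly `none`, so the added `actions/checkout@v3` step will fail on a private repository; add `contents: read`. The action references (`@v3`, `@v1-node16`, `@v1`) are mutable tags; pinning each to a full commit SHA protects this OIDC-authenticated deploy from a retargeted upstream tag.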
@@ -1,5 +1,113 @@ +Parameters: + TaskImage: + Type: String Resources: + ExecutionRole: + Type: AWS::IAM::Role + Properties: + RoleName: GoCaptureExecutionRole + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Action: sts:AssumeRole + Principal: + Service: ecs-tasks.amazonaws.com + ManagedPolicyArns: + - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy + TaskRole: + Type: AWS::IAM::Role + Properties: + RoleName: GoCaptureTaskRole + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Action: sts:AssumeRole + Principal: + Service: ecs-tasks.amazonaws.com + Vpc: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + InternetGateway: + Type: AWS::EC2::InternetGateway + VPCGatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref Vpc + SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: GoCaptureSecurityGroup + GroupDescription: Security Group for Go Capture ECS Service + VpcId: !Ref Vpc + PublicSubnet: + Type: AWS::EC2::Subnet + Properties: + CidrBlock: 10.0.0.0/16 + MapPublicIpOnLaunch: true + VpcId: !Ref Vpc Cluster: Type: AWS::ECS::Cluster Properties: ClusterName: GoCaptureCluster + Service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref Cluster + DesiredCount: 1 + LaunchType: FARGATE + NetworkConfiguration: + AwsvpcConfiguration: + AssignPublicIp: ENABLED + SecurityGroups: + - !Ref SecurityGroup + Subnets: + - !Ref PublicSubnet + ServiceName: GoCaptureECSService + TaskDefinition: !Ref TaskDefinition + TaskDefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: GoCaptureContainer + Image: !Ref TaskImage + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-region: us-west-1 + awslogs-group: !Ref LogGroup + Cpu: .25 vCPU + ExecutionRoleArn: !Ref ExecutionRole + Family: GoCapture + Memory: 0.5 GB + NetworkMode: awsvpc + RuntimePlatform: + CpuArchitecture: X86_64 + 
OperatingSystemFamily: LINUX + TaskRoleArn: !Ref TaskRole + GatewayAttachment: + Type: 'AWS::EC2::VPCGatewayAttachment' + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref Vpc + PublicRoute: + Type: 'AWS::EC2::Route' + DependsOn: GatewayAttachment + Properties: + DestinationCidrBlock: '0.0.0.0/0' + GatewayId: !Ref InternetGateway + RouteTableId: !Ref PublicRouteTable + PublicRouteTable: + Type: 'AWS::EC2::RouteTable' + Properties: + VpcId: !Ref Vpc + PublicSubnetRouteTableAssociation: + Type: 'AWS::EC2::SubnetRouteTableAssociation' + Properties: + RouteTableId: !Ref PublicRouteTable + SubnetId: !Ref PublicSubnet + LogGroup: + Type: AWS::Logs::LogGroup + Properties: + LogGroupName: GoCaptureLogs diff --git a/cloud-formation/github-role.yaml b/cloud-formation/github-role.yaml index e7b6125..a8f797f 100644 --- a/cloud-formation/github-role.yaml +++ b/cloud-formation/github-role.yaml @@ -23,7 +23,7 @@ Resources: "Version": "2012-10-17", "Statement": [ { - "Effect": Allow, + "Effect": "Allow", "Action": [ cloudformation:CreateChangeSet, cloudformation:CreateStack, @@ -33,7 +33,7 @@ Resources: cloudformation:ExecuteChangeSet, ], "Resource": "*" - }, + } ] } - PolicyName: IamPolicy @@ -41,9 +41,12 @@ Resources: "Version": "2012-10-17", "Statement": [ { - "Effect": Allow, + "Effect": "Allow", "Action": [ + iam:CreateRole, iam:CreateUser, + iam:DeleteRole, + iam:DeleteRolePolicy, iam:DeleteUser, iam:DeleteUserPolicy, iam:GetRole, @@ -55,7 +58,7 @@ Resources: iam:UpdateAssumeRolePolicy, ], "Resource": "*" - }, + } ] } - PolicyName: EcrPolicy @@ -63,7 +66,7 @@ Resources: "Version": "2012-10-17", "Statement": [ { - "Effect": Allow, + "Effect": "Allow", "Action": [ ecr:BatchCheckLayerAvailability, ecr:BatchGetImage, 
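Review bot: `VPCGatewayAttachment` and `GatewayAttachment` are two `AWS::EC2::VPCGatewayAttachment` resources with identical `InternetGatewayId` and `VpcId`, and an internet gateway can be attached to only one VPC, so the second attachment errors and the stack rolls back; drop `VPCGatewayAttachment` and keep `GatewayAttachment`, which `PublicRoute` already names in `DependsOn`. `LogGroup` has no `RetentionInDays`, so task logs are kept indefinitely; a value such as `RetentionInDays: 30` bounds both cost and how long captured data lingers (the deploying role would then also need `logs:PutRetentionPolicy`). `awslogs-region: us-west-1` is hard-coded while the stack's region is chosen by the workflow; `awslogs-region: !Ref AWS::Region` keeps the two from drifting apart. `SecurityGroup` defines no ingress rules, which is the right default for a task that only makes outbound calls, but if the service is meant to receive traffic it needs an explicit `SecurityGroupIngress` entry scoped to the required port rather than relying on a later manual change.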
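Review bot: The IamPolicy statement extended in the `@@ -41,9 +41,12 @@` hunk grants `iam:CreateRole`, `iam:DeleteRole` and `iam:DeleteRolePolicy` with `"Resource": "*"`, and the EcsPolicy added in the `@@ -81,7 +84,68 @@` hunk does the same for `iam:PassRole`, `iam:AttachRolePolicy` and `iam:DetachRolePolicy`; together, anything that can assume this GitHub role can create an arbitrary role, attach any managed policy to it and pass it to ECS, which is far more than deploying ecs.yaml requires. The stack only creates `GoCaptureExecutionRole` and `GoCaptureTaskRole`, so these IAM actions can be scoped to `"Resource": "arn:aws:iam::*:role/GoCapture*"` (with the account id in place of the first `*`), and `iam:PassRole` can additionally carry the condition `"iam:PassedToService": "ecs-tasks.amazonaws.com"`. The `"Effect": "Allow"` quoting fix in this and the neighbouring hunks is correct as written. Each policy document begins before and ends after its hunk.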
@@ -81,7 +84,68 @@ Resources: ecr:UploadLayerPart ], "Resource": "*" - }, + } + ] + } + - PolicyName: EcsPolicy + PolicyDocument: { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + ecs:CreateCluster, + ecs:CreateService, + ecs:DeleteCluster, + ecs:DeleteService, + ecs:DeregisterTaskDefinition, + ecs:DescribeClusters, + ecs:DescribeServices, + ecs:RegisterTaskDefinition, + ecs:UpdateService, + iam:AttachRolePolicy, + iam:DetachRolePolicy, + iam:PassRole, + logs:CreateLogGroup, + logs:DeleteLogGroup + ], + "Resource": "*" + } + ] + } + - PolicyName: Ec2Policy + PolicyDocument: { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + ec2:AssociateRouteTable, + ec2:AttachInternetGateway, + ec2:CreateInternetGateway, + ec2:CreateRoute, + ec2:CreateRouteTable, + ec2:CreateSecurityGroup, + ec2:CreateSubnet, + ec2:CreateTags, + ec2:CreateVpc, + ec2:DeleteInternetGateway, + ec2:DeleteRouteTable, + ec2:DeleteSecurityGroup, + ec2:DeleteSubnet, + ec2:DeleteVpc, + ec2:DescribeInternetGateways, + ec2:DescribeRouteTables, + ec2:DescribeSecurityGroups, + ec2:DescribeSubnets, + ec2:DescribeVpcs, + ec2:DetachInternetGateway, + ec2:DisassociateRouteTable, + ec2:ModifySubnetAttribute, + ec2:ModifyVpcAttribute + ], + "Resource": "*" + } ] }
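Review bot: The action entries in the new EcsPolicy and Ec2Policy statements (`ecs:CreateCluster`, `ec2:AssociateRouteTable`, …) are unquoted plain scalars inside otherwise JSON-style flow syntax, while the keys and `"Allow"` in the same statements are quoted; this parses today, but quoting them uniformly, e.g. `"ecs:CreateCluster",`, matches the rest of the document and prevents a future `: ` or `#` inside a value from changing the parse. The only `logs:` permissions granted are `logs:CreateLogGroup` and `logs:DeleteLogGroup`, so a later `RetentionInDays` on the log group would need `logs:PutRetentionPolicy` added here. The PolicyDocument this hunk completes begins outside the hunk.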