AWS App Runner is a fully managed container application service offered by Amazon Web Services (AWS). It is designed to simplify the process of building, deploying, and scaling containerized web applications and API services.
In this demo, we will deploy a containerised Go app, backed by a MongoDB database running on EC2, to AWS App Runner.
To begin, clone the project repo from GitHub to your local machine. The project is a task management app that saves its data to a MongoDB database.
The project contains a Dockerfile. We will use GitHub Actions to build the Docker image and push it to Amazon ECR. Make sure you have created the ECR repository first.
```yaml
name: Build and Push to ECR

on:
  push:
    branches: ['main']

env:
  AWS_REGION: 'eu-west-1'
  ECR_REPOSITORY: 'tasky'
  ACCOUNT_ID: '<fill in>'
  ROLE_NAME: 'github-actions-role'

permissions:
  id-token: write
  contents: read

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.ROLE_NAME }}
          role-session-name: github_action_session
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build and push image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        run: |
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
```
Since AWS strongly recommends OIDC (OpenID Connect) over long-term access keys, we will configure OIDC for the role 'github-actions-role'.
First, create the OIDC provider:
```bash
aws iam create-open-id-connect-provider \
  --url https://token.actions.githubusercontent.com \
  --client-id-list sts.amazonaws.com \
  --thumbprint-list 6938fd4d98bab03faadb97b34396831e3780aea1 \
  --profile
```
Next, configure an IAM role named "github-actions-role" with an IAM policy that grants the GitHub Actions runner the permissions it needs to push to ECR, and add a trust policy similar to the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<Account-ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<github-username>/tasky:ref:refs/heads/main"
        }
      }
    }
  ]
}
```
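The two conditions in that trust policy are what keep the role from being assumable by any GitHub workflow anywhere: the `aud` claim must be `sts.amazonaws.com`, and the `sub` claim must name one repository (and here one branch). As an added check, not part of the original post or the tasky project, the Go program below parses a trust policy of this shape and reports any statement for the GitHub OIDC provider that leaves either claim unpinned or uses a wildcard in the repository part of `sub`. The account ID and GitHub username embedded in the sample policy are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const githubOIDC = "token.actions.githubusercontent.com"

// ExamplePolicy is the tutorial's trust policy with constructed placeholder values.
const ExamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-user/tasky:ref:refs/heads/main"}
    }
  }]
}`

// statement keeps Principal, Action and Condition values loosely typed because
// IAM JSON allows either a string or an array in those positions.
type statement struct {
	Effect    string                            `json:"Effect"`
	Principal map[string]interface{}            `json:"Principal"`
	Action    interface{}                       `json:"Action"`
	Condition map[string]map[string]interface{} `json:"Condition"`
}

// asStrings normalises a string-or-array JSON value to a slice of strings.
func asStrings(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []interface{}:
		var out []string
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// conditionValues collects every value bound to key under any condition operator.
func conditionValues(st statement, key string) []string {
	var vals []string
	for _, op := range st.Condition {
		vals = append(vals, asStrings(op[key])...)
	}
	return vals
}

// AuditGitHubTrustPolicy returns one finding per weakness in each Allow statement
// that lets the GitHub OIDC provider assume the role; an empty result means the
// audience is pinned to STS and the subject to one literal repository.
func AuditGitHubTrustPolicy(doc []byte) ([]string, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var findings []string
	for i, st := range p.Statement {
		// fmt.Sprint renders both a bare string and a JSON array, so one substring test covers either shape.
		if st.Effect != "Allow" ||
			!strings.Contains(fmt.Sprint(st.Action), "sts:AssumeRoleWithWebIdentity") ||
			!strings.Contains(fmt.Sprint(st.Principal["Federated"]), "oidc-provider/"+githubOIDC) {
			continue
		}
		auds := conditionValues(st, githubOIDC+":aud")
		if len(auds) != 1 || auds[0] != "sts.amazonaws.com" {
			findings = append(findings, fmt.Sprintf("statement %d: aud condition must be exactly sts.amazonaws.com, got %v", i, auds))
		}
		subs := conditionValues(st, githubOIDC+":sub")
		if len(subs) == 0 {
			findings = append(findings, fmt.Sprintf("statement %d: no sub condition, any GitHub repository can assume the role", i))
		}
		for _, s := range subs {
			// Subjects look like repo:<owner>/<name>:<context>; the repo part must be literal.
			parts := strings.SplitN(s, ":", 3)
			if len(parts) < 2 || parts[0] != "repo" || strings.ContainsAny(parts[1], "*?") {
				findings = append(findings, fmt.Sprintf("statement %d: subject %q is not pinned to one repository", i, s))
			}
		}
	}
	return findings, nil
}

func main() {
	findings, err := AuditGitHubTrustPolicy([]byte(ExamplePolicy))
	fmt.Println(findings, err) // [] <nil> for the tutorial's policy
}
```

Run it against the policy you actually attach to the role before the first workflow run; a `sub` such as `repo:<github-username>/*` or a missing `aud` condition shows up as a finding.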
Push your changes to the github repo and the workflow should be triggered.
Navigate to the ECR console to view the docker image in the repository.
Deploying The MongoDB instance on EC2
Navigate to the EC2 console and launch a t3.micro Ubuntu instance. In addition to SSH on port 22, add the following inbound rule to its Security Group:
Type: Custom TCP
Port: 27017
Source: 0.0.0.0/0
Note that a source of 0.0.0.0/0 exposes the MongoDB port to the whole internet; since App Runner will reach the instance through the VPC using its private IP, a narrower source such as your VPC CIDR is preferable once the setup works.
Connect to the instance terminal and use the following commands to install MongoDB.
First, install the public key:
```bash
curl -fsSL https://pgp.mongodb.com/server-7.0.asc | sudo gpg --dearmor -o /usr/share/keyrings/mongodb-server-7.0.gpg
```
Next, add the MongoDB 7.0 apt source:
```bash
echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
```
Reload the local package database and install the MongoDB packages:
```bash
sudo apt update
sudo apt install -y mongodb-org
```
To check whether MongoDB is installed, run:
```bash
mongod --version
```
Run the following commands to start MongoDB, enable it at boot, and check its status:
```bash
sudo systemctl start mongod
sudo systemctl enable mongod
sudo systemctl status mongod
```
You should see output similar to the following:
Creating a MongoDB User and Password
MongoDB doesn't have a default password when installed on Ubuntu. By default, MongoDB runs without authentication enabled.
Connect to MongoDB (no password is needed at this point):
```bash
mongosh
```
Create an admin user:
```javascript
use admin
db.createUser({
  user: "admin",
  pwd: "yourstrongpassword",
  roles: ["userAdminAnyDatabase", "readWriteAnyDatabase"]
})
```
MongoDB Configuration:
By default, the MongoDB server (mongod) only allows loopback connections from IP address 127.0.0.1 (localhost). To allow connections from elsewhere in your Amazon VPC, do the following:
Edit the /etc/mongod.conf file and look for the following lines:
```yaml
# network interfaces
net:
  port: 27017
  bindIp: public-dns-name  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses
```
NB: Replace public-dns-name with the actual public DNS name for your instance, for example ec2-11-22-33-44.us-west-2.compute.amazonaws.com.
To enable authentication, add the following to the same file:
```yaml
security:
  authorization: enabled
```
Then restart MongoDB:
```bash
sudo systemctl restart mongod
```
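The two settings above are the ones that matter once mongod is no longer loopback-only: a `bindIp` that accepts remote connections must be paired with `security.authorization: enabled`, otherwise anyone who can reach port 27017 gets the database without a password. As an added example, not part of the original post or the tasky project, this Go program reads the `net` and `security` sections of a mongod.conf and reports the two mistakes that are easy to make while editing it: leaving authorization off after opening `bindIp`, and binding to every interface. The parser only understands the two-level layout shown above, and the sample config's VPC address is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// TutorialConf is the net/security fragment from this tutorial with the
// public-dns-name placeholder replaced by a constructed VPC address.
const TutorialConf = `# network interfaces
net:
  port: 27017
  bindIp: 10.0.1.25

security:
  authorization: enabled
`

// parseMongodConf reads the two-level "section:\n  key: value" layout used by
// the net and security sections of mongod.conf and returns a flat map such as
// {"net.bindIp": "10.0.1.25"}. It is intentionally small, not a YAML parser.
func parseMongodConf(conf string) map[string]string {
	out := map[string]string{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i] // drop comments
		}
		if strings.TrimSpace(line) == "" {
			continue
		}
		indented := line[0] == ' ' || line[0] == '\t'
		key, val, ok := strings.Cut(strings.TrimSpace(line), ":")
		if !ok {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if !indented {
			section = key // top-level section such as net or security
			continue
		}
		out[section+"."+key] = val
	}
	return out
}

// AuditMongodConf returns findings for a config that exposes mongod beyond
// loopback without authentication, or binds it to every interface.
func AuditMongodConf(conf string) []string {
	cfg := parseMongodConf(conf)
	bind, ok := cfg["net.bindIp"]
	if !ok {
		bind = "127.0.0.1" // mongod's default when bindIp is absent
	}
	var findings []string
	remote := cfg["net.bindIpAll"] == "true"
	for _, addr := range strings.Split(bind, ",") {
		addr = strings.TrimSpace(addr)
		if addr == "0.0.0.0" || addr == "::" {
			findings = append(findings, fmt.Sprintf("bindIp %s listens on every interface; bind to the instance's VPC address instead", addr))
		}
		if addr != "127.0.0.1" && addr != "localhost" && addr != "::1" {
			remote = true
		}
	}
	if remote && cfg["security.authorization"] != "enabled" {
		findings = append(findings, "mongod accepts remote connections but security.authorization is not enabled")
	}
	return findings
}

func main() {
	fmt.Println(AuditMongodConf(TutorialConf)) // [] for the hardened fragment
}
```

Feed it the real file with something like `AuditMongodConf(string(mustRead("/etc/mongod.conf")))` before restarting mongod; the tutorial's config without the `security` section produces exactly one finding.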
Creating The AppRunner Service
Navigate to the App Runner console and click the “Create Service” button.
Click “Next” and, on the “Configure service” page, fill in the required environment variables as shown below:
NOTE:
When specifying the hostname in MONGODB_URI, make sure you use the private IP and NOT the public IP of the host EC2 instance.
Also, update the port as necessary (our Go app is exposed on port 8080).
Navigate to the “Networking” section and, under “Outgoing network traffic”, select “Custom VPC”.
To create the custom VPC endpoint, follow this guide.
Once the deployment succeeds, the service status changes to “Running”, as shown below.
Copy the Default domain URL and open it in your browser.
Sign up, and you will see a daily task management app like this:
Go ahead and play around with it. Data is persisted in MongoDB, so you can log out and back in.
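Two things go wrong most often with the MONGODB_URI value: the public IP is pasted in instead of the private one, and a password containing `@` or `:` is embedded unescaped, which makes the driver split the URI in the wrong place. As an added example, not part of the original post or the tasky project, the Go function below builds the URI from its parts with proper escaping and refuses a host that is not a private address. The database name "tasky" and the `authSource=admin` parameter (the tutorial created the user in the admin database) are assumptions; the IP addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// BuildMongoURI assembles the MONGODB_URI value for the App Runner service.
// It URL-escapes the credentials ('@' or ':' in a password would otherwise
// break the URI) and rejects any host that is not a private address, because
// the tutorial's service reaches the EC2 instance through the VPC and must be
// given the instance's private IP, not its public one. The database name and
// authSource=admin are assumptions, not values from the tutorial.
func BuildMongoURI(user, password, host string, port int, database string) (string, error) {
	ip := net.ParseIP(host)
	if ip == nil {
		return "", fmt.Errorf("host %q is not an IP literal; use the instance's private IPv4 address", host)
	}
	if !ip.IsPrivate() {
		return "", fmt.Errorf("host %s is not a private (RFC 1918) address; use the private IP, not the public one", host)
	}
	u := url.URL{
		Scheme:   "mongodb",
		User:     url.UserPassword(user, password), // escapes '@', ':' and '/'
		Host:     net.JoinHostPort(host, fmt.Sprint(port)),
		Path:     "/" + database,
		RawQuery: "authSource=admin",
	}
	return u.String(), nil
}

func main() {
	uri, err := BuildMongoURI("admin", "p@ss:w0rd", "10.0.1.25", 27017, "tasky")
	fmt.Println(uri, err) // mongodb://admin:p%40ss%3Aw0rd@10.0.1.25:27017/tasky?authSource=admin <nil>
	_, err = BuildMongoURI("admin", "p@ss:w0rd", "54.0.0.1", 27017, "tasky")
	fmt.Println(err) // rejected: public address
}
```

Paste the returned string as the MONGODB_URI environment variable in the “Configure service” step; the private IP is the one shown as "Private IPv4 address" on the instance's detail page in the EC2 console.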
Clean Up
To clean up resources, simply delete the EC2 instance as well as the App Runner service.
References
https://docs.aws.amazon.com/dms/latest/sbs/chap-mongodb2documentdb.02.html
https://www.geeksforgeeks.org/installation-guide/how-to-install-mongodb-on-aws-ec2-instance/