The latest articles on DEV Community by EduardoCusihuaman (@eduardocusihuaman). https://dev.to/eduardocusihuaman https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F210363%2F0f5b89c4-e883-4727-b510-f940f8ee0460.png https://dev.to/eduardocusihuaman en EduardoCusihuaman Mon, 19 Aug 2024 15:15:19 +0000 https://dev.to/eduardocusihuaman/containers-containers-containers-40mc https://dev.to/eduardocusihuaman/containers-containers-containers-40mc <p><strong>Yep, you already know how to build your container.</strong> But now you want to get that container running on AWS with as little fuss as possible, right? <strong>No problem.</strong> ⚡</p> <p>In this quick guide, I'll show you how to deploy your container to <code>AWS Fargate</code> using <code>CloudFormation</code>. It’s fast, easy, and doesn’t require you to wade through endless steps. <strong>Just the essentials</strong> to get your container online.</p> <p><a href="https://i.giphy.com/media/H6CW8SL6vgVb2/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/H6CW8SL6vgVb2/giphy.gif" alt="SI" width="400" height="157"></a></p> <h3> Before We Begin </h3> <p>We’re using <code>CloudFormation</code> here because it’s perfect for quickly spinning up your infrastructure with minimal hassle. Sure, there are other tools like Terraform or CDK, but for a straightforward ECS setup, <code>CloudFormation</code> is your go-to.</p> <p>We’re keeping it simple: we’ll create a <code>VPC</code>, a couple of <code>public subnets</code>, an <code>ECS cluster</code>, and a <code>load balancer</code> to get your containers up and running. No need for extra complexity—just the basics to get your containerized app deployed fast. And yes, we’ve got <code>IAM roles</code> to keep everything secure. <strong>Let’s dive in!</strong></p> <h2> Table of Contents </h2> <ol> <li><strong>Architecture Boring Stuff</strong></li> <li> <strong>LET'S KICK IT OFF!</strong> <ul> <li><strong>Step-01: Deploy CloudFormation Stack for ECS Fargate</strong></li> <li><strong>Step-02: Create AWS IAM User for Pipeline</strong></li> <li><strong>Step-03: Add Secrets to GitHub Secrets</strong></li> <li><strong>Step-04: Github Actions</strong></li> <li><strong>Step-05: Cleaning Up</strong></li> </ul> </li> <li><strong>Pricing</strong></li> <li><strong>Conclusion</strong></li> </ol> <p>This table of contents should make it easy to navigate through the guide.</p> <h1> Architecture Boring Stuff </h1> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8l63dyd1rjcouw6vrwxn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8l63dyd1rjcouw6vrwxn.png" alt="aws-architecture" width="800" height="672"></a></p> <h3> User Interaction </h3> <ol> <li> <strong>User Request:</strong> A user sends an HTTP request to the Application Load Balancer (ALB) (<code>ALBDNSName</code>).</li> <li> <strong>ALB Routing:</strong> The ALB routes the request to the ECS service, which runs your containerized application.</li> <li> <strong>ECS Task Handling:</strong> The ECS tasks, running within the Fargate cluster, handle the request, with containers managed by ECS.</li> </ol> <h3> ECS and Load Balancer </h3> <ul> <li> <strong>ECS Fargate Cluster (<code>ECSFargateCluster</code>):</strong> Manages and scales the containers based on defined parameters.</li> <li> <strong>Application Load Balancer (<code>ALB</code>):</strong> Distributes incoming traffic to the appropriate ECS tasks, ensuring availability and responsiveness.</li> <li> <strong>Target Group (<code>ALBTargetGroup</code>):</strong> Monitors the health of your ECS tasks and directs traffic only to healthy instances.</li> </ul> <h3> IAM Roles </h3> <ul> <li> <strong><code>IAMRoleForECS</code>:</strong> Grants permissions for ECS tasks to pull images from ECR, send logs to CloudWatch, and perform other necessary actions.</li> <li> <strong><code>ECRCleanupLambdaRole</code>:</strong> Allows the Lambda function to delete images from the ECR repository during the cleanup process.</li> </ul> <h3> Pipeline User for GitHub Actions </h3> <p>The GitHub Actions workflow uses an IAM user (<code>PipelineUser</code>) to deploy updates to the ECS service. The workflow includes steps for:</p> <ul> <li>Checking out the code.</li> <li>Building the container image.</li> <li>Pushing the image to ECR.</li> <li>Configuring AWS credentials.</li> <li>Updating the ECS task definition with the new image.</li> <li>Triggering a new deployment of the ECS service.</li> </ul> <h3> Flow </h3> <ol> <li> <strong>User</strong> -&gt; <strong>Application Load Balancer</strong> -&gt; <strong>ECS Service</strong> -&gt; <strong>ECS Task (Container)</strong> </li> <li> <strong>ECS Tasks</strong> -&gt; <strong>Fargate Cluster</strong> (for running containers)</li> <li> <strong>Pipeline User</strong> -&gt; <strong>GitHub Actions</strong> -&gt; <strong>ECR and ECS</strong> (for deployment)</li> </ol> <p><strong>cloudformation-template.yaml</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">AWS ECS Infrastructure setup using a new VPC</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">VpcCidr</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CIDR</span><span class="nv"> </span><span class="s">block</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">VPC"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">30.0.0.0/16"</span> <span class="na">PublicSubnet1Cidr</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CIDR</span><span class="nv"> </span><span class="s">block</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">subnet</span><span class="nv"> </span><span class="s">1"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">30.0.1.0/24"</span> <span class="na">PublicSubnet2Cidr</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CIDR</span><span class="nv"> </span><span class="s">block</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">public</span><span class="nv"> </span><span class="s">subnet</span><span class="nv"> </span><span class="s">2"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">30.0.2.0/24"</span> <span class="na">ECRRepositoryName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the ECR repository</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">application-repository"</span> <span class="na">ClusterName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the ECS Fargate Cluster</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">EcsFargateCluster"</span> <span class="na">ServiceName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the ECS Service</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">EcsService"</span> <span class="na">TaskFamilyName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The family name of the ECS Task Definition</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">TaskDefinition"</span> <span class="na">ContainerName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The name of the container in the ECS Task Definition</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">application-container"</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># VPC and Networking resources</span> <span class="na">VPC</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VpcCidr</span> <span class="na">EnableDnsSupport</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">EnableDnsHostnames</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">vpc</span> <span class="c1"># Internet Gateway</span> <span class="na">InternetGateway</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::InternetGateway</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">igw</span> <span class="na">AttachGateway</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPCGatewayAttachment</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VPC</span> <span class="na">InternetGatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">InternetGateway</span> <span class="c1"># Public Subnets</span> <span class="na">PublicSubnet1</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnet1Cidr</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">-</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">Fn::GetAZs</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">AWS::Region"</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">public-subnet-1</span> <span class="na">PublicSubnet2</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VPC</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnet2Cidr</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="kt">!Select</span> <span class="pi">-</span> <span class="m">1</span> <span class="pi">-</span> <span class="na">Fn::GetAZs</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">AWS::Region"</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">public-subnet-2</span> <span class="c1"># Route Tables and Routes</span> <span class="na">PublicRouteTable</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::RouteTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VPC</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">public-rt</span> <span class="na">PublicRoute</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Route</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicRouteTable</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">GatewayId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">InternetGateway</span> <span class="na">PublicSubnet1RouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnet1</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicRouteTable</span> <span class="na">PublicSubnet2RouteTableAssociation</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicSubnet2</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">PublicRouteTable</span> <span class="c1"># Security Group</span> <span class="na">SecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Default</span><span class="nv"> </span><span class="s">security</span><span class="nv"> </span><span class="s">group</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">VPC"</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VPC</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">22</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">22</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">SecurityGroupEgress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-1"</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">default-sg</span> <span class="c1"># ECS Fargate Cluster</span> <span class="na">ECSFargateCluster</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::Cluster</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ClusterName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ClusterName</span> <span class="c1"># ECR Repository</span> <span class="na">ECRRepository</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECR::Repository</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RepositoryName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ECRRepositoryName</span> <span class="c1"># Custom Resource Hook for ECR Cleanup</span> <span class="na">ECRCleanupHook</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Custom::ECRCleanup"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ServiceToken</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ECRCleanupLambdaFunction.Arn</span> <span class="na">RepositoryName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ECRRepositoryName</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">ECRRepository</span> <span class="c1"># ECS Task Definition</span> <span class="na">ECSTaskDefinition</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::TaskDefinition</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Family</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TaskFamilyName</span> <span class="na">NetworkMode</span><span class="pi">:</span> <span class="s">awsvpc</span> <span class="na">RequiresCompatibilities</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">FARGATE</span> <span class="na">Cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512"</span> <span class="na">Memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1024"</span> <span class="na">ExecutionRoleArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">IAMRoleForECS</span> <span class="na">TaskRoleArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">IAMRoleForECS</span> <span class="na">ContainerDefinitions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerName</span> <span class="na">Image</span><span class="pi">:</span> <span class="s2">"</span><span class="s">nginx:latest"</span> <span class="na">PortMappings</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">Environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">ENVIRONMENT</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">production"</span> <span class="na">LogConfiguration</span><span class="pi">:</span> <span class="na">LogDriver</span><span class="pi">:</span> <span class="s">awslogs</span> <span class="na">Options</span><span class="pi">:</span> <span class="na">awslogs-group</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CloudWatchLogGroup</span> <span class="na">awslogs-region</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s2">"</span><span class="s">AWS::Region"</span> <span class="na">awslogs-stream-prefix</span><span class="pi">:</span> <span class="s">ecs</span> <span class="c1"># ECS Service</span> <span class="na">ECSService</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ECS::Service</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">ALB</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Cluster</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ECSFargateCluster</span> <span class="na">ServiceName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ServiceName</span> <span class="na">DesiredCount</span><span class="pi">:</span> <span class="m">2</span> <span class="na">LaunchType</span><span class="pi">:</span> <span class="s">FARGATE</span> <span class="na">TaskDefinition</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ECSTaskDefinition</span> <span class="na">NetworkConfiguration</span><span class="pi">:</span> <span class="na">AwsvpcConfiguration</span><span class="pi">:</span> <span class="na">AssignPublicIp</span><span class="pi">:</span> <span class="s">ENABLED</span> <span class="na">SecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">SecurityGroup</span> <span class="na">Subnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnet1</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnet2</span> <span class="na">LoadBalancers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ContainerName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ContainerName</span> <span class="na">ContainerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">TargetGroupArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ALBTargetGroup</span> <span class="c1"># ALB</span> <span class="na">ALB</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ElasticLoadBalancingV2::LoadBalancer</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ALB"</span> <span class="na">Subnets</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnet1</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">PublicSubnet2</span> <span class="na">SecurityGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">SecurityGroup</span> <span class="na">LoadBalancerAttributes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">idle_timeout.timeout_seconds</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">60"</span> <span class="na">ALBListener</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ElasticLoadBalancingV2::Listener</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">LoadBalancerArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ALB</span> <span class="na">Port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">DefaultActions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">forward</span> <span class="na">TargetGroupArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ALBTargetGroup</span> <span class="na">ALBTargetGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::ElasticLoadBalancingV2::TargetGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VPC</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s">HTTP</span> <span class="na">Port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">TargetType</span><span class="pi">:</span> <span class="s">ip</span> <span class="na">HealthCheckEnabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">HealthCheckPath</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/"</span> <span class="c1"># Set to a valid endpoint in your application</span> <span class="na">HealthCheckIntervalSeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">HealthCheckTimeoutSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">HealthyThresholdCount</span><span class="pi">:</span> <span class="m">2</span> <span class="na">UnhealthyThresholdCount</span><span class="pi">:</span> <span class="m">3</span> <span class="na">Matcher</span><span class="pi">:</span> <span class="na">HttpCode</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200"</span> <span class="na">Name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">TargetGroup"</span> <span class="c1"># IAM Role for ECS Task</span> <span class="na">IAMRoleForECS</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ecs-tasks.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sts:AssumeRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ECRPullPolicy"</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ecr:GetAuthorizationToken</span> <span class="pi">-</span> <span class="s">ecr:GetDownloadUrlForLayer</span> <span class="pi">-</span> <span class="s">ecr:BatchGetImage</span> <span class="pi">-</span> <span class="s">ecr:BatchCheckLayerAvailability</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CloudWatchLogsPolicy"</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">logs:CreateLogStream</span> <span class="pi">-</span> <span class="s">logs:PutLogEvents</span> <span class="pi">-</span> <span class="s">logs:CreateLogGroup</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="c1"># CloudWatch Log Group</span> <span class="na">CloudWatchLogGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Logs::LogGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">LogGroupName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/ecs/logs"</span> <span class="na">RetentionInDays</span><span class="pi">:</span> <span class="m">7</span> <span class="c1"># Lambda Function to Delete ECR Images</span> <span class="na">ECRCleanupLambdaRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">lambda.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">LambdaCloudWatchLogsPolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">logs:CreateLogGroup</span> <span class="pi">-</span> <span class="s">logs:CreateLogStream</span> <span class="pi">-</span> <span class="s">logs:PutLogEvents</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:logs:*:*:*</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">ECRDeletePolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ecr:BatchDeleteImage</span> <span class="pi">-</span> <span class="s">ecr:ListImages</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/${ECRRepositoryName}"</span> <span class="na">ECRCleanupLambdaFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Lambda::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">FunctionName</span><span class="pi">:</span> <span class="s">ecr-cleanup-lambda</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">index.handler</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">python3.9</span> <span class="na">Role</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ECRCleanupLambdaRole.Arn</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">60</span> <span class="na">Code</span><span class="pi">:</span> <span class="na">ZipFile</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">import boto3</span> <span class="s">def handler(event, context):</span> <span class="s">if event['RequestType'] == 'Delete':</span> <span class="s">ecr = boto3.client('ecr')</span> <span class="s">images_to_delete = ecr.list_images(repositoryName=event['repository_name'])['imageIds']</span> <span class="s">if images_to_delete:</span> <span class="s">ecr.batch_delete_image(</span> <span class="s">repositoryName=event['repository_name'],</span> <span class="s">imageIds=images_to_delete</span> <span class="s">)</span> <span class="s">return 'Cleanup complete'</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VPC</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The VPC Id where the ECS Cluster is deployed.</span> <span class="na">ECSFargateCluster</span><span class="pi">:</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">ECSFargateCluster</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The ECS Fargate Cluster created by the template.</span> <span class="na">ALBDNSName</span><span class="pi">:</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">ALB.DNSName</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The DNS name of the Application Load Balancer.</span> <span class="na">ALBEndpoint</span><span class="pi">:</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">http://${ALB.DNSName}"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">The HTTP endpoint of the Application Load Balancer.</span> </code></pre> </div> <p>The same template without creating a new vpc:<br> <a href="https://gist.github.com/LuisCusihuaman/ed550d0c8a78d1c492e37c90d325fcc8" rel="noopener noreferrer">cloudformation-template-with-existing-vpc.yaml</a></p> <p><strong>Note:</strong> It's important to edit the task's port if needed. By default, this is set up with a placeholder using <code>nginx</code> listening on port <code>80</code> and the <code>health check</code> is set to <code>/</code>. However, you can change these settings to fit your requirements.</p> <h1> LET'S KICK IT OFF! </h1> <p>Alright, buckle up! If you've got an AWS account and the AWS CLI locked and loaded, we're ready to roll. <em>(Pro tip: jq is handy, but hey, we won't judge if you skip it.)</em></p> <p><a href="https://i.giphy.com/media/3o7527X9Mvwd7ZmFEI/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/3o7527X9Mvwd7ZmFEI/giphy.gif" alt="START" width="480" height="268"></a></p> <h3> Step-01: Deploy CloudFormation Stack for ECS Fargate </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">CLUSTER_NAME</span><span class="o">=</span>EcsFargateCluster <span class="nb">export </span><span class="nv">SERVICE_NAME</span><span class="o">=</span>EcsService <span class="nb">export </span><span class="nv">TASK_FAMILY_NAME</span><span class="o">=</span>TaskDefinition <span class="nb">export </span><span class="nv">REPOSITORY_NAME</span><span class="o">=</span>application-repository <span class="nb">export </span><span class="nv">CONTAINER_NAME</span><span class="o">=</span>application-container <span class="nb">export </span><span class="nv">STACK_NAME</span><span class="o">=</span>aws-ecs-fargate-stack aws cloudformation deploy <span class="se">\</span> <span class="nt">--stack-name</span> <span class="nv">$STACK_NAME</span> <span class="se">\</span> <span class="nt">--template-file</span> ecs-fargate-cloudformation.yaml <span class="se">\</span> <span class="nt">--parameter-overrides</span> <span class="se">\</span> <span class="nv">ClusterName</span><span class="o">=</span><span class="nv">$CLUSTER_NAME</span> <span class="se">\</span> <span class="nv">ServiceName</span><span class="o">=</span><span class="nv">$SERVICE_NAME</span> <span class="se">\</span> <span class="nv">TaskFamilyName</span><span class="o">=</span><span class="nv">$TASK_FAMILY_NAME</span> <span class="se">\</span> <span class="nv">ECRRepositoryName</span><span class="o">=</span><span class="nv">$REPOSITORY_NAME</span> <span class="se">\</span> <span class="nv">ContainerName</span><span class="o">=</span><span class="nv">$CONTAINER_NAME</span> <span class="se">\</span> <span class="nt">--capabilities</span> CAPABILITY_NAMED_IAM <span class="se">\</span> <span class="nt">--region</span> us-east-1 </code></pre> </div> <p><strong>Note:</strong> The stack uses predefined default names for easy identification in the pipeline, u can override it:</p> <ul> <li> <strong>ClusterName:</strong> <code>EcsFargateCluster</code> </li> <li> <strong>ServiceName:</strong> <code>EcsService</code> </li> <li> <strong>TaskFamilyName:</strong> <code>TaskDefinition</code> </li> <li> <strong>ECRRepositoryName:</strong> <code>application-repository</code> </li> <li> <strong>ContainerName:</strong> <code>application-container</code> </li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgcsy91k6x7npuv562gmi.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgcsy91k6x7npuv562gmi.png" alt="cloudformation-resources" width="800" height="998"></a></p> <h2> Step-02: Create AWS IAM User for Pipeline </h2> <p>In this step, we'll create a <strong>Pipeline User</strong> that GitHub Actions will use. This user will have the necessary policies attached to push container images to ECR and update our ECS service. Here's how to do it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set user name</span> <span class="nb">export </span><span class="nv">USER_NAME</span><span class="o">=</span><span class="s2">"codepipeline"</span> <span class="c"># Create IAM user</span> aws iam create-user <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span> <span class="c"># Attach necessary policies</span> <span class="c"># ⚠️ THIS IS NOT PRODUCTION READY - USE A LEAST PRIVILEGE ROLE INSTEAD</span> aws iam attach-user-policy <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span> <span class="nt">--policy-arn</span> arn:aws:iam::aws:policy/AmazonECS_FullAccess aws iam attach-user-policy <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span> <span class="nt">--policy-arn</span> arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess <span class="c"># Create access keys for the user</span> <span class="nv">ACCESS_KEYS</span><span class="o">=</span><span class="si">$(</span>aws iam create-access-key <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span><span class="si">)</span> <span class="c"># Extract AccessKeyId and SecretAccessKey</span> <span class="nv">ACCESS_KEY_ID</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$ACCESS_KEYS</span> | jq <span class="nt">-r</span> <span class="s1">'.AccessKey.AccessKeyId'</span><span class="si">)</span> <span class="nv">SECRET_ACCESS_KEY</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$ACCESS_KEYS</span> | jq <span class="nt">-r</span> <span class="s1">'.AccessKey.SecretAccessKey'</span><span class="si">)</span> <span class="c"># ⚠️ Output the Access Key details</span> <span class="nb">echo</span> <span class="s2">"Access Key ID: </span><span class="nv">$ACCESS_KEY_ID</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Secret Access Key: </span><span class="nv">$SECRET_ACCESS_KEY</span><span class="s2">"</span> </code></pre> </div> <h2> Step-03: Add Secrets to GitHub Secrets </h2> <p>After creating the IAM user and generating the access keys, follow these steps to add these credentials to your GitHub<br> repository secrets for use in GitHub Actions:</p> <ol> <li> <p><strong>Navigate to Your GitHub Repository:</strong></p> <ul> <li>Go to the main page of your repository on GitHub.</li> </ul> </li> <li> <p><strong>Access Repository Settings:</strong></p> <ul> <li>Click on the <strong>Settings</strong> tab at the top of the repository page.</li> </ul> </li> <li> <p><strong>Navigate to Secrets:</strong></p> <ul> <li>In the left sidebar, click on <strong>Secrets and variables</strong> &gt; <strong>Actions</strong>.</li> </ul> </li> <li> <p><strong>Add New Repository Secrets:</strong></p> <ul> <li>Click <strong>New repository secret</strong> and add the following:</li> </ul> </li> </ol> <ul> <li> <strong>AWS_ACCESS_KEY_ID:</strong> Enter your <code>AccessKeyId</code> value.</li> <li> <strong>AWS_SECRET_ACCESS_KEY:</strong> Enter your <code>SecretAccessKey</code> value.</li> </ul> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgza5wf9kpmm74yo6tz1p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgza5wf9kpmm74yo6tz1p.png" alt="secrets" width="800" height="747"></a></p> <p>By doing this, you'll securely store the necessary credentials for your GitHub Actions workflow.</p> <h2> Step-04: Github Actions </h2> <p>Time to automate the deployment with GitHub Actions! Here's how you can set up your pipeline:</p> <p>Copy the following YAML content into <code>.github/workflows/deploy.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Build, Push to ECR, and Deploy to ECS Fargate</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="c1"># Step 1: Checkout the latest code from the main branch</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="c1"># Step 2: Configure AWS credentials for the GitHub Actions runner</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="c1"># Change to your region</span> <span class="c1"># Step 3: Login to Amazon ECR to push Docker images</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Amazon ECR</span> <span class="na">id</span><span class="pi">:</span> <span class="s">login-ecr</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v1</span> <span class="c1"># Step 4: Build the Docker image, tag it, and push it to Amazon ECR</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build, tag, and push image to Amazon ECR</span> <span class="na">id</span><span class="pi">:</span> <span class="s">build-image</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="s">${{ steps.login-ecr.outputs.registry }}</span> <span class="na">ECR_REPOSITORY</span><span class="pi">:</span> <span class="s">application-repository</span> <span class="c1"># Change this to your ECR repository name</span> <span class="na">IMAGE_TAG</span><span class="pi">:</span> <span class="s">${{ github.sha }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .</span> <span class="s">docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG</span> <span class="s">echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" &gt;&gt; $GITHUB_OUTPUT</span> <span class="c1"># Step 5: Download the current ECS task definition to update it with the new image</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Download current task definition</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws ecs describe-task-definition --task-definition TaskDefinition \ # Change this to your Task Family Name</span> <span class="s">--query taskDefinition &gt; ecs-task-definition.json</span> <span class="c1"># Step 6: Replace the image in the ECS task definition with the newly built image</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Fill in the new image ID in the Amazon ECS task definition</span> <span class="na">id</span><span class="pi">:</span> <span class="s">task-def</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecs-render-task-definition@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">task-definition</span><span class="pi">:</span> <span class="s">ecs-task-definition.json</span> <span class="na">container-name</span><span class="pi">:</span> <span class="s">application-container</span> <span class="c1"># Change this to your container name</span> <span class="na">image</span><span class="pi">:</span> <span class="s">${{ steps.build-image.outputs.image }}</span> <span class="c1"># Step 7: Deploy the updated task definition to the ECS Fargate service</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy updated task definition to ECS Fargate</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecs-deploy-task-definition@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">task-definition</span><span class="pi">:</span> <span class="s">${{ steps.task-def.outputs.task-definition }}</span> <span class="na">service</span><span class="pi">:</span> <span class="s">EcsService</span> <span class="c1"># Change this to your ECS service name</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">EcsFargateCluster</span> <span class="c1"># Change this to your ECS Fargate cluster name</span> <span class="na">wait-for-service-stability</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p><strong>Important:</strong> The container image in the ECR repository is updated with each push to the <code>main</code> branch. The service name <code>EcsService</code>, cluster name <code>EcsFargateCluster</code>, and other values are predefined in your CloudFormation stack, ensuring smooth integration with your AWS infrastructure.</p> <p>Now, commit and push your changes to trigger the pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git commit <span class="nt">-am</span> “feat<span class="o">(</span>ci<span class="o">)</span>: deployment” git push origin main </code></pre> </div> <p>Once pushed, the pipeline will automatically build, push your Docker image to ECR, and update your ECS Fargate service with the latest code. 🚀</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fra17k6z9g2m6yolvqr0w.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fra17k6z9g2m6yolvqr0w.png" alt="github-action" width="800" height="581"></a></p> <h2> Cleaning Up </h2> <p>To delete the CloudFormation stack, use the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set the stack name</span> <span class="nb">export </span><span class="nv">STACK_NAME</span><span class="o">=</span><span class="s2">"aws-ecs-fargate-stack"</span> <span class="c"># Delete the CloudFormation stack</span> aws cloudformation delete-stack <span class="nt">--stack-name</span> <span class="nv">$STACK_NAME</span> <span class="c"># Delete the IAM user</span> aws iam delete-user <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span> </code></pre> </div> <h1> BLAZINGGG ENJOYY 🎉🔥 </h1> <p><a href="https://i.giphy.com/media/VpysUTI25mTlK/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/VpysUTI25mTlK/giphy.gif" alt="Success GIF" width="500" height="344"></a></p> <p>You can see your pipeline triggered, the Docker image built, pushed to ECR, and your ECS Fargate service updated. This workflow will automatically deploy your changes to the Fargate cluster every time you push to the main branch. 🚀</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F447ewjd8bw3w41vb4v8k.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F447ewjd8bw3w41vb4v8k.png" alt="ecs-service" width="800" height="906"></a></p> <p>To check if everything's working, grab the <strong>ALB DNS Name</strong> from the stack output or the AWS console and make an HTTP request to your application. 🌐<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>~/edu curl http://your-alb-dns-name/ <span class="c"># Replace with your actual ALB DNS name</span> </code></pre> </div> <h1> Pricing </h1> <p>Here’s an estimated cost breakdown for the AWS ECS infrastructure setup you provided, considering that you have a single ECS Fargate task running:</p> <h4> 1. <strong>VPC and Subnets</strong> </h4> <ul> <li> <strong>VPC</strong>: No additional cost.</li> <li> <strong>Subnets</strong>: No direct cost for subnets.</li> </ul> <h4> 2. <strong>Internet Gateway</strong> </h4> <ul> <li> <strong>Cost</strong>: $0.045 per hour.</li> </ul> <h4> 3. <strong>ECS Fargate</strong> </h4> <ul> <li> <strong>vCPU (0.5 vCPU)</strong>: $0.04048 per vCPU-hour.</li> <li> <strong>Memory (1 GB)</strong>: $0.004445 per GB-hour.</li> </ul> <p>For a single task running 24/7:</p> <ul> <li> <strong>vCPU Cost (0.5 vCPU)</strong>: 0.5 * 24 * 30 * $0.04048 = <strong>$14.58 per month</strong>.</li> <li> <strong>Memory Cost (1 GB)</strong>: 1 * 24 * 30 * $0.004445 = <strong>$3.20 per month</strong>.</li> </ul> <h4> 4. <strong>Application Load Balancer (ALB)</strong> </h4> <ul> <li> <strong>ALB</strong>: $0.0225 per hour.</li> <li> <strong>Data Processed by ALB</strong>: $0.008 per GB.</li> </ul> <p>For 24/7 operation:</p> <ul> <li> <strong>ALB Cost</strong>: 24 * 30 * $0.0225 = <strong>$16.20 per month</strong>.</li> </ul> <h4> 5. <strong>ECR Storage</strong> </h4> <ul> <li> <strong>Cost</strong>: $0.10 per GB per month.</li> </ul> <h4> 6. <strong>CloudWatch Logs</strong> </h4> <ul> <li> <strong>Storage</strong>: $0.03 per GB.</li> <li> <strong>Ingested Logs</strong>: $0.50 per GB.</li> </ul> <h4> <strong>Total Estimated Monthly Cost</strong> </h4> <p>Adding up the individual components, here’s an estimated monthly cost:</p> <ul> <li> <strong>ECS Fargate</strong>: ~$17.78</li> <li> <strong>ALB</strong>: ~$16.20</li> <li> <strong>Internet Gateway</strong>: ~$32.40 (if used)</li> <li> <strong>ECR Storage</strong>: Variable depending on image size.</li> <li> <strong>CloudWatch Logs</strong>: Variable depending on log volume.</li> </ul> <p><strong>Estimated Total</strong>: <strong>~$66.38 per month</strong> (excluding data transfer and storage variations).</p> <p><strong>Alternative Pricing without Internet Gateway</strong>:<br> If you use the default AWS network configuration and don’t need an Internet Gateway:</p> <ul> <li> <strong>Estimated Total</strong>: <strong>~$34.58 per month</strong> (excluding Internet Gateway cost).</li> </ul> <h1> Conclusion </h1> <p>While <strong>serverless</strong> and <strong>Fargate</strong> offer great convenience, costs can escalate quickly. For instance, running a <code>0.5 vCPU</code> and <code>1GB</code> memory task costs around <strong>$18/month</strong> just for compute. Additional services like the <strong>Application Load Balancer (ALB)</strong> and <strong>CloudWatch Logs</strong> further increase expenses. If you're working on smaller projects or development environments, consider skipping features like the <strong>Internet Gateway</strong> or <strong>ALB</strong> to save costs. Always tailor your setup to your specific needs to optimize <strong>cloud spending</strong>.</p> <p>And there you have it! A blazing fast, simple way to deploy your containers on AWS ECS Fargate. Enjoy!</p> <p><strong>Happy deploying :)</strong></p> aws github cicd containers EduardoCusihuaman Mon, 05 Aug 2024 16:07:32 +0000 https://dev.to/eduardocusihuaman/how-on-earth-do-you-deploy-aws-lambdas-5204 https://dev.to/eduardocusihuaman/how-on-earth-do-you-deploy-aws-lambdas-5204 <p>Hey there, if you've landed here, you're probably a developer interested in deploying an AWS Lambda as quickly and simply as possible. ⚡</p> <p>You’ve come to the right place! Let me share some of my thoughts on Lambda and serverless. Many tutorials out there involve a lot of manual steps and can be hard to maintain or even set up if you just want to try out AWS services as quickly as possible.</p> <p><a href="https://i.giphy.com/media/H6CW8SL6vgVb2/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/H6CW8SL6vgVb2/giphy.gif" alt="SI" width="400" height="157"></a></p> <h1> Before Everything </h1> <p>This example uses <strong>CloudFormation</strong> because, although it isn't the best IaC tool, it's the quickest for a <strong>one-click deployment POC</strong>. Even though <strong>Terraform</strong> isn’t ideal for this, <strong>CDK</strong> or <strong>SAM</strong> may be easy to maintain.</p> <p>The resources involved are minimal: a <strong>bucket</strong> where we'll store our code as a zip file, a <strong>helper Lambda</strong> to create an empty zip as a placeholder and then clean the bucket when we delete it, and our actual <strong>Lambda with a public endpoint URL</strong>. There is no <strong>API Gateway</strong> here—too much complexity for a simple POC. Of course, there are <strong>IAM roles</strong> for each Lambda.</p> <h1> Content </h1> <ol> <li>Architecture Boring Stuff</li> <li> LET’S START! <ul> <li>Step-01: 🚀 Deploy CloudFormation Stack for Code</li> <li>Step-02: 🛠️ Create AWS IAM User for Pipeline</li> <li>Step-03: 🔒 Add Secrets to GitHub Secrets</li> <li>Step-04: 📦 Dependencies</li> <li>Step-05: 🤖 Pipeline Magic</li> <li>Cleaning Up</li> </ul> </li> </ol> <h1> Architecture Boring Stuff </h1> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0csy7tqmhsaa56e1glq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu0csy7tqmhsaa56e1glq.png" alt="architecture" width="800" height="642"></a></p> <p><strong>User Interaction</strong></p> <ol> <li> <strong>A user sends an HTTP request</strong> to the Lambda function URL (<code>LambdaFunctionUrl</code>).</li> <li> <strong>The LambdaFunction handles the HTTP request</strong>, assuming the <code>LambdaExecutionRole</code> IAM role for the necessary permissions.</li> <li> <strong>It generates a URL and interacts with an S3 bucket</strong> (<code>codebucket</code>), which stores the .NET code.</li> </ol> <p><strong>S3 and Helper Lambda</strong></p> <ol> <li> <strong>The S3 bucket</strong> (<code>codebucket</code>) <strong>stores the .NET code</strong>.</li> <li> <strong>A helper Lambda function</strong> (<code>HelperS3ObjectsFunction</code>) <strong>manages S3 objects</strong> within this bucket, such as creating and deleting objects.</li> <li> <strong>The helper Lambda function assumes the <code>HelperS3ObjectsWriteRole</code> IAM role</strong> to manage these S3 operations.</li> </ol> <p><strong>IAM Roles</strong></p> <ul> <li> <strong>LambdaExecutionRole</strong>: Provides the necessary permissions for the primary Lambda function.</li> <li> <strong>HelperS3ObjectsWriteRole</strong>: Provides permissions for the helper Lambda function to manage S3 objects.</li> </ul> <p><strong>Pipeline User for GitHub Actions</strong><br> The GitHub Actions workflow uses an IAM user (<code>PipelineUser</code>) to deploy updates to the Lambda function and upload the packaged code to the S3 bucket. The workflow includes steps for:</p> <ul> <li>Checking out the code</li> <li>Setting up .NET</li> <li>Installing dependencies</li> <li>Building the project</li> <li>Zipping the Lambda package</li> <li>Configuring AWS credentials</li> <li>Uploading the package to S3</li> <li>Updating the Lambda function code</li> </ul> <p><strong>Flow</strong></p> <ul> <li> <strong>User</strong> -&gt; <strong>Lambda Function URL</strong> -&gt; <strong>Lambda Function</strong> -&gt; <strong>S3 Bucket</strong> </li> <li> <strong>Helper Lambda</strong> -&gt; <strong>S3 Bucket</strong> (for management tasks)</li> <li> <strong>Pipeline User</strong> -&gt; <strong>GitHub Actions</strong> -&gt; <strong>S3 Bucket and Lambda Function</strong> (for deployment)</li> </ul> <p><strong>cloudformation-template.yaml</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Code Bucket with CodeLambda and Helper</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">S3BucketName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Name for the code bucket</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s">blazing-lambda-code-bucket</span> <span class="na">AllowedPattern</span><span class="pi">:</span> <span class="s2">"</span><span class="s">^[a-z0-9-]{3,63}$"</span> <span class="na">ConstraintDescription</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Bucket</span><span class="nv"> </span><span class="s">name</span><span class="nv"> </span><span class="s">must</span><span class="nv"> </span><span class="s">be</span><span class="nv"> </span><span class="s">between</span><span class="nv"> </span><span class="s">3</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">63</span><span class="nv"> </span><span class="s">characters</span><span class="nv"> </span><span class="s">long</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">contain</span><span class="nv"> </span><span class="s">only</span><span class="nv"> </span><span class="s">lowercase</span><span class="nv"> </span><span class="s">letters,</span><span class="nv"> </span><span class="s">numbers,</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">hyphens."</span> <span class="na">LambdaExecutionRoleName</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">The</span><span class="nv"> </span><span class="s">name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">IAM</span><span class="nv"> </span><span class="s">role</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">Lambda</span><span class="nv"> </span><span class="s">function"</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LambdaExecutionRole"</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">codebucket</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">S3BucketName</span> <span class="na">HelperS3ObjectsWriteRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">lambda.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">S3Access</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">AllowLogging</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">logs:CreateLogGroup"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">logs:CreateLogStream"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">logs:PutLogEvents"</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">S3BucketAccess</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:ListBucket"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:GetObject"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:DeleteObject"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:DeleteObjectVersion"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:PutObject"</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">arn:aws:s3:::${S3BucketName}"</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">arn:aws:s3:::${S3BucketName}/*"</span> <span class="na">helpers3objectshook</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Custom::S3Objects"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ServiceToken</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">HelperS3ObjectsFunction.Arn</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">S3BucketName</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">codebucket</span> <span class="na">HelperS3ObjectsFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Lambda::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Delete objects from bucket and create my-lambda.zip</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">index.handler</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">python3.9</span> <span class="na">Role</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">HelperS3ObjectsWriteRole.Arn</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">120</span> <span class="na">Code</span><span class="pi">:</span> <span class="na">ZipFile</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">import os</span> <span class="s">import json</span> <span class="s">import cfnresponse</span> <span class="s">import boto3</span> <span class="s">import logging</span> <span class="s">from zipfile import ZipFile</span> <span class="s">from botocore.exceptions import ClientError</span> <span class="s">client = boto3.client('s3')</span> <span class="s">logger = logging.getLogger()</span> <span class="s">logger.setLevel(logging.INFO)</span> <span class="s">def handler(event, context):</span> <span class="s">logger.info("Received event: %s" % json.dumps(event))</span> <span class="s">bucket = event['ResourceProperties']['Bucket']</span> <span class="s">result = cfnresponse.SUCCESS</span> <span class="s">try:</span> <span class="s">if event['RequestType'] == 'Delete':</span> <span class="s">result = delete_objects(bucket)</span> <span class="s">elif event['RequestType'] == 'Create':</span> <span class="s">result = create_zip_and_upload(bucket)</span> <span class="s">except ClientError as e:</span> <span class="s">logger.error('Error: %s', e)</span> <span class="s">result = cfnresponse.FAILED</span> <span class="s">cfnresponse.send(event, context, result, {})</span> <span class="s">def delete_objects(bucket):</span> <span class="s">paginator = client.get_paginator('list_objects_v2')</span> <span class="s">page_iterator = paginator.paginate(Bucket=bucket)</span> <span class="s">objects = [{'Key': x['Key']} for page in page_iterator for x in page['Contents']]</span> <span class="s">client.delete_objects(Bucket=bucket, Delete={'Objects': objects})</span> <span class="s">return cfnresponse.SUCCESS</span> <span class="s">def create_zip_and_upload(bucket):</span> <span class="s">zip_file_path='/tmp/my-lambda.zip'</span> <span class="s">dummy_file_path='/tmp/dummy.txt'</span> <span class="s">with open(dummy_file_path,'w') as dummy_file:</span> <span class="s">dummy_file.write("This is a placeholder text.")</span> <span class="s">with ZipFile(zip_file_path,'w') as zipf:</span> <span class="s">zipf.write(dummy_file_path,arcname='dummy.txt')</span> <span class="s">boto3.client('s3').upload_file(zip_file_path,bucket,'my-lambda.zip')</span> <span class="s">client.upload_file(zip_file_path, bucket, 'my-lambda.zip')</span> <span class="s">return cfnresponse.SUCCESS</span> <span class="na">LambdaExecutionRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::IAM::Role'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">LambdaExecutionRoleName</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">lambda.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">LambdaS3AccessPolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">s3:GetObject</span> <span class="pi">-</span> <span class="s">s3:ListBucket</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">arn:aws:s3:::${S3BucketName}"</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">arn:aws:s3:::${S3BucketName}/*"</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">LambdaCloudWatchLogsPolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">logs:CreateLogGroup</span> <span class="pi">-</span> <span class="s">logs:CreateLogStream</span> <span class="pi">-</span> <span class="s">logs:PutLogEvents</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:logs:*:*:*</span> <span class="na">CodeLambdaFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::Lambda::Function'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">FunctionName</span><span class="pi">:</span> <span class="s1">'</span><span class="s">aws-lambda-code'</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ChauMundo::ChauMundo.LambdaEntryPoint::FunctionHandlerAsync'</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s1">'</span><span class="s">dotnet8'</span> <span class="na">Role</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">LambdaExecutionRole.Arn</span> <span class="na">Code</span><span class="pi">:</span> <span class="na">S3Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">S3BucketName</span> <span class="na">S3Key</span><span class="pi">:</span> <span class="s1">'</span><span class="s">my-lambda.zip'</span> <span class="na">Environment</span><span class="pi">:</span> <span class="na">Variables</span><span class="pi">:</span> <span class="na">ASPNETCORE_ENVIRONMENT</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Production'</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">HelperS3ObjectsFunction</span> <span class="na">CodeLambdaFunctionUrl</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::Lambda::Url'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AuthType</span><span class="pi">:</span> <span class="s">NONE</span> <span class="na">TargetFunctionArn</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">CodeLambdaFunction.Arn</span> <span class="na">CodeLambdaInvokePermission</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS::Lambda::Permission'</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">FunctionName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">CodeLambdaFunction</span> <span class="na">Action</span><span class="pi">:</span> <span class="s1">'</span><span class="s">lambda:InvokeFunctionUrl'</span> <span class="na">Principal</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">FunctionUrlAuthType</span><span class="pi">:</span> <span class="s1">'</span><span class="s">NONE'</span> <span class="na">Outputs</span><span class="pi">:</span> <span class="na">LambdaFunctionUrl</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">The</span><span class="nv"> </span><span class="s">URL</span><span class="nv"> </span><span class="s">endpoint</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">Lambda</span><span class="nv"> </span><span class="s">function"</span> <span class="na">Value</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">CodeLambdaFunctionUrl.FunctionUrl</span> </code></pre> </div> <h1> LET’S START! </h1> <p>Let's get going if you already have an AWS account and the AWS CLI installed <em>(jq is also necessary but not mandatory)</em>.</p> <p><a href="https://i.giphy.com/media/3o7527X9Mvwd7ZmFEI/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/3o7527X9Mvwd7ZmFEI/giphy.gif" alt="START" width="480" height="268"></a></p> <h3> Step-01: 🚀 Deploy CloudFormation Stack for Code </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">S3_BUCKET_NAME</span><span class="o">=</span>blazing-lambda-code-bucket <span class="nb">export </span><span class="nv">STACK_NAME</span><span class="o">=</span>aws-serverless-stack aws cloudformation deploy <span class="se">\</span> <span class="nt">--stack-name</span> <span class="nv">$STACK_NAME</span> <span class="se">\</span> <span class="nt">--template-file</span> cloudformation-template.yaml <span class="se">\</span> <span class="nt">--parameter-overrides</span> <span class="nv">S3BucketName</span><span class="o">=</span><span class="nv">$S3_BUCKET_NAME</span> <span class="se">\</span> <span class="nt">--capabilities</span> CAPABILITY_NAMED_IAM <span class="se">\</span> <span class="nt">--region</span> us-east-1 </code></pre> </div> <p><strong>Note:</strong> The Lambda has a predefined name for easy identification in the pipeline: <code>aws-lambda-code</code>. The Lambda's zip file is called <code>my-lambda.zip</code>—important as it serves as a placeholder for deploying our empty Lambda.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcmoh8a2fomegrgwn0p1c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcmoh8a2fomegrgwn0p1c.png" alt="Image description" width="800" height="700"></a></p> <h2> Step-02: 🛠️ Create AWS IAM User for Pipeline </h2> <p>In this step, we'll create a <strong>Pipeline User</strong> that GitHub Actions will use. This user will have the necessary policies attached to copy files to our bucket and update our Lambda function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set user name</span> <span class="nb">export </span><span class="nv">USER_NAME</span><span class="o">=</span><span class="s2">"codepipeline"</span> <span class="c"># Create IAM user</span> aws iam create-user <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span> <span class="c"># Attach necessary policies</span> <span class="c"># ⚠️ THIS IS NOT PRODUCTION READY - USE A LEAST PRIVILEGE ROLE INSTEAD</span> aws iam attach-user-policy <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span> <span class="nt">--policy-arn</span> arn:aws:iam::aws:policy/AmazonS3FullAccess aws iam attach-user-policy <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span> <span class="nt">--policy-arn</span> arn:aws:iam::aws:policy/AWSLambda_FullAccess <span class="c"># Create access keys for the user</span> <span class="nv">ACCESS_KEYS</span><span class="o">=</span><span class="si">$(</span>aws iam create-access-key <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span><span class="si">)</span> <span class="o">{</span> <span class="s2">"AccessKey"</span>: <span class="o">{</span> <span class="s2">"UserName"</span>: <span class="s2">"codepipeline"</span>, <span class="s2">"AccessKeyId"</span>: <span class="s2">"AKI***NWJVT"</span>, <span class="s2">"Status"</span>: <span class="s2">"Active"</span>, <span class="s2">"SecretAccessKey"</span>: <span class="s2">"ZVAf261Bu***JEaTbiIkQckj"</span>, <span class="s2">"CreateDate"</span>: <span class="s2">"2024-08-05T13:41:48+00:00"</span> <span class="o">}</span> <span class="o">}</span> <span class="c"># Extract AccessKeyId and SecretAccessKey</span> <span class="nv">ACCESS_KEY_ID</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$ACCESS_KEYS</span> | jq <span class="nt">-r</span> <span class="s1">'.AccessKey.AccessKeyId'</span><span class="si">)</span> <span class="nv">SECRET_ACCESS_KEY</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nv">$ACCESS_KEYS</span> | jq <span class="nt">-r</span> <span class="s1">'.AccessKey.SecretAccessKey'</span><span class="si">)</span> <span class="c"># ⚠️ Output the Access Key details</span> <span class="nb">echo</span> <span class="s2">"Access Key ID: </span><span class="nv">$ACCESS_KEY_ID</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"Secret Access Key: </span><span class="nv">$SECRET_ACCESS_KEY</span><span class="s2">"</span> </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6tjl3xe6smjy387cwyyy.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6tjl3xe6smjy387cwyyy.png" alt="Image description" width="800" height="741"></a></p> <h2> Step-03: 🔒 Add Secrets to GitHub Secrets </h2> <p>After creating the IAM user and generating the access keys, follow these steps to add these credentials to your GitHub repository secrets for use in GitHub Actions:</p> <ol> <li> <p><strong>Navigate to Secrets in Your GitHub Repository</strong>:</p> <ul> <li>Go to the main page of your repository on GitHub.</li> <li>Click on the <strong>Settings</strong> tab at the top of the repository page.</li> <li>In the left sidebar, click on <strong>Secrets and variables</strong> &gt; <strong>Actions</strong>.</li> </ul> </li> <li> <p><strong>Add New Repository Secret</strong>:</p> <ul> <li>Click the <strong>New repository secret</strong> button.</li> <li> <strong>AWS_ACCESS_KEY_ID</strong>: <ul> <li> <strong>Name</strong>: <code>AWS_ACCESS_KEY_ID</code> </li> <li> <strong>Value</strong>: Enter the <code>AccessKeyId</code> value you obtained.</li> <li>Click <strong>Add secret</strong>.</li> </ul> </li> <li> <strong>AWS_SECRET_ACCESS_KEY</strong>: <ul> <li> <strong>Name</strong>: <code>AWS_SECRET_ACCESS_KEY</code> </li> <li> <strong>Value</strong>: Enter the <code>SecretAccessKey</code> value you obtained.</li> <li>Click <strong>Add secret</strong>.</li> </ul> </li> <li> <strong>S3_BUCKET_NAME</strong>: <ul> <li> <strong>Name</strong>: <code>S3_BUCKET_NAME</code> </li> <li> <strong>Value</strong>: Enter your S3 bucket name (e.g., <code>blazing-lambda-code-bucket</code>).</li> <li>Click <strong>Add secret</strong>.</li> </ul> </li> </ul> </li> </ol> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgza5wf9kpmm74yo6tz1p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgza5wf9kpmm74yo6tz1p.png" alt="Image description" width="800" height="747"></a></p> <p>Following these steps, you'll securely add the credentials to your GitHub repository for use in your GitHub Actions workflow.</p> <h2> Step-04: 📦 Dependencies </h2> <p>Some compiled languages, like in this C# example, need some dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dotnet add package Amazon.Lambda.AspNetCoreServer dotnet add package Amazon.Lambda.AspNetCoreServer.Hosting dotnet add package Amazon.Lambda.Serialization.SystemTextJson </code></pre> </div> <p>And a small entry point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Amazon.Lambda.APIGatewayEvents</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Amazon.Lambda.AspNetCoreServer</span><span class="p">;</span> <span class="k">using</span> <span class="nn">Amazon.Lambda.Core</span><span class="p">;</span> <span class="k">namespace</span> <span class="nn">HelloWorld</span> <span class="p">{</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">LambdaEntryPoint</span> <span class="p">:</span> <span class="n">APIGatewayHttpApiV2ProxyFunction</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">override</span> <span class="k">void</span> <span class="nf">Init</span><span class="p">(</span><span class="n">IWebHostBuilder</span> <span class="n">builder</span><span class="p">)</span> <span class="p">{</span> <span class="n">builder</span><span class="p">.</span><span class="n">UseStartup</span><span class="p">&lt;</span><span class="n">Startup</span><span class="p">&gt;();</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">Startup</span> <span class="p">{</span> <span class="k">public</span> <span class="nf">Startup</span><span class="p">(</span><span class="n">IConfiguration</span> <span class="n">configuration</span><span class="p">)</span> <span class="p">{</span> <span class="n">Configuration</span> <span class="p">=</span> <span class="n">configuration</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="n">IConfiguration</span> <span class="n">Configuration</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">void</span> <span class="nf">ConfigureServices</span><span class="p">(</span><span class="n">IServiceCollection</span> <span class="n">services</span><span class="p">)</span> <span class="p">{</span> <span class="n">services</span><span class="p">.</span><span class="nf">AddEndpointsApiExplorer</span><span class="p">();</span> <span class="n">services</span><span class="p">.</span><span class="nf">AddSwaggerGen</span><span class="p">();</span> <span class="p">}</span> <span class="k">public</span> <span class="k">void</span> <span class="nf">Configure</span><span class="p">(</span><span class="n">IApplicationBuilder</span> <span class="n">app</span><span class="p">,</span> <span class="n">IWebHostEnvironment</span> <span class="n">env</span><span class="p">)</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseHttpsRedirection</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseRouting</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseEndpoints</span><span class="p">(</span><span class="n">endpoints</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">endpoints</span><span class="p">.</span><span class="nf">MapGet</span><span class="p">(</span><span class="s">"/hello"</span><span class="p">,</span> <span class="p">()</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Ok</span><span class="p">(</span><span class="s">"hi"</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Docs: <a href="https://docs.aws.amazon.com/lambda/latest/dg/csharp-package-asp.html" rel="noopener noreferrer">AWS Lambda C#</a></p> <p>For Java, it's similar:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">org.springframework.cloud.function.adapter.aws.SpringBootRequestHandler</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloHandler</span> <span class="kd">extends</span> <span class="nc">SpringBootRequestHandler</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="o">{}</span> </code></pre> </div> <p>Docs: <a href="https://cloud.spring.io/spring-cloud-function/multi/multi__serverless_platform_adapters.html#_aws_lambda" rel="noopener noreferrer">Spring Cloud Function AWS Lambda</a></p> <h2> Step-05: 🤖 Pipeline Magic </h2> <p>Copy the pipeline into <code>.github/workflows/deploy.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to AWS Lambda</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">main'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">master'</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup .NET</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-dotnet@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">dotnet-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">8.0.x'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">dotnet restore ./HelloWorld/HelloWorld.csproj</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build project</span> <span class="na">run</span><span class="pi">:</span> <span class="s">dotnet publish ./HelloWorld/HelloWorld.csproj -c Release -o ./publish</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Zip Lambda package</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd publish</span> <span class="s">zip -r ../my-lambda.zip .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">aws-access-key-id</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">aws-secret-access-key</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload to S3</span> <span class="na">run</span><span class="pi">:</span> <span class="s">aws s3 cp my-lambda.zip s3://${{ secrets.S3_BUCKET_NAME }}/my-lambda.zip</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Update Lambda function code</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">aws lambda update-function-code --function-name aws-lambda-code --s3-bucket ${{ secrets.S3_BUCKET_NAME }} --s3-key my-lambda.zip</span> </code></pre> </div> <p><strong>Important:</strong> The <code>my-lambda.zip</code> was named to overwrite the previous zip with our actual code. <code>aws-lambda-code</code> is predefined in the CloudFormation stack.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git commit <span class="nt">-am</span> “feat<span class="o">(</span>ci<span class="o">)</span>: deployment” git push origin main </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1d7c2bgvrr6awktlo6c4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1d7c2bgvrr6awktlo6c4.png" alt="Image description" width="800" height="594"></a></p> <h2> Cleaning Up </h2> <p>To delete the CloudFormation stack, use the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Set the stack name</span> <span class="nb">export </span><span class="nv">STACK_NAME</span><span class="o">=</span><span class="s2">"aws-serverless-stack"</span> <span class="c"># Delete the CloudFormation stack</span> aws cloudformation delete-stack <span class="nt">--stack-name</span> <span class="nv">$STACK_NAME</span> <span class="c"># Delete the IAM user</span> aws iam delete-user <span class="nt">--user-name</span> <span class="nv">$USER_NAME</span> </code></pre> </div> <h1> BLAZINGGG ENJOYY 🎉🔥 </h1> <p><a href="https://i.giphy.com/media/VpysUTI25mTlK/giphy.gif" class="article-body-image-wrapper"><img src="https://i.giphy.com/media/VpysUTI25mTlK/giphy.gif" alt="Success GIF" width="500" height="344"></a></p> <p>You can see your pipeline triggered, the code zipped, uploaded to S3, and the Lambda updated. This workflow will trigger on each commit to the main branch. 🚀</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa01bch86iy4eum4q9iqe.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa01bch86iy4eum4q9iqe.png" alt="Image description" width="800" height="875"></a></p> <p>We take the <strong>Lambda URL</strong> from the stack output or directly from the Lambda interface to make an HTTP request. 🌐<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>~/edu curl https://6u7hqooiek7rasomnytusyjp2i0lecee.lambda-url.us-east-1.on.aws/hello/ hi </code></pre> </div> <p>The best part? You can go to S3 and, if you want to try out <strong>DynamoDB</strong>, go to the <code>LambdaExecutionRole</code> and add more permissions. You can do it in IAM or redeploy the <code>CloudFormation stack</code> if you're brave enough.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg9v7xsvj2kswvbtzpa57.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg9v7xsvj2kswvbtzpa57.png" alt="Image description" width="800" height="924"></a></p> <p><a href="https://github.com/LuisCusihuaman/ChauMundo/blob/feature/aws-lambda/INSTALL.md" rel="noopener noreferrer">C# example code with IaC</a></p> <p>And there you have it! A blazing fast, simple way to deploy AWS Lambdas. Enjoy!</p> <p><strong>Happy deploying :)</strong></p> aws github cicd infrastructureascode EduardoCusihuaman Tue, 23 Feb 2021 16:27:27 +0000 https://dev.to/eduardocusihuaman/cicd-static-website-to-s3-with-github-actions-4627 https://dev.to/eduardocusihuaman/cicd-static-website-to-s3-with-github-actions-4627 <p>Hi!!<br> A few days ago, I worked with a developer on a simple landing page with zero complications. He needed a simple way to visualize his changes, obviously in our current AWS infrastructure.</p> <p>The best way to achieve this was with Github Actions + S3 Static websites, and I'll tell you how I did it.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2u2l30tmslb8iq0cctt2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2u2l30tmslb8iq0cctt2.png" alt="CICD" width="576" height="431"></a></p> <h2> Steps </h2> <ol> <li> Provision an S3 Bucket and IAM User with Cloudformation.</li> <li> Add the AWS secrets from our IAM user to the Github repository.</li> <li> Deploy an app to an S3 Bucket through Github actions. </li> </ol> <h1> 1. Resources provisioning 🏗️ </h1> <p>First, we must deploy our resources by AWS Cloudformation. In the following cf template (main.yml), it's defined:</p> <ul> <li>S3 Bucket</li> <li>Bucket Policy</li> <li>IAM User</li> <li>IAM Policy inline</li> </ul> <div class="ltag_gist-liquid-tag"> </div> <p>If you have already installed AWS CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws cloudformation create-stack <span class="nt">--stack-name</span> your-stack-name <span class="nt">--capabilities</span> CAPABILITY_IAM <span class="nt">--template-body</span> file://main.yml <span class="nt">--parameters</span> <span class="nv">ParameterKey</span><span class="o">=</span>BucketName,ParameterValue<span class="o">=</span>your-unique-bucket-name </code></pre> </div> <p>Otherwise:</p> <p>For this need to login into the AWS Console -&gt; Cloudformation -&gt; Stack -&gt; <em>Create Sack</em> <strong>-&gt; Upload a template file.</strong></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyjhhn8o5vxrdslatqybv.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyjhhn8o5vxrdslatqybv.png" alt="Create Stack" width="607" height="436"></a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvurjo94y0kfmq0y0f3un.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvurjo94y0kfmq0y0f3un.png" alt="CAPABILITY_IAM" width="610" height="343"></a></p> <p><em>It will ask you for confirmation that this cloudformation template will create IAM resources, in this case, a user.</em></p> <h1> 2. Secrets 🤫 </h1> <p>Now, we go for the <code>IAM User</code>: <a href="https://console.aws.amazon.com/iam/" rel="noopener noreferrer">https://console.aws.amazon.com/iam/</a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgyj5bk0rzs1n48g64trz.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgyj5bk0rzs1n48g64trz.png" alt="AWS Credentials" width="537" height="357"></a></p> <p><em>IAM -&gt; Users -&gt; your-new-iam-user -&gt;</em> <strong>Security Credentials</strong><br> <em>Access Key -&gt;</em> <strong>Create access key</strong></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frd75gaarl72ddzy3eh0z.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frd75gaarl72ddzy3eh0z.png" alt="Access keys" width="508" height="219"></a><br> <strong>Download .csv file</strong></p> <p>We need to set <code>AWS_ACCESS_KEY_ID</code> and <code>AWS_SECRET_ACCESS_KEY</code> in the GitHub repository's secrets section required to upload files to our S3 bucket.</p> <p><code>S3_BUCKET</code>: The name of the destination bucket<br> <code>S3_BUCKET_REGION</code>: The destination bucket region </p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg69jcwouh6ywjxyassja.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg69jcwouh6ywjxyassja.png" alt="Github Secrets" width="715" height="459"></a><br> <em>Settings -&gt; Secrets</em> -&gt; <strong>New repository secret</strong></p> <h1> 3. Github Actions 🚀 </h1> <p>I highly recommend using this continuous deployment <strong>only</strong> for stage environments. For that reason, we'll create a QA branch.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git checkout <span class="nt">-b</span> QA </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8dules4af9dn5698mxz9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8dules4af9dn5698mxz9.png" alt="Creating branch" width="369" height="368"></a><br> <em>Creating branch from Github UI</em> </p> <p>Next, we'll create our deploy.yml file in the path: <code>.github/workflows</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> .github/workflows <span class="o">&amp;&amp;</span> <span class="nb">touch</span> .github/workflows/deploy.yml </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknpgybjz3t6om5cmmcd4.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknpgybjz3t6om5cmmcd4.png" alt="create new file" width="800" height="105"></a></p> <p><em>If you want to run it on a specific branch, change</em> <code>branches</code></p> <div class="ltag_gist-liquid-tag"> </div> <p><em>Github action:</em> <a href="https://github.com/Reggionick/s3-deploy" rel="noopener noreferrer">https://github.com/Reggionick/s3-deploy</a>.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwutq0ny9e47ib147tyvo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwutq0ny9e47ib147tyvo.png" alt="Deployment" width="597" height="354"></a><br> <em>Our app is already deployed by Github Actions!</em></p> <h1> Done! 🙌 </h1> <p>Check your S3 WebsiteURL from the last Cloudformation output:</p> <p><em>http​://your_bucket_name.s3-website-your_region.amazonaws.com/</em></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp527a63kqyfe9keys6en.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp527a63kqyfe9keys6en.png" alt="Static Website" width="800" height="380"></a></p> <p>For HTTPS: <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/website-hosting-custom-domain-walkthrough.html#:~:text=If%20you%20want%20to%20use%20HTTPS,%20you%20can%20use%20Amazon%20CloudFront%20to%20serve%20a%20static%20website%20hosted%20on%20Amazon%20S3" rel="noopener noreferrer">Configuring a static website using a custom domain registered with Route 53</a></p> <h1> Bonus 🎁 </h1> <p>If you work with react, the following pipeline can help you: <br> </p> <div class="ltag_gist-liquid-tag"> </div> <p>react-router 404 errors: <a href="https://via.studio/journal/hosting-a-reactjs-app-with-routing-on-aws-s3" rel="noopener noreferrer">https://via.studio/journal/hosting-a-reactjs-app-with-routing-on-aws-s3</a><br> cors-cloudformation example: <a href="https://git.io/JtQZK" rel="noopener noreferrer">https://git.io/JtQZK</a></p> <p>If you have any comments or improvements for this post, I would be glad to receive them. </p> <p>Thank you for your time 👋👨‍💻.</p> aws cicd hosting cloudformation