DEV Community: Jones Ndzenyuy

AWS community day Workshop: Building Your First DevOps Blue/Green Pipeline with ECS

Jones Ndzenyuy — Fri, 21 Nov 2025 21:49:20 +0000

In this workshop, I will guide you step by step how to build a Blue-Green deployment pipeline with AWS pipeline and deploys on AWS ECS with EC2. This deployment strategy helps teams to first test an app while routing traffic to a non-prod route, when confirmed that the app functions as expected, then the traffic is routed to prod. In case of any failure, a rollback is initiated for the previously working version hence avoiding downtime.

Architecture

App Flow

The Infrastructure consists of an Application Load Balancer which exposes the app on Port 80, routes traffic to the autoscaling group managed by ECS, a fleet of EC2 instances running in two AZs for High availability. Each of these instances have ECS agent installed and the necessary software for running our Docker containers. These interact with Aurora PostgreSQL database in RDS for data storage. Aurora PostgreSQL database is configured to replicate data in another availability zone for a resilient database configuration. When there is a spike in traffic, ECS will launch other containers in order to accommodate the load.

Deployment Flow

Provided the developers do changes and want to update the deployed app, our CI/CD pipeline is configured to automate the deployment. With code stored in GitLab, once there is a push, AWS CodePipeline is triggered via a connection app setup and authenticated to Gitlab, Codebuild builds, containerize and push the image to ECR, next Codedeploy deploys the new app, first will deploy it with port 8080 for tests, if the team is happy with their changes, they can approve for traffic to be switch to the newly deployed container and terminate the former. The former containers can be configured to still run for some time while the newly deployed is tested, if everything is fine, then the last version of the deployed app can be terminated.

Build it step by step

**Note**: _If you face issues putting it up and working, go to the optional stage and deploy with Cloudformation_

Ensure you have a code editor like VScode, you have a Gitlab account, an AWS account will appropriate permissions(full access to RDS, ECS, ECR, IAM), configure awscli on you terminal with access keys

Clone the Code

On your local computer terminal(i use wsl with ubuntu os) run

git clone https://gitlab.com/ndzenyuy/tripmgmt.git
cd tripmgmt
rm -rf .git
git init
code .

It will clone the repository that has the application code to your local machine, enter the folder and remove the .git file so as to remove the url for the repository from whence the code was pulled, therefore making it possible to use the code and push to your own repository.

On the browser, go to GitLab and create an account if you don't have one, in it, create a repository named "tripmgmt", you can make the project public and don't create it with a READme.md file. Now copy the repository http url and go back to your terminal and run the following:

git remote add origin <your repo url>
git add .
git commit -m "Initial commit"
git push --set-upstream origin main

These will push the code to the newly created repository.

Setup AWS Resources

Create required AWS IAM Roles

Task Execution Role: Grants the Amazon ECS container and Fargate agents permission to make AWS API calls on your behalf.

To create the ecsTaskExecutionRole IAM role

Open the IAM console
In the navigation pane, choose Roles, Create role.
In the Trusted entity type, select AWS Service
Under Use case, select Elastic Container Service and Elastic Container Service Task, then choose Next: Permissions.
In the Attach permissions policy section, search for AmazonECSTaskExecutionRolePolicy, select the policy, and then choose Next: Review.
For Role Name, type ecsTaskExecutionRole and choose Create role.
Please save value of the Role ARN in the open text file to use in the later section of the workshop.

ECS Container Instance Role: This IAM role is required for the EC2 launch type. The Amazon ECS container agent makes calls to the Amazon ECS API on your behalf. Container instances that run the agent require an IAM policy and role for the service to know that the agent belongs to you.

To create the ecsInstanceRole IAM role

In the navigation pane, choose Roles, Create role.
In the Trusted entity type, select AWS Service
Under Use case, select EC2, then choose Next: Permissions.
In the Attach permissions policy section, search for AmazonEC2ContainerServiceforEC2Role, select the policy, and then choose Next: Review.
For Role Name, type ecsInstanceRole and choose Create role.

ECS CodeDeploy Role: Before you can use the CodeDeploy blue/green deployment type with Amazon ECS, the CodeDeploy service needs permissions to update your Amazon ECS service on your behalf. These permissions are provided by the CodeDeploy IAM role.

To create the ecsCodeDeployRole IAM role

In the navigation pane, choose Roles, Create role.
In the Trusted entity type, select AWS Service
Under Use case, select CodeDeploy and CodeDeploy - ECS, then choose Next: Permissions.
In the Attach permissions policy section, AWSCodeDeployRoleForECS policy should come as selected, choose Next: Review.
For Role Name, type ecsCodeDeployRole and choose Create role

Create Container Repository

Open the Amazon ECR console.
In the navigation pane, under Private Registry choose Repositories.
On the Repositories page, choose Create repository.
For Repository name, enter a name for your repository like devops/tripmgmtdemo
For Tag immutability, keep it Mutable for this workshop. Repositories configured with immutable tags will prevent image tags from being overwritten. For more information, see Image Tag Mutability.
For Encryption settings, select AWS Key Management Service (KMS). Use an AWS managed key. To read more about encrypting at rest, see ECR Encryption at Rest.
For Scan on push, keep it Disabled for this workshop. Repositories configured to scan on push will start an image scan whenever an image is pushed, otherwise image scans need to be started manually. For more information, see Image Scanning.
Choose Create repository.
Please save value of the Repository URL in the open text file to use in the later section of the workshop.

Setup Aurora PostgreSQL RDS Database

In this section, we will setup Aurora PostgreSQL RDS with Multi-AZ configuration.

Go to the AWS Management Console and open the Amazon RDS console.
In the navigation pane, choose Databases.
Choose Create database.
In Choose a database creation method, choose Standard Create.
In Engine options, choose Aurora (PostgreSQL Compatible).
In Templates, choose Dev/Test template.
1. Clear Auto generate a password check box.
2. Enter Master password value as SuperSecretPGSqlPwd##2006 and enter the same password in Confirm password.
In the DB cluster identifier field, give Aurora DB cluster name, tripmgmtdb-cluster
To enter your master password, do the following in Credential Settings
For Instance configuration, choose db.t4g.medium under Burstable classes (includes t classes)
For Availability & durability, choose Create an Aurora Replica/Reader node in a different AZ (recommended for scaled availability)
Keep defaults for Connectivity, Babelfish settings, Database authentication, Monitoring sections.
For Additional configuration, enter tripmgmt under Initial database name.
Choose Create database.
For Databases, choose the name of the new Aurora DB cluster. On the RDS console, the details for new DB cluster appear. The DB cluster and its DB instance have a status of creating until the DB cluster is ready to use. When the state changes to available for both, you can connect to the DB cluster. Depending on the DB instance class and the amount of storage, it can take up to 20 minutes before the new DB cluster is available.
On the Connectivity & security tab, note the port and the endpoint of the writer DB instance. Please save value of the endpoint and port of the cluster in the open text file to use in the later section of the workshop. Endpoint URL should be of format tripmgmtdb-cluster.cluster-UNIQUEID.AWSREGION.rds.amazonaws.com
Click on Writer Node and on the Connectivity & security tab, please save value of the Security Group Id under Security section (i.e. sg-xxxxxxxx) in the open text file to use in the later section of the workshop.

Create Application Load Balancer and Target Groups

We will create an Amazon EC2 application load balancer. This will be the public endpoint to access Trip Management Monolith Application. The load balancer must use a VPC with two public subnets in different Availability Zones.
First create Target groups for your load balancer

Sign in to the AWS Management Console and open the Amazon EC2 console
In the navigation pane, choose Target groups and select Create target group.
Under Basic configuration, select IP addresses target type.
In Name, enter a target group name alb-tg-tripmgmtdemo-1
In Protocol choose HTTP. In Port, enter 80.
Keep rest of the settings as defaults.
Select Next: Register Targets.
Select Create target group.
Repeat above steps to create another target group for Protocol HTTP and Port 8080, name it alb-tg-tripmgmtdemo-2

To create an Amazon EC2 application load balancer

Sign in to the AWS Management Console and open the Amazon EC2 console
In the navigation pane, choose Load Balancers, choose Create Load Balancer.
Choose Application Load Balancer, and then choose Create.
In Name, enter the name of your load balancer tripmgmtdemo-alb
In Scheme, choose internet-facing.
In IP address type, choose ipv4.
Under Network mapping, in VPC, choose the default VPC, and then choose any two availability zones under Mappings. Please save value of the Availability Zone / Subnet ids in the open text file to use in the later section of the workshop.
Under Security groups, choose Create new security group
1. Give it the name ALBSecurityGroup in the Security group name field.
2. Give it the description in the Description field.
3. Add Inbound Rule, Allow 80 port (HTTP) inbound traffic from My IP
4. Add Inbound Rule, Allow 8080 port (CustomTCPPort) inbound traffic from My IP
5. Select Create security group
6. Please save value of the newly created Security Group Id (i.e. sg-xxxxxxxx..) in the open text file to use in the later section of the workshop.
7. Come back to Create Application Load Balancer tab, refresh Security groups and select newly created Security group, removing any existing pre-selected Security groups.
Under Listeners and routing, configure two listener ports for your load balancer:
1. Under Protocol, choose HTTP, and Under Port, enter 80.
2. Under Default action, select alb-tg-tripmgmtdemo-1 Target Group.
3. Choose Add listener.
4. Under Protocol, choose HTTP, and Under Port, enter 8080.
5. Under Default action, select alb-tg-tripmgmtdemo-2 Target Group.
Choose Create load balancer.
Go to Load Balancers and click on the newly created load balancer. From the Description tab, please save value of the DNS name of the Load Balancer in the open text file to use in the later section of the workshop.

Setup ECS Cluster

Create ECS Cluster

Amazon ECS creates an Amazon EC2 Auto Scaling launch template and Auto Scaling group on your behalf as part of the AWS CloudFormation stack.

Open the Amazon ECS console.
In the navigation pane, choose Clusters.
On the Clusters page, choose Create Cluster.
Under Cluster configuration, for Cluster name, enter ecs-cluster-tripmgmtdemo
Under Infrastructure, keep AWS Fargate (serverless) selected and also select Amazon EC2 instances. Next, configure the Auto Scaling group which acts as the capacity provider.

Select Create new group, and then provide the following details about the group:

For Operating system/Architecture, choose Amazon Linux 2.
For EC2 instance type, choose t3.large. Here, t3.large selected as required for this workshop to complete in given time.
For Capacity, enter 2 for the minimum number and 4 for the maximum number of instances to launch in the Auto Scaling group.
Under Network settings for Amazon EC2 instances, choose default VPC and same two subnets, which were selected at that time of creating Application Load Balancer in previous section.
Choose Create

Create Security Group for EC2 Container Instance

Open the Amazon EC2 console.
On the navigation pane, under Network & Security, choose Security Groups
On the next page, choose Create security group.
For Security group name, enter ECS-ALB-SecurityGroup for the security group name and give meaningful description under Description.
Choose default VPC
Add Inbound Rule, Allow 80 port (HTTP) inbound traffic from Application Loadbalancer Security Group you have created in earlier section (i.e. sg-xxxxx).
Add Inbound Rule, Allow 8080 port (CustomTCPPort) inbound traffic from Application Loadbalancer Security Group you have created in earlier section (i.e. sg-xxxxx).
Select Create security group
Please save value of the newly created Security Group Id (i.e. sg-xxxxxxxx..) in the open text file to use in the later section of the workshop.

Create ECS Task

First create Amazon CloudWatch Log Group, where taskdef is configured to send all logs.
1. Go to CloudWatch Console
2. Select Log Groups,
3. Click Create log group button,
4. Log Group Name: enter tripmgmt-demo-ecstask-loggrp and Retention setting select 5 days
5. Choose Create
In order to create an ECS Task, we will need to create a ECS Task Definition file. Go to you cli, make sure it is pointing to the folder tripmgmt and delete the file taskdef.json by running the command

rm taskdef.json

Copy below given environment variables in plain text-file and change respective environment variable values as per the workshop resources created by you in the previous sections. After modifying values of respective environment variables, execute these export commands on the commandline.

export LOG_GROUP=tripmgmt-demo-ecstask-loggrp
export DB_USERNAME=postgres
export DB_PASSWORD=SuperSecretPGSqlPwd##2006
export AWS_DEFAULT_REGION=<<AWS-REGION>>

export TASK_EXECUTION_ROLE_ARN="arn:aws:iam::<<AccountID>>:role/ecsTaskExecutionRole"
export AURORA_PGSQL_RDS_URL="tripmgmtdb-cluster.cluster-<<UNIQUEID>>.<<AWS-REGION>>.rds.amazonaws.com"
export ECR_LATEST_IMAGE_URL="<<AccountID>>.dkr.ecr.<<AWS-REGION>>.amazonaws.com/devops/tripmgmtdemo:latest"

LOG_GROUP : Verify name as you have created in Step No 1 in this section, only change if you have used different log group name.
DB_USERNAME: Database username set while creating Aurora PostgreSQL DB Cluster.
DB_PASSWORD: Database password set while creating Aurora PostgreSQL DB Cluster.
TASK_EXECUTION_ROLE_ARN: Task Execution Role created in Create IAM Roles section.
AURORA_PGSQL_RDS_URL: Aurora PostgreSQL RDS Cluster URL as created in Create Aurora PostgreSQL DB section.
ECR_LATEST_IMAGE_URL: Elastic Container Registry Image URL from Create Container Repository section.
Create the task definition from the command line by running

envsubst < "taskdef_src.json" > "taskdef.json"
aws ecs register-task-definition --cli-input-json file://taskdef.json

Please save the value of the TaskDefinition ARN from output in the open text file to use in the later section of the workshop. It is at the very top of the output and should look something like arn:aws:ecs:<>:<>:task-definition/task-tripmgmt:1.
Commit taskdef.json in repository.

git add taskdef.json
git commit -m "Updated Taskdef"

You can also verify the Task Definition in the Amazon ECS console , left navigation bar under Amazon ECS, Task Definitions.

Prepare AppSpec File
AWS CodeDeploy requires AppSpec YAML-formatted file to manage deployment. In the project folder on the terminal, run the code below and edit the value of the taskdefinition arn to reflect what you had in step 4 above(similar to: arn:aws:ecs:<>:<>:task-definition/task-tripmgmt:1.)

nano appspec.yaml

Commit appspec.yaml in repository

git add appspec.yaml
git commit -m "appspec file with Taskdef url"
git push

Optional: Deploy the infrastructure with Cloudformation (Recommended)

Login to the console and search for cloudformation
Create a new stack
Prerequisite - Prepare template: Choose existing stack
Specify template: Upload a template file
Upload a template file: Choose file -> search on your computer, in the tripmgmt/cloudformation-infra folder/subfolder and choose tripmgmt.yml

On specify Stack details
Stack name: tripmgmt KeyPairName: <select a keypair in you account or create on if absent> PublicSubnet1Id: <select a public subnet> PublicSubnet2Id: <select a public subnet> VpcId: <select the default vpc id> click next
Scroll down and acknowledge,

and click next scroll and click submit

This will create the infrastructure needed to run our Pipeline.

DevOps Pipeline with Blue/Green Deployment

The Engineering team commit changes to code base and then push those changes to a git repository. It triggers AWS CodePipeline action. AWS CodeBuild will compile source code and build & store container image in an Elastic Container Registry. AWS CodeDeploy will initiate Blue/Green deployment of ECS Task(s) in an ECS Cluster through ECS Service.

Setup CodeBuild with GitLab Integration

To setup AWS CodeBuild, first we need to create/modify buildspec.yml file to describe build steps. After that, we need to configure the CodeBuild Project linking with the GitLab Repository.
On the cli, run the code below and edit the values of the following parameters to suite those you have:

AWS_ACCOUNT_ID
AWS_DEFAULT_REGION
REPOSITORY_URI

nano buildspec.yml

After editing, run ctrl + x, when prompted to save changes press Y then press enter to confirm.

Setup CodeBuild Project

Open the CodeBuild console.
On the Build projects page, choose Create build project.

In Project configuration: Enter a name for this build project tripmgmt-demo-build. Build project names must be unique across each AWS account. You can also include an optional description of the build project to help other users understand what this project is used for.

If required, Select Build badge to make your project's build status visible and embeddable.
In Source: For Source provider, choose GitLab.
You will then get an error stating that you have not connected to GitLab.
Press the Manage account credentials link.
Select GitLab as your credential type.
In Connection, press create a new GitLab connection.
Give the connection the name tripmgmt-connection.
Press the Connect to GitLab button and authenticate.
Authorize AWS Connector for GitLab.
After being redirected back to the AWS Console, press Connect.
You should now be able to save and add your new GitLab connection.
From Repository, choose the repository you have created for this project demo.

For Source version, type main.
In Environment: choose Managed Image with Operating system as Ubuntu,
For Runtime(s) choose Standard and Image choose the one with Standard:5, having Image Version as Always use the latest image for this runtime version

For Service role choose New service role and give it a meaningful name codebuild-tripmgmt-demo-build-service-role
Open Aditional configuration in the same section. Check mark Privileged action.
For Buildspec, select that you want to Use a buildspec file, add the buildspec.yml file location and name - buildspec.yml

For Logs, check mark CloudWatch logs and give Group name as codebuild-logs, Stream name as tripmgmtdemo-build.
Click Create build project.

Now edit newly created service role codebuild-tripmgmt-demo-build-service-role to allow accessing ECR repository through AmazonEC2ContainerRegistryPowerUser managed policy.
1. Open codebuild-tripmgmt-demo-build-service-role role from IAM console .
2. Choose Attach policies.
3. To narrow the available policies to attach, for Filter, type AmazonEC2ContainerRegistryPowerUser
4. Check the box to the left of the AWS managed policy and choose Attach policy and Update.
Select the build project and Start build to test GitLab and CodeBuild integration.
Post successful build, you can verify new docker image in Amazon ECR console.

Deploy on Amazon ECS with EC2

As per the architectural diagram, Engineering team commit changes to code base and then push those changes to a Git repository. It triggers AWS CodePipeline action, AWS CodeBuild will compile source code and build & store container image in an Elastic Container Registry. AWS CodeDeploy will initiate Blue/Green deployment of ECS Task(s) in an ECS Cluster through ECS Service. Upon successful deployment of ECS Task(s), users can access Web Portal through DNS URL pointing to ALB endpoint. ALB endpoint serves client requests from ECS Cluster after automatically adjusting capacity to maintain steady state.

Create CodeDeploy Application

To create a CodeDeploy application

Open the CodeDeploy console and choose Create application.
In Application name, enter the name you want to use Deploy-Tripmgmt-Demo-App
In Compute platform, choose Amazon ECS.
Choose Create application.

To create a CodeDeploy deployment group

On your application page's Deployment groups tab, choose Create deployment group.
In Deployment group name, enter a name that describes the deployment group deploygrp-tripmgmt-demo
In Service role, choose a service role ecsCodeDeployRole, which was created in earlier section Create required AWS IAM Roles and grants CodeDeploy access to Amazon ECS.
In Environment configuration, choose your Amazon ECS cluster name and service name.
From Load balancers, choose the name of the load balancer that serves traffic to your Amazon ECS service.
From Production listener port, choose the port and protocol for the listener that serves production traffic to your Amazon ECS service. (Production listener port : 80 and Test listener port : 8080)
From Target group 1 name and Target group 2 name, choose the target groups used to route traffic during your deployment. Make sure that these are the target groups you created for your load balancer.
Under Deployment settings,
- Choose Specify when to reroute traffic and choose 0 days, 0 hours, and 5 minutes. This will reroute the traffic to successfully deployed updated tasks after 5 Minutes. This is the time required by you to verify the successfully deployed updated tasks and decide whether to rollback or continue reroute the traffic.
- Under Deployment configuration, choose CodeDeployDefault:ECSAllAtOnce. It will configure CodeDeploy to shift all traffic to the updated Amazon ECS container at once.
- Under Original revision termination, and choose 0 days, 0 hours, and 0 minutes. It will configure CodeDeploy to terminate the original tasks immediately after rerouting the traffic. You can choose to keep the original tasks for a desired duration as required. After termination of original tasks, you cannot rollback manually or automatically.
Choose Create deployment group.

Create CodePipeline

In this section, we will create a DevOps pipeline with the following actions:

A source stage with a GitLab action
A build stage with a CodeBuild action
A deployment stage with an Amazon ECS deploy action with Blue/Green Deployment.

Sign in to the AWS Management Console and open the CodePipeline console
On the Welcome page, Getting started page, or the Pipelines page, choose Create pipeline.
In Step 1: Choose creation settings, pick Build custom pipeline
In Step 2: Choose pipeline settings, in Pipeline name, enter codepipeline-tripmgmt-demo.
In Service role, Choose New service role to allow CodePipeline to create a new service role in IAM. Enter name as codepipeline-tripmgmt-demo-service-role

In Artifact store, Choose Default location to use the default artifact store, such as the Amazon S3 artifact bucket designated as the default, for your pipeline in the region you have selected for your pipeline.
Choose Next.
In Step 2: Add source stage, in Source provider, choose GitLab. In Connection select the connection you created earlier. Following this, select the repository and default branch you chose earlier. The rest can be kept at default.
Choose Next.
In Step 3: Add build stage, in Build provider, choose Other build providers and then AWS CodeBuild. In Project name choose the name of the build project. The rest can be kept default.
Choose Next.
Choose Skip test stage at the bottom of the page.
In Step 4: Add deploy stage, in Deploy provider choose Amazon ECS (Blue/Green)

In AWS CodeDeploy application name, choose CodeDeploy Application name. In AWS CodeDeploy deployment group, choose CodeDeploy Application's Deployment Group.
In Amazon ECS task definition, choose BuildArtifact and enter taskdef.json.
In AWS CodeDeploy AppSpec file, choose BuildArtifact and enter appspec.yaml.
Choose Next.

Review the information, and then choose Create pipeline. Immediately, stop the Pipeline Execution with Stop and Abandon pop-up action.
Modify Deploy Stage
1. Open (or remain in) the CodePipeline console & select the Pipeline name, for example codepipeline-tripmgmt-demo.
2. Click Edit, and scroll down at bottom and "Edit Stage" , click on Edit icon of Deploy Action Group.
3. In Input artifacts, choose SourceArtifact and remove BuildArtifact
4. Modify Amazon ECS task definition, choose SourceArtifact and keep taskdef.json.
5. Modify AWS CodeDeploy AppSpec file, choose SourceArtifact and keep appspec.yaml.
6. Choose Done
7. Scroll up and press Save.

DevOps Pipeline in Action

Go to Trip Management Monolith Application code base, preferrably home page and make a visible modification which you can identify after releasing a change. Look at the below screenshot, having (Tripment - New Change) at the end at line#7. File path: src/main/webapp/app/home/home.component.html

Commit applied changes and push changes to the GitLab repository. This will trigger the pipeline:

On the browser where you pasted the DNS of the load balancer, check the app that is deployed, it should still be the one without the changes

After the deployment is complete, before traffic is rerouted, check the browser with the 8080 port, you should see the web page with the changes:

Code deploy still deploying the new container on ECS, traffic is still flowing to the initial deployment. Once the deployment stage is complete, it will forward test traffic to the same alb link but on a different port:8080

The pipeline will wait 5 minutes for the newly deployed app to be tested(as configured in code pipeline). Once the time elapses, the pipeline will automatically route traffic

After tests, the engineer can now reroute traffic by clicking on reroute traffic, after they are sure their changes are as expected:

The traffic will instantly be rerouted to the new tasks, and will keep the former tasks should incase there is need for rollback after live traffic is routed to it, now both links for test and prod will display the same app, while waiting for a termination of the former:

Traffic activity:

During the deployment phase, out of expected 2 task, ECS runs 4 tasks, this will ensure that the newly deployed app is stable before the termination of these can be authorized.

Clean-up

On the console, go to Cloudformation stacks and delete tripmgmt stack, or if you created the resources on the console, then delete them in the order they were created. Go to Developer tools and delete the pipeline, in codebuild, delete the build job.

Deploy an Amazon-Clone App on EKS with Kustomize and ArgoCD with GitOps best practices

Jones Ndzenyuy — Mon, 04 Aug 2025 23:14:23 +0000

In this Tutorial, we will deploy an Amazon Clone App on EKS with DevOps best practices. The App is a React based,so we'll deploy the infrastructure(EKS and OIDC Role) using Cloudformation, the CICD Pipeline will run with GitHub Actions, ArgoCD with Kustomize to deploy the kubernetes manifest files.

Architecture

First the Cloud Engineer deploys the cloudformation code to deploy the infrastructure to AWS, once the infrastructure is configured with argoCD pointing to the Repo 2 with the manifest files, Prometheus and Grafana setup for monitoring the deployement, the developers can at anytime push an app update through the Repo 1 containing the App code. Once the developer pushes the code, Github actions triggers the pipeline to run tests; Security checks in Sonar Cloud, Dependencies and Vulnerabilities with OWASP, if these checks pass, the image is built and Trivy scans the image for known vulnerabilities, if the code and the docker image passes all the checks, Github actions, configured with OIDC role with policies to push images to ECR, pushes the image, then clones the second repository, updates the kustomization.yml file with the new image version and pushes it to the repository. ArgoCD will pick the changes and update the cluster.

Step by Step Guide

1. Clone the App repository

Clone the code repository, and initialise the code to be hosted on your repository, run the following code on the terminal(make sure you have vscode installed on your machine)

git clone https://github.com/Ndzenyuy/Amazon-FE.git
cd Amazon-FE
rm -rf .git .github
git init
code .

This code will clone the repository, switch into the repository, initialize git for you to be able to create and push to your repository and finally open VSCode.

2. Create and deploy the Cloudformation Stack

On your local machine, create a file named infrastructure.yml and paste the following code:

AWSTemplateFormatVersion: "2010-09-09"
Description: Create an Amazon EKS Cluster with a managed node group.

Parameters:
  ClusterName:
    Type: String
    Default: Amazon-clone

  ClusterVersion:
    Type: String
    Default: "1.31"

  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: "VPC for the EKS cluster"

  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: "Subnets (private/public) for the worker nodes and control plane"

  NodeInstanceType:
    Type: String
    Default: t3.medium

  DesiredCapacity:
    Type: Number
    Default: 2

  GitHubOrg:
    Description: Name of GitHub Username (case sensitive)
    Type: String
    Default: "Ndzenyuy"

  RepositoryName:
    Description: Name of GitHub Repository (case sensitive)
    Type: String
    Default: "Amazon-FE"

  OIDCProviderArn:
    Description: ARN of the GitHub OIDC Provider (Leave blank to create one)
    Type: String
    Default: "arn:aws:iam::997450571655:oidc-provider/token.actions.githubusercontent.com"

  OIDCAudience:
    Description: Audience supplied to configure-aws-credentials.
    Type: String
    Default: "sts.amazonaws.com"

Conditions:
  CreateOIDCProvider: !Equals
    - !Ref OIDCProviderArn
    - ""

Resources:
  # IAM Role for EKS Cluster
  EKSClusterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: eks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy

  # EKS Cluster
  EKSCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: !Ref ClusterName
      Version: !Ref ClusterVersion
      RoleArn: !GetAtt EKSClusterRole.Arn
      ResourcesVpcConfig:
        SubnetIds: !Ref SubnetIds
        EndpointPrivateAccess: false
        EndpointPublicAccess: true

  # IAM Role for Node Group
  NodeInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy

  # Managed Node Group
  NodeGroup:
    Type: AWS::EKS::Nodegroup
    Properties:
      ClusterName: !Ref EKSCluster
      NodeRole: !GetAtt NodeInstanceRole.Arn
      Subnets: !Ref SubnetIds
      ScalingConfig:
        DesiredSize: !Ref DesiredCapacity
        MaxSize: 4
        MinSize: 1
      InstanceTypes:
        - !Ref NodeInstanceType
      AmiType: AL2_x86_64
      NodegroupName: !Sub "${ClusterName}-nodegroup"
      DiskSize: 20

  EKSPublicAccessSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt EKSCluster.ClusterSecurityGroupId
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0

  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - !Ref OIDCAudience
      ThumbprintList:
        - "74f3a68f16524f15424927704c9506f55a9316bd" # Replace with actual thumbprint

  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !If
                - CreateOIDCProvider
                - !Ref GithubOidc
                - !Ref OIDCProviderArn
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: !Ref OIDCAudience
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
      Policies:
        - PolicyName: AllowECRAndEKSAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                  - ecr:CompleteLayerUpload
                  - ecr:GetDownloadUrlForLayer
                  - ecr:InitiateLayerUpload
                  - ecr:PutImage
                  - ecr:UploadLayerPart
                Resource: "*"

              - Effect: Allow
                Action:
                  - eks:DescribeCluster
                  - eks:ListClusters
                Resource: "*"

              - Effect: Allow
                Action:
                  - sts:GetCallerIdentity
                Resource: "*"

              - Effect: Allow
                Action:
                  - eks:Describe*
                  - eks:List*
                  - eks:Update*
                  - eks:AccessKubernetesApi
                Resource: "*"

Outputs:
  ClusterName:
    Value: !Ref EKSCluster
    Description: Name of the EKS Cluster

  ClusterRoleArn:
    Value: !GetAtt EKSClusterRole.Arn

  RoleArn:
    Description: IAM Role ARN for GitHub Actions
    Value: !GetAtt Role.Arn

  NodeGroupRoleArn:
    Value: !GetAtt NodeInstanceRole.Arn

On the Console, search cloudformation,then click -> Create stack -> with new resources, then enter the following parameters:

Prepare template: Choose an existing template
Specify template: Upload a template file
Upload a template file: Choose the infrastructure.yml file
Click Next
Stack name: amazon-clone
Under the parameters, leave the others at their defaults but edit SubnetIds by selecting the first 2 subnets, along with the VpcId, select the default.
Next
scroll down and Click: I acknowledge that AWS CloudFormation might create IAM resources.
Next
Submit. This will create the infrastructure required to run this project, while waiting for the create to complete, go to Sonarcloud.

- Create ECR Repository

On AWS console, create a repository named "amazon-clone". This will match the repo where the images will be pushed to.

3. Create a project in Sonarcloud

Create a sonarcloud organization

Click on the account icon on the top right of the screen
My Organizations and click create organisation
Create one manually
Give it the name "amazon-clone"
select the free plan -> Create Organization

Copy the organization name as it will be needed shortly

Analyse new project
Display name, give it "amazon-clone-project"
Project key: "amazon-clone-project" (copy project key as it will be used)
Project visibility: public
Next The new code for this project will be based on: Previous version choose your analysis method: With Github Actions Copy the SONAR_TOKEN as will be needed in a safe location

4 Prepare Secrets

- AWS_GITHUB_ROLE Return to cloudformation and select outputs, copy the value of the Role arn, this is the OIDC role arn that will be used by Github Actions

- DEPLOY_KEY_PRIVATE We need to create an ssh key pair that will be used to authenticate into Repo 2 containing the manifest files argoCD will be using. In the terminal(ubuntu)

ssh-keygen

Press keyboard enter till the keypair is generated, now run

cd
cat .ssh/id_rsa

This command will output the private key of the key pair file generated, copy it and save it in the DEPLOY_KEY_PRIVATE variable.

Now create a second repository in GitHub, call it Amazon-clone-infra, we have to add the public ssh key file generated to the repository deploy keys in order to authenticate and push code to the repository. So back in our terminal, run

cat .ssh/id_rsa.pub

Copy the keys to github repo 2, under settings -> Deploy keys -> add deploy key:

Title: deploy-infra,
key: paste the content of the private key there and save it

5. Store Secrets in the App Repository

In VSCode, initialize git, create a remote repository and push the code to the repository, make it public. In the repository on Github, we have to store the secrets that will be used by our github actions workflow to successfully deploy the app to Kubernetes. Go to the repository in Github(Amazon-FE) -> Settings -> Secrets and variables -> actions -> New repository secrets. There create the secrets one after the other, the secrets required are:

SONAR_TOKEN
AWS_GITHUB_ROLE
DEPLOY_KEY_PRIVATE
SONAR_HOST_URL
SONAR_ORGANIZATION
SONAR_PROJECT_KEY

After creating, we should have something like:

6. Configure ArgoCD

Back on your terminal, follow these steps:

update kubeconfig

aws eks update-kubeconfig --name Netflix-clone --region us-east-1

Install argoCD on the cluster

 kubectl create namespace argocd
 kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

verify installation

kubectl get all -n argocd

expose argocd

kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'

export argocd dns

export ARGOCD_SERVER=`kubectl get svc argocd-server -n argocd -o json | jq --raw-output '.status.loadBalancer.ingress[0].hostname'`

Get the argocd dns

echo $ARGOCD_SERVER

export argocd password

export ARGO_PWD=`kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d`

get the argocd PASSWORD

echo $ARGO_PWD

Copy the argoCD dns displayed in the command to get the argoCD dns and run it in a browser. The user name is admin and the password is the output of the cli command to get the argocd password. When successfully signed in, the display will be like:

Now we need the manifest files(kubernetes files) in a repository where ArgoCD will monitor for changes.
So clone the empty repo 2 to your local machine, in it we will put the manifest files for kubernetes. Create a folder named kubernetes containing the following files deployment.yml, service.yml, kustomization.yml and paste the following content:

deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: amazon-app
spec:
  replicas: 4
  selector:
    matchLabels:
      app: amazon-app
  template:
    metadata:
      labels:
        app: amazon-app
    spec:
      containers:
        - name: amazon-app
          image: 997450571655.dkr.ecr.us-east-1.amazonaws.com/amazon-clone:latest
          ports:
            - containerPort: 3000

service.yml

apiVersion: v1
kind: Service
metadata:
  name: amazon-app-service
spec:
  selector:
    app: amazon-app
  ports:
    - protocol: TCP
      port: 80           # External port to expose the service
      targetPort: 3000   # Port on the container
  type: LoadBalancer

kustomization.yml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - deployment.yml
  - service.yml

namePrefix: kustomize-

commonLabels:
  app: amazon-clone
  version: v1

images:
  - name: amazon-clone
    newName: 997450571655.dkr.ecr.us-east-1.amazonaws.com/amazon-clone
    newTag: latest

replicas:
  - name: amazon-app
    count: 4

Commit and push the code to Github.

On the web browser, where argoCD was opened, create a new application with the following fields:

Application name: amazon-clone
Project name: default
Sync: automatic
repository url:
Revision: HEAD
path: kubernetes
Cluster url: select the dropdown
namespace: default

Leave the rest as defaults and click create. Within a moment argoCD will create the pods to sync with the kustomize files.

Now run

kubectl get svc -n default

You will have the endpoint of the load balancer, copy and paste it on the browser, you will access the Application:

In repo 1, open the VERSION file and change the version to 0.0.2, commit and push to trigger a pipeline deployment. Go to Github -> Actions, you will see the pipeline running automatically, and if observed, the pipeline will finish successfully like below:

If you check argoCD web app, you will see that it will automatically detect the change and update the pods with the new image version.

7. Configure Monitoring

When the cluster is working, it is important to know the behavior of the resources. This can only be done when proper monitoring is put in place to Monitor Key Performance metrics. The steps include

Add Prometheus community Helm Repo

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add stable https://charts.helm.sh/stable
helm repo update

Create namespaces

kubectl create namespace prometheus
kubectl create namespace grafana

Install Prometheus

helm install prometheus prometheus-community/prometheus \
  --namespace prometheus \
  --set server.service.type=LoadBalancer \
  --set server.persistentVolume.enabled=false

Install Grafana

helm repo add grafana https://grafana.github.io/helm-charts   
helm repo update     
helm install grafana grafana/grafana \
  --namespace grafana \
  --set service.type=LoadBalancer \
  --set adminPassword='SuperSecret123!'

After 2-3mins, run

kubectl get svc -n prometheus
kubectl get svc -n grafana

Edit Security Group in AWS console
Go to EC2 > Load Balancers and locate the ELB with the same name as in the EXTERNAL-IP, Click the description tab of the ELB, copy the SG ID, now go to the Security groups in EC2 and edit the inbound rules and add port 80, open to 0.0.0.0/0
Add Prometheus Data source to Grafana

- Log in to the grafana UI
- Go to settings -> Data sources -> Add data source
- Choose Prometheus
- Enter the url: http://prometheus-server.prometheus.svc.cluster.local
Click "Save & test"

Import Dashboards

- go to + -> import
- Enter the id: 6417 (kubernetes cluster monitoring)
- click Import and select Prometheus as data source

It will load the Graphana UI for kubernetes cluster monitoring like the one below. Congratulations on finishing the project

Deploy Netflix Clone App on EKS with Cloudformation and GitHub Actions

Jones Ndzenyuy — Wed, 23 Jul 2025 00:59:24 +0000

In this project, we will deploy a Netflix clone on an EKS Cluster. We will deploy the EKS cluster using Cloudformation and use GitHub Actions for the CICD pipeline.

Project Architecture

Step by Step Guide

1. Get the TMDB API Key

Open a web browser and navigate to TMDB (The Movie Database) website.
Click on "Login" and create an account.
Once logged in, go to your profile and select "Settings."
Click on "API" from the left-side panel.
Create a new API key by clicking "Create" and accepting the terms and conditions.
Provide the required basic details and click "Submit."
You will receive your TMDB API key.

2. Clone the Code

Clone the code repository, and initialise the code to be hosted on your repository, run the following code on the terminal(make sure you have vscode installed on your machine)

git clone https://github.com/Ndzenyuy/NetFlix-Clone-app.git
cd NetFlix-Clone-app
rm -rf .git .github
git init
code .

3. Create Sonar Cloud Project

Create a sonarcloud organization

Click on the account icon on the top right of the screen
My Organizations and click create organisation
create one manually
Give it the name "netflix-clone"
select the free plan
-> Create Organization
Copy the organization name as it will be needed shortly

Analyse new project

Display name, give it "netflix-clone-project"
Project visibility: public
Next
The new code for this project will be based on: Previous version
choose your analysis methode: With Github Actions
Copy the SONAR_TOKEN as will be needed in a safe location

Create the github actions workflow and test project scan with Sonar scanner

Create a folder in the root folder with name .github, a subfolder workflows and create a file named "deployment.yml". In it paste the following code:

name: Netflix Clone wih Github Actions
on:
  push:
    branches:
      - "main"
      - "dev"
  pull_request:
    branches:
      - "main"

  workflow_dispatch:

env:
  AWS_REGION: us-east-1

jobs:
  Testing:
    runs-on: ubuntu-latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v4

      - name: Setup SonarQube
        uses: warchant/setup-sonar-scanner@v7

      - name: SonarQube Scan
        run: sonar-scanner
          -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }}
          -Dsonar.login=${{ secrets.SONAR_TOKEN }}
          -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
          -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
          -Dsonar.sources=src/
          -Dsonar.junit.reportsPath=target/surefire-reports/
          -Dsonar.jacoco.reportsPath=target/jacoco.exec
          -Dsonar.java.checkstyle.reportPaths=target/checkstyle-result.xml
          -Dsonar.java.binaries=target/test-classes/com/visualpathit/account/controllerTest/

Now commit the code, publish the branch in a repository. The workflow will fail because the secrets are not stored. On GitHub, open the repository settings and added these secrets to the project:

TMDB_V3_API_KEY: <your api key for TMDB>
SONAR_TOKEN: <your sonar token>
IMAGE_NAME: neflix-clone-image
SONAR_ORGANIZATION: <your sonar organization>
SONAR_PROJECT_KEY: <your project key>

Now push the code to GitHub once more to trigger a build. The build should be successful this time

Open Sonar cloud and open the organisation of this project. We should see the successful scan results

4. Create an OIDC Role for our workflow

We are going to deploy a cloudformation template which will create an IAM role that will permit github actions to deploy to our AWS account without exposing our keys.
For the parameters, you will need your GitHub repository name and your GitHub usernames, create a Yaml file OIDC.yml and paste the following code:

Parameters:
  GitHubOrg:
    Description: Name of GitHub Username (case sensitive)
    Type: String
    Default: "Ndzenyuy"

  RepositoryName:
    Description: Name of GitHub Repository (case sensitive)
    Type: String
    Default: "NetFlix-Clone-app"

  OIDCProviderArn:
    Description: ARN of the GitHub OIDC Provider (Leave blank to create one)
    Type: String
    Default: "arn:aws:iam::997450571655:oidc-provider/token.actions.githubusercontent.com"

  OIDCAudience:
    Description: Audience supplied to configure-aws-credentials.
    Type: String
    Default: "sts.amazonaws.com"

Conditions:
  CreateOIDCProvider: !Equals
    - !Ref OIDCProviderArn
    - ""

Resources:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - !Ref OIDCAudience
      ThumbprintList:
        - "74f3a68f16524f15424927704c9506f55a9316bd" # Replace with actual thumbprint

  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !If
                - CreateOIDCProvider
                - !Ref GithubOidc
                - !Ref OIDCProviderArn
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: !Ref OIDCAudience
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
      Policies:
        - PolicyName: AllowECRAndEKSAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                  - ecr:CompleteLayerUpload
                  - ecr:GetDownloadUrlForLayer
                  - ecr:InitiateLayerUpload
                  - ecr:PutImage
                  - ecr:UploadLayerPart
                Resource: "*"

              - Effect: Allow
                Action:
                  - eks:DescribeCluster
                  - eks:ListClusters
                Resource: "*"

              - Effect: Allow
                Action:
                  - sts:GetCallerIdentity
                Resource: "*"

              - Effect: Allow
                Action:
                  - eks:Describe*
                  - eks:List*
                  - eks:Update*
                  - eks:AccessKubernetesApi
                Resource: "*"

Outputs:
  RoleArn:
    Description: IAM Role ARN for GitHub Actions
    Value: !GetAtt Role.Arn

Go to cloud formation and create a stack with new resources:

create stack
choose an existing template
upload a template file
choose file and locate where the cloud formation template is stored on your local machine
stack name: github-oidc
GitHubOrg:
OIDCAudience: sts.amazonaws.com
OIDCProviderARN: leave blanc to create a new oidc provider
Repository name: give your repository
Acknowledge -> next and submit
After it finishes creation, copy the role arn as it will be stored in Github secrets(with the name "AWS_GITHUB_ROLE").

5 Add OWASP and Trivy File scan

OWASP provides tools for scanning files and containers to identify vulnerabilities and security risks. OWASP Dependency Check, which allows users to scan project source code by providing a zip file or a GitHub URL. The container then generates a report through an API. Trivy is used for container scanning, it identifies known vulnerable packages inside the container and scans the built container as part of each commit and pull-request. It is also run as a nightly cron job against the default branch. If vulnerabilities are discovered, the maintainers are alerted via GitHub’s security tab. Adding these two to our workflow, we can therefore scan our project to be sure every known vulnerability is mitigated.

The code quality check job should be as follows:

Code-Quality-checks:
    runs-on: ubuntu-latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "16"

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: "17"
          distribution: "temurin"

      - name: Setup SonarQube
        uses: warchant/setup-sonar-scanner@v7

      - name: SonarQube Scan
        run: sonar-scanner
          -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }}
          -Dsonar.login=${{ secrets.SONAR_TOKEN }}
          -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
          -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
          -Dsonar.sources=src/
          -Dsonar.junit.reportsPath=target/surefire-reports/
          -Dsonar.jacoco.reportsPath=target/jacoco.exec
          -Dsonar.java.checkstyle.reportPaths=target/checkstyle-result.xml
          -Dsonar.java.binaries=target/test-classes/com/visualpathit/account/controllerTest/

      - name: Install Dependencies
        run: npm install

      - name: Download OWASP Dependency Check
        run: |
          curl -L -o dependency-check.zip https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.0/dependency-check-8.4.0-release.zip
          unzip dependency-check.zip -d dependency-check-dir
          ls dependency-check-dir
          chmod +x dependency-check-dir/dependency-check/bin/dependency-check.sh

      - name: Run OWASP Dependency Check
        run: |
          dependency-check-dir/dependency-check/bin/dependency-check.sh \
            --project "Netflix" \
            --scan . \
            --format "XML" \
            --disableYarnAudit \
            --disableNodeAudit \
            --disableAssembly \
            --exclude node_modules

      - name: Upload OWASP Report
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: "**/dependency-check-report.xml"

      - name: Trivy FS Scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: "."
          output: "trivyfs.txt"
          severity: "HIGH,CRITICAL"
          exit-code: "0"   # Do not fail build
          format: "table"

      - name: Upload Trivy FS Scan Report
        uses: actions/upload-artifact@v4
        with:
          name: trivy-fs-scan
          path: trivyfs.txt

5. Build and Push to ECR

After Testing our code, we have to now build and push to ECR. Create an ECR Private repository with the name: netflix-clone, update your workflow code with:

name: Netflix Clone wih Github Actions
on:
  push:
    branches:
      - "main"
      - "dev"
  pull_request:
    branches:
      - "main"

  workflow_dispatch:

permissions:
  id-token: write
  contents: read

env:
  AWS_REGION: us-east-1
  ECR_REPOSITORY: neflix-clone

jobs:
  Code-Quality-checks:
    runs-on: ubuntu-latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "16"

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: "17"
          distribution: "temurin"

      - name: Setup SonarQube
        uses: warchant/setup-sonar-scanner@v7

      - name: SonarQube Scan
        run: sonar-scanner
          -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }}
          -Dsonar.login=${{ secrets.SONAR_TOKEN }}
          -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
          -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
          -Dsonar.sources=src/
          -Dsonar.junit.reportsPath=target/surefire-reports/
          -Dsonar.jacoco.reportsPath=target/jacoco.exec
          -Dsonar.java.checkstyle.reportPaths=target/checkstyle-result.xml
          -Dsonar.java.binaries=target/test-classes/com/visualpathit/account/controllerTest/

      - name: Install Dependencies
        run: npm install

      - name: Download OWASP Dependency Check
        run: |
          curl -L -o dependency-check.zip https://github.com/jeremylong/DependencyCheck/releases/download/v8.4.0/dependency-check-8.4.0-release.zip
          unzip dependency-check.zip -d dependency-check-dir
          ls dependency-check-dir
          chmod +x dependency-check-dir/dependency-check/bin/dependency-check.sh

      - name: Run OWASP Dependency Check
        run: |
          dependency-check-dir/dependency-check/bin/dependency-check.sh \
            --project "Netflix" \
            --scan . \
            --format "XML" \
            --disableYarnAudit \
            --disableNodeAudit \
            --disableAssembly \
            --exclude node_modules

      - name: Upload OWASP Report
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: "**/dependency-check-report.xml"

      - name: Trivy FS Scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: "."
          output: "trivyfs.txt"
          severity: "HIGH,CRITICAL"
          exit-code: "0" # Do not fail build
          format: "table"

      - name: Upload Trivy FS Scan Report
        uses: actions/upload-artifact@v4
        with:
          name: trivy-fs-scan
          path: trivyfs.txt

  build-and-push:
    needs: Code-Quality-checks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ROLE }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Get version from VERSION file
        id: get-version
        run: |
          if [ -f VERSION ]; then
            VERSION=$(cat VERSION)
          else
            echo "VERSION file not found. Exiting..."
            exit 1
          fi
          echo "Current version: $VERSION"
          echo version=$VERSION >> $GITHUB_OUTPUT

      - name: Build Docker image
        run: |
          docker build -t ${{ env.ECR_REPOSITORY }}:${{ steps.get-version.outputs.version }} .

      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.ECR_REPOSITORY }}:${{ steps.get-version.outputs.version }}
          format: "table"
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: 1 # fail if vulnerabilities are found

      - name: Tag and Push Docker image
        run: |
          docker tag ${{ env.ECR_REPOSITORY }}:${{ steps.get-version.outputs.version }} \
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ steps.get-version.outputs.version }}

          docker tag ${{ env.ECR_REPOSITORY }}:${{ steps.get-version.outputs.version }} \
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest

          docker push ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ steps.get-version.outputs.version }}
          docker push ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest

6 Deploy a Kubernetes cluster

Now go to Cloudformation and create a stack. This stack will create an IAM role for our OIDC and a kubernetes cluster. Create a file named cloudInfra.yml with the content:

AWSTemplateFormatVersion: "2010-09-09"
Description: Create an Amazon EKS Cluster with a managed node group.

Parameters:
  ClusterName:
    Type: String
    Default: Netflix-clone

  ClusterVersion:
    Type: String
    Default: "1.31"

  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: "VPC for the EKS cluster"

  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: "Subnets (private/public) for the worker nodes and control plane"

  NodeInstanceType:
    Type: String
    Default: t3.medium

  DesiredCapacity:
    Type: Number
    Default: 2

  GitHubOrg:
    Description: Name of GitHub Username (case sensitive)
    Type: String
    Default: "Ndzenyuy"

  RepositoryName:
    Description: Name of GitHub Repository (case sensitive)
    Type: String
    Default: "NetFlix-Clone-app"

  OIDCProviderArn:
    Description: ARN of the GitHub OIDC Provider (Leave blank to create one)
    Type: String
    Default: "arn:aws:iam::997450571655:oidc-provider/token.actions.githubusercontent.com"

  OIDCAudience:
    Description: Audience supplied to configure-aws-credentials.
    Type: String
    Default: "sts.amazonaws.com"

Conditions:
  CreateOIDCProvider: !Equals
    - !Ref OIDCProviderArn
    - ""

Resources:
  # IAM Role for EKS Cluster
  EKSClusterRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: eks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy

  # EKS Cluster
  EKSCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: !Ref ClusterName
      Version: !Ref ClusterVersion
      RoleArn: !GetAtt EKSClusterRole.Arn
      ResourcesVpcConfig:
        SubnetIds: !Ref SubnetIds
        EndpointPrivateAccess: false
        EndpointPublicAccess: true

  # IAM Role for Node Group
  NodeInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
        - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy

  # Managed Node Group
  NodeGroup:
    Type: AWS::EKS::Nodegroup
    Properties:
      ClusterName: !Ref EKSCluster
      NodeRole: !GetAtt NodeInstanceRole.Arn
      Subnets: !Ref SubnetIds
      ScalingConfig:
        DesiredSize: !Ref DesiredCapacity
        MaxSize: 4
        MinSize: 1
      InstanceTypes:
        - !Ref NodeInstanceType
      AmiType: AL2_x86_64
      NodegroupName: !Sub "${ClusterName}-nodegroup"
      DiskSize: 20

  EKSPublicAccessSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt EKSCluster.ClusterSecurityGroupId
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
  PrometheusIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt EKSCluster.ClusterSecurityGroupId
      IpProtocol: tcp
      FromPort: 9090
      ToPort: 9090
      CidrIp: 0.0.0.0/0

  GrafanaIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !GetAtt EKSCluster.ClusterSecurityGroupId
      IpProtocol: tcp
      FromPort: 3000
      ToPort: 3000
      CidrIp: 0.0.0.0/0

  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - !Ref OIDCAudience
      ThumbprintList:
        - "74f3a68f16524f15424927704c9506f55a9316bd" # Replace with actual thumbprint

  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !If
                - CreateOIDCProvider
                - !Ref GithubOidc
                - !Ref OIDCProviderArn
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: !Ref OIDCAudience
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
      Policies:
        - PolicyName: AllowECRAndEKSAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                  - ecr:CompleteLayerUpload
                  - ecr:GetDownloadUrlForLayer
                  - ecr:InitiateLayerUpload
                  - ecr:PutImage
                  - ecr:UploadLayerPart
                Resource: "*"

              - Effect: Allow
                Action:
                  - eks:DescribeCluster
                  - eks:ListClusters
                Resource: "*"

              - Effect: Allow
                Action:
                  - sts:GetCallerIdentity
                Resource: "*"

              - Effect: Allow
                Action:
                  - eks:Describe*
                  - eks:List*
                  - eks:Update*
                  - eks:AccessKubernetesApi
                Resource: "*"

Outputs:
  ClusterName:
    Value: !Ref EKSCluster
    Description: Name of the EKS Cluster

  ClusterRoleArn:
    Value: !GetAtt EKSClusterRole.Arn

  RoleArn:
    Description: IAM Role ARN for GitHub Actions
    Value: !GetAtt Role.Arn

  NodeGroupRoleArn:
    Value: !GetAtt NodeInstanceRole.Arn

Wait for a while for the EKS cluster to be created, it can take about 5-10 minutes.

Copy the OIDC role arn and create a secret the secrets for the application repository(NetFlix-Clone-app) in GitHub under the name: AWS_GITHUB_ROLE

Back on your terminal, follow these steps:

update kubeconfig

aws eks update-kubeconfig --name Netflix-clone --region us-east-1

Install argoCD on the cluster

 kubectl create namespace argocd
 kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

verify installation

kubectl get all -n argocd

expose argocd

kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'

export argocd dns

export ARGOCD_SERVER=`kubectl get svc argocd-server -n argocd -o json | jq --raw-output '.status.loadBalancer.ingress[0].hostname'`

Get the argocd dns

echo $ARGOCD_SERVER

export argocd password

export ARGO_PWD=`kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d`

get the argocd PASSWORD

echo $ARGO_PWD

Now we need the manifest files(kubernetes files) in a repository where ArgoCD will monitor for changes.

So in a new folder, let's create a repository (neflix-clone-manifest) and initialize it with the following commands[make sure it is not a subfolder of the app repository folder.

mkdir neflix-clone-manifest
cd neflix-clone-manifest
touch deployment.yml service.yml Chart.yml

In the different folders, enter the following codes for each of the yaml files

deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-app
  labels:
    app: {{ .Release.Name }}-app
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app: {{ .Release.Name }}-app
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-app
    spec:
      containers:
        - name: {{ .Release.Name }}-app
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80

service.yml

apiVersion: v1
kind: Service
metadata:
  name: {{ .Release.Name }}-app
  labels:
    app: {{ .Release.Name }}-app
spec:
  type: LoadBalancer
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: {{ .Release.Name }}-app

Chart.yml

apiVersion: v2
name: netflix-clone
description: A Helm chart for the Netflix clone app
version: 0.1.0
appVersion: "1.0.0"

values.yml

replicaCount: 2
image:
  repository: <your image repository URI>
  tag: latest
resources: {}
nodeSelector: {}
tolerations: []
affinity: []

Now install helm on your local machine and run the command

helm create netflix-app

It will create a new folder called netflix-app, open this folder and delete all the files inside the charts subfolder, then paste the files values.yml and Chart.yml. Open templates folder and delete all files exept for __helpers.tpl, then paste the files deployment.yml, node-service.yml and service.yml. Your folder should be of the structure:

netflix-clone-infra/
├── netflix-clone/
│    ├── Chart.yml│
│    ├── templates/ 
│    │    ├── deployment.yml
│    │    ├── node-service.yml
│    │    ├── service.yml
│    │    └── __helpers.tpl
│    ├── deployment.yml    
│    └── service.yml  
└── Kubernetes/

Now return to the root folder of this repo and push the code to github repository.

Configure ArgoCD to monitor this Repository

To argocd on the web browser, click on create an application, and fill the fields:

Application name: netflix-clone
Project name: default
repository url: <your repo url>
Revision: HEAD
path: netflix-clone
Cluster url: select the dropdown
namespace: default
Values file: values.yml

Create the App, after creation, ArgoCD will sync with the repository and create the pods required.

Now run

kubectl get svc -n default

You will have the endpoint of the load balancer, copy and paste it on the browser, you will access the Application:

7. Monitoring with Prometheus and Grafana

When the cluster is working, it is important to know the behavior of the resources. This can only be done when proper monitoring is put in place to Monitor Key Performance metrics. The steps include

Add Prometheus community Helm Repo

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add stable https://charts.helm.sh/stable
helm repo update

Create namespaces

kubectl create namespace prometheus
kubectl create namespace grafana

Install Prometheus

helm install prometheus prometheus-community/prometheus \
  --namespace prometheus \
  --set server.service.type=LoadBalancer \
  --set server.persistentVolume.enabled=false

Install Grafana

helm repo add grafana https://grafana.github.io/helm-charts   
helm repo update     
helm install grafana grafana/grafana \
  --namespace grafana \
  --set service.type=LoadBalancer \
  --set adminPassword='SuperSecret123!'

After 2-3mins, run

kubectl get svc -n prometheus
kubectl get svc -n grafana

Edit Security Group in AWS console
Go to EC2 > Load Balancers and locate the ELB with the same name as in the EXTERNAL-IP, Click the description tab of the ELB, copy the SG ID, now go to the Security groups in EC2 and edit the inbound rules and add port 80, open to 0.0.0.0/0
Add Prometheus Data source to Grafana

- Log in to the grafana UI
- Go to settings -> Data sources -> Add data source
- Choose Prometheus
- Enter the url: http://prometheus-server.prometheus.svc.cluster.local
Click "Save & test"

Import Dashboards

- go to + -> import
- Enter the id: 6417 (kubernetes cluster monitoring)
- click Import and select Prometheus as data source

It will load the Graphana UI for kubernetes cluster monitoring like the one below. Congratulations on finishing the project

Deploy a Microservices application on ECS

Jones Ndzenyuy — Wed, 25 Jun 2025 23:30:50 +0000

Introduction

The Elastic Compute Service - ECS can be a game changer for startups with low initial traffic and a vision to scale. It allows you to deploy Docker containers in an AWS managed environment, eliminating the need to manage the control plane. ECS is a free service, you only pay for the resources deployed. With its auto scaling feature, there's no need to worry about over provisioning infrastructure. You can start with the minimum resources and scale up as traffic grows.
In this article, I'll guide you step by step on how to deploy a microservices infrastructure on ECS. The Application consists of an Nginx server acting as a reverse proxy, intelligently routing traffic to downstream applications(Angular, Node and Java) based on user requests. The architecture of the application is as follows:

Re-architecting the Application to be deployed on ECS

The different services of the App communicates with each other, in ECS, we need to ensure that there is communication among services. ECS doesn't manage volumes like in EKS, so we need to deploy an RDS-MySQL database and a MongoDB Atlas DB, then configure our containers to access the external services via our network setup. To ensure there is communication between services, we will use ECS' Service Discover, which will register a private hosted zone and permit the services to discover each other and send API calls amongst them. Nginx should be configured to use the domain names that will be used in the private Hosted zone for communications and routing of traffic. The Architecture to be deployed is as follows:

How to build it

Create IAM Roles

Github Actions via OIDC and attach policies

Go to Console -> Cloudformation and create a new deployment. Give the name of the stack github-iam-oidc, copy the code below into a yaml file and choose it for cloudformation to deploy it

  GitHubOrg:
    Description: Name of GitHub Username (case sensitive)
    Type: String
    Default: "YOUR-GITHUB-USERNAME"

  RepositoryName:
    Description: Name of GitHub Repository (case sensitive)
    Type: String
    Default: "THE-REPO_NAME-FOR-THI-PROJECT"

  OIDCProviderArn:
    Description: ARN of the GitHub OIDC Provider (Leave blank to create one)
    Type: String
    Default: "arn:aws:iam::997450571655:oidc-provider/token.actions.githubusercontent.com"

  OIDCAudience:
    Description: Audience supplied to configure-aws-credentials.
    Type: String
    Default: "sts.amazonaws.com"

Conditions:
  CreateOIDCProvider: !Equals 
    - !Ref OIDCProviderArn
    - ""

Resources:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - !Ref OIDCAudience
      ThumbprintList:
        - "74f3a68f16524f15424927704c9506f55a9316bd"  # Replace with actual thumbprint

  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !If
                - CreateOIDCProvider
                - !Ref GithubOidc
                - !Ref OIDCProviderArn
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: !Ref OIDCAudience
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*

Outputs:
  RoleArn:
    Description: IAM Role ARN for GitHub Actions
    Value: !GetAtt Role.Arn

Update the policy in the created role Now search the IAM roles that is created(github-iam-oidc-XXX) and add policies that will permit us to push to ECR and deploy to ECS. Add an inline policy with name github-deploy-to-ecs, We will add the following policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecs:CreateService",
                "ecs:DescribeServices",
                "ecs:DescribeClusters",
                "ecs:UpdateService",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeImages",
                "ecr:UploadLayerPart",
                "ecr:ListImages",
                "ecr:InitiateLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecs:DescribeTaskDefinition",
                "ecs:RegisterTaskDefinition",
                "ecs:ListTasks",
                "ec2:DescribeNetworkInterfaces",
                "ecs:DescribeTasks",
                "ecr:GetAuthorizationToken",
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        }       
    ]
}

Create ecsTaskExecutionRole and give it admin access(just for this project)

Create ECR Repository

We have to create 4 different repositories for the the different containers. On the console, navigate to ECR and select create(do it for the 4 different containers), give the names to the different repos:

client
javaapi
nodeapi
nginx Leave the other settings as defaults and select create.

Create MySQL database in RDS

In the console navigate to RDS and create a MySQL database with the following settings:

Choose a database creation method: Standard create
Engine Options: MySQL
Engine version: select the latest
Templates: Free tier
Db instance identifier: books
Master username: root
password: give-your-password
Storage: 20Gb
VPC security group: create new
 - SG name: rds-sg

Leave the rest as defaults and create the database. When created, record the db URL, username and password, Instance identifier.

Create MongoDB Atlas database

Navigate to https://cloud.mongodb.com, create a free account and create a free database.

db name: epoc
username: GIVE-YOUR-USERNAME
password: GIVE-YOUR-PASSWORD

Under database clusters click on connect and select Drivers

Scroll down and copy the Connection string to be add to our environment variables. The string will be similar to:

mongodb+srv://ndzenyuyjones:<db_password>@epoc.fezqjvq.mongodb.net/?retryWrites=true&w=majority&appName=epoc

Now we have to edit this string to include the DB name, and the password(replace with your password, then add the db name to the string(after mongodb.net/) Your string should be something like:

mongodb+srv://ndzenyuyjones:<db_password>@epoc.fezqjvq.mongodb.net/epoc?retryWrites=true&w=majority&appName=epoc

Copy this to a variables file including the other values registered above. We will need them for deployment.

Clone Project Repository

Open git on your local machine and run the following to clone the project repository and initialize for usage in the steps ahead

git clone https://github.com/Ndzenyuy/day-1-deploy_microservices_to_ecs.git

cd day-1-deploy_microservices_to_ecs

sudo rm -rf .github
sudo rm -rf .git

Initialise git and Create a folder with the following code

git init
mkdir .github/workflows
touch .github/workflows/nginx.yml .github/workflows/client.yml .github/workflows/nodeapi.yml .github/workflows/javaapi.yml

It will create deployment files for the different services. Each of the pipelines will run only when there is a change in the folder containing the source files.

open the nginx.yml file and paste the following

name: Deploy to ECS

on:
  push:
    paths:
      - "nginx/**"
  pull_request:
    paths:
      - "nginx/**"

  workflow_dispatch:

permissions:
  id-token: write
  contents: read

env:
  AWS_REGION: "us-east-1"
  AWS_GITHUB_ROLE: ${{ secrets.AWS_GITHUB_ROLE }}
  ECS_PROJECT: ${{ secrets.ECS_PROJECT }}

  ECR_REPOSITORY_NGINX: "nginx"
  ECS_NGINX_TASK: "nginx-task"
  ECS_CLUSTER: "ecs-task"
  ECS_SERVICE: "nginx-task-service"

jobs:
  build:
    name: Build and Push to ECR
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ROLE }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Get version from VERSION file
        id: get-version
        run: |
          if [ -f VERSION ]; then
            VERSION=$(cat VERSION)
          else
            echo "VERSION file not found. Exiting..."
            exit 1
          fi
          echo "Current version: $VERSION"
          echo version=$VERSION >> $GITHUB_OUTPUT

      # Build and push nginx image
      - name: Build and push Nginx image
        id: build-image-nginx
        uses: docker/build-push-action@v5
        with:
          context: ./nginx
          file: ./nginx/Dockerfile
          push: true
          provenance: false
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_NGINX }}:${{ steps.get-version.outputs.version }}
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_NGINX }}:latest

  deploy:
    needs: build
    name: Deploy to ECS-nginx task
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ROLE }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download task definition
        run: |
          aws ecs describe-task-definition \
          --task-definition ${{ env.ECS_NGINX_TASK }} \
          --query taskDefinition \
          --region ${{ env.AWS_REGION }} > task-definition.json

      - name: Get version from VERSION file
        id: get-version
        run: |
          if [ -f VERSION ]; then
            VERSION=$(cat VERSION)
          else
            echo "VERSION file not found. Exiting..."
            exit 1
          fi
          echo "Current version: $VERSION"
          echo version=$VERSION >> $GITHUB_OUTPUT

      - name: Fill in the new image ID in the Amazon ECS task definition
        id: task-def
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
          container-name: ${{ env.ECR_REPOSITORY_NGINX }}
          image: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_NGINX }}:${{ steps.get-version.outputs.version }}

      - name: Deploy to ECS
        id: deploy-ecs
        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
        with:
          service: ${{ env.ECS_SERVICE }}
          cluster: ${{ env.ECS_CLUSTER }}
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          wait-for-service-stability: true

angular.yml

name: Angular CI/CD

on:
  push:
    paths:
      - "client/**"
  pull_request:
    paths:
      - "client/**"

  workflow_dispatch:

permissions:
  id-token: write
  contents: read

env:
  MONGO_URI: ${{ secrets.MONGO_URI }}
  MYSQL_HOST: ${{ secrets.MYSQL_HOST }}
  MYSQL_USER: ${{ secrets.MYSQL_USER }}
  MYSQL_PASS: ${{ secrets.MYSQL_PASS }}
  MYSQL_DB: ${{ secrets.MYSQL_DB }}

  AWS_REGION: ${{ secrets.AWS_REGION }}
  AWS_GITHUB_ROLE: ${{ secrets.AWS_GITHUB_ROLE }}
  ECS_PROJECT: ${{ secrets.ECS_PROJECT }}

  ECR_REPOSITORY_CLIENT: "client"
  ECR_REPOSITORY_JAVA: "javaapi"
  ECR_REPOSITORY_NODEAPI: "nodeapi"
  ECR_REPOSITORY_NGINX: "nginx"

  ECS_ANGULAR_TASK: "angular-task"
  ECS_CLUSTER: "ecs-task"
  ECS_SERVICE: "angular-task-service"

jobs:
  build-angular:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ROLE }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      #Angular
      - name: Build and push Angular image
        id: build-image-angular
        uses: docker/build-push-action@v5
        with:
          context: ./client
          file: ./client/Dockerfile
          push: true
          provenance: false
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_CLIENT }}:${{ github.run_number }}
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_CLIENT }}:latest

  deploy:
    needs: build-
    name: Deploy to ECS-angula task
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ROLE }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download task definition
        run: |
          aws ecs describe-task-definition \
          --task-definition ${{ env.ECS_ANGULAR_TASK }} \
          --query taskDefinition \
          --region ${{ env.AWS_REGION }} > task-definition.json

      - name: Get version from VERSION file
        id: get-version
        run: |
          if [ -f VERSION ]; then
            VERSION=$(cat VERSION)
          else
            echo "VERSION file not found. Exiting..."
            exit 1
          fi
          echo "Current version: $VERSION"
          echo version=$VERSION >> $GITHUB_OUTPUT

      - name: Fill in the new image ID in the Amazon ECS task definition
        id: task-def
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
          container-name: ${{ env.ECR_REPOSITORY_CLIENT }}
          image: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_CLIENT }}:${{ steps.get-version.outputs.version }}

      - name: Deploy to ECS
        id: deploy-ecs
        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
        with:
          service: ${{ env.ECS_SERVICE }}
          cluster: ${{ env.ECS_CLUSTER }}
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          wait-for-service-stability: true

javaapi.yml

name: Java-api CI/CD

on:
  push:
    paths:
      - "javaapi/**"
  pull_request:
    paths:
      - "javaapi/**"

  workflow_dispatch:

permissions:
  id-token: write
  contents: read

env:
  MONGO_URI: ${{ secrets.MONGO_URI }}
  MYSQL_HOST: ${{ secrets.MYSQL_HOST }}
  MYSQL_USER: ${{ secrets.MYSQL_USER }}
  MYSQL_PASS: ${{ secrets.MYSQL_PASS }}
  MYSQL_DB: ${{ secrets.MYSQL_DB }}

  AWS_REGION: ${{ secrets.AWS_REGION }}
  AWS_GITHUB_ROLE: ${{ secrets.AWS_GITHUB_ROLE }}
  ECS_PROJECT: ${{ secrets.ECS_PROJECT }}

  ECR_REPOSITORY_CLIENT: "client"
  ECR_REPOSITORY_JAVA: "javaapi"
  ECR_REPOSITORY_NODEAPI: "nodeapi"
  ECR_REPOSITORY_NGINX: "nginx"

  ECS_JAVA_TASK: "java-task"
  ECS_CLUSTER: "ecs-task"
  ECS_SERVICE: "java-task-service"

jobs:
  build-javaapi:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ROLE }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

        # Java API
      - name: Build and push Java image
        id: build-image-java
        uses: docker/build-push-action@v5
        with:
          push: true
          provenance: false
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_JAVA }}:${{ github.run_number }}
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_JAVA }}:latest

  deploy:
    needs: build-javaapi
    name: Deploy to ECS-javaapi task
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ROLE }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download task definition
        run: |
          aws ecs describe-task-definition \
          --task-definition ${{ env.ECS_JAVA_TASK }} \
          --query taskDefinition \
          --region ${{ env.AWS_REGION }} > task-definition.json

      - name: Get version from VERSION file
        id: get-version
        run: |
          if [ -f VERSION ]; then
            VERSION=$(cat VERSION)
          else
            echo "VERSION file not found. Exiting..."
            exit 1
          fi
          echo "Current version: $VERSION"
          echo version=$VERSION >> $GITHUB_OUTPUT

      - name: Fill in the new image ID in the Amazon ECS task definition
        id: task-def
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
          container-name: ${{ env.ECR_REPOSITORY_JAVA }}
          image: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_JAVA }}:${{ steps.get-version.outputs.version }}

      - name: Deploy to ECS
        id: deploy-ecs
        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
        with:
          service: ${{ env.ECS_SERVICE }}
          cluster: ${{ env.ECS_CLUSTER }}
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          wait-for-service-stability: true

nodeapi.yml

name: Node-api CI/CD

on:
  push:
    paths:
      - "nodeapi/**"
  pull_request:
    paths:
      - "nodeapi/**"

  workflow_dispatch:

permissions:
  id-token: write
  contents: read

env:
  MONGO_URI: ${{ secrets.MONGO_URI }}
  MYSQL_HOST: ${{ secrets.MYSQL_HOST }}
  MYSQL_USER: ${{ secrets.MYSQL_USER }}
  MYSQL_PASS: ${{ secrets.MYSQL_PASS }}
  MYSQL_DB: ${{ secrets.MYSQL_DB }}

  AWS_REGION: ${{ secrets.AWS_REGION }}
  AWS_GITHUB_ROLE: ${{ secrets.AWS_GITHUB_ROLE }}
  ECS_PROJECT: ${{ secrets.ECS_PROJECT }}

  ECR_REPOSITORY_CLIENT: "client"
  ECR_REPOSITORY_JAVA: "javaapi"
  ECR_REPOSITORY_NODEAPI: "nodeapi"
  ECR_REPOSITORY_NGINX: "nginx"

  ECS_NODEAPI_TASK: "node-task"
  ECS_CLUSTER: "ecs-task"
  ECS_SERVICE: "node-task-service"

jobs:
  build-nodeapi:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ROLE }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

        # Node API
      - name: Build and push Node.js image
        id: build-image-node
        uses: docker/build-push-action@v5
        with:
          context: ./nodeapi
          file: ./nodeapi/Dockerfile
          push: true
          provenance: false
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_NODEAPI }}:${{ github.run_number }}
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_NODEAPI }}:latest

  deploy:
    needs: build-nodeapi
    name: Deploy to ECS-javaapi task
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_GITHUB_ROLE }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download task definition
        run: |
          aws ecs describe-task-definition \
          --task-definition ${{ env.ECS_NODEAPI_TASK }} \
          --query taskDefinition \
          --region ${{ env.AWS_REGION }} > task-definition.json

      - name: Get version from VERSION file
        id: get-version
        run: |
          if [ -f VERSION ]; then
            VERSION=$(cat VERSION)
          else
            echo "VERSION file not found. Exiting..."
            exit 1
          fi
          echo "Current version: $VERSION"
          echo version=$VERSION >> $GITHUB_OUTPUT

      - name: Fill in the new image ID in the Amazon ECS task definition
        id: task-def
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: task-definition.json
          container-name: ${{ env.ECR_REPOSITORY_NODEAPI }}
          image: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_NODEAPI }}:${{ steps.get-version.outputs.version }}

      - name: Deploy to ECS
        id: deploy-ecs
        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
        with:
          service: ${{ env.ECS_SERVICE }}
          cluster: ${{ env.ECS_CLUSTER }}
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          wait-for-service-stability: true

Now Commit and push the project code to Github, create a repository in your github account. This will trigger Github actions to launch the different pipelines which will obviously fail because of the missing secrets and variables.

Github Secrets

On Github, navigate to the created repository in the previous steps, go to settings and check secrets and variables -> actions.
Now create repository secrets, put the values of the following as recorded when the different services where created for:

AWS_GITHUB_ROLE (the oidc role created with cloudformation)
AWS_REGION
MONGO_URI
MYSQL_DB
MYSQL_HOST
MYSQL_PASS
MYSQL_PORT
MYSQL_USER

Re-run the failed workflows for at least the docker images be pushed to ECR

Create the task definitions

Navigate to ECS service on the console and select task definitions. Create task definitions for the different service-containers that we will be deploying.

Nginx Task definition:
Task definition family: nginx-task
Infrastructure requirements: AWS Fargate
container name: nginx
Image URI: copy and paste the nginx image URI from ECR
container port: 80
use log collection = true
create
Angular task definition
Task definition family: angular-task
Infrastructure requirements: AWS Fargate
container name: client
Image URI: copy and paste the client image URI from ECR
container port: 4200
use log collection = true
create
Java task definition
Task definition family: java-task
Infrastructure requirements: AWS Fargate
container name: java
Image URI: copy and paste the java image URI from ECR
container port: 9000
environment variables:
- MYSQL_PASS :
- MYSQL_DB: (books)
- MYSQL_HOST:
- MYSQL_USER: root
- MONGO_URI: use log collection = true create
Node task definition
Task definition family: node-task
Infrastructure requirements: AWS Fargate
container name: node
Image URI: copy and paste the node image URI from ECR
container port: 5000
environment variables:
- MONGO_URI: use log collection = true create

Create ECS Cluster

Navigate to the console and create a cluster under ECS service with the following parameters:
Cluster name: ecs-cluster
Leave the rest as defaults and create cluster.

Create ECS services

We have to now create services for each of the tasks. Go to create services and configure each with the following:

Angular service

Task definition family: angular-task
revision: choose the latest
service name: angular-task-service
Compute options: Launch type
Desired tasks: 1
Service discovery: use service discovery
Configure namespace: create a new namespace
namespace name: ecs-microservice-ns
Service discovery name: client

leave the rest as defaults and create

Node Service

Task definition family: node-task
revision: choose the latest
service name: node-task-service
Compute options: Launch type
Desired tasks: 1
Service discovery: use service discovery
Configure namespace: select existing namespace
namespace name: ecs-microservice-ns
Service discovery name: nodeapi

leave the rest as defaults and create

Java Service

Task definition family: java-task
revision: choose the latest
service name: java-task-service
Compute options: Launch type
Desired tasks: 1
Service discovery: use service discovery
Configure namespace: select existing namespace
namespace name: ecs-microservice-ns
Service discovery name: javaapi

leave the rest as defaults and create

Nginx Service

Task definition family: nginx-task
revision: choose the latest
service name: nginx-task-service
Compute options: Launch type
Desired tasks: 1
Service discovery: use service discovery
Configure namespace: select existing namespace
namespace name: ecs-microservice-ns
Service discovery name: nginx
Load balancing: Use load balancing
Load balancer type: Aplication load balancer
Application Load Balancer: create a new ALB
Load balancer name: ecs-alb
listener: create new listener
target group: create a new target group
target group name: ecs-nginx-tg

leave the rest as defaults and create

After some time, the different services will be created, check the load balancer DNS record and paste it on the browser, the app will appear as such:

The App is up and running. Congratulations !!!

Streamlining Kubernetes Deployments: CI/CD with GitHub Actions and Helm for EKS

Jones Ndzenyuy — Tue, 10 Dec 2024 15:53:34 +0000

In this project, I will guide you in building a pipeline with GitHub actions that will deploy an infrastructure using Terraform(VPC, public and private subnets, nat gatway) and run containers on EKS, updates EKS each time there's a new application version. The new version is automatically built each time the developper pushes application code to the code repository. Necessary security scans are run in order to ensure a secure and complaint code. The infrastructure code and application code are stored in two different repositories.

Architecture

How to build it

Prepare Repositories

git clone https://github.com/Ndzenyuy/githubactions-infra.git
git clone https://github.com/Ndzenyuy/githubactions-appl.git
rm -rf githubactions-infra/.git/ githubactions-infra/.github/
rm -rf githubactions-appl/.git/ githubactions-appl/.github/

The two repositories contain the infrastructure(githubactions-infra) and the application code(githubactions-appl). Now we have to initialize git for code management, first for the infrastructure. Back to the console, run the following

cd githubactions-infra
git init
code .

The above code will open the infrastructure in VScode and initialise git. Under the source control icon in VScode, publish the branch to GitHub, choose public repository. Return to the console and run the following code (make sure you are in the githubactions-infra folder)

cd ../githubactions-appl
git init
code .

Another VScode window will open, Under the source control icon in VScode, publish the branch to GitHub, choose public repository. We are now ready to deploy our application.

GitHub Secrets

Here we are going to create and store AWS access keys, S3 bucket, ECR repository and store in Github secrets.

Create IAM user

Go to AWS console and create an admin user IAM -> User -> create user -> attach policies -> administrator access -> create access keys

On github, githubactions-infra repository go to settings -> Secrets and variables -> actions -> new repository secret and store the following keys

Name: AWS_ACCESS_KEY_ID, Secret:
Name: AWS_SECRET_ACCESS_KEY: secret:

Do the same for the repository githubactions-appl, store both secrets with the same name.

Create S3 bucket

Goto AWS console, and create an S3 bucket, we can call it "githubactions-infra-xxx" (xxx is a random number to make bucket unique)

Back to Github secrets(githubactions-infra), create a new secret having the bucket name:

Name: BUCKET_TF_STATE, secret: githubactions-infra-xxx

Create ECR repository

On to AWS console, Elastic Container Registry -> Create repository -> name: githubactions-appl -> create repository. Copy the repository URI(XXXXXXXXX.dkr.ecr.us-east-2.amazonaws.com/githubactions-appl)

Back to github secrets (githubactions-appl), Create another secret

Name: REGISTRY, secret: XXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com

githubactions-infra secrets should be similar to

Terraform Code Adjustments

In the githubactions-infra repo code, open it in VSCode and move to the folder terraform, modify the contents of terraform.tf while updating the name of your s3 bucket and the region where the infrastructure will be deployed

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.25.0"
    }

    random = {
      source  = "hashicorp/random"
      version = "~> 3.5.1"
    }

    tls = {
      source  = "hashicorp/tls"
      version = "~> 4.0.4"
    }

    cloudinit = {
      source  = "hashicorp/cloudinit"
      version = "~> 2.3.2"
    }

    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.23.0"
    }
  }

  backend "s3" {
    bucket = "<Your bucket name>"
    key    = "terraform.tfstate"
    region = "your working region"
  }

  #required_version = "~> 1.5.1"
  required_version = "~> 1.10.1"

}

Github actions workflow

In this workflow terraform will not apply the code for the infrastructure to be created(staging), but when a pull request is made, the pipeline is triggered and this time and the pipeline get applied(main), we need to put conditions. In the file .github/workflow/terraform.yml, we should have the code

name: "Github Actions IaC"
on:
    push:
        branches:
            - main
            - stage
        paths:
            - terraform/**
    pull_request:
        branches:
            - main
        paths:
            - terraform/**

env:
    # Credentials for deployment to AWS
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    # S3 bucket for the Terraform state
    BUCKET_TF_STATE: ${{ secrets.BUCKET_TF_STATE }}
    AWS_REGION: us-east-1
    EKS_CLUSTER: infra-eks

jobs:
    terraform:
        name: "Apply terraform code changes"
        runs-on: ubuntu-latest
        defaults:
            run:
                shell: bash
                working-directory: ./terraform

        steps:
            - name: Checkout source code
              uses: actions/checkout@v4           

            - name: Setup Terraform with specified version on the runner
              uses: hashicorp/setup-terraform@v2
              #with:
              #  terraform_version: 1.6.3

            - name: Terraform init
              id: init
              run: terraform init -backend-config="bucket=$BUCKET_TF_STATE"

            - name: Terraform format
              id: fmt
              run: terraform fmt -check

            - name: Terraform validate
              id: validate
              run: terraform validate

            - name: Terraform plan
              id: plan
              run: terraform plan -no-color -input=false -out planfile
              continue-on-error: true

            - name: Terraform plan status
              if: steps.plan.outcome == 'failure'
              run: exit 1

            - name: Terraform Apply
              id: apple
              if: github.ref == 'refs/heads/main' && github.event_name == 'push'
              run: terraform apply -auto-approve -input=false -parallelism=1 planfile

            - name:  Configure AWS credentials
              uses: aws-actions/configure-aws-credentials@v1
              with: 
                aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
                aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
                aws-region: ${{ env.AWS_REGION }}

            - name: Get Kube config file
              id: getconfig
              if: steps.apple.outcome == 'success' 
              run: aws eks update-kubeconfig --region ${{ env.AWS_REGION }} --name ${{ env.EKS_CLUSTER }}

            - name: Install Ingress controller
              if: steps.apple.outcome == 'success' && steps.getconfig.outcome == 'success'
              run: kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/aws/deploy.yaml

Test Pipeline

We need to first test the pipeline with a dry run by creating a staging branch. This will trigger the pipeline but will not apply so we are sure it can run. Got to the githubactions-infra window in VScode and open a new terminal, make sure any changes have been committed then run the following:

git branch -b stage

This will create a new branch, on the source control icon in VSCode, publish the branch. This will run the pipeline and skip the apply step because there is a a condition set to only run apply when the main branch is active

If the run is successful, we can now be certain the pipeline will run, if it fails, read the logs, the terraform version might have been outdated. Change it to the new and push the code again.

Merge the staging branch to main branch, this will cause the pipeline again to run but this time, will apply the changes and setup the infrastructure on AWS eks.

App workflow

The next workflow will use the infrastructure created from the previous job, then deploy the application with best practices.

Create an organization in sonarcloud

Open the browser and navigate to www.sonarcloud.io, click the "+" at the top right corner and create a new organization -> create one manually

name: github-actions-cicd key: github-actions-cicd -> Create

Click analyze new project
Organization: github-actions-cicd display name: github-actions Project key: github-actions -> Next The new code for this project will be based on: Previous version=true -> Create project

Choose analysis method: With Github actions:

Copy the sonar token and paste it in notepad, click on information on the left, copy the values of organization, project key and create secrets in Github repo githubactions-infra

name: SONAR_TOKEN, secret: <COPIED TOKEN> name: SONAR_ORGANIZATION, secret: <COPIED ORGANIZATION> name: SONAR_PROJECT_KEY, secret: <COPIED PROJECT KEY> name: SONAR_URL, secret: https://sonarcloud.io

Create quality gate in sonarcloud -> Administration -> Organization's settings -> Create:
name: githubactionsQG add condition: where: on overall code = true Quality gate fails when Bugs > 50 select project: github-actions

Go back to project administration, select Quality gate then "githubactionsQG"

Deployment to EKS

Install helm charts

In terminal, run the code(for ubuntu users, other users can check their operating system installation)

sudo apt install helm

Configure helm

Change to the directory where the project is githubactions-appl, then run

helm create githubactions-charts

A new directory(githubactions-charts) will be created, next

mv githubactions-charts helm/
rm -rf helm/githubactions-charts/templates/*
cp kubernetes/vpro-app/* helm/githubactions-charts/templates/

Deploy code

We need to first git the workflow the permissions to write trivy scan results in the security tab. To do so, Navigate to githubactions-appl repository on GitHub. Click on the Settings tab; In the sidebar, click on Actions. Under the Actions permissions section, click general and scroll down to Workflow permissions and select Read and write permissions then save.

Back to VSCode, commit and push the changes. In github actions, run the workflow. This time the pipeline will not be triggered automatically(as configured in our code), we'll have to trigger it manually on our github actions tab.

Check the security tab in github actions to see the report of the security scans with trivy

Modify domain name

In the file helm/githubactions-charts/templates/vproingress.yaml, modify the domain name to your own after creating a hosted zone in Route53

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vpro-ingress
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: github.ndzenyuyjones.link
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app
            port:
              number: 8080

Modify the line - host: github.ndzenyuyjones.link to contain your domain name, will put a CNAME record in the hosted zone.

On the AWS console, we need to search and copy the url of the load balancer created for this project by the previous stack, copy the url and create a hosted zone with a cname record

Type: CNAME
Name: githubactions
value:
Wait about 5-10mins and search the link of our project on a browser github.ndzenyuyjones.link(use the link you created in the hosted zone), the landing page should appear.

username: admin_vp passwrd: admin_vp

Clean up

Remove ingress controller

First we need to make sure there is no existing kubeconfig file in our local machine by running

rm -rf /.kube/config
aws eks update-kubeconfig --region us-east-1 --name infra-eks

Now navigate to the repository on your local machine, where ever it was cloned and run

kubectl delete -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.3/deploy/static/provider/aws/deploy.yaml

Now delete the helm list, you can first run helm list and copy the name of the list to be uninstalled

helm uninstall githubactions-charts

Move to terraform folder

cd terraform/
Then initialize terraform

Change the content of terraform.tf file to match the following

terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.25.0"
}

random = {
  source  = "hashicorp/random"
  version = "~> 3.5.1"
}

tls = {
  source  = "hashicorp/tls"
  version = "~> 4.0.4"
}

cloudinit = {
  source  = "hashicorp/cloudinit"
  version = "~> 2.3.2"
}

kubernetes = {
  source  = "hashicorp/kubernetes"
  version = "~> 2.23.0"
}

}

backend "s3" {
bucket = "githubactions-infra-012"
key    = "terraform.tfstate"
region = "us-east-1"

}

required_version = "~> 1.5.1"
}

Then we initialise the local machine to have the same state as the created cloud infrastructure.

terraform init

Now we run destroy command, when prompted type "yes"

terraform destroy

Mastering CI/CD: How to Build a Robust Pipeline with GitHub Actions, Docker, and ECS

Jones Ndzenyuy — Tue, 03 Dec 2024 06:07:21 +0000

I will guide you in this project how to build a secure CI/CD pipeline on AWS that detects code on a Github repository, runs static code analysis on sonar cloud, builds a docker image, scans the image for known vulnerabilities and deploys to ECS using DevSecOps Best practices.

Architecture

Principle

Each time a developer commits code to GitHub, it triggers GitHub actions to run static code analysis. The static code analysis consists of maven tests, checkstyle tests, junit, jacoco and quality gates. These static test will ensure that code works as expected, checks for adherence to a set of defined coding conventions, provide annotations to define test methods, assertions to test expected results and runners to execute the tests, generates reports that show which parts of the code base are covered by tests and enforce rules regarding code quality such as minimum code coverage, number of code smells or the absence of critical bugs.

The next step is to build a docker image, the steps involved are declared in the Dockerfile which will be in the code repository, after building the image, it will be safe to run Trivy scan for known vulnerabilities using OWASP scans; the various security assessment techniques to obtain a secure docker image. The image is then Pushed to ECR, AWS' image repository from where we can easily pull to deploy on ECS

How to build it

GitHub Setup

git clone https://github.com/Ndzenyuy/Mastering-CICD.git

Make a new folder and copy the files to it, initialize git and open VS Code with the following commands:

  mkdir CICD-with-GitActions
  cp -r Mastering-CICD/* CICD-with-GitActions
  cd CICD-with-GitActions
  git init
  code .

Now VSCode opens, under source control icon, publish project to your github under a public repository.

Sonar Analysis and Quality Gates

We need to start checking our workflow step by step, first we analyse our code for bugs with sonarqube in the file CICD-with-GitActions/.github/workflows/main.yml replace all its contents with

name: CICD-with-GitActions
on: workflow_dispatch

jobs: 
  Testing:
    runs-on: ubuntu-latest
    steps:
      - name: Testing workflow
        uses: actions/checkout@v4

      - name: Maven test
        run: mvn test

      - name: Checkstyle
        run: mvn checkstyle:checkstyle

This portion of code does three things: downloads the source code to github actions, runs maven test and runs mvn checkstyle. This is the first set of tests to be sure the code structure and styles are good and bug free. Now push this code and run it going to:

Github -> Mastering-CICD -> Actions -> Run Workflow
Upon successful completion, we'll have the following

Create a sonar cloud organization

Login to Sonar Cloud create an account and link it to your github then
Create a new organization -> Create an organization manually and give the following parameters
Organization name: mastercicd choose plan: free plan -> create organization

Next select choose Analyse new project and configure with the following
Organization: mastercicd Display name: github-actions Project key: mastercicd_github-actions Project visibility: public -> next Previous version = true -> create project

Choose analysis method: Github actions

Copy the sonar token to a sticky note

Create a quality gate

Under organizations select mastercicd -> Quality gates -> Create -> Name: actionsQG

Add conditions -> Where?: on overall code Quality gate fails when: Bugs Operator: is greater than, Value 35; Projects: mastercicd_github-actions

Store Secrets in GitHub

In out Github project repository, go to settings -> secrets and variables -> Actions -> new repository secret: add the following secrets(name: value):

SONAR_TOKEN : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (input the token retrieved from above when creating project)
SONAR_URL : https://sonarcloud.io
SONAR_ORGANIZATION: mastercicd
SONAR_PROJECT_KEY: mastercicd_github-actions

Test the sonar scanner and the quality gates, replace the content of the workflow(main.yml) with the following

  name: github Actions
on: [push, workflow_dispatch]   
jobs: 
  Testing:
    runs-on: ubuntu-latest
    steps:
      - name: Testing workflow
        uses: actions/checkout@v4

      - name: Maven test
        run: mvn test

      - name: Checkstyle
        run: mvn checkstyle:checkstyle

# Setup java 17 to be default (sonar-scanner requirement as of 5.x)
      - name: Set Java 17
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '17' 

      # Setup sonar-scanner
      - name: Setup SonarQube
        uses: warchant/setup-sonar-scanner@v7

      # Run sonar-scanner
      - name: SonarQube Scan
        run: sonar-scanner
          -Dsonar.host.url=${{ secrets.SONAR_URL }}
          -Dsonar.login=${{ secrets.SONAR_TOKEN }}
          -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
          -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
          -Dsonar.sources=src/
          -Dsonar.junit.reportsPath=target/surefire-reports/ 
          -Dsonar.jacoco.reportsPath=target/jacoco.exec 
          -Dsonar.java.checkstyle.reportPaths=target/checkstyle-result.xml
          -Dsonar.java.binaries=target/test-classes/com/visualpathit/account/controllerTest/

              # Check the Quality Gate status.

      - name: SonarQube Quality Gate check
        id: sonarqube-quality-gate-check
        uses: sonarsource/sonarqube-quality-gate-action@master
        # Force to fail step after specific time.
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_URL }} #OPTIONAL

Job should build successfully

And sonar cloud should have data

AWS IAM, ECR and RDS Setup

Create an IAM user

Go to the console and search IAM then create a user with the following policies
Cloudwatch full access ECR full access RDS full access Create access keys -> use case: CLI
Save the access keys in a sticky note.

Setup ECR

Create a new private repository in ECR
name: github-actions -> create Copy repository URI of the form xxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com and store in sticky notes

Create RDS Database

Goto console and search RDS, create a database with the following parameters
Standard create = true engine options: MySQL engine version: 8.0.35 templates: freetier db instance identifier: github-actions-db credentials settings: master username: admin password: admin123 Instance configuration: db.t3.micro Connectivity: VPC security group: create new; -> name: github-actions-sg Additional configuration: initial database name: accounts Leave defaults and Create database

After the database finishes the creating phase, we need to spin an EC2 instance to set up the database with initial data for our configuration. Start an ec2 instance
instance type: t2.micro OS: ubuntu security group: ubuntu-actions-sg edit inbound rules: allow all traffic from my IP
Go to the RDS security group and edit the inbound rules to allow MySQL traffic(3306) from ubuntu-actions-sg. Wait for the RDS to be available and copy the endpoint. Go back in our terminal on local machine, ssh into the ec2 isntance and run the following code(make sure to replace with the RDS endpoint)

 sudo apt-get update
 sudo apt-get install mysql-server -y      
 wget https://raw.githubusercontent.com/Ndzenyuy/vprofile-project/refs/heads/cd-aws/src/main/resources/db_backup.sql
mysql -h <enter-rds-edpoint> -u admin -padmin123 accounts < db_backup.sql

The above code will install mysql server, used to connect to mysql database, clone the project code and import the mysql dump found in db_backup.sql to the db server. At this point, the ec2 instance can be terminated. The Database is ready to be used in our app.

Build and Publish image to ECR

Back to GitHub secrets, add the following secrets
RDS_USER: admin RDS_PASS: admin123 RDS_ENDPOINT: (url of your rds endpoint) AWS_ACCESS_KEY_ID: < access key of the created IAM user > AWS_SECRET_ACCESS_KEY: REGISTRY: paste the URI of the copied ECR registry that was saved above and remove the /github-actions at the end, it should be like: XXXXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com

Now update the content of .github/main.yml with the following content

name: github Actions
on: [push, workflow_dispatch]

jobs: 
  Testing:
    runs-on: ubuntu-latest
    steps:
      - name: Testing workflow
        uses: actions/checkout@v4

      - name: Maven test
        run: mvn test

      - name: Checkstyle
        run: mvn checkstyle:checkstyle

# Setup java 17 to be default (sonar-scanner requirement as of 5.x)
      - name: Set Java 17
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '17' 

      # Setup sonar-scanner
      - name: Setup SonarQube
        uses: warchant/setup-sonar-scanner@v7

      # Run sonar-scanner
      - name: SonarQube Scan
        run: sonar-scanner
          -Dsonar.host.url=${{ secrets.SONAR_URL }}
          -Dsonar.login=${{ secrets.SONAR_TOKEN }}
          -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
          -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
          -Dsonar.sources=src/
          -Dsonar.junit.reportsPath=target/surefire-reports/ 
          -Dsonar.jacoco.reportsPath=target/jacoco.exec 
          -Dsonar.java.checkstyle.reportPaths=target/checkstyle-result.xml
          -Dsonar.java.binaries=target/test-classes/com/visualpathit/account/controllerTest/

              # Check the Quality Gate status.

      - name: SonarQube Quality Gate check
        id: sonarqube-quality-gate-check
        uses: sonarsource/sonarqube-quality-gate-action@master
        # Force to fail step after specific time.
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} 

  BUILD_AND_PUBLISH:
    needs: Testing
    runs-on: ubuntu-latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v4

      - name: Update application.properties file
        run: |
          sed -i "s/^jdbc.username.*$/jdbc.username\=${{ secrets.RDS_USER }}/" src/main/resources/application.properties
          sed -i "s/^jdbc.password.*$/jdbc.password\=${{ secrets.RDS_PASS }}/" src/main/resources/application.properties
          sed -i "s/db01/${{ secrets.RDS_ENDPOINT }}/" src/main/resources/application.properties

      - name: Build & Upload image to ECR
        uses: appleboy/docker-ecr-action@master
        with:
          access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
          secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          registry: ${{ secrets.REGISTRY }}
          repo: github-actions
          region: ${{ env.AWS_REGION }}
          tags: latest,${{ github.run_number }}
          daemon_off: false
          dockerfile: ./Dockerfile
          context: ./

In this pipeline code, we just added the build and publish stage. It'll will build the docker image and push it to ECR.

Now push the code to Github and see the pipeline triggered, If everything works well, we should see a success and the image hosted in ECR.

I succeeded in my 12th build because i had to update most library versions. That is part of the DevOps Career, solving similar issues.

ECS Setup

Once the image is in ECR, we need to setup ECS to pick this image and deploy it. In AWS console, goto ECS

Create a cluster -> name: github-actions-app -> create. Wait for few minutes for the creation to complete
Create a task definition:
Task definition configuration: github-td CPU: 1vCPU, memery: 2GiB Task execution role: create new role Container details: name: github-actions container port: 8080 image URI: <paste the image uri from ECR> : leave the rest as defaults
Now create it. After creation, click on the task execution role which will lead you to IAM. Make sure the policy in this role has AmazonECSTaskExecutionRolePolicy(AWS managed) now we have to add cloudwatch logs full access(CloudWatchLogsFullAccess).

Back to clusters, create a service with the following configurations:
Deployment configuration: family: github-actions service name: github-actions-svc Deployment failue detection Use the Amazon ECS deployment circuit breaker = false(uncheck) Networking: Security group: create new name: github-actions-sg inbound rules: HTTP from anywhere, custom tcp 8080 from anywhere

Load balancing: Application load balancer name: github-actions healthcheck grace period: 30s listener: create new listener: port 80 Create new target group: name: github-actions-tg healthcheck path: /login

Click create, this will take about 10 minutes to create the service and launch the container.

Select the service github-actions-svc, it opens a new tab, select configuration and networking, scroll down and Copy the DNS of the load balancer

Paste it in a browser to verify the app is running and is stable

Now we need to automate our pipeline to update the environment every time there is a new build

Deployment

The last job will be to deploy the latest version of the app each time the pipeline runs. Replace the main.yaml code with the following(I had to comment out Trivy scan because this code had many severe vulnerabilities causing the pipeline to fail. In real life situations, the Developers are to fix the vulnerabilities)

name: github Actions
on: [push, workflow_dispatch]
env: 
  AWS_REGION: us-east-1
  ECR_REPOSITORY: github-actions
  ECS_SERVICE: github-actions-svc
  ECS_CLUSTER: github-actions
  ECS_TASK_DEFINITION: aws-files/taskdeffile.json
  CONTAINER_NAME: github  
jobs: 
  Testing:
    runs-on: ubuntu-latest
    steps:
      - name: Testing workflow
        uses: actions/checkout@v4

      - name: Maven test
        run: mvn test

      - name: Checkstyle
        run: mvn checkstyle:checkstyle

# Setup java 17 to be default (sonar-scanner requirement as of 5.x)
      - name: Set Java 17
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '17' 

      # Setup sonar-scanner
      - name: Setup SonarQube
        uses: warchant/setup-sonar-scanner@v7

      # Run sonar-scanner
      - name: SonarQube Scan
        run: sonar-scanner
          -Dsonar.host.url=${{ secrets.SONAR_URL }}
          -Dsonar.login=${{ secrets.SONAR_TOKEN }}
          -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
          -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
          -Dsonar.sources=src/
          -Dsonar.junit.reportsPath=target/surefire-reports/ 
          -Dsonar.jacoco.reportsPath=target/jacoco.exec 
          -Dsonar.java.checkstyle.reportPaths=target/checkstyle-result.xml
          -Dsonar.java.binaries=target/test-classes/com/visualpathit/account/controllerTest/

              # Check the Quality Gate status.

      - name: SonarQube Quality Gate check
        id: sonarqube-quality-gate-check
        uses: sonarsource/sonarqube-quality-gate-action@master
        # Force to fail step after specific time.
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} 

  BUILD_AND_PUBLISH:
    needs: Testing
    runs-on: ubuntu-latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v4

      - name: Update application.properties file
        run: |
          sed -i "s/^jdbc.username.*$/jdbc.username\=${{ secrets.RDS_USER }}/" src/main/resources/application.properties
          sed -i "s/^jdbc.password.*$/jdbc.password\=${{ secrets.RDS_PASS }}/" src/main/resources/application.properties
          sed -i "s/db01/${{ secrets.RDS_ENDPOINT }}/" src/main/resources/application.properties

      - name: Build & Upload image to ECR
        uses: appleboy/docker-ecr-action@master
        with:
          access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
          secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          registry: ${{ secrets.REGISTRY }}
          repo: github-actions
          region: ${{ env.AWS_REGION }}
          tags: latest,${{ github.run_number }}
          daemon_off: false
          dockerfile: ./Dockerfile
          context: ./
    #- name: Run Trivy vulnerability scanner
     #  uses: aquasecurity/trivy-action@master
     #  with:
       #   image-ref: ${{ secrets.REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ github.run_number }}
      #    format: 'json'
      #    exit-code: '1'
       #   ignore-unfixed: true
       #   vuln-type: 'os,library'
      #    severity: 'HIGH' 

Deploy:
    needs: BUILD_AND_PUBLISH
    runs-on: ubuntu-latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Fill in the new image ID in the Amazon ECS task definition
        id: task-def
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: ${{ env.ECS_TASK_DEFINITION }}
          container-name: ${{ env.CONTAINER_NAME }}
          image: ${{ secrets.REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ github.run_number }}

      - name: Deploy Amazon ECS task definition
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          service: ${{ env.ECS_SERVICE }}
          cluster: ${{ env.ECS_CLUSTER }}
          wait-for-service-stability: true

On ECS, goto Task definitions -> github-td -> Revision 1, select the json tab on the page and copy the JSON content of the task definition and paste it in the file /aws-files/taskdeffile.json.

{
    "taskDefinitionArn": "arn:aws:ecs:us-east-1:XXXXXXXXXXXX:task-definition/github-td:2",
    "containerDefinitions": [
        {
            "name": "github",
            "image": "781655249241.dkr.ecr.us-east-1.amazonaws.com/github-actions",
            "cpu": 0,
            "portMappings": [
                {
                    "name": "github-actions-port",
                    "containerPort": 8080,
                    "hostPort": 8080,
                    "protocol": "tcp",
                    "appProtocol": "http"
                }
            ],
            "essential": true,
            "environment": [],
            "environmentFiles": [],
            "mountPoints": [],
            "volumesFrom": [],
            "ulimits": [],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "/ecs/github-td",
                    "mode": "non-blocking",
                    "awslogs-create-group": "true",
                    "max-buffer-size": "25m",
                    "awslogs-region": "us-east-1",
                    "awslogs-stream-prefix": "ecs"
                },
                "secretOptions": []
            },
            "systemControls": []
        }
    ],
    "family": "github-td",
    "executionRoleArn": "arn:aws:iam::XXXXXXXXXXXX:role/ecsTaskExecutionRole",
    "networkMode": "awsvpc",
    "revision": 2,
    "volumes": [],
    "status": "ACTIVE",
    "requiresAttributes": [
        {
            "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
        },
        {
            "name": "ecs.capability.execution-role-awslogs"
        },
        {
            "name": "com.amazonaws.ecs.capability.ecr-auth"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.28"
        },
        {
            "name": "ecs.capability.execution-role-ecr-pull"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
        },
        {
            "name": "ecs.capability.task-eni"
        },
        {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29"
        }
    ],
    "placementConstraints": [],
    "compatibilities": [
        "EC2",
        "FARGATE"
    ],
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "cpu": "1024",
    "memory": "2048",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },
    "registeredAt": "2024-12-03T03:24:41.874Z",
    "registeredBy": "arn:aws:iam::XXXXXXXXXXXX:user/ndzenyuyjones@gmail.com",
    "tags": []
}

Now edit the different environment variables to match those you gave in your setup. Push your code to GitHub and watch the pipeline gets built and deployed. The pipeline should be successful with all three stages.

Now edit the security group of the data base to accept inbound transfer of MySQL traffic(3306) from the security group(githubactions-sg) of the ECS service.

Back to our web page, login with the following credentials
username: admin_vp password: admin_vp
You should land on the welcome page.

Congratulations, you just succesfully deployed your application on a pipeline using GitHub actions.

Build a Simple AWS CI/CD Pipeline with deployment to Elastic Beanstalk

Jones Ndzenyuy — Mon, 25 Nov 2024 21:54:48 +0000

Introduction

Building a pipeline for automated tests and deployment is every developers' dream, not having to manually verify security vulnerabilities or functioning before making it live. A wrongly configured pipeline or choosing tools without prior load considerations can either end up over spending or crashing. In this project I will guide you through the building of an AWS native pipeline, it will build our code and host directly on AWS, cost considerations are made to ensure very little expenditure with every build, AWS Build only charges for the build time, no servers running.

How it works

The code is hosted in Bitbucket, whenever there is an update, the pipeline is triggered and fetches the code, Code build runs a test on Sonar cloud, if the quality gate is passed, the pipeline launches the build phase, stores the built artifact in an S3 bucket next Elastic Beanstalk is triggered to pick the artifact from S3 and update its environment. After a 360 seconds waiting, the final stage of the pipeline is triggered which tests the deployed software, the credentials of a test user, initially stored in DB is used to login to the web App and takes screenshots which are stored in another S3 bucket.

Architecture

How to Build It

Host code in Bitbucket

Create an account on bitbucket a guide to create it can be found here. and clone the code by running

git clone https://github.com/Ndzenyuy/cicd-on-aws.git
cd cicd-on-aws

The above command will clone the source code and change the working directory in to cicd-on-aws folder.

Now we have to configure a Bitbucket repository and upload the code. Go to your browser and create a repository in Bitbucket. To learn how to create a repository in bitbucket check this guide here. The repository should the following
workspace: aws-cicd-beanstalk repo name: cicd-with-elastic_beanstalk access level: private

Now back to the terminal, run the following:

git remote rm origin
git remote add source https://path/to/your/bitbucket/repo.git
git push -u

Now the code should be present on Bitbucket. Verify if it is the case or troubleshoot were you may have gone wrong. Leave the bitbucket tab open and open a different one.

Configure CodeArtifact

The App is a java based app, we will be using Maven to build it, so we are configuring CodeArtifact so that we can download and store maven dependencies, this will help reduce build times in subsequent builds. On the AWS console, search CodeArtifact and create a repository and give it the following configurations:

repo name: cicd-aws Public upstream repositories: maven-central-store -> next aws account: this account domain: give your domain, could be any name -> next verify and create repository

The created repository will display as follows:

Now open maven-central-store repository and click on View connection instructions -> Mac & Linux = true -> Select package manager client = mvn.

Here you'll have the connection instructions on how to connect to the repository from your project.

Copy Step 3: Export a CodeArtifact authorization token for authorization to your repository from your preferred shell. and open the buildspec.yml file in vscode and replace the line 15. The code should be as:

 - export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token --domain sparxinc --domain-owner 781655249241 --region us-east-1 --query authorizationToken --output text`

Copy Step 4: Add your server to the list of servers to your settings.xml to settings.xml. Scroll to line 5 and replace the server section with what was copied from the artifact repos instructions. It should look like this

<servers>
  <server>
    <id>sparxinc-cicd-aws</id>
    <username>aws</username>
    <password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
  </server>
</servers>

Next copy Step 5: Add a profile containing your repository to your settings.xml. and replace the contents of the profile section and the mirrors, it should look like this

#Profiles
<profiles>
  <profile>
    <id>sparxinc-cicd-aws</id>
    <activation>
      <activeByDefault>true</activeByDefault>
    </activation>
    <repositories>
      <repository>
        <id>sparxinc-cicd-aws</id>
        <url>https://sparxinc-XXXXXXXXXXXX.d.codeartifact.us-east-1.amazonaws.com/maven/maven-central-store/</url>
      </repository>
    </repositories>
  </profile>
</profiles>
#mirrors
<mirrors>
  <mirror>
    <id>sparxinc-maven-central-store</id>
    <name>sparxinc-maven-central-store</name>
    <url>https://sparxinc-XXXXXXXXXXXX.d.codeartifact.us-east-1.amazonaws.com/maven/maven-central-store/</url>
    <mirrorOf>*</mirrorOf>
  </mirror>
</mirrors>

Save the settings.xml file and open pom.xml. Back on the console, copy only the url from the instructions and replace those that is on line 303 and . The copied url is similar to:
<url>https://sparxinc-XXXXXXXXXXXX.d.codeartifact.us-east-1.amazonaws.com/maven/maven-central-store/</url>

Create build jobs

Here we are going to creat two build jobs, the first will analyse the code on sonar cloud and the second will build the artifact.

We need to first create a connection for bitbucket app, go under developer tools, search for settings -> connection and create a new connection.

Select a provider: bitbucket connection name: awscicd -> connect to bitbucket

In the next page click install new app and grant access to bitbucket when prompted. It'll return to the previous page, now click on the connect button. Our pipeline can now connect to bitbucket.

Code analysis job on sonar cloud

On the console, search CodeBuild -> Create project and give the following configurations:
Project name: code-analysis source provider: bitbucket Credential: Bitbucket app connection: awscicd repository: cicd-with-elastic_beanstalk operating system: ubuntu new service role name: codebuild-code-analysis-service-role Build spec -> use a buildspec file -> buildspec name: buildspec.yml Cloudwatch logs -> stream name prefix = awscicd-logs click create build project

If you open buildspec.yml file, you'll notice the parameters are stored in the parameter store, we need values for LOGIN, HOST, Organization and Project. For extra security, we need to store in Parameter store. But before then, we need to create a project in Sonarcloud before storing it's access information on parameter store. Go to sonarcloud and create an account if you don't have any yet by following this tutorial.
Login token: In the sonar cloud welcome page, on the top right corner of the screen, click you account icon and select My Account -> Security. Now give a token name of your choice and click generate. Copy the generated code to a sticky note for later use

Organization: On the same tab, open organizations and create a new organization, select create one manually
name: aws-cicd-organization key: aws-cicd-organization plan: free plan -> create organization

Project: On the page that opens, click analyse new project
organization: aws-cicd-organization display name: beanstalk-app project key: aws-cicd-organization_beanstalk-app -> next The new code for this project will be based on: Previous version create project

Open a new tab and open AWS console and search systems manager -> parameter store and create parameter with the following configurations.
HOST
parameter: HOST Tier: standard Type: String datatype: text value: https://sonarcloud.io

Organization
parameter: Organization Tier: standard Type: String datatype: text value: aws-cicd-organization

LOGIN
parameter: LOGIN Tier: standard Type: Secure String datatype: text value: (paste the value of the token generated in sonarcloud)

Project
parameter: Project Tier: standard Type: String datatype: text value: aws-cicd-organization_beanstalk-app

Return to the codebuild tab, we need to modify the IAM role of the build project in order to access parameter store, on the page

Under service role, top right, click on the IAM arn, it opens a new tab in IAM. Create a System manager policy with the following allow permissions:
under list: DescribeParameters under read: GetParameter, GetParametersByPath, GetParameterHistory, GetParameters, DescribeDocumentParameters

Click next, for policy name parameteraccess and create. Return and open the service role for the build project and add the created policy to it. Next search for another policy named "AWSCodeArtifactReadOnlyAccess" and add it to the same role. You should have policies as in the image below

Now return to the build project in codebuild tab and start build. If everything turns out well

So the Code analysis on sonar cloud should be populated with the statistics of the job that ran.

Build artifact job

Back to creating a build job console -> create build project and configure with the following:
name: build-artifact source provider: bitbucket select "custom source provider" repository: aws-cicd-beanstalk source version: main operating system: ubuntu select "new service role" build spec: select 'use buildspec file' buildspec name: aws-files/build_buildspec.yml create build project

Next we need to add the policy to access CodeArtifact to read the dependencies. To do so, click on the Service role url and add policy to this role. Add the policy named AWSCodeArtifactReadOnlyAccess.

Close the tab and return to CodeBuild and run build-artifact project by clicking start build. The project should finish successfully.

Create pipeline

Create an S3 bucket to store the artifact after the build job runs, give the parameters:
name: pipeline-storage-for-artifacts-xxx (xxx are random numbers to make the bucket name unique) region: us-east-1 create bucket
Now create a folder in the bucket named artifacts

On the AWS console, search pipeline -> create pipeline -> Build custom pipeline -> next
name: aws-cicd-pipeline leave defaults and click next source provider: bitbucket connection: connect to bitbucket -> enter a connection name -> create connection -> choose the app or create one if none exists and connect repository name: aws-cicd-beanstalk default branch: main -> next Build provider: select other build providers and choose AWS CodeBuild Project name: build-artifact input artifacts: source artifacts -> next Deploy provider: S3 input artifacts: BuildArtifact key: artifacts next, review and create pipeline
The pipeline will be automatically triggered, we need to stop it and add the code analysis stage. So click on stop execution select the pipeline and stop it. Click on edit and add a stage just before the build stage

stage name: codeanalysis -> add -> add action group
action name: analyse-code action provider: aws codebuild input artifacts: SourceArtifact project name: code-analysis -> done
Edit the deploy stage action and select Extract file before deploy then -> done

Make sure all the edited stages are validated with done. Save the changes and return to the pipeline. Click on release change to trigger the pipeline.

And voila, the pipeline has been successfully built. If you open the S3 bucket, you will find the artifact stored there

Configure SNS

Go to the console and search SNS -> create a new topic
type: standard name: awscicd-notification -> create notification

Click on create subscription
protocol: email endpoint: youremail@email.com
An email will be sent to the provided email. The status will be pending until you open the email and validate the subscription.

To the left pane, under pipelines -> settings -> notifications -> create notification rule
name: aws-cicd-rule Events that trigger notifications: select all targets: awscicd-notification -> submit

The notification rule will be created.
Now back to our pipeline, if we run the pipeline anew, notifications will be sent about the status of the pipeline

Launch Elastic Beanstalk

Create an IAM role

Console -> IAM -> roles -> Create role:
`Trusted entity type: AWS service
use case: EC2
Permissions policies:

AdministratorAccess-AWSElasticBeanstalk
AWSElasticBeanstalkCustomPlatformforEC2Role
AWSElasticBeanstalkRoleSNS
AWSElasticBeanstalkWebTier

role name: elasticbean-role-awscicd -> Create role`

Create keypair

Console -> EC2 -> Keypairs -> create keypair
Name: beanstalk-key -> create keypair

Launch Elastic beanstalk

Search Elastic Beanstalk on the console -> Create Application then
Application name: awscicd-beanstalk -> create

Click create new environment
Environment tier: web-server-environment platform: Tomcat Platform branch: Tomcat 10 with Corretto 21 running on 64bit Amazon Linux 2023 Platform version: 5.4.1 (Recommended) Presets: Custom configuration Leave any other as default and -> click next Service role: Create and use new service role EC2 key pair: beanstalk-key EC2 instance profile: elasticbean-role-awscicd Virtual Private Cloud (VPC): choose VPC with internet access Public IP address: activated =true Instance subnets: select all -> Next Root volume type: General Purpose 3(ssd) size: 10GB IOPS: 3000 Throughput: 125 Autoscaling group -> Environment type: load balanced min instances: 1 max instances: 4 Instance types: t2.micro Processes: select default -> actions -> edit -> sessions -> session stickiness = Enabled Monitoring: Enhanced email notifications: <enter your email> Deployment policy: Rolling Deployment batch size: 50 -> next
Review all the settings

Review all the settings and click on create. This will take about 4-5 minutes to create the infrastructure.

When Beanstalk is ready, you can click on the DNS link to access the page:

Our beanstalk environment is up and running, we will configure the pipeline to update the code with the built artifact.

Create RDS Database

Console -> RDS -> Create database and configure it as follows
choose a database creation method: standard create Engine options: MySQL Engine version: 8.0.35 Templates: free tier DB instance identifier: awscicd-mysql master username: admin password: admin123 Burstable classes (includes t classes): db.t3.micro storage: 20GB Security group: create new(name: awscicd-sg) Additional configuration: Initial database name: accounts

Review and create database. Wait for a while till the database is created. When the status changes from creating -> available before we can proceed.

Click on the created database and copy the endpoint. It should be like awscicd-mysql.cjrs4jngtznx.us-east-1.rds.amazonaws.com

Initialize Database

We have to login into the beanstalk instance and initialize the database with the initial data. But first we need to configure the awscicd-sg to receive traffic from beanstalk.

Go to console -> EC2 -> Security groups and open the Security group for the running beanstalk instance and copy the security group ID. Now open awscicd-sg -> Edit inbound rules.
Add a new rule allowing 3306 from the security group of the beanstalk instance. This will permit us to connect to the database through the beanstalk instance.

Save the changes. Now ssh into the running instance and run the following: (make sure to replace with the rds endpoint copied earlier)

sudo -i
dnf install mariadb105 -y
wget https://raw.githubusercontent.com/Ndzenyuy/vprofile-project/refs/heads/cd-aws/src/main/resources/db_backup.sql
mysql -h <enter-rds-edpoint> -u admin -padmin123 accounts < db_backup.sql

Add other parameters to Parameter store

We need to add the RDS endpoint, the database user and password to our parameters because Elastic beanstalk connects to the database. So we go to parameter store -> create new parameter and create the following parameters:

RDS-Endpoint
parameter: RDS-Endpoint Tier: standard Type: String datatype: text value: <enter your RDS End point>

RDPUSER
parameter: RDUSER Tier: standard Type: String datatype: text value: admin

RDPASS
parameter: RDPASS Tier: standard Type: Secure String datatype: text value: admin123 // or enter the password you used when creating db

Save all the parameters and edit the last stage of the pipeline, the deploy stage so that we can now deploy to beanstalk. Go to pipelines -> select the pipeline we created earlier(aws-cicd) and select it, choose edit and scroll to the deploy stage and update with the following parameters:
action name: deploy Action provider: AWS Elastic beanstalk Input artifact: BuildArtifact (what we defined in the build stage) Application name: awscicd-beanstalk Environment: web-server-environment and update the environment.

Now Click on done:

Scroll up and Save the pipeline. Now to test the pipeline, Click on Release change. This will trigger the pipeline to build all the steps and deploy to our beanstalk environment.

After the build successfully completes, after about 5 minutes, check the Enviroment DNS on beanstalk and see how the application is displayed

To check if the RDS database is connected, try to log-in with the credentials
Username: admin_vp password: admin_vp

If the database is connected, we'll be channeled to the welcome page:

Wooow!!!!!!!! Congratulations, you just deployed a cicd pipeline with AWS Pipeline. Each code update detected on your branch and pushed to bitbucket will automatically deploy to beanstalk.

If you succedded to build this project, please let me know in the comments, if you have difficulties i will be glad to help, just put it in the comments.

I haven't included Selenium test stage for the moment, but will certainly do when all is ripe

Build a Chatbot to streamline customer queries and automate tasks integrating amazon Lex and Bedrock

Jones Ndzenyuy — Tue, 12 Nov 2024 20:20:52 +0000

How it works

Have you ever wondered about the technology behind chatbots found on websites that interacts with users and answers FAQs? If you have ever looked for a solution to a problem about a service on any website and you happen to have to scroll through all the other irrelevant answers before finally getting the answer you wanted, then you'll agree with me it is time consuming. In this article, I will guide you on how to build a bot that can give precise answers about queries the users might have concerning the services on any company website as well as run automated tasks like booking a ticket, cancelling it, reschedule etc.

When the user opens the website, the web UI loads and appears at the bottom right corner of the screen. Once clicked, it displays a pre-configured welcome message. If the user types any questions related to the company, the AI model searches the pre-loaded PDF files containing every information about the company, if the answer is found, the bot gives the user a human friendly and summarized response. In our case, the bot will not only answer FAQs, but will help users book travel tickets, give the different destinations, let them choose between classic or VIP travel options with their different tariffs.
The technologies involved are:

Amazon Lex
AWS S3
Amazon Bedrock
Amazon Polly
AWS IAM

Architecture

Step by Step guide to build it

Create a Lex Bot

Open the AWS console and search Amazon Lex, choose create Bot -> Descriptive Bot

Bot name: web-assistant runtime role: Create a role with basic Amazon Lex permissions = true Children’s Online Privacy Protection Act (COPPA) = no Idle session timeout = 5mins

Now click Next, for the Descriptive Bot Builder - GenAI enter this text:

Objective: we are a travel agency that transport passengers to different destinations in Cameroon. I want a bot that can book a journey, cancel a journey, check reservation details, Get travel status, reschedule a journey. We use ticket_id to identify the client. we offer two travel classes

For the other parameters, allow defaults and click done. Give it between two to 3 minutes to create the intents. When the intents are created on the green success bar that appears above to notify the intents were successfully created, click on review. In the next page that appears, you will see the different intents created. If you are happy with the intents, click "Accept intents" these intents will be included in the prompt for building the model.

Till now all the intents are the automatically generated, meaning the bot knows nothing about our company, only expects specific data in order to treat the request, say if the destination city isn't in it's database, then it'll not accept any other answer. So we have to personalize the bot in order to accept our company data, say we only travel to few towns, our tarrifs are in local currency. My generated intents are:

BookJourney
CheckReservationDetails
GetTravelStatus
CancelJourney
RescheduleJourney
FallbackIntent

We are therefore going to add a knowledge base which Amazon Lex will interact with in order to give us answers specific to our company. In order to personalize the different intents to go into the knowledge base and look for the required information, we need to configure each of them:

Configure BookJourney intent

Click BookJourney inside the intents page and scroll down to slots

Click on Prompt for slot: DepartureCity

Then go to Advanced options and configure the following
Enhance this slot with the assisted slot resolution feature: enable Runtime generative AI features: enable Select model: Anthropic, Claude instant and save

Back on go to intents -> BookJourney -> advanced options -> *Enable assisted slot resolution - GenAI = true * -> Save intent. This sets the chatbot to seek the knowledge base for specific type of answers.

Repeat the same activity for all the slots that have as type AMAZON.city or AMAZON.date, remember to save each time you enable the assisted slot resolution. Check for the intents and make sure they are configured to seek assistance from AI in order to manage the City and Date slots. This will help users give cities that are in the company data and for dates, the user can be prompted and they respond with either today, tomorrow or in two weeks and the model figures out the date based on the present date.

After finishing and saving the intents, go to Slot types and select ClassType

For the class values, we will input VIP and Classic, just as it is done in the image below:

Click save slot type. Then Click on Build to make sure all changes are saved

Create S3 bucket and store company data

Go to the console and search S3 -> Create bucket
Bucket name: knowledge-base-bucket-xxx (xxx are random numbers to make the bucket name unique) region: us-east-1

Upload data that has the data of the company, this include every service, cost etc that the company sells. In our case, lets use this text and convert to pdf and upload to our S3 bucket.

General Express Description:
Welcome to the General Express chatbot! We are dedicated to providing exceptional travel services across various destinations in Cameroon, with our headquarters located in Bafoussam. Our mission is to ensure a comfortable, convenient, and enjoyable travelexperience for all our customers. Key Features:
Travel Destinations and Pricing:
Our chatbot can assist you in exploring our travel routes and pricing options:
Bafoussam to Douala: 4000 XAF (Classic) | 6000 XAF (VIP)
Bafoussam to Yaoundé: 5000 XAF (Classic) | 6500 XAF (VIP)
Bafoussam to Bangante: 1000 XAF (Classic) | 1500 XAF (VIP)
Bafoussam to Bafang: 1000 XAF (Classic) | 1500 XAF (VIP)
Bafoussam to Bamenda: 2000 XAF (Classic) | 2500 XAF (VIP)
Bafoussam to Buea: 6000 XAF (Classic) | 7000 XAF (VIP)
Luggage Handling:
Our team will assess the value of your luggage before departure, ensuring safe and secure transport. Travel Schedules:
The chatbot provides information about our travel times:
Morning Journeys: 6 AM to 10 AM
Day Journeys: 11 AM to 5 PM
Night Journeys: 6 PM to 2 AM
Complimentary Meals:
Enjoy complimentary meals during your journey, enhancing your travel experience without any additional costs. Customer Service:
Our friendly and welcoming personnel are committed to ensuring your comfort and satisfaction throughout your travels. If you have any questions or need assistance, our chatbot is here to help!
Contact Information:
For further inquiries or to make a reservation, feel free to reach us at:
Phone: 600000000
Phone: 800000000
Conclusion:
The General Express chatbot is designed to make your travel
planning seamless and efficient. Whether you need information about
routes, pricing, or travel schedules, we are here to assist you at every step. Experience the joy of travel with General Express, where customer satisfaction is our top prior

Create a knowledge base for Amazon Bedrock

Go to the search bar in the console and search Amazon Bedrock -> Builder Tools -> Knowledge basses -> Create knowledge Base.
Provide the following details:
Knowledge base name: travel-assistant-knowledge-base IAM: Create and use a new service role choose data source: S3 -> Next

Configure data source:
data source name: travel-assistant-knowledge-base Data source location: this account S3 URI: Browse S3 choose: knowledge-base-bucket-xxx next

Select embeddings model and configure vector store
Embeddings modele: Titan Embeddings G1 - Text v1.2 vector database: Quick create a new vector store = true next

Review everything and create knowledge base. It will take few minutes to create. After that, we'll need to sync the knowledge base so that the LLM can read the pdf documents that are stored in our S3.

After the data source is created, click on sync for the LLM to read the PDF documents in our S3 bucket. If other information or services are added to the company, it just needs to be documented and uploaded to S3, not forgetting to sync the knowledge base.

Create a Lex bot QnA intent

Go back to the Lex console and select the bot we created and select Add intent -> use built-in intent -> AMAZON.QnAIntent-GenAI feature, give intent name as GenAiIntent as in the following image

Then click Add. Next configure the intent,
QnA configuration:
Select model: Anthropic Claude instant Knowledge store: Knowledge base for Amazon bedrock Knowledge base for Amazon Bedrock Id: (return to knowledge base console and copy the knowledge base id we created earlier, it has 10 characters) click save intent
The saved intent should appear to the left of the screen amongst the intents.

Then we have to build the the bot by clicking on the Build button(top right) and wait for the build to complete

Test the Chatbot

Click on the test button in order to start testing the bot. We need to verify the functionality of the bot before deployment. To the left of the screen, the test window opens, click on the inpect button so as to see the values. We will ask questions related to the uploaded document:

What are the destinations
What are the tariffs,

Woow, we have our bot answer questions based on the knowledge base information. Next we can try to book a ticket:
I will just type in Book a ticket, the model will identify the intent and ask the relevant questions in order to book the ticket

Notice that instead of giving a date, i wrote tomorrow and the bot figured out and selected the date of tomorrow. With human friendly interactions, we can book a ticket for a travel agency with little efforts

Looking at the Inspect dashboard, the bot asks questions and populates it, this can be used to trigger lambda functions to carryout the desired task in the backend.

Now we need to integrate it to our website by building a web UI chat icon.

Build a WebUI and attach to the website

Create a version

On the Lex console select the bot we created and select bot versions on the left panel and create a new version. This creates a snapshot of what we just built. It will create Version 1

Create an Alias

On the left panel, under deployments, select Aliases -> create Alias and fill the following
Alias name: travel-assistant-alias associate with a version: version 1 click create
Copy the alias ID and the bot ID as we will use it when creating the webUI.

Create a cloud formation stack

Open this page in a new tab Deploy webUI for Chatbot

Under the section Getting started with the AWS CloudFormation deployment option we choose the region where we want to create the stack which should also be the same region where the bot is located(North Virginia) and click launch stack. Search the following fields and populate them with the following:

Lex V2 Bot configuration parameters:
LexV2BotId: XXXXXXX (Replace X with the bot id you copied) LexV2BotAliasId: XXXXXXX (Replace with the alias Id)

Next look for Web Application Parameters and populate with the following:
WebAppParentOrigin: https://domain.com (enter the domain name where the web app is running) WebAppPath: /index.html (provide the name of the file that runs the home page) WebAppConfBotInitialText: You can ask me for help booking a ticket or FAQ about our company Just type "Book ticket" or click on the mic and say it. WebAppConfBotInitialSpeech: Say 'Book ticket' to get started. WebAppConfToolbarTitle: Book Ticket

Acknowledge the two radio buttons under Capabilities and create the stack.

It will open a cloud formation console, wait for it to finish creating.

After creation is completed, go to outputs and look for the SnippetsUrl

Copy the code snippet and go to the index.html file of the running website and paste it in the body part of the html code. Do necessary updates on the website to display the newly configured index.html file. In my case, it is a static website hosted in an S3 bucket. So i will upload the index.html to the S3.

Now open the website, you should see the chatbot open to the bottom right side of the screen

When you click the chat icon

And voila!! We have successfully integrated a chatbot to our website.

Harnessing AWS Bedrock: Create a Generative AI PDF Chatbot

Jones Ndzenyuy — Sat, 02 Nov 2024 20:58:56 +0000

Have you started your AI journey and want to implement a project that will help you build hands on experience with Gen AI using Amazon Bedrock? Well worry no more because in this project, I will guide you through an end to end project to build a sophisticated chatbot. It will enable users to interact with PDF documents smoothly. The app is conceived such that, a user can ask a question and the bot responds with an answer from the uploaded file. If it doesn’t find a response, it will report it. The user can upload files of maximum 200MB and the app will manage without difficulties thanks to the power of Bedrock LLM

I will guide you through a set of tools and technologies to create this application so as to guarantee reliable performance and an easy to use user interface, these tools include:

Amazon bedrock
AWS S3
AWS EC2
Docker
Langchain
Streamlit

Architecture

Principle

The app is conceived such that, when a user visits the web page, the first thing he is asked to do is to upload a pdf file. The file is processed using PyPDF and divides it into chunks. The chunks are then converted into vectors which is a representation of the PDF’s content. The generated vectors are stored in an S3 bucket for access and retrieval when the user asks a question.
When there is a query from the user, the application processes the vector from the S3 to seek similarities, it then generates a prompt with a query and context which are then used as input for our LLM(Jurassic-2 Mid) which then generates the answer for the user. The application runs in a Docker container, using Streamlit to create a visually appealing UI.

How to build It

Launch an EC2 instance

Name: pdf-Chat-Bot Instance type: t2.micro AMI: Ubuntu:latest Volume: 8GiB Security gate: Create new - inbound rules => allow 8083 from everywhere => allow ssh from my IP launch template:

#!bin/bash
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y

Create an IAM Role for the EC2 instance to access Bedrock and S3

Go to AWS console -> IAM -> Roles -> Create role

name: pdfBotRole attach policies: - AmazonBedrockFullAccess - AmazonS3FullAccess

Attach role to EC2 instance

Go to the EC2 console, select the instance then go to Actions -> Security -> Modify IAM role
Select the IAM role previously created "pdfBotRole" and click Apply

Create S3 bucket

On the console, search S3 then create a bucket with the following(xxx are random numbers to make the bucket name unique)

name: bedrock-chatpdf-xxx region: us-east-1 allow defaults and choose create
Copy the bucket name as we'll use it in the next steps

SSH into the instance and clone Source code

Copy the public address of the instance and open a terminal
ssh -i "path/to/.pem-file" ubuntu@public-ip-address
Verify docker installation

docker ps

If docker is installed, will see a table for existing docker containers which will of course be empty.

Clone source

Open a terminal and run the following
git clone https://github.com/Ndzenyuy/chatPdf.git cd chatPdf

In the cloned source code, we have the following files/folders
Dockerfile application.py requirements.txt /images

Access for LLM models in Amazon Bedrock

On the console Amazon Bedrock -> Base models -> Model Access
Make sure you have access to Jurassic-2 Ultra and Titan Embeddings G1 - Text, if not you can request access.

Build and Run App docker image

Make sure you are inside chatPdf folder and run the following command

docker build -t chatPdf-app .

The image will be built, then we can run it with the following

docker run -d -e BUCKET_NAME="yourBucketName" -p 8083:8083 chatPdf

Now copy the public IP of the EC2 instance and type it on the browser followed by the port number 8083. For instance

XX.XX.XX.XX:8083

How to use the App

The landing page will first require the user to upload a pdf document

Either drag and drop or Click on the button "Browse files" Load the PDF document and ask questions based on its content

Conclusion

This project happens to be an innovative PDF chatbot application that will reduce significantly the time researchers spend on reading PDF of articles and books. It transforms hours of traditional page by page reading and trying to understand irrelevant information as to the current needs, into just few prompts and interactive engagements, users can efficiently understand the content, authorship, summaries and in depth knowledge of pdf documents

This app will serve as a valuable tool for students harnessing their ability of interacting with academic articles and literature. By leveraging the procedure of further breaking complex texts, it does not only save time but builds a sense of critical thinking and asking of relevant questions