DEV Community: Bogdan Vlad The latest articles on DEV Community by Bogdan Vlad (@vladbogdan10). https://dev.to/vladbogdan10 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F908442%2Fd9314fb3-6d4f-430f-ba32-ffcd0c09e3f9.jpeg DEV Community: Bogdan Vlad https://dev.to/vladbogdan10 en Guide to Deploy a Web App on AWS with Terraform and GitHub Actions Bogdan Vlad Wed, 22 Mar 2023 18:25:16 +0000 https://dev.to/vladbogdan10/guide-to-deploy-a-web-app-on-aws-with-terraform-and-github-actions-2jle https://dev.to/vladbogdan10/guide-to-deploy-a-web-app-on-aws-with-terraform-and-github-actions-2jle <p>In this guide, I will show you how to deploy a very basic Express.js web application on AWS ECS using the Fargate launch type.</p> <p>We will use Terraform to provision and manage all the resources needed, like the ECS cluster, VPC, ECR repository, IAM roles, etc. Then we'll use GitHub Actions to build the project and automatically deploy the application and infrastructure changes with the push of a new git tag.</p> <p><strong>Be aware that some AWS resources created throughout this guide are not free.</strong> The costs will depend on your region and the resources allocated. The initial costs will be lower if you qualify for the <a href="https://aws.amazon.com/free/">Free Tier</a>.</p> <h2> Prerequisites </h2> <p>This guide assumes that you already have the following:</p> <ul> <li>Some knowledge of Git, Terraform, AWS, and Docker</li> <li>Terraform v1.4.1 (latest version at the time of writing)</li> <li>AWS account</li> <li>AWS credentials configured on your local machine</li> <li>GitHub account and a git repository</li> <li>Node.js installed on your machine.</li> </ul> <h2> A Brief Introduction to AWS ECS and Fargate: </h2> <p>ECS is a fully managed service for running and orchestrating Docker containers, so you don't have to worry about managing the underlying infrastructure. It allows you to create a cluster of EC2 instances and then run tasks on those instances where each task is a containerized application.</p> <p>Fargate is a serverless compute engine for containers built on top of ECS. When you launch a task or a service on ECS with Fargate, it will provision all the necessary infrastructure to run your containers without the need to provision and manage the underlying EC2 instances.</p> <p>You can read more about ECS and Fargate <a href="https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html">here</a> and <a href="https://docs.aws.amazon.com/AmazonECS/latest/userguide/what-is-fargate.html">here</a>.</p> <h2> Hello World! A very basic Express.js web application </h2> <p>In an empty git repository, create an <code>app.js</code> file and add the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nx">express</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="mi">3000</span> <span class="nx">app</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello World!</span><span class="dl">'</span><span class="p">)</span> <span class="p">})</span> <span class="nx">app</span><span class="p">.</span><span class="nx">listen</span><span class="p">(</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">`Example app listening on port </span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>Next, create a <code>Dockerfile</code> file with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18</span> <span class="k">WORKDIR</span><span class="s"> /usr/src/app</span> <span class="k">COPY</span><span class="s"> package*.json app.js ./</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "app.js"]</span> </code></pre> </div> <p>And finally, create a <code>.gitignore</code> file with the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>node_modules terraform/.terraform </code></pre> </div> <p>Now, inside the project run <code>npm init -y</code> to auto generate a <code>package.json</code> file and then run <code>npm install express</code>.</p> <p>That's it! You can run the app with the following command <code>node app.js</code> and then go to <a href="http://localhost:3000">http://localhost:3000</a>. You should see "Hello World!".</p> <h2> Infrastructure Provisioning with Terraform </h2> <p>Before starting, I must mention that some examples in this guide will use the open-source "Cloud Posse" terraform modules. These modules simplify the provisioning of AWS services and the underlying resources. They are well-maintained and have very good documentation. You can find more about the modules and what properties each module supports on their <a href="https://github.com/cloudposse">GitHub</a>.</p> <p>Ok, without further ado, let's jump to the Terraform code.</p> <p>First, create a folder named <code>terraform</code> in your project and add the following files: <code>backend.tf</code>, <code>main.tf</code>, <code>outputs.tf</code>, <code>provider.tf</code>, <code>variables.tf</code>, and <code>versions.tf</code>.</p> <p>Let's set up the backend where terraform will store its state. For this, you must first create an S3 bucket and give it any name, e.g., "tfstate-a123" (name must be globally unique). This is the only resource that we'll create without terraform.</p> <p><strong>Tip:</strong> You should enable Bucket Versioning on the S3 bucket to allow for state recovery if something goes wrong.</p> <p>Add the following to the <code>backend.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># backend.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"tfstate-a123"</span> <span class="c1"># name of the s3 bucket you created</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"production/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="c1"># change to your region</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now let's add the rest of the Terraform configuration. Add the following to the <code>provider.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># provider.tf</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">region</span> <span class="c1"># value will be set later in variables.tf</span> <span class="nx">default_tags</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This tells Terraform which provider to use and the region where to create the resources. Here we also set the <code>default_tags</code> property to automatically tag all resources that support tagging.</p> <p>Next, let's set the required terraform version and the providers. Add the following to the <code>versions.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># versions.tf</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"&gt;= 4.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now let's set the variables that we'll use throughout the code. Add the following to the <code>variables.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># variables.tf</span> <span class="nx">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"AWS Region"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"namespace"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"app"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Usually an abbreviation of your organization name, e.g. 'eg' or 'cp'"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"stage"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"prod"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"myproject"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Project name"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"image_tag"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"latest"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Docker image tag"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"container_port_mappings"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="err">(</span><span class="nx">object</span><span class="err">(</span><span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">hostPort</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span><span class="err">))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="mi">3000</span> <span class="nx">hostPort</span> <span class="p">=</span> <span class="mi">3000</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The port mappings to configure for the container. This is a list of maps. Each map should contain </span><span class="se">\"</span><span class="s2">containerPort</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">hostPort</span><span class="se">\"</span><span class="s2">, and </span><span class="se">\"</span><span class="s2">protocol</span><span class="se">\"</span><span class="s2">, where </span><span class="se">\"</span><span class="s2">protocol</span><span class="se">\"</span><span class="s2"> is one of </span><span class="se">\"</span><span class="s2">tcp</span><span class="se">\"</span><span class="s2"> or </span><span class="se">\"</span><span class="s2">udp</span><span class="se">\"</span><span class="s2">. If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"desired_count"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The number of instances of the task definition to place and keep running"</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> </code></pre> </div> <p>The values for the <code>namespace</code>, <code>stage</code> and <code>name</code> will dictate how the resources will be named. Change them to your needs. With the default values in this example the resources will be named or prefixed with "app-prod-myproject".</p> <p>And now comes the fun part, the provisioning of the services needed to run a web application. Let's start by adding the configurations for the VPC and Subnets resources first.</p> <p>Add the following to the <code>main.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"cloudposse/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2.0.0"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">namespace</span> <span class="nx">stage</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">stage</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">name</span> <span class="nx">ipv4_primary_cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"subnets"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"cloudposse/dynamic-subnets/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2.0.4"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">namespace</span> <span class="nx">stage</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">stage</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">name</span> <span class="nx">availability_zones</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eu-west-1a"</span><span class="p">,</span> <span class="s2">"eu-west-1b"</span><span class="p">,</span> <span class="s2">"eu-west-1c"</span><span class="p">]</span> <span class="c1"># change to your AZs</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">vpc_id</span> <span class="nx">igw_id</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">igw_id</span><span class="p">]</span> <span class="nx">ipv4_cidr_block</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">vpc_cidr_block</span><span class="p">]</span> <span class="nx">nat_gateway_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">max_nats</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> </code></pre> </div> <p>Here, <code>max_nats</code> is set to <code>1</code>, to save costs at the expense of availability as NAT Gateways are fairly expensive. You can remove or comment out the <code>max_nats</code> property and it will create a NAT Gateway for each "Availability Zone" (number depends on your region) or you can set the <code>nat_gateway_enabled</code> to <code>false</code> if you don't want to create any NAT Gateway and then create resources under the public subnets if they need access to services outside the VPC.</p> <p>From AWS documentation:</p> <blockquote> <p>A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.</p> </blockquote> <p>With that said, if you choose not to use a NAT Gateway, don't worry. The Security Group attached to the ECS Service will only allow incoming requests from the ALB.</p> <p>Now let's add the configuration for the Application Load Balancer (ALB). This will be the entry point to the application and as the name suggest, it will automatically distribute the incoming traffic across multiple targets, meaning ECS Tasks aka docker containers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"alb"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"cloudposse/alb/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.7.0"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">namespace</span> <span class="nx">stage</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">stage</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">name</span> <span class="nx">access_logs_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">vpc_id</span> <span class="nx">ip_address_type</span> <span class="p">=</span> <span class="s2">"ipv4"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">subnets</span><span class="err">.</span><span class="nx">public_subnet_ids</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">vpc_default_security_group_id</span><span class="p">]</span> <span class="c1"># https_enabled = true</span> <span class="c1"># certificate_arn = aws_acm_certificate.cert.arn</span> <span class="c1"># http_redirect = true</span> <span class="nx">health_check_interval</span> <span class="p">=</span> <span class="mi">60</span> <span class="p">}</span> </code></pre> </div> <p>The <code>https</code> related properties are commented as it's out of scope for this guide. There will be a follow up article on how to create an SSL certificate with AWS Certificate Manager and enable HTTPS.</p> <p>Next comes the ECS configuration. This will create the ECS Cluster, ECR, CloudWatch Logs, a Container definition -- which will be used to create the ECS task definition -- and the Service that will run and manage the ECS task definition.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">module</span> <span class="s2">"ecr"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"cloudposse/ecr/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"0.35.0"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">namespace</span> <span class="nx">stage</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">stage</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">name</span> <span class="nx">max_image_count</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">protected_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"latest"</span><span class="p">]</span> <span class="nx">image_tag_mutability</span> <span class="p">=</span> <span class="s2">"MUTABLE"</span> <span class="nx">enable_lifecycle_policy</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Whether to delete the repository even if it contains images</span> <span class="nx">force_delete</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"cloudwatch_logs"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"cloudposse/cloudwatch-logs/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"0.6.6"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">namespace</span> <span class="nx">stage</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">stage</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">name</span> <span class="nx">retention_in_days</span> <span class="p">=</span> <span class="mi">7</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"container_definition"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"cloudposse/ecs-container-definition/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"0.58.1"</span> <span class="nx">container_name</span> <span class="p">=</span> <span class="s2">"${var.namespace}-${var.stage}-${var.name}"</span> <span class="nx">container_image</span> <span class="p">=</span> <span class="s2">"${module.ecr.repository_url}:${var.image_tag}"</span> <span class="nx">container_memory</span> <span class="p">=</span> <span class="mi">512</span> <span class="c1"># optional for FARGATE launch type</span> <span class="nx">container_cpu</span> <span class="p">=</span> <span class="mi">256</span> <span class="c1"># optional for FARGATE launch type</span> <span class="nx">essential</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">port_mappings</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">container_port_mappings</span> <span class="c1"># The environment variables to pass to the container.</span> <span class="nx">environment</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ENV_NAME"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"ENV_VALUE"</span> <span class="p">},</span> <span class="p">]</span> <span class="c1"># Pull secrets from AWS Parameter Store.</span> <span class="c1"># "name" is the name of the env var.</span> <span class="c1"># "valueFrom" is the name of the secret in PS.</span> <span class="nx">secrets</span> <span class="p">=</span> <span class="p">[</span> <span class="c1"># {</span> <span class="c1"># name = "SECRET_ENV_NAME"</span> <span class="c1"># valueFrom = "SECRET_ENV_NAME"</span> <span class="c1"># },</span> <span class="p">]</span> <span class="nx">log_configuration</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">logDriver</span> <span class="p">=</span> <span class="s2">"awslogs"</span> <span class="nx">options</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"awslogs-region"</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">region</span> <span class="s2">"awslogs-group"</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">cloudwatch_logs</span><span class="err">.</span><span class="nx">log_group_name</span> <span class="s2">"awslogs-stream-prefix"</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">secretOptions</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"ecs_alb_service_task"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"cloudposse/ecs-alb-service-task/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"0.66.4"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">namespace</span> <span class="nx">stage</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">stage</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">name</span> <span class="nx">use_alb_security_group</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">alb_security_group</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">alb</span><span class="err">.</span><span class="nx">security_group_id</span> <span class="nx">container_definition_json</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">container_definition</span><span class="err">.</span><span class="nx">json_map_encoded_list</span> <span class="nx">ecs_cluster_arn</span> <span class="p">=</span> <span class="nx">aws_ecs_cluster</span><span class="err">.</span><span class="nx">ecs_cluster</span><span class="err">.</span><span class="nx">arn</span> <span class="nx">launch_type</span> <span class="p">=</span> <span class="s2">"FARGATE"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">vpc_id</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="err">.</span><span class="nx">vpc</span><span class="err">.</span><span class="nx">vpc_default_security_group_id</span><span class="p">]</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">subnets</span><span class="err">.</span><span class="nx">private_subnet_ids</span> <span class="c1"># change to "module.subnets.public_subnet_ids" if "nat_gateway_enabled" is false</span> <span class="nx">ignore_changes_task_definition</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">network_mode</span> <span class="p">=</span> <span class="s2">"awsvpc"</span> <span class="nx">assign_public_ip</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># change to true if "nat_gateway_enabled" is false</span> <span class="nx">propagate_tags</span> <span class="p">=</span> <span class="s2">"TASK_DEFINITION"</span> <span class="nx">desired_count</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">desired_count</span> <span class="nx">task_memory</span> <span class="p">=</span> <span class="mi">512</span> <span class="nx">task_cpu</span> <span class="p">=</span> <span class="mi">256</span> <span class="nx">force_new_deployment</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">container_port</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">container_port_mappings</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="err">.</span><span class="nx">containerPort</span> <span class="nx">ecs_load_balancers</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">container_name</span> <span class="p">=</span> <span class="s2">"${var.namespace}-${var.stage}-${var.name}"</span> <span class="nx">container_port</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">container_port_mappings</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="err">.</span><span class="nx">containerPort</span> <span class="nx">elb_name</span> <span class="p">=</span> <span class="s2">""</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">alb</span><span class="err">.</span><span class="nx">default_target_group_arn</span> <span class="p">}]</span> <span class="p">}</span> </code></pre> </div> <p>There are two parameters that I want to mention here, the <code>ignore_changes_task_definition</code> and <code>force_new_deployment</code> as they are related to how a new version of the app is deployed live. For the first, we want terraform to track changes to the ECS task definition, like the <code>container_image</code> value and to create a new ECS task definition version. For the second we tell the Service to deploy the latest version immediately.</p> <p>And last we will create the assume IAM Role and the OpenID Connect (OIDC) Identity provider. This will allow GitHub Actions to request temporary security credentials for access to AWS resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"github_actions_oidc"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sts.amazonaws.com"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"6938fd4d98bab03faadb97b34396831e3780aea1"</span> <span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Namespace</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">namespace</span> <span class="nx">Stage</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">stage</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"github_actions_role"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"github_actions"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="err">(</span><span class="p">{</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span><span class="err">,</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span><span class="err">,</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Federated</span> <span class="p">=</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="err">.</span><span class="nx">github_actions_oidc</span><span class="err">.</span><span class="nx">arn</span> <span class="p">}</span><span class="err">,</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="err">,</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringLike</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"token.actions.githubusercontent.com:sub"</span> <span class="err">:</span> <span class="s2">"repo:EXAMPLE_ORG/REPO_NAME:*"</span> <span class="p">}</span><span class="err">,</span> <span class="nx">StringEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"token.actions.githubusercontent.com:aud"</span> <span class="err">:</span> <span class="s2">"sts.amazonaws.com"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span><span class="err">)</span> <span class="nx">managed_policy_arns</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arn:aws:iam::aws:policy/AdministratorAccess"</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Namespace</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">namespace</span> <span class="nx">Stage</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">stage</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">var</span><span class="err">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>StringLike</code> condition will match and allow any branch, pull request merge branch, or environment from the <code>EXAMPLE_ORG/REPO_NAME</code> to assume the <code>github_actions</code> IAM Role. If you want to limit to a specific branch like main, then replace the wildcard (*) with the branch name. You can read more <a href="https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services">here</a>.</p> <p>For the purpose of this guide we'll attach the AWS managed AdministratorAccess policy to the role. As the name suggests the role will have administrator permissions.</p> <p><strong>It's important to mention that the policies assigned to the role determine what the GitHub Actions user is allowed to do in AWS.</strong> As a security best practice it's highly recommended to give the least permissions to a role.</p> <p>And at last add the following to the <code>outputs.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># outputs.tf</span> <span class="nx">output</span> <span class="s2">"alb_dns_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"DNS name of ALB"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">alb</span><span class="err">.</span><span class="nx">alb_dns_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"github_actions_role_arn"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ARN of the role to be assumed by the GitHub Actions"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="err">.</span><span class="nx">github_actions_role</span><span class="err">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"ecr_repository_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the ECR Repository"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="err">.</span><span class="nx">ecr</span><span class="err">.</span><span class="nx">repository_name</span> <span class="p">}</span> </code></pre> </div> <p>Now, inside the terraform folder, run the <code>terraform init</code> command and then run the <code>terraform plan</code> and check the output to see the resources that will be created, and lastly, you should see this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>... Plan: 54 to add, 0 to change, 0 to destroy. </code></pre> </div> <p>If everything looks good go on and run <code>terraform apply</code>. After all the resources were created, copy the <code>alb_dns_name</code> value from the outputs and paste it in the browser and... (drum rolls), you get a "503 Service Temporarily Unavailable" error. This is expected as the Task Definition is configured to use the docker image with the "latest" or "1.x.x" tag which does not exist in the ECR yet. That's where GitHub Actions comes into play. Before moving to the next section, copy the <code>github_actions_role_arn</code> value. We'll need it for the next step.</p> <p>And that's it for the Infrastructure Provisioning part. Congrats for making it so far!</p> <h2> Automation with GitHub Actions </h2> <p>Now that we have the infrastructure ready, let's create the GitHub Actions workflow and automate the deployment process.</p> <p>Create the following folder structure <code>.github/workflows</code> at the root of your project. Inside the <code>workflows</code> folder create a <code>.yaml</code> file and name it <code>buildAndDeploy</code> (or any name you want) and copy the following configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># buildAndDeploy.yaml</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Build</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">deploy</span><span class="nv"> </span><span class="s">with</span><span class="nv"> </span><span class="s">terraform'</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">*'</span> <span class="na">env</span><span class="pi">:</span> <span class="na">AWS_REGION</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="c1"># Change to your region</span> <span class="na">IAM_ROLE_ARN</span><span class="pi">:</span> <span class="s">arn:aws:iam::xxxxxxxxxxxx:role/github_actions</span> <span class="c1"># Change to github action role arn</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># This is required for requesting the JWT</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="c1"># This is required for actions/checkout</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Docker Image</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check out code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v1-node16</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">${{ env.IAM_ROLE_ARN }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Login to Amazon ECR</span> <span class="na">id</span><span class="pi">:</span> <span class="s">login-ecr</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/amazon-ecr-login@v1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build, tag, and push image to Amazon ECR</span> <span class="na">env</span><span class="pi">:</span> <span class="na">ECR_REGISTRY</span><span class="pi">:</span> <span class="s">${{ steps.login-ecr.outputs.registry }}</span> <span class="na">ECR_REPOSITORY</span><span class="pi">:</span> <span class="s">app-prod-myproject</span> <span class="c1"># namespace-stage-name</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$GITHUB_REF_NAME -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .</span> <span class="s">docker image push -a $ECR_REGISTRY/$ECR_REPOSITORY</span> <span class="na">terraform</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">defaults</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Check out code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v1-node16</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">${{ env.IAM_ROLE_ARN }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ env.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup Terraform</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">terraform_version</span><span class="pi">:</span> <span class="s">1.4.1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Init</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">./terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform init</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan</span> <span class="na">id</span><span class="pi">:</span> <span class="s">plan</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">./terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform plan -var="image_tag=$GITHUB_REF_NAME"</span> <span class="na">continue-on-error</span><span class="pi">:</span> <span class="no">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Plan Status</span> <span class="na">if</span><span class="pi">:</span> <span class="s">steps.plan.outcome == 'failure'</span> <span class="na">run</span><span class="pi">:</span> <span class="s">exit </span><span class="m">1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Apply</span> <span class="na">working-directory</span><span class="pi">:</span> <span class="s">./terraform</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform apply -var="image_tag=$GITHUB_REF_NAME" -auto-approve</span> </code></pre> </div> <p>I believe the pipeline jobs and steps within are quite self explanatory and I will not go into details. I will mention though the important parts. Replace the <code>AWS_REGION</code> and <code>IAM_ROLE_ARN</code> environment values with your AWS region and the <code>github_actions_role_arn</code> value that you copied earlier from the terraform output.</p> <p>In the <code>build</code> job, under the <code>steps</code>, change the <code>ECR_REPOSITORY</code> value with the values you set for the <code>namespace</code>, <code>stage</code> and <code>name</code> in the <code>variables.tf</code> file.</p> <p>That's it! Commit everything, create a tag and push to GitHub. Now go to your repository in GitHub and click on the "Actions" tab. If everything was setup correctly you should see that the "Build and deploy with terraform" workflow has been started or it's starting.</p> <p>After the deployment pipeline has finished successfully try again to access the ALB DNS in the browser. You should now see "Hello World!". If you still get a <code>503</code>, give it a few minutes. It's possible that the Task did not start yet. Otherwise, for troubleshooting, go the the ECS/Cluster/{cluster name}/Services in the AWS Console and check the followings:</p> <ul> <li>At least 1 Task is in running state</li> <li>Unhealthy targets in the Target Groups</li> <li>The "Deployments and events" tab</li> <li>The logs under the "Logs" tab or in CloudWatch</li> <li>The application is starting successfully and responds within the 200-399 http code range</li> </ul> <p>Awesome, you made it! I hope it was easy to follow along. I tried to keep it simple and to the point as possible.</p> <p>If, at this point, you want to delete the AWS resources created by terraform, run terraform destroy.</p> <p>Additionally, If you want your website to be accessible under your custom domain, go to your DNS provider, e.g. GoDaddy and create a CNAME Record pointing to the ALB DNS. If your DNS is managed by Route 53 create an Alias (A) record pointing to the ALB DNS.</p> <p>And finally, you can check the full code example in this repo: <a href="https://github.com/vladbogdan10/deploy-web-app-on-aws-with-terraform-and-github-actions">deploy-web-app-on-aws-with-terraform-and-github-actions</a></p> <p>Check the original <a href="https://thedevops.world/guide-to-deploy-a-web-app-on-aws-with-terraform-and-github-actions-eMbeI">article</a>. I will soon post the following articles there:</p> <ul> <li>Create an SSL certificate with AWS Certificate Manager and enable HTTPS</li> <li>Setting up AWS CloudFront CDN for your website.</li> <li>ECS autoscaling</li> </ul> aws ecs terraform githubactions