Deploy Container Service
In this deployment we create the service-related resources, which depend on the base resources. This guide has two parts:
- Deploying the service in AWS
- Configuring the application repository to build and push the image
Infrastructure as Code Repository
An active engagement with OPStimus is required to access the GitHub repositories mentioned in this guide.
Using the contents of https://github.com/opstimus/client-aws-architecture-iac-service, set up a git repository in your organization named <project-slug>-iac-<service-name>.
Configure Terraform Backend
In the environment/prod directory, edit config.s3.tfbackend: set the S3 bucket name using your project account id, and update the key name according to the service name.
If you plan to deploy other environments such as dev and stg, duplicate the prod directory inside the environment directory for each of them, and update the backend and variables according to that environment's requirements.
Update Resource Definitions
Inside the repository, edit main.tf and update it according to the project requirements.
Edit terraform.tfvars and set the region, environment and other parameters that are specific to the environment.
Create IAM role for GitHub Workflow to Assume
In the project account:
- In the AWS console, go to IAM → Roles.
- Click Create role.
- Select Web identity and choose the GitHub identity provider in the dropdown.
- Fill in the repository and branch details (never leave them blank; every field left blank widens the set of repositories and branches whose workflows can assume this role) and click Next.
- Select the AWS managed permissions required for the deployment. Generally they are:
- AmazonEC2FullAccess
- IAMFullAccess
Both managed policies are broad; once the deployment is stable, consider replacing them with a policy scoped to the resources main.tf actually manages.
- Click Next and set the role name to <project-slug>-<env-slug>-iac-service.
- Update the role ARN in the cd-<env-slug>.yml.example workflow.
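The trust policy that the console steps above produce is what enforces the "never leave them blank" rule: the role's sub condition must pin both the repository and the branch. The script below is an added example, not code from this guide or from the OPStimus repositories. It builds such a policy and audits an existing one for the common weak shapes (no sub condition, or a sub that pins only the organization). The account id 123456789012, organization acme, repository acme-iac-api and branch main are constructed placeholders; the audience value is the one aws-actions/configure-aws-credentials requests by default.

```python
"""Build and audit the trust policy of a GitHub OIDC deploy role.

Added example; not part of the OPStimus guide or repositories. The account
id, organization, repository and branch values are constructed placeholders.
"""
import json

OIDC_HOST = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"  # audience aws-actions/configure-aws-credentials requests


def trust_policy(account_id: str, org: str, repo: str, branch: str) -> dict:
    """Equivalent of the console's Web identity + GitHub form with every field filled in."""
    if not (org and repo and branch):
        raise ValueError("organization, repository and branch must not be blank")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_HOST}:aud": AUDIENCE,
                # Only this repository, and only pushes to this branch, can assume the role.
                f"{OIDC_HOST}:sub": f"repo:{org}/{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }


def audit_trust_policy(policy: dict) -> list:
    """Findings for AssumeRoleWithWebIdentity statements broader than one repo + branch."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        aud = sub = None
        for operator, keys in stmt.get("Condition", {}).items():
            aud = keys.get(f"{OIDC_HOST}:aud", aud)
            if f"{OIDC_HOST}:sub" in keys:
                sub = (operator, keys[f"{OIDC_HOST}:sub"])
        if aud != AUDIENCE:
            findings.append(f"statement {i}: aud condition missing or not {AUDIENCE}")
        if sub is None:
            findings.append(f"statement {i}: no sub condition; any GitHub repository can assume the role")
            continue
        _operator, value = sub
        for v in value if isinstance(value, list) else [value]:
            parts = v.split(":", 2)  # ["repo", "org/repo", "ref:refs/heads/main"]
            repo = parts[1] if len(parts) > 1 else ""
            ref = parts[2] if len(parts) > 2 else ""
            if not repo or "*" in repo:
                findings.append(f"statement {i}: repository not pinned in sub {v!r}")
            if not ref or "*" in ref:
                findings.append(f"statement {i}: branch not pinned in sub {v!r}")
    return findings


# Constructed weak policy: the sub condition pins the organization only, so a
# workflow in any repository of that organization, on any branch, can assume the role.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{OIDC_HOST}:aud": AUDIENCE},
            "StringLike": {f"{OIDC_HOST}:sub": "repo:acme/*"},
        },
    }],
}

if __name__ == "__main__":
    good = trust_policy("123456789012", "acme", "acme-iac-api", "main")
    print(json.dumps(good, indent=2))
    print("pinned policy findings:", audit_trust_policy(good))
    print("weak policy findings:", audit_trust_policy(WEAK_POLICY))
```

To audit a role you already created, fetch its policy with the AWS CLI (`aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`) and pass the parsed JSON to audit_trust_policy; an empty list means the role is pinned to one repository and one branch.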
Application Repository
In this step you will set up your application repository and build the Docker image for the API service. The image is pushed to the ECR (Elastic Container Registry) repository created in the shared account. Once the image is pushed, the pipeline commits the new image tag to the <project-slug>-iac-<service-name> repository, which starts the deployment of the service.
To learn more about how to manage commits to trunk and create production releases, refer to Git Branching Strategy.
An active engagement with OPStimus is required to access the GitHub repositories mentioned in this guide.
Initialize a new git repository, or use an existing one in your organization, to build the Docker image. In this example we build the API service from https://github.com/opstimus/client-aws-architecture-service.
If you already have an application code repository, copy the .github directory and the Docker-related files into it.
GitHub Workflow
The GitHub workflow has two main steps:
- Build the Docker image and push it to ECR.
- Commit the new image tag to the IaC repository.
Personal Access Token
Create GitHub Service Account
To commit the image tag to the IaC repository, the workflow needs a GitHub service account with a personal access token, configured as a repository secret. Follow the steps in GitHub Service Account to create the service account. Scope the token to the IaC repository with only the permissions needed to push commits; it is the one long-lived credential in this pipeline.
Add Personal Access Token to Repository Secrets
To add the personal access token to the repository secrets:
- Go to your repository → Settings → Secrets and variables → Actions.
- Click New repository secret.
- Add the token with the name IAC_PAT and paste the token value.
- Click Add secret.
Workflow Configuration
Rename ci-<env-slug>.yml.example to ci-<env-slug>.yml in the .github/workflows directory and update the parameters below.
- aws_region: AWS region where the ECR is created.
- registry_aws_account_id: shared account id where the ECR is created.
- ecr_repository: ECR repository name.
- aws_ecr_iam_role_arn: ARN of the IAM role the workflow assumes for the ECR push.
In on.push.branches define the name of the trunk branch.
Get the IAM role ARN created as part of the ECR creation and set it in the ci-<env-slug>.yml workflow.
Run Deployment
In the IaC repository, after verifying the Terraform resource configuration, start the initial deployment by renaming cd-<env-slug>.yml.example to cd-<env-slug>.yml.