Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create ECS Task container from Docker image in central AWS account (cross AWS account access) #119

Merged
merged 23 commits into from
Nov 28, 2024
Merged

Create ECS Task container from Docker image in central AWS account (cross AWS account access) #119

merged 23 commits into from
Nov 28, 2024

Conversation

kunduso
Copy link
Owner

@kunduso kunduso commented Nov 27, 2024
edited
Loading

This PR closes #114. This is part 2 of the PR where the ECS Task container points to a Docker image stored in the central AWS account.

kunduso added 23 commits November 1, 2024 22:37
@kunduso
update readme with blue-green deployment pattern use case
1c3ae91
@kunduso
commented out ecr to create it in central aws account
8d2db99
@kunduso
create ecr resource in central aws account
e27bde0
@kunduso
comment out deploy stage and add role for central account
4ee20fb
@kunduso
updated statefile storage
1eefbd1
@kunduso
do not trigger for changes in the tf folder
65ff6e0
@kunduso
added paths and updated working directory
1195502
@kunduso
corrected environment
955d788
@kunduso
added policy for ecr repo
ccf660a
@kunduso
added kms key and policy for ecr
8af7f00
@kunduso
added pipeline to deploy ecr and kms key to central aws account
3dbbefa
@kunduso
fixed workflow error
277f445
@kunduso
corrected working directory
0613274
@kunduso
fix checkov scan results
53aff04
@kunduso
Merge branch 'main' into central-ecr
6ed833d
@kunduso
updated to support traditional ecs deployment
57fde8d
@kunduso
update resource reference
fda29b3
@kunduso
added cross account access policy
c0bb521
@kunduso
update deployment process to ecs
696c75b
@kunduso
comment out code deploy resource to support ecs deploy
54367d2
@kunduso
Merge branch 'main' into central-ecr
68dcb2e
@kunduso
Merge branch 'main' into central-ecr
7bc2550
@kunduso
fix for CKV_AWS_355
9700426
@kunduso kunduso self-assigned this Nov 27, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 27, 2024
edited
Loading

💰 Infracost report

Monthly estimate generated

This comment will be updated when code changes.

@github-actions GitHub Actions
Copy link

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

Show Plan 

terraform
data.aws_caller_identity.current: Reading...
aws_service_discovery_http_namespace.namespace: Refreshing state... [id=ns-cc5i7ykaj67ppst3]
aws_kms_key.custom_kms_key: Refreshing state... [id=ef68e503-5cdd-4baf-9547-3d39d0e4a0c8]
aws_vpc.this: Refreshing state... [id=vpc-0177cbea506968866]
aws_ecr_repository.image_repo: Refreshing state... [id=app-6]
data.aws_caller_identity.current: Read complete after 0s [id=743794601996]
aws_kms_alias.key: Refreshing state... [id=alias/app-6]
aws_kms_key_policy.encrypt_app: Refreshing state... [id=ef68e503-5cdd-4baf-9547-3d39d0e4a0c8]
aws_secretsmanager_secret.ecs_secret: Refreshing state... [id=arn:aws:secretsmanager:us-east-2:743794601996:secret:ecs_secret-xyMvld]
aws_cloudwatch_log_group.logs: Refreshing state... [id=/amazon-ecs/app-6/log]
aws_secretsmanager_secret_version.ecs_secret_version: Refreshing state... [id=arn:aws:secretsmanager:us-east-2:743794601996:secret:ecs_secret-xyMvld|terraform-20241127212311942500000001]
aws_ecs_cluster.app_cluster: Refreshing state... [id=arn:aws:ecs:us-east-2:743794601996:cluster/app-6]
aws_route_table.this_rt: Refreshing state... [id=rtb-0ee63cd483cdda2a6]
aws_default_security_group.default: Refreshing state... [id=sg-0e90b718d992b31ea]
aws_vpc_endpoint.s3: Refreshing state... [id=vpce-08ac7d43bbc3bb49d]
aws_security_group.container_sg: Refreshing state... [id=sg-011020866225de511]
aws_lb_target_group.target_group: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-2:743794601996:targetgroup/app-6/0937522383c54be0]
aws_internet_gateway.this_igw: Refreshing state... [id=igw-0c1c35cd1eebdf561]
aws_subnet.private[1]: Refreshing state... [id=subnet-09b612ab68f8cf06d]
aws_subnet.private[0]: Refreshing state... [id=subnet-0da40b020a8b8fca6]
aws_security_group.custom_sg: Refreshing state... [id=sg-0f503030dfa8c9ef8]
aws_security_group.endpoint_sg: Refreshing state... [id=sg-0318f588f4818e5cf]
aws_subnet.public[1]: Refreshing state... [id=subnet-0ba781f8c180ec1c5]
aws_route_table.this_rt_private: Refreshing state... [id=rtb-076c0decdd5557da1]
aws_subnet.public[0]: Refreshing state... [id=subnet-0265de33fcbcc74bf]
aws_route.internet_route: Refreshing state... [id=r-rtb-0ee63cd483cdda2a61080289494]
aws_security_group_rule.egress_container: Refreshing state... [id=sgrule-4292562398]
aws_security_group_rule.ingress_load_balancer: Refreshing state... [id=sgrule-2183468127]
aws_security_group_rule.ingress_container: Refreshing state... [id=sgrule-1962334996]
aws_security_group_rule.egress_load_balancer: Refreshing state... [id=sgrule-4047886860]
aws_security_group_rule.ingress_vpc_endpoint: Refreshing state... [id=sgrule-993827166]
aws_vpc_endpoint.ecr: Refreshing state... [id=vpce-0eda08325c5d33c42]
aws_vpc_endpoint.cloudwatch: Refreshing state... [id=vpce-0accdb89f1535e6c5]
aws_vpc_endpoint.ecr_api: Refreshing state... [id=vpce-07314797ccaba5e5f]
aws_vpc_endpoint.secrets_manager: Refreshing state... [id=vpce-0a6cf8ee910b8e883]
aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-0dfbe27f944a69c10]
aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-05abae80d12bb9a36]
aws_vpc_endpoint_route_table_association.s3_association: Refreshing state... [id=a-vpce-08ac7d43bbc3bb49d1013104409]
aws_lb.app_lb: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-2:743794601996:loadbalancer/app/app-6/dd3117db6f42b247]
aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-068a2547cce99ca0d]
aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-01e8adeb6b52b7d82]
aws_alb_listener.listener: Refreshing state... [id=arn:aws:elasticloadbalancing:us-east-2:743794601996:listener/app/app-6/dd3117db6f42b247/97befa50e51ff9bc]
aws_ssm_parameter.infra_output: Refreshing state... [id=/app-6/output]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # aws_ecr_repository.image_repo will be destroyed
  # (because aws_ecr_repository.image_repo is not in configuration)
  - resource "aws_ecr_repository" "image_repo" {
      - arn                  = "arn:aws:ecr:us-east-2:743794601996:repository/app-6" -> null
      - id                   = "app-6" -> null
      - image_tag_mutability = "IMMUTABLE" -> null
      - name                 = "app-6" -> null
      - registry_id          = "743794601996" -> null
      - repository_url       = "743794601996.dkr.ecr.us-east-2.amazonaws.com/app-6" -> null
      - tags                 = {} -> null
      - tags_all             = {
          - "Source" = "https://github.com/kunduso/add-aws-ecr-ecs-fargate"
        } -> null

      - encryption_configuration {
          - encryption_type = "KMS" -> null
          - kms_key         = "arn:aws:kms:us-east-2:743794601996:key/ef68e503-5cdd-4baf-9547-3d39d0e4a0c8" -> null
        }

      - image_scanning_configuration {
          - scan_on_push = true -> null
        }
    }

Plan: 0 to add, 0 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: TFplan.JSON

To perform exactly these actions, run the following command to apply:
    terraform apply "TFplan.JSON"

Pushed by: @kunduso, Action: pull_request

@github-actions GitHub Actions
Copy link

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖failure

Terraform Validation 🤖success

Show Plan 

terraform
data.aws_ssm_parameter.infra_output: Reading...
data.aws_caller_identity.current: Reading...
data.aws_caller_identity.current: Read complete after 0s [id=743794601996]
data.aws_ssm_parameter.infra_output: Read complete after 0s [id=/app-6/output]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # aws_ecs_task_definition.web_app will be created
  + resource "aws_ecs_task_definition" "web_app" {
      + arn                      = (known after apply)
      + arn_without_revision     = (known after apply)
      + container_definitions    = (sensitive value)
      + cpu                      = "1024"
      + execution_role_arn       = (known after apply)
      + family                   = "app-6"
      + id                       = (known after apply)
      + memory                   = "3072"
      + network_mode             = "awsvpc"
      + requires_compatibilities = [
          + "FARGATE",
        ]
      + revision                 = (known after apply)
      + skip_destroy             = false
      + tags_all                 = {
          + "Source" = "https://github.com/kunduso/add-aws-ecr-ecs-fargate"
        }
      + task_role_arn            = (known after apply)
      + track_latest             = false

      + runtime_platform {
          + cpu_architecture        = "X86_64"
          + operating_system_family = "LINUX"
        }
    }

  # aws_iam_policy.ecr_access_policy will be created
  + resource "aws_iam_policy" "ecr_access_policy" {
      + arn         = (known after apply)
      + description = "Policy to allow ECR image pulling and KMS decryption"
      + id          = (known after apply)
      + name        = "ecr-access-policy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "ecr:GetAuthorizationToken",
                          + "ecr:BatchCheckLayerAvailability",
                          + "ecr:GetDownloadUrlForLayer",
                          + "ecr:BatchGetImage",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:ecr:us-east-2:076680484948:repository/*"
                    },
                  + {
                      + Action   = [
                          + "kms:Decrypt",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:kms:us-east-2:076680484948:key/*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Source" = "https://github.com/kunduso/add-aws-ecr-ecs-fargate"
        }
    }

  # aws_iam_policy.secrets_manager_read_policy will be created
  + resource "aws_iam_policy" "secrets_manager_read_policy" {
      + arn         = (known after apply)
      + description = "IAM policy for ECS Fargate to access Secrets Manager secrets and decrypt it."
      + id          = (known after apply)
      + name        = "app-6-ecs-fargate-secrets-manager-access"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = (sensitive value)
      + policy_id   = (known after apply)
      + tags_all    = {
          + "Source" = "https://github.com/kunduso/add-aws-ecr-ecs-fargate"
        }
    }

  # aws_iam_role.ecs_task_execution_role will be created
  + resource "aws_iam_role" "ecs_task_execution_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ecs-tasks.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "app-6-task-execution-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = {
          + "Source" = "https://github.com/kunduso/add-aws-ecr-ecs-fargate"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # aws_iam_role.ecs_task_role will be created
  + resource "aws_iam_role" "ecs_task_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Condition = {
                          + ArnLike      = {
                              + "aws:SourceArn" = "arn:aws:ecs:us-east-2:743794601996:*"
                            }
                          + StringEquals = {
                              + "aws:SourceAccount" = "743794601996"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ecs-tasks.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "app-6-task-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = {
          + "Source" = "https://github.com/kunduso/add-aws-ecr-ecs-fargate"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # aws_iam_role_policy_attachment.attach_ecr_access_task_execution_role will be created
  + resource "aws_iam_role_policy_attachment" "attach_ecr_access_task_execution_role" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "app-6-task-execution-role"
    }

  # aws_iam_role_policy_attachment.attach_secrets_read_task_execution_role will be created
  + resource "aws_iam_role_policy_attachment" "attach_secrets_read_task_execution_role" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "app-6-task-execution-role"
    }

  # aws_iam_role_policy_attachment.attach_secrets_read_task_role will be created
  + resource "aws_iam_role_policy_attachment" "attach_secrets_read_task_role" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "app-6-task-role"
    }

  # aws_iam_role_policy_attachment.custom will be created
  + resource "aws_iam_role_policy_attachment" "custom" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
      + role       = "app-6-task-execution-role"
    }

Plan: 9 to add, 0 to change, 0 to destroy.

Pushed by: @kunduso, Action: pull_request

@kunduso kunduso merged commit a134504 into main Nov 28, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@kunduso kunduso

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Separate out the ECR repository into the Central AWS account
1 participant
@kunduso