diff --git a/.circleci/test-deploy.yml b/.circleci/test-deploy.yml index ce0afaf3..4e5c323a 100644 --- a/.circleci/test-deploy.yml +++ b/.circleci/test-deploy.yml @@ -11,7 +11,7 @@ filters: &filters jobs: pytest: docker: - - image: cimg/python:3.7.9 + - image: cimg/python:3.10.4 steps: - checkout - restore_cache: @@ -36,8 +36,17 @@ jobs: test-fargatespot: docker: - image: cimg/base:stable + parameters: + profile-name: + type: string + default: 'default' + role-arn: + type: string + default: '' steps: - - aws-cli/setup + - aws-cli/setup: + profile-name: << parameters.profile-name >> + role-arn: << parameters.role-arn >> - jq/install - run: name: Get cluster info @@ -59,7 +68,7 @@ jobs: --cluster "${AWS_RESOURCE_NAME_PREFIX_FARGATE}-cluster" \ --capacity-providers FARGATE FARGATE_SPOT \ --default-capacity-provider-strategy capacityProvider=FARGATE,weight=1 \ - --region ${AWS_DEFAULT_REGION} + --region ${AWS_REGION} - run: name: Register task definition command: | @@ -78,7 +87,7 @@ jobs: security-group-ids: $SECURITY_GROUP_IDS_FETCHED build-test-app: docker: - - image: cimg/go:1.18.1 + - image: cimg/go:1.19 parameters: docker-image-namespace: description: "The namespace in which the built Docker image will be published" @@ -118,11 +127,24 @@ jobs: parameters: terraform-image: type: string - default: hashicorp/terraform:1.1.9 + default: "hashicorp/terraform:1.1.9" aws-resource-name-prefix: type: string terraform-config-dir: type: string + profile-name: + type: string + default: 'default' + role-arn: + type: string + default: '' + aws-access-key-id: + type: env_var_name + default: AWS_ACCESS_KEY_ID + aws-secret-access-key: + type: env_var_name + default: AWS_SECRET_ACCESS_KEY + docker: - image: << parameters.terraform-image >> steps: 
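Review bot: The `aws-access-key-id` and `aws-secret-access-key` parameters added to set-up-test-env in the last hunk are declared but never referenced: the terraform plan in the following hunk (@@ -147) still reads `${AWS_ACCESS_KEY_ID}` and `${AWS_SECRET_ACCESS_KEY}` straight from the environment, so a caller who passes a different variable name gets no effect. Either wire them through, `-var "aws_access_key=${<< parameters.aws-access-key-id >>}"` and `-var "aws_secret_key=${<< parameters.aws-secret-access-key >>}"`, or drop the parameters. The same two unused parameters are added to tear-down-test-env in hunk @@ -293. The job's steps continue past the end of this hunk.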
@@ -134,6 +156,12 @@ jobs: circleci step halt fi - checkout + - when: + condition: << parameters.role-arn >> + steps: + - aws-cli/setup: + profile-name: << parameters.profile-name >> + role-arn: << parameters.role-arn >> - run: name: terraform init command: | @@ -147,7 +175,8 @@ jobs: -input=false \ -var "aws_access_key=${AWS_ACCESS_KEY_ID}" \ -var "aws_secret_key=${AWS_SECRET_ACCESS_KEY}" \ - -var "aws_region=${AWS_DEFAULT_REGION}" \ + -var "aws_session_token=${AWS_SESSION_TOKEN}" \ + -var "aws_region=${AWS_REGION}" \ -var "aws_account_id=${AWS_ACCOUNT_ID}" \ -var "aws_resource_prefix=<< parameters.aws-resource-name-prefix >>" \ -out tfplan @@ -183,14 +212,17 @@ jobs: description: "The profile name to use for AWS credentials" type: string default: "default" + role-arn: + type: string + default: '' steps: - checkout - setup_remote_docker - attach_workspace: at: workspace - aws-cli/setup: - aws-access-key-id: AWS_ACCESS_KEY_ID - aws-region: AWS_DEFAULT_REGION + profile-name: << parameters.profile-name >> + role-arn: << parameters.role-arn >> - run: name: Load image command: | 
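Review bot: When `role-arn` is non-empty the new `when` block runs `aws-cli/setup`, which presumably writes a named CLI profile, but the terraform plan in the next hunk (@@ -147) is still fed `${AWS_ACCESS_KEY_ID}`, `${AWS_SECRET_ACCESS_KEY}` and the newly added `${AWS_SESSION_TOKEN}` from the shell environment. Unless the aws-cli orb also exports the assumed-role credentials into the environment (not visible here), those values come from whatever static keys the context holds and `AWS_SESSION_TOKEN` may be empty, so terraform would not actually run under the assumed role; a run from a context with no static keys would confirm either way, and the same pattern is added to tear-down-test-env in hunk @@ -304. Separately, the `aws-cli/setup` in hunk @@ -183 (and the one in test-fargatespot, hunk @@ -36) omits `aws-region: AWS_REGION`, which the sibling setups in hunks @@ -229, @@ -254 and @@ -273 pass; with the file moving off `AWS_DEFAULT_REGION`, relying on the orb's default here looks accidental.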
@@ -201,15 +233,18 @@ jobs: echo 'export ECR_REPOSITORY_NAME="<< parameters.aws-resource-name-prefix >>"' >> $BASH_ENV echo 'export ECS_CLUSTER_NAME="<< parameters.aws-resource-name-prefix >>-cluster"' >> $BASH_ENV echo 'export ECS_SERVICE_NAME="<< parameters.aws-resource-name-prefix >>-service"' >> $BASH_ENV - echo 'export FULL_IMAGE_NAME="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${ECR_REPOSITORY_NAME}:${CIRCLE_SHA1}"' >> $BASH_ENV + echo 'export FULL_IMAGE_NAME="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPOSITORY_NAME}:${CIRCLE_SHA1}"' >> $BASH_ENV - run: name: Push image command: | - aws ecr get-login-password --region $AWS_DEFAULT_REGION --profile "<>" | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com + aws ecr get-login-password --region $AWS_REGION --profile "<>" | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com docker push $FULL_IMAGE_NAME - unless: condition: << parameters.skip-service-update >> steps: + - aws-cli/setup: + profile-name: << parameters.profile-name >> + role-arn: << parameters.role-arn >> - aws-ecs/update-service: family: "<< parameters.family-name >>" service-name: "<< parameters.service-name >>" @@ -229,11 +264,18 @@ jobs: family-name: description: "Family name" type: string + profile-name: + type: string + default: 'default' + role-arn: + type: string + default: '' steps: - checkout - aws-cli/setup: - aws-access-key-id: AWS_ACCESS_KEY_ID - aws-region: AWS_DEFAULT_REGION + profile-name: << parameters.profile-name >> + role-arn: << parameters.role-arn >> + aws-region: AWS_REGION - run: name: Get existing task definition command: | 
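Review bot: The `aws-cli/setup` added inside the `unless: skip-service-update` block repeats, with the same `profile-name` and `role-arn`, the setup that hunk @@ -183 already runs at the start of this job, and the ECR login a few lines above has just succeeded with that profile. If the second call is intended to re-assume the role because the first session may expire during the image load and push, say so with a comment such as `# re-run setup: the session from the first assume-role may have expired during the image push`; otherwise it is redundant and should be dropped. The job's steps continue past the end of this hunk.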
@@ -254,11 +296,19 @@ jobs: family-name: description: "Family name" type: string + profile-name: + description: "The profile name to use for AWS credentials" + type: string + default: "default" + role-arn: + type: string + default: '' steps: - checkout - aws-cli/setup: - aws-access-key-id: AWS_ACCESS_KEY_ID - aws-region: AWS_DEFAULT_REGION + role-arn: << parameters.role-arn >> + profile-name: << parameters.profile-name >> + aws-region: AWS_REGION - run: name: Register task definition command: | @@ -273,11 +323,18 @@ jobs: family-name: description: "Family name" type: string + profile-name: + type: string + default: 'default' + role-arn: + type: string + default: '' steps: - checkout - aws-cli/setup: - aws-access-key-id: AWS_ACCESS_KEY_ID - aws-region: AWS_DEFAULT_REGION + profile-name: << parameters.profile-name >> + role-arn: << parameters.role-arn >> + aws-region: AWS_REGION - run: name: Deregister task definition command: | @@ -293,6 +350,18 @@ jobs: type: string terraform-config-dir: type: string + aws-access-key-id: + type: env_var_name + default: AWS_ACCESS_KEY_ID + aws-secret-access-key: + type: env_var_name + default: AWS_SECRET_ACCESS_KEY + profile-name: + type: string + default: 'default' + role-arn: + type: string + default: '' docker: - image: << parameters.terraform-image >> steps: @@ -304,6 +373,12 @@ jobs: circleci step halt fi - checkout + - when: + condition: << parameters.role-arn >> + steps: + - aws-cli/setup: + profile-name: << parameters.profile-name >> + role-arn: << parameters.role-arn >> - run: name: terraform init command: | 
@@ -317,15 +392,13 @@ jobs: if [ "$(terraform destroy -input=false -auto-approve \ -var "aws_access_key=${AWS_ACCESS_KEY_ID}" \ -var "aws_secret_key=${AWS_SECRET_ACCESS_KEY}" \ + -var "aws_session_token=${AWS_SESSION_TOKEN}" \ -var "aws_region=${AWS_DEFAULT_REGION}" \ -var "aws_account_id=${AWS_ACCOUNT_ID}" \ -var "aws_resource_prefix=<< parameters.aws-resource-name-prefix >>" > /dev/null; echo $?)" -ne 0 ]; then - - echo "retrying terraform destroy" - terraform destroy \ - -input=false \ - -auto-approve \ + echo "Retrying terraform destroy" + terraform destroy -input=false -auto-approve \ -var "aws_access_key=${AWS_ACCESS_KEY_ID}" \ -var "aws_secret_key=${AWS_SECRET_ACCESS_KEY}" \ -var "aws_region=${AWS_DEFAULT_REGION}" \ @@ -365,14 +438,14 @@ workflows: parameters: executor: [linux, mac] filters: *filters - ################# - # Fargate - ################# + # ################# + # # Fargate + # ################# - build-test-app: name: fargate_build-test-app - docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com" + docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" docker-image-name: "${AWS_RESOURCE_NAME_PREFIX_FARGATE}:${CIRCLE_SHA1}" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] filters: *filters - set-up-test-env: name: fargate_set-up-test-env @@ -381,7 +454,8 @@ workflows: - fargate_build-test-app aws-resource-name-prefix: ${AWS_RESOURCE_NAME_PREFIX_FARGATE} terraform-config-dir: "tests/terraform_setup/fargate" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - test-service-update: name: fargate_test-update-service-command filters: *filters 
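Review bot: Both `terraform destroy` invocations in tear-down-test-env still pass `-var "aws_region=${AWS_DEFAULT_REGION}"`, while the matching plan in set-up-test-env (hunk @@ -147) was switched to `${AWS_REGION}`; if the new context populates only `AWS_REGION`, destroy runs against an empty region and the test resources are left behind. The retry invocation also lacks the `-var "aws_session_token=${AWS_SESSION_TOKEN}" \` line that this hunk adds to the first attempt, so a retry under temporary credentials would fail authentication where the first attempt did not. Change both region lines to `-var "aws_region=${AWS_REGION}" \` and add the session-token line to the retry. The enclosing `if` block continues past the end of the hunk.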
@@ -390,9 +464,10 @@ workflows: aws-resource-name-prefix: ${AWS_RESOURCE_NAME_PREFIX_FARGATE} family-name: "${AWS_RESOURCE_NAME_PREFIX_FARGATE}-service" service-name: "${AWS_RESOURCE_NAME_PREFIX_FARGATE}-service" - docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com" + docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" docker-image-name: "${AWS_RESOURCE_NAME_PREFIX_FARGATE}:${CIRCLE_SHA1}" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - aws-ecs/deploy-service-update: name: fargate_test-update-service-job docker-image-for-job: cimg/python:3.10.4 @@ -400,7 +475,7 @@ workflows: requires: - fargate_test-update-service-command aws-access-key-id: AWS_ACCESS_KEY_ID - aws-region: AWS_DEFAULT_REGION + aws-region: AWS_REGION profile-name: "ECS_TEST_PROFILE" family: "${AWS_RESOURCE_NAME_PREFIX_FARGATE}-service" cluster: "${AWS_RESOURCE_NAME_PREFIX_FARGATE}-cluster" @@ -410,7 +485,8 @@ workflows: verify-revision-is-deployed: true max-poll-attempts: 40 poll-interval: 10 - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" post-steps: - test-deployment: service-name: "${AWS_RESOURCE_NAME_PREFIX_FARGATE}-service" @@ -422,7 +498,7 @@ workflows: requires: - fargate_test-update-service-job aws-access-key-id: AWS_ACCESS_KEY_ID - aws-region: AWS_DEFAULT_REGION + aws-region: AWS_REGION profile-name: "ECS_TEST_PROFILE" family: "${AWS_RESOURCE_NAME_PREFIX_FARGATE}-service" cluster: "${AWS_RESOURCE_NAME_PREFIX_FARGATE}-cluster" @@ -433,7 +509,8 @@ workflows: verify-revision-is-deployed: true max-poll-attempts: 40 poll-interval: 10 - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - tear-down-test-env: name: fargate_tear-down-test-env filters: *filters 
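Review bot: The `fargate_test-update-service-job` invocation keeps `aws-access-key-id: AWS_ACCESS_KEY_ID` and `profile-name: "ECS_TEST_PROFILE"` in hunk @@ -400 while hunk @@ -410 adds `role-arn`; per the job definition in this commit (src/jobs/deploy-service-update.yml), a non-empty `role-arn` selects the OIDC branch and the static-key parameter is never used, so leaving it in suggests both are required. Drop `aws-access-key-id` here and in the sibling invocation at hunks @@ -422/@@ -433, as the codedeploy invocations later in the diff already do. The same role ARN literal is pasted into roughly twenty job invocations; a pipeline parameter or an anchor next to `filters: &filters` would make a role change a one-line edit. Since the role is now assumed via OIDC, it is also worth confirming that its trust policy pins the token's `sub` claim to this project rather than the whole organization (not visible here).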
@@ -442,16 +519,17 @@ workflows: - test-fargatespot aws-resource-name-prefix: ${AWS_RESOURCE_NAME_PREFIX_FARGATE} terraform-config-dir: "tests/terraform_setup/fargate" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - ################# - # EC2 - ################# + # ################# + # # EC2 + # ################# - build-test-app: name: ec2_build-test-app - docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com" + docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" docker-image-name: "${AWS_RESOURCE_NAME_PREFIX_EC2}:${CIRCLE_SHA1}" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] filters: *filters - set-up-test-env: name: ec2_set-up-test-env 
@@ -460,35 +538,38 @@ workflows: - ec2_build-test-app aws-resource-name-prefix: ${AWS_RESOURCE_NAME_PREFIX_EC2} terraform-config-dir: "tests/terraform_setup/ec2" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - set-up-run-task-test: name: ec2_set-up-run-task-test filters: *filters requires: - ec2_set-up-test-env family-name: "${AWS_RESOURCE_NAME_PREFIX_EC2}-sleep360" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - aws-ecs/run-task: name: ec2_run-task-test filters: *filters requires: - ec2_set-up-run-task-test cluster: "${AWS_RESOURCE_NAME_PREFIX_EC2}-cluster" - aws-region: AWS_DEFAULT_REGION + aws-region: AWS_REGION task-definition: "${AWS_RESOURCE_NAME_PREFIX_EC2}-sleep360" launch-type: "EC2" awsvpc: false run-task-output: "run-task-output.json" overrides: '{"containerOverrides":[{"name": "${INTERPOLATION_TEST}", "memory": 512}]}' - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - tear-down-run-task-test: name: ec2_tear-down-run-task-test filters: *filters requires: - ec2_run-task-test family-name: ${AWS_RESOURCE_NAME_PREFIX_EC2}-sleep360 - context: [CPE_ORBS_AWS] - + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - test-service-update: name: ec2_test-update-service-command filters: *filters 
@@ -497,25 +578,28 @@ workflows: aws-resource-name-prefix: ${AWS_RESOURCE_NAME_PREFIX_EC2} family-name: "${AWS_RESOURCE_NAME_PREFIX_EC2}-family" service-name: "${AWS_RESOURCE_NAME_PREFIX_EC2}-service" - docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com" + docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" docker-image-name: "${AWS_RESOURCE_NAME_PREFIX_EC2}:${CIRCLE_SHA1}" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - test-task-definition-update: name: ec2_test-task-definition-update family-name: "${AWS_RESOURCE_NAME_PREFIX_EC2}-family" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" filters: *filters requires: - ec2_test-update-service-command - aws-ecs/deploy-service-update: name: ec2_test-update-service-job docker-image-for-job: cimg/python:3.10.4 - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" filters: *filters requires: - ec2_test-task-definition-update aws-access-key-id: AWS_ACCESS_KEY_ID - aws-region: AWS_DEFAULT_REGION + aws-region: AWS_REGION family: "${AWS_RESOURCE_NAME_PREFIX_EC2}-family" service-name: "${AWS_RESOURCE_NAME_PREFIX_EC2}-service" cluster: "${AWS_RESOURCE_NAME_PREFIX_EC2}-cluster" @@ -527,7 +611,6 @@ workflows: service-name: "${AWS_RESOURCE_NAME_PREFIX_EC2}-service" cluster: "${AWS_RESOURCE_NAME_PREFIX_EC2}-cluster" test-asterisk-expansion: true - - tear-down-test-env: name: ec2_tear-down-test-env filters: *filters 
@@ -536,15 +619,17 @@ workflows: - ec2_tear-down-run-task-test aws-resource-name-prefix: ${AWS_RESOURCE_NAME_PREFIX_EC2} terraform-config-dir: "tests/terraform_setup/ec2" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - # ################# - # # FargateSpot - # ################# + ################# + # FargateSpot + ################# - test-fargatespot: - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] filters: *filters + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" requires: - fargate_set-up-test-env @@ -553,9 +638,9 @@ workflows: ################# - build-test-app: name: codedeploy_fargate_build-test-app - docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com" + docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" docker-image-name: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}:${CIRCLE_SHA1}" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] filters: *filters - set-up-test-env: name: codedeploy_fargate_set-up-test-env @@ -565,7 +650,8 @@ workflows: terraform-image: "hashicorp/terraform:1.1.9" aws-resource-name-prefix: ${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE} terraform-config-dir: "tests/terraform_setup/fargate_codedeploy" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" - test-service-update: name: codedeploy_fargate_test-update-service-command filters: *filters 
@@ -574,21 +660,21 @@ workflows: aws-resource-name-prefix: ${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE} family-name: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service" service-name: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service" - docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com" + docker-image-namespace: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" docker-image-name: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}:${CIRCLE_SHA1}" + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" skip-service-update: true - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] - aws-ecs/deploy-service-update: name: codedeploy_fargate_test-update-service-job docker-image-for-job: cimg/python:3.10.4 filters: *filters requires: - codedeploy_fargate_test-update-service-command - aws-access-key-id: AWS_ACCESS_KEY_ID - aws-region: AWS_DEFAULT_REGION + aws-region: AWS_REGION family: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service" cluster: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-cluster" - container-image-name-updates: "container=${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service,image-and-tag=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}:${CIRCLE_SHA1}" + container-image-name-updates: "container=${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service,image-and-tag=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}:${CIRCLE_SHA1}" container-env-var-updates: 'container=${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service,name=VERSION_INFO,value="${CIRCLE_SHA1}_${CIRCLE_BUILD_NUM}",container=${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service,name=BUILD_DATE,value=$(date)' deployment-controller: "CODE_DEPLOY" codedeploy-application-name: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-codedeployapp" 
@@ -599,7 +685,8 @@ workflows: codedeploy-capacity-provider-base: "1" codedeploy-capacity-provider-weight: "2" verify-revision-is-deployed: false - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" post-steps: - wait-for-codedeploy-deployment: application-name: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-codedeployapp" @@ -611,15 +698,15 @@ workflows: - aws-ecs/deploy-service-update: name: codedeploy_fargate_test-update-and-wait-service-job docker-image-for-job: cimg/python:3.10.4 - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" filters: *filters requires: - codedeploy_fargate_test-update-service-job - aws-access-key-id: AWS_ACCESS_KEY_ID - aws-region: AWS_DEFAULT_REGION + aws-region: AWS_REGION family: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service" cluster: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-cluster" - container-image-name-updates: "container=${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service,image-and-tag=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}:${CIRCLE_SHA1}" + container-image-name-updates: "container=${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service,image-and-tag=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}:${CIRCLE_SHA1}" container-env-var-updates: 'container=${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service,name=VERSION_INFO,value="${CIRCLE_SHA1}_${CIRCLE_BUILD_NUM}",container=${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-service,name=BUILD_DATE,value=$(date)' deployment-controller: "CODE_DEPLOY" codedeploy-application-name: "${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE}-codedeployapp" 
@@ -643,7 +730,8 @@ workflows: terraform-image: "hashicorp/terraform:1.1.9" aws-resource-name-prefix: ${AWS_RESOURCE_NAME_PREFIX_CODEDEPLOY_FARGATE} terraform-config-dir: "tests/terraform_setup/fargate_codedeploy" - context: [CPE_ORBS_AWS] + context: [CPE-OIDC] + role-arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST" filters: *filters - orb-tools/pack: filters: *filters diff --git a/README.MD b/README.MD index e1a0617a..001aec62 100644 --- a/README.MD +++ b/README.MD 
@@ -1,52 +1,25 @@ -# AWS ECS Orb for CircleCI +# AWS ECS Orb -[![CircleCI Build Status](https://circleci.com/gh/CircleCI-Public/aws-ecs-orb.svg?style=shield "CircleCI Build Status")](https://circleci.com/gh/CircleCI-Public/aws-ecs-orb) [![CircleCI Orb Version](https://img.shields.io/badge/endpoint.svg?url=https://badges.circleci.io/orb/circleci/aws-ecs)](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) [![GitHub License](https://img.shields.io/badge/license-MIT-lightgrey.svg)](https://raw.githubusercontent.com/CircleCI-Public/aws-ecs-orb/master/LICENSE) [![CircleCI Community](https://img.shields.io/badge/community-CircleCI%20Discuss-343434.svg)](https://discuss.circleci.com/c/ecosystem/orbs) +[![CircleCI Build Status](https://circleci.com/gh/CircleCI-Public/aws-ecs-orb.svg?style=shield "CircleCI Build Status")](https://circleci.com/gh/CircleCI-Public/aws-ecs-orb) [![CircleCI Orb Version](https://img.shields.io/badge/endpoint.svg?url=https://badges.circleci.io/orb/circleci/aws-ecs)](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) [![GitHub License](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/CircleCI-Public/aws-ecs-orb/master/LICENSE) [![CircleCI Community](https://img.shields.io/badge/community-CircleCI%20Discuss-343434.svg)](https://discuss.circleci.com/c/ecosystem/orbs) A CircleCI Orb to simplify deployments to Amazon Elastic Container Service (ECS). Supports EC2 and Fargate launch type deployments. -## Features - -This orb allows convenient updating of ECS services when only the Docker -image name/tag and/or environment variables in a service's container definitions need to be updated. 
-A sample project that demonstrates using the orb is available on this GitHub repository branch: https://github.com/CircleCI-Public/circleci-demo-aws-ecs-ecr - ## Resources [CircleCI Orb Registry Page](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) - The official registry page of this orb for all versions, executors, commands, and jobs described. -[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration) - Docs for using and creating CircleCI Orbs. - -## Usage - -See the [orb registry listing](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) for usage guidelines. -## Requirements -- `python` should be available in `PATH`. Supported versions are Python 2 version 2.7.1 and above and Python 3 version 3.4.9 and above. -- The `aws` CLI should be available in `PATH`. Otherwise, `pip` is required to be available as the job will then attempt to install `aws` via `pip`. The default profile of `aws` will be used. -- `bash` to be present in `/bin/bash`. Otherwise, `/bin/sh` will be used, but the orb has not been tested for compatibility with other shells. - -## How to Contribute +[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration) - Docs for using and creating CircleCI Orbs. -We welcome [issues](https://github.com/CircleCI-Public/aws-ecs-orb/issues) to and [pull requests](https://github.com/CircleCI-Public/aws-ecs-orb/pulls) against this repository! +### Examples -For internal contributors, please view the development docs: [here](https://github.com/CircleCI-Public/aws-ecs-orb/tree/master/dev-docs) +Please visit the [orb registry listing](https://circleci.com/orbs/registry/orb/circleci/aws-ecs) for usage examples and guidelines. -### How to Publish -* Create and push a branch with your new features. -* When ready to publish a new production version, create a Pull Request from fore _feature branch_ to `master`. 
-* The title of the pull request must contain a special semver tag: `[semver:]` where `` is replaced by one of the following values. -| Increment | Description| -| ----------| -----------| -| major | Issue a 1.0.0 incremented release| -| minor | Issue a x.1.0 incremented release| -| patch | Issue a x.x.1 incremented release| -| skip | Do not issue a release| -Example: `[semver:major]` +### How to Contribute -* Squash and merge. Ensure the semver tag is preserved and entered as a part of the commit message. -* On merge, after manual approval, the orb will automatically be published to the Orb Registry. +We welcome [issues](https://github.com/CircleCI-Public/aws-ecs-orb/issues) to and [pull requests](https://github.com/CircleCI-Public/aws-ecs-orb/pulls) against this repository! For further questions/comments about this or other orbs, visit the Orb Category of [CircleCI Discuss](https://discuss.circleci.com/c/orbs). diff --git a/src/commands/update-service.yml b/src/commands/update-service.yml index 188a5e50..bed2c4f7 100644 --- a/src/commands/update-service.yml +++ b/src/commands/update-service.yml @@ -72,7 +72,7 @@ parameters: container-secret-updates: description: > Use this to update or set the values of secret variables that will be defined for the containers. - (Existing secrets variables not included in this parameter will not beremoved) + (Existing secrets variables not included in this parameter will not be removed) Expected format: container=,name=,valueFrom=,container=...,name=...,valueFrom=..., diff --git a/src/examples/deploy-ecs-scheduled-task.yml b/src/examples/deploy-ecs-scheduled-task.yml new file mode 100644 index 00000000..78f5691b --- /dev/null +++ b/src/examples/deploy-ecs-scheduled-task.yml 
@@ -0,0 +1,29 @@ +description: | + Use the AWS CLI and this orb to deploy an ECS Scheduled Task Rule after updating a task definition. + The update-task-definition or update-task-definition-from-json command must be run first. +usage: + version: 2.1 + orbs: + aws-cli: circleci/aws-cli@3.1 + aws-ecs: circleci/aws-ecs@3.2 + jobs: + deploy-scheduled-task: + docker: + - image: cimg/python:3.10 + steps: + - aws-cli/setup: + # This example uses CircleCI's OpenID Connect Token to generate temporary AWS keys + role-arn: "arn:aws:iam::123456789012:role/OIDC_ARN" + aws-region: AWS_REGION + profile-name: "OIDC-PROFILE" + session-duration: 3600 + role-session-name: "example-session-name" + - aws-ecs/update-task-definition-from-json: + task-definition-json: my-app-definition.json + - aws-ecs/deploy-ecs-scheduled-task: + rule-name: "example-rule" + workflows: + deploy: + jobs: + - deploy-scheduled-task: + context: [CircleCI_OIDC_Token] diff --git a/src/examples/deploy-service-update.yml b/src/examples/deploy-service-update.yml index 7af08c66..1c08d27f 100644 --- a/src/examples/deploy-service-update.yml +++ b/src/examples/deploy-service-update.yml @@ -2,13 +2,13 @@ description: Update an ECS service. usage: version: 2.1 orbs: - aws-ecr: circleci/aws-ecr@6.15 - aws-ecs: circleci/aws-ecs@2.0.0 + aws-ecr: circleci/aws-ecr@8.1 + aws-ecs: circleci/aws-ecs@3.2 workflows: build-and-deploy: jobs: - aws-ecr/build-and-push-image: - account-url: AWS_ECR_ACCOUNT_URL + registry-id: AWS_ECR_REGISTRY_ID repo: '${MY_APP_PREFIX}' region: AWS_REGION tag: '${CIRCLE_SHA1}' diff --git a/src/examples/run-task-ec2.yml b/src/examples/run-task-ec2.yml index 97112aff..f7b49885 100644 --- a/src/examples/run-task-ec2.yml +++ b/src/examples/run-task-ec2.yml 
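Review bot: `session-duration: 3600` is an unquoted integer, but the `session-duration` parameter this commit adds to the orb's own jobs is declared `type: string` with default `"3600"`; if the aws-cli orb's `setup` declares it the same way, CircleCI's parameter type check rejects the integer, so write `session-duration: "3600"`. The same unquoted value appears in the update-service, update-task-definition-from-json and verify-revision-deplopyment examples further down. `context: [CircleCI_OIDC_Token]` would also benefit from a comment, since readers may assume the context holds credentials: `# a context is required for CircleCI to inject the OIDC token; it need not contain any AWS keys`.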
@@ -2,11 +2,11 @@ description: Start the run of an ECS task on EC2. usage: version: 2.1 orbs: - aws-ecs: circleci/aws-ecs@2.0 + aws-ecs: circleci/aws-ecs@3.2 jobs: run-task: docker: - - image: cimg/python:3.9.1 + - image: cimg/python:3.10 steps: - aws-ecs/run-task: cluster: cluster1 diff --git a/src/examples/run-task-fargate-spot.yml b/src/examples/run-task-fargate-spot.yml index bf059e33..4c48a498 100644 --- a/src/examples/run-task-fargate-spot.yml +++ b/src/examples/run-task-fargate-spot.yml @@ -5,11 +5,11 @@ description: > usage: version: 2.1 orbs: - aws-ecs: circleci/aws-ecs@2.0 + aws-ecs: circleci/aws-ecs@3.2 jobs: run-task: docker: - - image: cimg/python:3.9.1 + - image: cimg/python:3.10 steps: - aws-ecs/run-task: cluster: $CLUSTER_NAME diff --git a/src/examples/run-task-fargate.yml b/src/examples/run-task-fargate.yml index 451db5d2..d8628026 100644 --- a/src/examples/run-task-fargate.yml +++ b/src/examples/run-task-fargate.yml @@ -2,11 +2,11 @@ description: Start the run of an ECS task on Fargate. usage: version: 2.1 orbs: - aws-ecs: circleci/aws-ecs@2.0 + aws-ecs: circleci/aws-ecs@3.2 jobs: run-task: docker: - - image: cimg/python:3.9.1 + - image: cimg/python:3.10 steps: - aws-ecs/run-task: cluster: cluster1 diff --git a/src/examples/update-service.yml b/src/examples/update-service.yml index 05a124f9..5577c2c9 100644 --- a/src/examples/update-service.yml +++ b/src/examples/update-service.yml 
@@ -4,18 +4,20 @@ description: | usage: version: 2.1 orbs: - aws-cli: circleci/aws-cli@1.3 - aws-ecs: circleci/aws-ecs@2.0 + aws-cli: circleci/aws-cli@3.1 + aws-ecs: circleci/aws-ecs@3.2 jobs: update-tag: docker: - - image: cimg/python:3.9.1 + - image: cimg/python:3.10 steps: - aws-cli/setup: - # If these values have not been modified from their default, they do not need to be included. - aws-access-key-id: AWS_SECRET_ACCESS_KEY - aws-secret-access-key: AWS_DEFAULT_REGION - aws-region: AWS_DEFAULT_REGION + # This example uses CircleCI's OpenID Connect Token to generate temporary AWS keys + role-arn: "arn:aws:iam::123456789012:role/OIDC_ARN" + aws-region: AWS_REGION + profile-name: "OIDC-PROFILE" + session-duration: 3600 + role-session-name: "example-session-name" - aws-ecs/update-service: family: '${MY_APP_PREFIX}-service' cluster: '${MY_APP_PREFIX}-cluster' @@ -23,4 +25,5 @@ usage: workflows: deploy: jobs: - - update-tag + - update-tag: + context: [CircleCI_OIDC_Token] diff --git a/src/examples/update-task-definition-from-json.yml b/src/examples/update-task-definition-from-json.yml index d91a3098..68a531f6 100644 --- a/src/examples/update-task-definition-from-json.yml +++ b/src/examples/update-task-definition-from-json.yml 
@@ -2,17 +2,24 @@ description: Use the AWS CLI and this orb to create a new ECS task definition ba usage: version: 2.1 orbs: - aws-cli: circleci/aws-cli@1.3 - aws-ecs: circleci/aws-ecs@2.0 + aws-cli: circleci/aws-cli@3.1 + aws-ecs: circleci/aws-ecs@3.2 jobs: update-tag: docker: - - image: cimg/python:3.9.1 + - image: cimg/python:3.10 steps: - aws-cli/setup: - # If these values have not been modified from their default, they do not need to be included. - aws-access-key-id: AWS_SECRET_ACCESS_KEY - aws-secret-access-key: AWS_DEFAULT_REGION - aws-region: AWS_DEFAULT_REGION + # This example uses CircleCI's OpenID Connect Token to generate temporary AWS keys + role-arn: "arn:aws:iam::123456789012:role/OIDC_ARN" + aws-region: AWS_REGION + profile-name: "OIDC-PROFILE" + session-duration: 3600 + role-session-name: "example-session-name" - aws-ecs/update-task-definition-from-json: task-definition-json: my-app-definition.json + workflows: + deploy: + jobs: + - update-tag: + context: [CircleCI_OIDC_Token] diff --git a/src/examples/verify-revision-deplopyment.yml b/src/examples/verify-revision-deplopyment.yml index 4df54911..572b1fa2 100644 --- a/src/examples/verify-revision-deplopyment.yml +++ b/src/examples/verify-revision-deplopyment.yml 
@@ -2,18 +2,20 @@ description: Verify the deployment of an ECS revision. usage: version: 2.1 orbs: - aws-cli: circleci/aws-cli@1.3 - aws-ecs: circleci/aws-ecs@2.0 + aws-cli: circleci/aws-cli@3.1 + aws-ecs: circleci/aws-ecs@3.2 jobs: verify-deployment: docker: - - image: cimg/python:3.9.1 + - image: cimg/python:3.10 steps: - aws-cli/setup: - # If they are included, they configure the "default" profile, which is specified below. - aws-access-key-id: AWS_SECRET_ACCESS_KEY - aws-secret-access-key: AWS_DEFAULT_REGION - aws-region: AWS_DEFAULT_REGION + # This example uses CircleCI's OpenID Connect Token to generate temporary AWS keys + role-arn: "arn:aws:iam::123456789012:role/OIDC_ARN" + aws-region: AWS_REGION + profile-name: "OIDC-PROFILE" + session-duration: 3600 + role-session-name: "example-session-name" - run: name: Get last task definition command: > @@ -31,4 +33,5 @@ usage: workflows: test-workflow: jobs: - - verify-deployment + - verify-deployment: + context: [CircleCI_OIDC_Token] diff --git a/src/jobs/deploy-service-update.yml b/src/jobs/deploy-service-update.yml index b65e01b2..98b4132a 100644 --- a/src/jobs/deploy-service-update.yml +++ b/src/jobs/deploy-service-update.yml 
@@ -21,11 +21,25 @@ parameters: aws-region: description: AWS region to operate in. Set this to the name of the environment variable you will use to hold this value, i.e. AWS_DEFAULT_REGION. type: env_var_name - default: AWS_DEFAULT_REGION + default: AWS_REGION profile-name: description: AWS profile name to be configured. type: string default: '' + role-arn: + description: | + The Amazon Resource Name (ARN) of the role that the caller is assuming. + Role ARN must be configured for web identity. + type: string + default: "" + role-session-name: + description: An identifier for the assumed role session. Environment varaibles will be evaluated. + type: string + default: ${CIRCLE_JOB} + session-duration: + description: The duration of the session in seconds + type: string + default: "3600" family: description: Name of the task definition's family. type: string @@ -235,11 +249,23 @@ parameters: default: '' steps: - - aws-cli/setup: - aws-access-key-id: << parameters.aws-access-key-id >> - aws-secret-access-key: << parameters.aws-secret-access-key >> - aws-region: << parameters.aws-region >> - profile-name: << parameters.profile-name >> + - when: + condition: <> + steps: + - aws-cli/setup: + role-arn: <> + profile-name: <> + session-duration: <> + aws-region: <> + role-session-name: <> + - unless: + condition: <> + steps: + - aws-cli/setup: + aws-access-key-id: << parameters.aws-access-key-id >> + aws-secret-access-key: << parameters.aws-secret-access-key >> + aws-region: << parameters.aws-region >> + profile-name: << parameters.profile-name >> - update-service: family: << parameters.family >> cluster: << parameters.cluster >> diff --git a/src/jobs/run-task.yml b/src/jobs/run-task.yml index 3a87c9ec..395f43ac 100755 --- a/src/jobs/run-task.yml +++ b/src/jobs/run-task.yml 
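Review bot: The `aws-region` description still names `AWS_DEFAULT_REGION` as the example variable while the default on the next line moves to `AWS_REGION`; update the description to match (the run-task and update-task-definition-from-json jobs later in the diff have the same mismatch), and fix `varaibles` in the `role-session-name` description. `role-session-name` defaults to `${CIRCLE_JOB}`, but AWS only accepts session names matching `[\w+=,.@-]` of 2–64 characters, so a job `name:` containing a slash, space or other character makes the assume-role call fail validation; document that in the description, e.g. `Must match [\w+=,.@-] and be 2-64 characters; override when the job name does not.` In the steps hunk, `profile-name` keeps its `''` default and is now passed into the OIDC `aws-cli/setup` branch; if the aws-cli orb writes the assumed-role profile under that literal name, an empty profile name is worth checking rather than assuming it falls back to `default`.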
@@ -21,11 +21,25 @@ parameters: aws-region: description: AWS region to operate in. Set this to the name of the environment variable you will use to hold this value, i.e. AWS_DEFAULT_REGION. type: env_var_name - default: AWS_DEFAULT_REGION + default: AWS_REGION profile-name: description: AWS profile name to be configured. type: string default: '' + role-arn: + description: | + The Amazon Resource Name (ARN) of the role that the caller is assuming. + Role ARN must be configured for web identity. + type: string + default: "" + role-session-name: + description: An identifier for the assumed role session + type: string + default: ${CIRCLE_JOB} + session-duration: + description: The duration of the session in seconds + type: string + default: "3600" cluster: description: The name or ARN of the cluster on which to run the task. type: string @@ -155,11 +169,23 @@ parameters: type: string default: '' steps: - - aws-cli/setup: - aws-access-key-id: << parameters.aws-access-key-id >> - aws-secret-access-key: << parameters.aws-secret-access-key >> - aws-region: << parameters.aws-region >> - profile-name: << parameters.profile-name >> + - when: + condition: <> + steps: + - aws-cli/setup: + role-arn: <> + profile-name: <> + session-duration: <> + aws-region: <> + role-session-name: <> + - unless: + condition: <> + steps: + - aws-cli/setup: + aws-access-key-id: << parameters.aws-access-key-id >> + aws-secret-access-key: << parameters.aws-secret-access-key >> + aws-region: << parameters.aws-region >> + profile-name: << parameters.profile-name >> - run-task: cluster: << parameters.cluster >> task-definition: << parameters.task-definition >> diff --git a/src/jobs/update-task-definition-from-json.yml b/src/jobs/update-task-definition-from-json.yml index db418c29..a53e103c 100644 --- a/src/jobs/update-task-definition-from-json.yml +++ b/src/jobs/update-task-definition-from-json.yml 
@@ -20,7 +20,21 @@ parameters: aws-region: description: AWS region to operate in. Set this to the name of the environment variable you will use to hold this value, i.e. AWS_DEFAULT_REGION. type: env_var_name - default: AWS_DEFAULT_REGION + default: AWS_REGION + role-arn: + description: | + The Amazon Resource Name (ARN) of the role that the caller is assuming. + Role ARN must be configured for web identity. + type: string + default: "" + role-session-name: + description: An identifier for the assumed role session + type: string + default: ${CIRCLE_JOB} + session-duration: + description: The duration of the session in seconds + type: string + default: "3600" profile-name: description: AWS profile name to be configured. type: string @@ -38,11 +52,23 @@ parameters: description: The name of the scheduled task's rule to update. Must be a valid ECS Rule. type: string steps: - - aws-cli/setup: - aws-access-key-id: << parameters.aws-access-key-id >> - aws-secret-access-key: << parameters.aws-secret-access-key >> - aws-region: << parameters.aws-region >> - profile-name: << parameters.profile-name >> + - when: + condition: <> + steps: + - aws-cli/setup: + role-arn: <> + profile-name: <> + session-duration: <> + aws-region: <> + role-session-name: <> + - unless: + condition: <> + steps: + - aws-cli/setup: + aws-access-key-id: << parameters.aws-access-key-id >> + aws-secret-access-key: << parameters.aws-secret-access-key >> + aws-region: << parameters.aws-region >> + profile-name: << parameters.profile-name >> - update-task-definition-from-json: task-definition-json: << parameters.task-definition-json >> profile-name: << parameters.profile-name >> diff --git a/src/jobs/update-task-definition.yml b/src/jobs/update-task-definition.yml index 5a1b1375..ebc517a4 100644 --- a/src/jobs/update-task-definition.yml +++ b/src/jobs/update-task-definition.yml 
@@ -21,7 +21,21 @@ parameters: aws-region: description: AWS region to operate in. Set this to the name of the environment variable you will use to hold this value, i.e. AWS_DEFAULT_REGION. type: env_var_name - default: AWS_DEFAULT_REGION + default: AWS_REGION + role-arn: + description: | + The Amazon Resource Name (ARN) of the role that the caller is assuming. + Role ARN must be configured for web identity. + type: string + default: "" + role-session-name: + description: An identifier for the assumed role session + type: string + default: ${CIRCLE_JOB} + session-duration: + description: The duration of the session in seconds + type: string + default: "3600" profile-name: description: AWS profile name to be configured. type: string @@ -98,11 +112,23 @@ parameters: description: The name of the scheduled task's rule to update. Must be a valid ECS Rule. type: string steps: - - aws-cli/setup: - aws-access-key-id: << parameters.aws-access-key-id >> - aws-secret-access-key: << parameters.aws-secret-access-key >> - aws-region: << parameters.aws-region >> - profile-name: << parameters.profile-name >> + - when: + condition: <> + steps: + - aws-cli/setup: + role-arn: <> + profile-name: <> + session-duration: <> + aws-region: <> + role-session-name: <> + - unless: + condition: <> + steps: + - aws-cli/setup: + aws-access-key-id: << parameters.aws-access-key-id >> + aws-secret-access-key: << parameters.aws-secret-access-key >> + aws-region: << parameters.aws-region >> + profile-name: << parameters.profile-name >> - update-task-definition: family: << parameters.family >> container-image-name-updates: << parameters.container-image-name-updates >> diff --git a/tests/terraform_setup/ec2/terraform.tf b/tests/terraform_setup/ec2/terraform.tf index 38bceae4..b35d60ac 100644 --- a/tests/terraform_setup/ec2/terraform.tf +++ b/tests/terraform_setup/ec2/terraform.tf 
@@ -16,6 +16,7 @@ terraform { provider "aws" { access_key = var.aws_access_key secret_key = var.aws_secret_key + token = var.aws_session_token region = var.aws_region } diff --git a/tests/terraform_setup/ec2/variables.tf b/tests/terraform_setup/ec2/variables.tf index ac4bb689..cfc8a18f 100644 --- a/tests/terraform_setup/ec2/variables.tf +++ b/tests/terraform_setup/ec2/variables.tf @@ -1,9 +1,10 @@ variable "aws_access_key" {} variable "aws_secret_key" {} variable "aws_account_id" {} +variable "aws_session_token" {} variable "aws_region" { description = "AWS region e.g. us-east-1" } variable "aws_resource_prefix" { description = "Prefix to be used in the naming of the created AWS resources e.g. ecs-ec2" -} \ No newline at end of file +} diff --git a/tests/terraform_setup/fargate/terraform.tf b/tests/terraform_setup/fargate/terraform.tf index 0235fef9..d18e082f 100644 --- a/tests/terraform_setup/fargate/terraform.tf +++ b/tests/terraform_setup/fargate/terraform.tf @@ -16,6 +16,7 @@ terraform { provider "aws" { access_key = var.aws_access_key secret_key = var.aws_secret_key + token = var.aws_session_token region = var.aws_region } diff --git a/tests/terraform_setup/fargate/variables.tf b/tests/terraform_setup/fargate/variables.tf index ee712217..df711d0e 100644 --- a/tests/terraform_setup/fargate/variables.tf +++ b/tests/terraform_setup/fargate/variables.tf @@ -1,9 +1,10 @@ variable "aws_access_key" {} variable "aws_secret_key" {} variable "aws_account_id" {} +variable "aws_session_token" {} variable "aws_region" { description = "AWS region e.g. us-east-1 (Please specify a region supported by the Fargate launch type)" } variable "aws_resource_prefix" { description = "Prefix to be used in the naming of the created AWS resources e.g. ecs-fargate" -} \ No newline at end of file +} diff --git a/tests/terraform_setup/fargate_codedeploy/terraform.tf b/tests/terraform_setup/fargate_codedeploy/terraform.tf index 369231f7..08d7132f 100644 
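Review bot: `variable "aws_session_token" {}` in the variables.tf hunks (ec2 and fargate here, fargate_codedeploy in the next file) holds a credential but is not marked sensitive, so nothing prevents its value from appearing in plan or apply output if it is ever interpolated into a resource; declare it `variable "aws_session_token" { sensitive = true }` and consider the same for `aws_secret_key`, since Terraform 0.14+ supports the attribute. The AWS provider also reads `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` from the environment by itself, so routing the token through `-var` is only needed to keep the explicit `provider "aws"` block, and values passed with `-var` are recorded in any saved plan file, which is one more place the token lands. The `token = var.aws_session_token` line itself is correct and consistent across the three provider blocks.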
--- a/tests/terraform_setup/fargate_codedeploy/terraform.tf +++ b/tests/terraform_setup/fargate_codedeploy/terraform.tf @@ -16,6 +16,7 @@ terraform { provider "aws" { access_key = var.aws_access_key secret_key = var.aws_secret_key + token = var.aws_session_token region = var.aws_region } diff --git a/tests/terraform_setup/fargate_codedeploy/variables.tf b/tests/terraform_setup/fargate_codedeploy/variables.tf index 9edc0989..0cabe726 100644 --- a/tests/terraform_setup/fargate_codedeploy/variables.tf +++ b/tests/terraform_setup/fargate_codedeploy/variables.tf @@ -1,6 +1,7 @@ variable "aws_access_key" {} variable "aws_secret_key" {} variable "aws_account_id" {} +variable "aws_session_token" {} variable "aws_region" { description = "AWS region e.g. us-east-1 (Please specify a region supported by the Fargate launch type)" }