codepipeline (#30)

* codepipeline

codepipeline-demo/app/config/appspec.yaml

@@ -0,0 +1,10 @@
+version: 0.0
+Resources:
+  - TargetService:
+      Type: AWS::ECS::Service
+      Properties:
+        # <TASK_DEFINITION> will be replaced by codedeploy when the pipeline runs
+        TaskDefinition: "<TASK_DEFINITION>"
+        LoadBalancerInfo: 
+          ContainerName: demo
+          ContainerPort: 3000

codepipeline-demo/app/config/buildspec.yml

@@ -0,0 +1,21 @@
+version: 0.2
+
+phases:
+  pre_build:
+    commands:
+      - $(aws ecr get-login --no-include-email)
+  build:
+    commands:
+      - docker build -t $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$CODEBUILD_RESOLVED_SOURCE_VERSION .
+  post_build:
+    commands:
+      # push
+      - docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$CODEBUILD_RESOLVED_SOURCE_VERSION
+      # create new task definition
+      - ./create-new-task-def.sh $IMAGE_REPO_NAME
+      - ./set-network-configuration.sh $IMAGE_REPO_NAME
+
+artifacts:
+  files:
+    - 'appspec.yaml'
+    - 'taskdef.json'

codepipeline-demo/app/scripts/create-new-task-def.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -ex
+SERVICE_NAME=$1
+IMAGE_URI="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:$CODEBUILD_RESOLVED_SOURCE_VERSION"
+TASKDEF_NAME=$(aws ecs list-task-definitions |jq --raw-output '.taskDefinitionArns[] | select(contains("'${SERVICE_NAME}'"))' | tail -n1)
+CURRENT_TASKDEF=`aws ecs describe-task-definition --task-definition $TASKDEF_NAME`
+CURRENT_TASKDEF_CONTAINERDEF=`echo $CURRENT_TASKDEF| jq --raw-output ".taskDefinition.containerDefinitions"`
+TASKDEF_ROLE_ARN=`echo $CURRENT_TASKDEF| jq --raw-output ".taskDefinition.taskRoleArn"`
+EXECUTION_ROLE_ARN=`echo $CURRENT_TASKDEF| jq --raw-output ".taskDefinition.executionRoleArn"`
+TASKDEF=`echo $CURRENT_TASKDEF_CONTAINERDEF | jq ' [ .[] |  .image = "'${IMAGE_URI}'" ]'`
+CPU=$(echo $CURRENT_TASKDEF |jq -r '.taskDefinition.cpu')
+MEMORY=$(echo $CURRENT_TASKDEF |jq -r '.taskDefinition.memory')
+NETWORK_MODE=$(echo $CURRENT_TASKDEF |jq -r '.taskDefinition.networkMode')
+REQUIRES_COMPATIBILITIES=$(echo $CURRENT_TASKDEF |jq '.taskDefinition.requiresCompatibilities[]' | tr '\n' ',' | sed 's/.$//')
+echo '{"family": "'${SERVICE_NAME}'", "taskRoleArn": "'${TASKDEF_ROLE_ARN}'", "executionRoleArn": "'${EXECUTION_ROLE_ARN}'", "containerDefinitions": '$TASKDEF', "cpu": "'$CPU'", "memory": "'$MEMORY'", "requiresCompatibilities": ['$REQUIRES_COMPATIBILITIES'], "networkMode": "'${NETWORK_MODE}'" }' > taskdef.json
+#aws ecs register-task-definition --cli-input-json file://task-def-template.json.new > task-def-template.json.out
+#NEW_TASKDEF_ARN=`cat task-def-template.json.out |jq -r '.taskDefinition.taskDefinitionArn'`
+sed -i 's#$TASKDEF#'$NEW_TASKDEF_ARN'#' appspec.yaml

codepipeline-demo/app/scripts/set-network-configuration.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# set subnet, security groups, public ip
+SERVICE_NAME=$1
+CLUSTER_NAME=$1
+NETWORK_CONFIGURATION=$(aws ecs describe-services --services $SERVICE_NAME --cluster $CLUSTER_NAME |jq -r '.services[].networkConfiguration')
+SUBNETS=$(echo $NETWORK_CONFIGURATION |jq '.awsvpcConfiguration.subnets[]' | tr '\n' ',' | sed 's/.$//')
+SECURITY_GROUPS=$(echo $NETWORK_CONFIGURATION |jq '.awsvpcConfiguration.securityGroups[]' | tr '\n' ',' | sed 's/.$//')
+PUBLIC_IP=$(echo $NETWORK_CONFIGURATION |jq '.awsvpcConfiguration.assignPublicIp')
+sed -i 's/$SUBNETS/'$SUBNETS'/' appspec.yaml
+sed -i 's/$SECURITY_GROUPS/'$SECURITY_GROUPS'/' appspec.yaml
+sed -i 's/$PUBLIC_IP/'$PUBLIC_IP'/' appspec.yaml

codepipeline-demo/codedeploy.tf

@@ -0,0 +1,53 @@
+resource "aws_codedeploy_app" "demo" {
+  compute_platform = "ECS"
+  name             = "demo"
+}
+
+resource "aws_codedeploy_deployment_group" "demo" {
+  app_name               = aws_codedeploy_app.demo.name
+  deployment_config_name = "CodeDeployDefault.ECSAllAtOnce"
+  deployment_group_name  = "demo"
+  service_role_arn       = aws_iam_role.demo-codedeploy.arn
+
+  auto_rollback_configuration {
+    enabled = true
+    events  = ["DEPLOYMENT_FAILURE"]
+  }
+
+  blue_green_deployment_config {
+    deployment_ready_option {
+      action_on_timeout = "CONTINUE_DEPLOYMENT"
+    }
+
+    terminate_blue_instances_on_deployment_success {
+      action                           = "TERMINATE"
+      termination_wait_time_in_minutes = 5
+    }
+  }
+
+  deployment_style {
+    deployment_option = "WITH_TRAFFIC_CONTROL"
+    deployment_type   = "BLUE_GREEN"
+  }
+
+  ecs_service {
+    cluster_name = aws_ecs_cluster.demo.name
+    service_name = aws_ecs_service.demo.name
+  }
+
+  load_balancer_info {
+    target_group_pair_info {
+      prod_traffic_route {
+        listener_arns = [aws_lb_listener.demo.arn]
+      }
+
+      target_group {
+        name = aws_lb_target_group.demo-blue.name
+      }
+
+      target_group {
+        name = aws_lb_target_group.demo-green.name
+      }
+    }
+  }
+}

codepipeline-demo/codepipeline.tf

@@ -54,19 +54,19 @@ resource "aws_codepipeline" "demo" {
     name = "Deploy"
 
     action {
-      name            = "Deploy"
+      name            = "DeployToECS"
       category        = "Deploy"
       owner           = "AWS"
-      provider        = "ECS"
+      provider        = "CodeDeployToECS"
       input_artifacts = ["demo-docker-build"]
       version         = "1"
 
       configuration = {
-        ClusterName = "demo" # name of cluster
-        ServiceName = "demo" # name of service
+        ApplicationName                = aws_codedeploy_app.demo.name
+        DeploymentGroupName            = aws_codedeploy_deployment_group.demo.deployment_group_name
+        TaskDefinitionTemplateArtifact = "demo-docker-build"
+        AppSpecTemplateArtifact        = "demo-docker-build"
       }
-
-      role_arn = aws_iam_role.demo-codepipeline.arn
     }
   }
 }

codepipeline-demo/fargate-service.tf

@@ -44,6 +44,11 @@ resource "aws_ecs_service" "demo" {
   desired_count   = 1
   task_definition = aws_ecs_task_definition.demo.arn
   launch_type     = "FARGATE"
+  depends_on      = [aws_lb_listener.demo]
+
+  deployment_controller {
+    type = "CODE_DEPLOY"
+  }
 
   network_configuration {
     subnets          = slice(module.vpc.public_subnets, 1, 2)
@@ -52,13 +57,14 @@ resource "aws_ecs_service" "demo" {
   }
 
   load_balancer {
-    target_group_arn = aws_lb_target_group.demo.id
+    target_group_arn = aws_lb_target_group.demo-blue.id
     container_name   = "demo"
     container_port   = "3000"
   }
   lifecycle {
     ignore_changes = [
-      task_definition
+      task_definition,
+      load_balancer
     ]
   }
 }
@@ -69,6 +75,13 @@ resource "aws_security_group" "ecs-demo" {
   vpc_id      = module.vpc.vpc_id
   description = "ECS demo"
 
+  ingress {
+    from_port   = 3000
+    to_port     = 3000
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
   egress {
     from_port = 0
     to_port   = 0
@@ -78,3 +91,8 @@ resource "aws_security_group" "ecs-demo" {
     ]
   }
 }
+
+# logs
+resource "aws_cloudwatch_log_group" "demo" {
+  name = "demo"
+}

codepipeline-demo/iam-codebuild.tf

@@ -114,6 +114,17 @@ resource "aws_iam_role_policy" "demo-codebuild" {
         "*"
       ]
     }, 
+    {
+      "Sid": "ECS",
+      "Effect": "Allow",
+      "Action": [
+        "ecs:List*",
+        "ecs:Describe*"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }, 
     {
       "Effect": "Allow",
       "Action": [

codepipeline-demo/iam-codedeploy.tf

@@ -0,0 +1,86 @@
+resource "aws_iam_role" "demo-codedeploy" {
+  name = "demo-codedeploy"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "codedeploy.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+
+}
+
+data "aws_iam_policy_document" "demo-codedeploy-role-policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecs:DescribeServices",
+      "ecs:CreateTaskSet",
+      "ecs:UpdateServicePrimaryTaskSet",
+      "ecs:DeleteTaskSet",
+      "elasticloadbalancing:DescribeTargetGroups",
+      "elasticloadbalancing:DescribeListeners",
+      "elasticloadbalancing:ModifyListener",
+      "elasticloadbalancing:DescribeRules",
+      "elasticloadbalancing:ModifyRule",
+      "lambda:InvokeFunction",
+      "cloudwatch:DescribeAlarms",
+      "sns:Publish",
+      "s3:GetObject",
+      "s3:GetObjectVersion"
+    ]
+    resources = [
+      "*",
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:Get*",
+    ]
+    resources = [
+      "${aws_s3_bucket.demo-artifacts.arn}/*",
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:DescribeKey",
+      "kms:Decrypt",
+    ]
+    resources = [
+      aws_kms_key.demo-artifacts.arn
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "iam:PassRole"
+    ]
+    resources = [
+      aws_iam_role.ecs-task-execution-role.arn,
+      aws_iam_role.ecs-demo-task-role.arn,
+    ]
+    condition {
+      test     = "StringLike"
+      variable = "iam:PassedToService"
+      values   = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "demo-codedeploy" {
+  name   = "codedeploy-policy"
+  role   = aws_iam_role.demo-codedeploy.id
+  policy = data.aws_iam_policy_document.demo-codedeploy-role-policy.json
+}
+
+

codepipeline-demo/iam-codepipeline.tf

@@ -78,6 +78,7 @@ data "aws_iam_policy_document" "demo-codepipeline-role-policy" {
   statement {
     effect = "Allow"
     actions = [
+      "codedeploy:*",
       "ecs:*",
     ]
     resources = [
@@ -87,14 +88,18 @@ data "aws_iam_policy_document" "demo-codepipeline-role-policy" {
   statement {
     effect = "Allow"
     actions = [
-      "iam:PassRole",
+      "iam:PassRole"
     ]
     resources = [
       aws_iam_role.ecs-task-execution-role.arn,
       aws_iam_role.ecs-demo-task-role.arn,
     ]
+    condition {
+      test     = "StringLike"
+      variable = "iam:PassedToService"
+      values   = ["ecs-tasks.amazonaws.com"]
+    }
   }
-
 }
 
 resource "aws_iam_role_policy" "demo-codepipeline" {

codepipeline-demo/lb.tf

@@ -2,6 +2,7 @@ resource "aws_lb" "demo" {
   name                             = "demo"
   subnets                          = module.vpc.public_subnets
   load_balancer_type               = "network"
+  enable_cross_zone_load_balancing = true
 }
 
 resource "aws_lb_listener" "demo" {
@@ -10,13 +11,33 @@ resource "aws_lb_listener" "demo" {
   protocol          = "TCP"
 
   default_action {
-    target_group_arn = aws_lb_target_group.demo.id
+    target_group_arn = aws_lb_target_group.demo-blue.id
     type             = "forward"
   }
+  lifecycle {
+    ignore_changes = [
+      default_action,
+    ]
+  }
 }
 
-resource "aws_lb_target_group" "demo" {
-  name                 = "demo-http"
+resource "aws_lb_target_group" "demo-blue" {
+  name                 = "demo-http-blue"
+  port                 = "3000"
+  protocol             = "TCP"
+  target_type          = "ip"
+  vpc_id               = module.vpc.vpc_id
+  deregistration_delay = "30"
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    protocol            = "TCP"
+    interval            = 30
+  }
+}
+resource "aws_lb_target_group" "demo-green" {
+  name                 = "demo-http-green"
   port                 = "3000"
   protocol             = "TCP"
   target_type          = "ip"