UNPKG

@povio/ecs-deploy-cli

Version:

Use this tool to deploy a Docker image to ECR and ECS with CI or manually.

github.com/povio/ecs-deploy-cli

povio/ecs-deploy-cli

286 lines (210 loc) 7.61 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
# ECS Deploy CLI Use this tool to deploy a Docker image to ECR and ECS with CI or manually. Features: - Environment and SSM credentials storage conventions - GitHub Actions pipeline example - Cross-platform (made with TypeScript/Javascript, external requirements: `git`, `docker`) Examples: - [NestJs](./examples/nestjs) Docker and Pipeline # Usage ```bash yarn add @povio/ecs-deploy-cli ``` ## Configure ### .config/${STAGE}.ecs-deploy.yaml ```yaml accountId: "000000000000" region: us-east-1 taskFamily: myapp-dev-backend serviceName: myapp-dev-backend clusterName: myapp-dev # build and upload to ecr with `ecs-deploy build backend --stage dev` build: - name: backend repoName: myapp-backend #context: ./test #dockerfile: Dockerfile platform: linux/amd64 # Docker Buildx Bake support #bakeFile: "./docker-bake.hcl" #bakeTarget: "backend" # optional: specific target environmentValues: # resolved at build time - name: RELEASE valueFrom: "func:release" - name: BUILD_TIMESTAMP valueFrom: "func:timestamp" - name: BUILD_ENV_VAR_1 value: "static value" # deploy to ecs with `ecs-deploy deploy --stage dev` taskDefinition: - name: default # resolved at deploy time, requires SSM access template: arn:aws:ssm:::parameter/myapp-dev/backend/task-definition containerDefinitions: - name: backend # name of build above or any other docker path image: backend # inserted into task definition and resolved at deploy time environmentValues: - name: DEPLOY_TIMESTAMP valueFrom: "func:timestamp" - name: TASK_ENV_VAR_1 value: "static value" # inserted into task definition and resolved at task init secrets: STAGE2: arn:aws:ssm:::parameter/myapp-dev/backend/task-definition # resolved at runtime using `ecs-deploy config backend --stage dev` configs: - name: backend destination: ./.config/myapp-dev.backend.yml # optional template, to diff the resolved data from template: values: # load config from ./.config/${stage}.backend.template.yml # and interpolate ${arn:aws:ssm..} and ${env:ENV_VALUE} values # load them onto the root - name: "@" configFrom: backend.template - name: "@" configFrom: backend.override optional: true # simple value mapping - name: database__password valueFrom: arn:aws:ssm:::parameter/myapp-dev/database/password # JSON object mapping - name: database valueFrom: arn:aws:ssm:::parameter/myapp-dev/database - name: database__host valueFrom: env:DATABASE_HOST ``` ### Example Where `configFrom: backend.template` and the config file is `.config/${stage}.backend.template.yml`: ```yaml stage: ${func:stage} release: ${func:release} database: username: myapp2 password: ${arn:aws:ssm:::parameter/myapp-dev/database/password} debug: ${env:DEBUG} ``` the output will be at the set destination, for example `./.config/myapp-dev.backend.yml`: ```yaml database: username: myapp2 password: the-password-from-ssm debug: the-value-from-the-environment ``` ## Run ```bash yarn ecs-deploy --help # Build a new image from the current git commit and push to ECR yarn ecs-deploy build <name> --stage my-stage # Push an existing image to ECR (tag of image needs to be the same as RELEASE or the git commit hash ) # yarn ecs-deploy push <name> --stage my-stage # Deploy the task definition to ECS yarn ecs-deploy deploy [name] --stage my-stage # Deploy and clean up old unused image tags older than 30 days yarn ecs-deploy deploy [name] --stage my-stage --untagUnused --days 30 # Generate a config script yarn ecs-deploy bootstrap [name] --stage my-stage ``` ## Run Options Descriptions for useful flags. Use `--help` for a comprehensive list. #### --ignoreGitChanges Use this flag while debugging the build. This might have unintended consequences - never deploy a build made using this flag. (build only) #### --skipEcrExistsCheck Speed up builds if you know the ECR image does not exist. (build only) #### --skipPush Only build the image. Useful for testing. #### --buildx Use [docker buildx](https://docs.docker.com/buildx/working-with-buildx/) to build on ARM / Apple M1. #### Docker Buildx Bake Support Enable Docker Buildx Bake by adding `bake-file` to your build configuration: ```yaml build: - name: backend repoName: myapp-backend bake-file: "./docker-bake.hcl" bake-target: "api-final" # optional: specific target, otherwise builds all ``` When `bake-file` is present, the CLI automatically: - Uses `docker buildx bake` instead of standard Docker build - Sets `--set "*.tags=<generated-tag>"` to override all image tags - Supports HCL, JSON, and YAML bake files - Optionally targets specific bake targets #### --watch In CI, wait for ecs-deploy to complete. This could take a while so set a timeout on the CI. #### --untagUnused Clean up old unused image tags from ECR repositories after deployment. This will remove tags that are older than the specified number of days (default: 30) while preserving the currently deployed image and the newly deployed image. #### --days Specify the number of days to keep image tags when using `--untagUnused`. Tags older than this number of days will be removed (default: 30). #### --untagPrefix Only untag images whose tags start with this prefix. Providing this argument overrides `build.prefix` property in config. #### untag Standalone command to untag images. ## Required AWS IAM Permissions To use all features of this CLI (build, push, deploy, untag, describe, etc.), your IAM user/role needs the following permissions: ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage", "ecr:BatchDeleteImage", "ecs:DescribeServices", "ecs:UpdateService", "ecs:DescribeTaskDefinition", "ecs:RegisterTaskDefinition", "ecs:ListTasks", "ecs:DescribeTasks" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "*" } ] } ``` **Notes:** - You may scope `Resource` to specific ARNs for tighter security. - If you use SSM for secrets or task definitions, SSM permissions are required. ## How it works The build script builds and pushes a Docker image to ECR. The deploy script generates a ECS task definition using a template stored on SSM and deploys it to ECS. The bootstrap script generates a config script with resolved values from SSM and environment variables. <img src="./docs/arch-overview.svg"> ## Development ### Test locally Set up `./test/.config/myapp-dev.ecs-deploy.yml` with credentials to do a E2E test. ```bash # alias for `ecs-deploy` while developing yarn start build backend --cwd ./test --stage myapp-dev yarn start bootstrap --stage myapp-dev --verbose --pwd ./test yarn test:watch ``` ### Release Set new version in `package.json`. ```bash yarn build ```