
GitHub Actions for multiple Environments

I'm using GitHub to deploy a container-based application to multiple environments. I have two environments,

  1. Development
  2. Production

I'm building the application on both environments; this is my yml file:

name: 'Manual - Build & Deploy - Enterprise'

on:
  push:
    branches-ignore:
      - '**'

  workflow_dispatch:
    inputs:
      git-ref:
        description: Git Ref (Optional)
        default: develop
        required: false

      account:
        description: slb-dev, slb-prod
        default: slb-dev
        required: true

      environment:
        description: development (main, int, qs), production (v1_demo, v1_rosecity, demo)
        default: main
        required: false

      microservice:
        description: chroma, liquid, tenant, dashboard, lims, lims-simulator, client, logging, metrc
        default: chroma
        required: false

      builddir:
        description: MicroChromatographyService/MicroChromatographyService, MicroLiquidHandlingService/MicroLiquidHandlingService, MicroTenantService/MicroTenantService, MicroDashboardService/MicroDashboardService, LIMSIntegrationService/LIMSIntegrationService, LIMSSimulatorService/LIMSSimulatorService, IntegrationHubClientService/IntegrationHubClientService, PerkinElmer.LoggingService/PerkinElmer.LoggingService, MetRCReportService/MetRCReportService
        default: MicroChromatographyService/MicroChromatographyService
        required: false

jobs:
  setup:
    name: Setup ENV Variables
    runs-on: ubuntu-latest
    environment:
     name: dev
     url: https://dev.test.com
    steps:

    - name: Set Vars
      id: setvars
      run: |
          echo "::set-output name=APP_NAME::${{ github.event.inputs.microservice }}"
          echo "::set-output name=AWS_REGION::us-east-1"
          echo "::set-output name=SHA8::$(echo ${{ github.sha }} | cut -c1-8)"
          echo "::set-output name=BUILD_DIR::${{ github.event.inputs.builddir }}"
          echo "::set-output name=ECR_REPOSITORY::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
          echo "::set-output name=ECS_CLUSTER::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}"
          echo "::set-output name=ECS_SERVICE::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
          echo "::set-output name=ECS_TASK_DEFINITION::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"
          echo "::set-output name=ECS_TASK_DEFINITION_FILE::task-definition-${{ github.event.inputs.microservice }}.json"
          echo "::set-output name=ECS_CONTAINER_NAME::${{ github.event.inputs.account }}-${{ github.event.inputs.environment }}-${{ github.event.inputs.microservice }}"

    outputs:
      APP_NAME: ${{ steps.setvars.outputs.APP_NAME }}
      AWS_REGION: ${{ steps.setvars.outputs.AWS_REGION }}
      SHA8: ${{ steps.setvars.outputs.SHA8 }}
      BUILD_DIR: ${{ steps.setvars.outputs.BUILD_DIR }}
      ECR_REPOSITORY: ${{ steps.setvars.outputs.ECR_REPOSITORY }}
      ECS_CLUSTER: ${{ steps.setvars.outputs.ECS_CLUSTER }}
      ECS_SERVICE: ${{ steps.setvars.outputs.ECS_SERVICE }}
      ECS_TASK_DEFINITION: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION }}
      ECS_TASK_DEFINITION_FILE: ${{ steps.setvars.outputs.ECS_TASK_DEFINITION_FILE }}
      ECS_CONTAINER_NAME: ${{ steps.setvars.outputs.ECS_CONTAINER_NAME }}
      

  DeployDev:
    name: Deploy to Dev 
    needs: setup
    runs-on: ubuntu-latest
    permissions:
     packages: write
     contents: write
     id-token: write
    environment: 
      name: dev
      url: 'http://dev.myapp.com'
    steps:
    - name: Set Environments
      run: |
        if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
          echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
          echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
        fi

        if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
          echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
          echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
        fi

    - name: Clone Repository (Current branch)
      uses: actions/checkout@v2
      if: github.event.inputs.git-ref == ''

    - name: Clone Repository (Custom Ref)
      uses: actions/checkout@v2
      if: github.event.inputs.git-ref != ''
      with:
        ref: ${{ github.event.inputs.git-ref }}

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ needs.setup.outputs.AWS_REGION }}

    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1

    - name: Build, tag, and push image to Amazon ECR
      id: build-image
      env:
        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
        IMAGE_TAG: ${{ github.sha }}
      run: |
        cd ${{ needs.setup.outputs.BUILD_DIR }}
        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
        echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

    - name: Download task definition
      run: |
        aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}

    - name: Fill in the new image ID in the Amazon ECS task definition
      id: task-def
      uses: aws-actions/amazon-ecs-render-task-definition@v1
      with:
        task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
        container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
        image: ${{ steps.build-image.outputs.image }}

    - name: Deploy Amazon ECS task definition
      uses: aws-actions/amazon-ecs-deploy-task-definition@v1
      with:
        task-definition: ${{ steps.task-def.outputs.task-definition }}
        service: ${{ needs.setup.outputs.ECS_SERVICE }}
        cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
        wait-for-service-stability: true


  DeployProd:
    name: Deploy to Production 
    needs: [DeployDev]
    runs-on: ubuntu-latest
    permissions:
     packages: write
     contents: write
     id-token: write
    environment: 
      name: Production
      url: 'http://www.myapp.com'
    steps:
    - name: Set Environments
      run: |
        if [[ "${{github.event.inputs.account}}" == "slb-dev" ]]; then
          echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_DEV }}" >> $GITHUB_ENV
          echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_DEV }}" >> $GITHUB_ENV
        fi

        if [[ "${{github.event.inputs.account}}" == "slb-prod" ]]; then
          echo "AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID_PROD }}" >> $GITHUB_ENV
          echo "AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY_PROD }}" >> $GITHUB_ENV
        fi

    - name: Clone Repository (Current branch)
      uses: actions/checkout@v2
      if: github.event.inputs.git-ref == ''

    - name: Clone Repository (Custom Ref)
      uses: actions/checkout@v2
      if: github.event.inputs.git-ref != ''
      with:
        ref: ${{ github.event.inputs.git-ref }}

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ needs.setup.outputs.AWS_REGION }}

    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1

    - name: Build, tag, and push image to Amazon ECR
      id: build-image
      env:
        ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
        ECR_REPOSITORY: ${{ needs.setup.outputs.ECR_REPOSITORY }}
        IMAGE_TAG: ${{ github.sha }}
      run: |
        cd ${{ needs.setup.outputs.BUILD_DIR }}
        docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest .
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
        docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
        echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

    - name: Download task definition
      run: |
        aws ecs describe-task-definition --task-definition ${{ needs.setup.outputs.ECS_TASK_DEFINITION }} --query taskDefinition > ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}

    - name: Fill in the new image ID in the Amazon ECS task definition
      id: task-def
      uses: aws-actions/amazon-ecs-render-task-definition@v1
      with:
        task-definition: ${{ needs.setup.outputs.ECS_TASK_DEFINITION_FILE }}
        container-name: ${{ needs.setup.outputs.ECS_CONTAINER_NAME }}
        image: ${{ steps.build-image.outputs.image }}

    - name: Deploy Amazon ECS task definition
      uses: aws-actions/amazon-ecs-deploy-task-definition@v1
      with:
        task-definition: ${{ steps.task-def.outputs.task-definition }}
        service: ${{ needs.setup.outputs.ECS_SERVICE }}
        cluster: ${{ needs.setup.outputs.ECS_CLUSTER }}
        wait-for-service-stability: true

But I get an error (screenshot of the error not included) when trying to log in, and I'm not sure what's causing it. I'm calling the credentials from GitHub Secrets, and it seems to work fine when doing an individual build, but when I try to do this across different environments I get this error.

Before the recent update of the aws action, the aws credentials needed to be configured as a github repo secret. After that, it sets those credentials as environment variables, which makes them accessible throughout the github action.

In your yml file it should look like this

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ needs.setup.outputs.AWS_REGION }}

Note [IMP]: In a recent update, aws-actions now supports the OIDC feature, which lets us use roles instead of storing credentials in our repo, which is now considered a bad practice. Reference doc -> https://github.com/aws-actions/configure-aws-credentials#assuming-a-role

I wrote a similar answer for an OIDC question; maybe it can help: How to use serverless framework in github actions using github actions OIDC feature
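The workflow in the question reads `env.AWS_ACCESS_KEY_ID_DEV` and `env.AWS_ACCESS_KEY_ID_PROD`, but nothing in that file ever sets those variables, so configure-aws-credentials receives empty strings. The snippet below is an added example (not code from the question or the answer) showing the two ways the answer describes: per-environment secrets read from the `secrets` context, and OIDC role assumption with no stored keys at all. It relies on GitHub Environments named `dev` and `Production` existing in the repository; the secret names `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, the environment variables `AWS_ROLE_ARN` and `ECR_REPOSITORY`, and the region are assumptions for illustration.

```yaml
name: 'Manual - Build & Push (environment-scoped credentials)'

on:
  workflow_dispatch:
    inputs:
      environment:
        description: Deployment target
        type: choice              # restricts the value to the listed options
        options: [dev, Production]
        default: dev
        required: true
      git-ref:
        description: Git Ref (Optional)
        default: develop
        required: false

permissions: {}                   # no default token permissions; each job asks for what it needs

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    # Selecting the environment from the input means the same secret/variable
    # names resolve to different values per environment, so no shell if/else
    # is needed, and any required reviewers on "Production" apply to this job.
    environment:
      name: ${{ inputs.environment }}
    permissions:
      contents: read              # checkout only needs read, not write
      id-token: write             # required to request the OIDC token for AWS
    env:
      AWS_REGION: us-east-1       # assumed region

    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.git-ref }}

      # Option A (what the answer shows): long-lived keys stored as
      # *environment* secrets with the same names in both "dev" and
      # "Production". They live in the 'secrets' context; 'env.' never held them.
      # - uses: aws-actions/configure-aws-credentials@v4
      #   with:
      #     aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      #     aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      #     aws-region: ${{ env.AWS_REGION }}

      # Option B (preferred): OIDC. No AWS keys are stored anywhere; the job
      # exchanges GitHub's short-lived ID token for temporary STS credentials.
      # AWS_ROLE_ARN is an assumed per-environment variable ('vars' context).
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          role-session-name: gha-${{ github.run_id }}
          aws-region: ${{ env.AWS_REGION }}

      - id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY }}   # assumed per-environment variable
          IMAGE_TAG: ${{ github.sha }}                 # immutable tag; no mutable "latest"
        run: |
          docker build -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
          # $GITHUB_OUTPUT replaces the deprecated ::set-output command
          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
```

For Option B to be safe, the IAM role's trust policy must do more than trust the GitHub OIDC provider: it should require `token.actions.githubusercontent.com:aud` to equal `sts.amazonaws.com` and constrain `token.actions.githubusercontent.com:sub` to a value such as `repo:<org>/<repo>:environment:Production`, so that only jobs running under that environment (and therefore its protection rules) can obtain the production role's credentials. A role for the `dev` environment gets its own trust policy with `environment:dev` in the subject.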
