DEV-3798 Document the new ECS Strategy #856
Conversation
…o ecs-atmos-deployment
* 'ecs-atmos-deployment' of github.com:cloudposse/docs:
  Fix release versioning by storing library docs in draft releases (#854)
  docs: Add RunsOn regional availability guidance to primary region decision (#851)
  Add redirects for all Spacelift tutorials (#853)
  Add redirect for Spacelift tutorial (#850)
milldr
left a comment
please fix build (broken links)
docs/jumpstart/action-items.mdx
Outdated
| ### <StepNumber/> PATs for ECS with `ecspresso` (Deprecated) | ||
|
|
||
| :::note | ||
| This step can likely be skipped. The ecspresso-based ECS deployment approach is deprecated in favor of [ECS with Atmos](/layers/software-delivery/ecs-atmos/), which does not require these PATs. | ||
| ::: | ||
|
|
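Review bot: the admonition hedges with "This step can likely be skipped", which leaves readers unsure whether they still need to create these PATs. If the ecspresso path is deprecated, state plainly that the step is required only when deploying with ecspresso and can otherwise be skipped, so the note matches the "(Deprecated)" in the heading.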
Let's just remove this whole section from this page and move all requirements for ecspresso to that ecspresso page, docs/layers/software-delivery/ecs-ecspresso/ecs-ecspresso.mdx
remove the same from quickstart/action-items, if relevant
| ### <StepNumber/> Deploy Platform Infrastructure | ||
|
|
||
| Deploy the foundational infrastructure components in your `infra` repository. | ||
|
|
||
| Ensure the following components are deployed in your target AWS accounts: | ||
|
|
||
| ```bash | ||
| # Deploy VPC | ||
| atmos terraform deploy vpc -s plat-use1-dev | ||
| atmos terraform deploy vpc -s plat-use1-staging | ||
| atmos terraform deploy vpc -s plat-use1-prod | ||
|
|
||
| # Deploy ECS Cluster | ||
| atmos terraform deploy ecs/cluster -s plat-use1-dev | ||
| atmos terraform deploy ecs/cluster -s plat-use1-staging | ||
| atmos terraform deploy ecs/cluster -s plat-use1-prod | ||
|
|
||
| # Deploy Github OIDC Provider | ||
| atmos terraform deploy github-oidc-provider -s plat-gbl-dev | ||
| atmos terraform deploy github-oidc-provider -s plat-gbl-staging | ||
| atmos terraform deploy github-oidc-provider -s plat-gbl-prod | ||
| ``` |
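Review bot: the `github-oidc-provider` commands target `plat-gbl-*` stacks while the VPC and ECS cluster commands target `plat-use1-*`, and nothing explains the switch; add one sentence noting that the OIDC provider is an IAM (global) component and therefore lives in the `gbl` stack, otherwise readers will read it as a typo. Also spell it `GitHub` in the `# Deploy Github OIDC Provider` comment to match the rest of the docs.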
Instead of asking the user to redeploy these specific three components, we should have a task list that lists what is required for the ECS app. (see the "TaskList" component).
Phrasing like we have now implies that the user has to redeploy a VPC, EKS cluster, and GitHub OIDC, but in reality, those are already all deployed by this point.
| <Admonition type="info" title="Platform Infrastructure"> | ||
| These components are typically deployed once and shared across multiple applications. See the [ECS Cluster](/components/library/aws/ecs/) documentation for detailed setup instructions. | ||
| </Admonition> |
Link to the setup docs for the whole layer, not just for the component.
layers/ecs/
| Deploy tfstate bucket: | ||
|
|
||
| ```bash | ||
| atmos terraform deploy tfstate-bucket-apps -s plat-use1-dev | ||
| atmos terraform deploy tfstate-bucket-apps -s plat-use1-staging | ||
| atmos terraform deploy tfstate-bucket-apps -s plat-use1-prod | ||
| ``` |
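Review bot: the component deployed here is `tfstate-bucket-apps`, but the later hunk configures `tfstate-backend-apps` with `privileged_principal_arns`; one of the two names is wrong, and a reader following the page in order will not find the component they just deployed. Pick the real component name and use it in both places.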
We should have an Atmos workflow.
| The template includes: | ||
| - Sample Go application with Dockerfile | ||
| - GitHub Actions workflows for CI/CD | ||
| - Terraform/OpenTofu components for ECS task definitions | ||
| - Atmos stack configurations for each environment |
| ```yaml title="stacks/catalog/iam-role/example-app.yaml" | ||
| import: | ||
| - catalog/iam-role/defaults | ||
|
|
||
| components: | ||
| terraform: | ||
| example-app/iam-role: | ||
| metadata: | ||
| component: iam-role | ||
| inherits: | ||
| - iam-role/defaults | ||
| vars: | ||
| name: example-app | ||
| attributes: | ||
| - "terraform" | ||
| role_description: | | ||
| Role for GitHub Actions to access the GitOps resources, such as the S3 Bucket and DynamoDB Table. | ||
| github_oidc_provider_enabled: true | ||
| github_oidc_provider_arn: !terraform.state github-oidc-provider oidc_provider_arn | ||
| trusted_github_org: acme | ||
| trusted_github_repos: | ||
| - example-app | ||
| policy_statements: | ||
| AllowECRAccess: | ||
| effect: "Allow" | ||
| actions: | ||
| - "ecr:GetAuthorizationToken" | ||
| - "ecr:BatchCheckLayerAvailability" | ||
| - "ecr:GetDownloadUrlForLayer" | ||
| - "ecr:BatchGetImage" | ||
| - "ecr:InitiateLayerUpload" | ||
| - "ecr:UploadLayerPart" | ||
| - "ecr:CompleteLayerUpload" | ||
| - "ecr:PutImage" | ||
| - "ecr:CreatePullThroughCacheRule" | ||
| - "ecr:BatchImportUpstreamImage" | ||
| - "ecr:CreateRepository" | ||
| resources: | ||
| - "*" | ||
| AllowAssumeRole: | ||
| effect: "Allow" | ||
| actions: | ||
| - "sts:AssumeRole" | ||
| - "sts:TagSession" | ||
| - "sts:SetSourceIdentity" | ||
| resources: | ||
| - "*" | ||
| AllowServicesAccess: | ||
| effect: "Allow" | ||
| actions: |
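Review bot: `AllowAssumeRole` grants `sts:AssumeRole`, `sts:TagSession` and `sts:SetSourceIdentity` on `resources: "*"` to a role that any workflow in the `example-app` repository can obtain via OIDC, so the CI role can assume any role whose trust policy admits it. Scope `resources` to the specific target role ARNs (for example the tfstate backend access role) or explain why a wildcard is needed here. `AllowECRAccess` likewise includes `ecr:CreateRepository` and `ecr:CreatePullThroughCacheRule` on `*`; if the docs intend a pre-created repository, drop these or scope them to the repository ARN. The `role_description` also only mentions the S3 bucket and DynamoDB table while the statements cover ECR and AssumeRole; align the description with the policy.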
replaced with snippet
| tfstate-backend-apps: | ||
| vars: | ||
| privileged_principal_arns: | ||
| - !terraform.state example-app/iam-role .role.arn |
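Review bot: `privileged_principal_arns` hands the `example-app/iam-role` ARN to the state backend with no explanation of what privileged access means for this component. Since this is a CI role, add a sentence stating what it can do on the backend (which state it can read and write) and why a separate `tfstate-backend-apps` rather than the core root backend is used, so readers do not copy the same pattern onto the core backend.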
this is the valid format
| In your **application repository**, create dependency stack files: | ||
|
|
||
| ```yaml title="terraform/stacks/deps/vpc.yaml" | ||
| components: | ||
| terraform: | ||
| vpc: | ||
| metadata: | ||
| component: vpc | ||
| type: abstract | ||
| terraform_workspace: "{{ .vars.tenant }}-{{ .vars.environment }}-{{ .vars.deps_stage }}" | ||
| backend_type: s3 | ||
| backend: | ||
| s3: | ||
| bucket: "acme-core-gbl-root-tfstate" | ||
| region: "us-east-1" | ||
| encrypt: true | ||
| key: terraform.tfstate | ||
| acl: bucket-owner-full-control | ||
| assume_role: | ||
| role_arn: "arn:aws:iam::111111111111:role/acme-core-gbl-root-tfstate-ro" | ||
| ``` | ||
| ```yaml title="terraform/stacks/deps/ecs-cluster.yaml" | ||
| components: | ||
| terraform: | ||
| vpc: | ||
| metadata: | ||
| component: vpc | ||
| type: abstract | ||
| terraform_workspace: "{{ .vars.tenant }}-{{ .vars.environment }}-{{ .vars.deps_stage }}" | ||
| backend_type: s3 | ||
| backend: | ||
| s3: | ||
| bucket: "acme-core-gbl-root-tfstate" | ||
| region: "us-east-1" | ||
| encrypt: true | ||
| key: terraform.tfstate | ||
| acl: bucket-owner-full-control | ||
| assume_role: | ||
| role_arn: "arn:aws:iam::111111111111:role/acme-core-gbl-root-tfstate-ro" | ||
| ``` |
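Review bot: `terraform/stacks/deps/ecs-cluster.yaml` is a verbatim copy of `vpc.yaml`: it defines the `vpc` component with `component: vpc`, so nothing in it declares the ECS cluster dependency and the file name is misleading. Change the component key and `metadata.component` to the cluster component (`ecs/cluster`, as deployed earlier on this page) and keep the backend block. Also mark `bucket`, `region` and `role_arn` (`acme-core-gbl-root-tfstate`, account `111111111111`) as placeholders the reader must replace, since the thread notes these are the only fields that need updating.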
Does the user need to copy and paste all of this and fill it out, or do they just update the files that were generated from the template?
We should clarify that we don't need to copy and paste a bunch of stuff. We just need to update a few places after generating the template.
At the moment, we do not have generation from templates for deps.
Actually, if you create a repository from the template repository, you will get ECS and VPC dependencies by default.
The only things that would need to be updated are role_arn, bucket, and region.
I agree that we need to automate these steps, but that is not related to the documentation task.
|
|
||
| --- | ||
|
|
||
| ## Triggering Workflows |
This page is quite massive and includes a ton of overview, checklist, and triggering workflows. Can we split these into 2 different pages?
for example
Implement CI/CD
ECS with Atmos
Setup Application Repository
Trigger Workflows
milldr
left a comment
Please see comments.