In this lab we will deploy an application on Amazon ECS using Fargate, with CI/CD via CodePipeline, in an AWS Control Tower environment.
We will work with multiple accounts set up within Control Tower, as listed below:
A. Tools Account
Used for the container repository (ECR), the CodeCommit repository, and the CodePipeline that builds, pushes and deploys new images.
B. Application Account
The account where the application will be deployed.
Before we start this lab, the following is required:
For running commands we will use a Cloud9 environment.
If you don't have Cloud9, continue with the next step to launch it; otherwise skip to Setup Cloud9 Environment:
Launch Cloud9
Create a new Cloud9 environment named CT-Workshop, and take all other defaults.
Setup Cloud9 Environment
Copy the commands below and run them in the Cloud9 terminal. They download the lab archive and unzip it into a directory named ECS-Control-Tower.
wget https://marketplace-sa-resources.s3.amazonaws.com/ctlabs/ECS-Control-Tower.zip
unzip ECS-Control-Tower.zip
Services used in Tools Account:
Services used in Application Account:
CodePipeline stores its artifacts in an S3 bucket encrypted with a KMS key, so the IAM role used by CodePipeline (and by CodeBuild, which has to decrypt those artifacts) must be allowed to use that key. CodePipeline also needs an IAM role in the Application account that it can assume to deploy the application. For this cross-account setup, IAM roles with cross-account trust are required for every resource involved, and the key must be a customer managed key: the AWS managed S3 key cannot be shared with another account. So as a prerequisite we first create the KMS key to use with CodePipeline and the IAM roles in the Application account.
Follow the instructions below to create a CloudFormation StackSet instance in the Application account (supplying the Tools account number as a parameter) that creates the KMS key, S3 bucket and IAM roles.
Login to Master account with AWSAdministratorAccess role from SSO portal
Navigate to the StackSet console under CloudFormation in the master account
Click Create StackSet
Select Upload a template file and choose the pre_req.yaml template under the ct-lab folder of the ECS-Control-Tower directory unzipped as part of the prerequisites.
Set the StackSet name as ECSPreReq. (If using a shared account, use aliasECSPreReq, replacing alias with your own prefix.)
For the ToolsAccount parameter, enter the Tools account number, where the pipeline for the ECS deployment will be created.
Click Next
Under Permissions, select AWSControlTowerStackSetRole from the list under IAM Admin Role ARN. Type AWSControlTowerExecution for IAM Execution Role Name and click Next.
For Deployment locations choose Deploy stacks in accounts and enter the account number of the Application account.
Under Specify regions, choose the primary region where you launched the Control Tower service.
Click Next
Acknowledge the Capabilities
Click Submit
Wait for the stack instance to be created successfully; its status should be CURRENT.
This template creates the following resources in the Application account:
Login to the Application account from the SSO portal. (You can close the previous inactive AWS tab/window.)
Go to the CloudFormation service and search for the stack name ECSPreReq. Copy the output value CMKArn from this stack for later use.
We need to create a CodeCommit repository to push the application code to, and an ECR repository to push the application's Docker images to, in the Tools Account.
Set up programmatic access to the Tools account in the Cloud9 terminal: in the SSO portal, open the Tools account, choose Command line or programmatic access, and copy the environment-variable export commands.
Paste the copied commands into the Cloud9 terminal. These are temporary credentials; if a later command fails with an authentication error, copy and paste them again.
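Pasting credentials for the wrong account is the most common mistake in a multi-account lab, and the commands that follow create resources wherever the credentials point. As an added example that is not part of the lab, the shell functions below check the output of aws sts get-caller-identity against the expected Tools account number before anything is created; the account number 111111111111 is a placeholder, and the sample identity in the comment is constructed.

```shell
# Guard: refuse to run Tools-account commands under the wrong credentials.
# Added example, not part of the lab. EXPECTED_TOOLS_ACCOUNT is a placeholder;
# set it to your real Tools account number before use.
EXPECTED_TOOLS_ACCOUNT="${EXPECTED_TOOLS_ACCOUNT:-111111111111}"

# Extract the 12-digit "Account" field from `aws sts get-caller-identity`
# JSON output (pretty-printed or single-line) without depending on jq.
account_from_identity() {
  printf '%s' "$1" | sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p'
}

# Succeed (exit 0) only when the identity JSON in $1 belongs to account $2.
check_account() {
  actual=$(account_from_identity "$1")
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Usage in the Cloud9 terminal, right after pasting the SSO credentials:
#   check_account "$(aws sts get-caller-identity --output json)" "$EXPECTED_TOOLS_ACCOUNT" \
#     || { echo "wrong account: re-copy the Tools account credentials" >&2; exit 1; }
```

The guard is deliberately strict: an empty or malformed identity (expired credentials, no credentials at all) fails the check rather than passing by accident.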
Create an ECR repository by running the command below. Use the same region as the Control Tower deployment and mydemoapp as the repository name. (Enabling scan-on-push for the repository is a sensible default, but the lab does not require it.)
aws ecr create-repository --repository-name mydemoapp --region <same as CT region>
Create a CodeCommit repository by running the command below. Use the same region as the Control Tower deployment and mydemoapp as the repository name.
aws codecommit create-repository --repository-name mydemoapp --region <same as CT region>
Copy the cloneUrlHttp value from the command's output.
Before we can push code to the CodeCommit repository, we need to configure Git to use the CodeCommit credential helper (it signs HTTPS requests with the same temporary credentials). Run the commands below:
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
Change into the ECS-Control-Tower directory.
Run the Git commands below to initialize the repository and commit the files:
git init
git add .
git commit -m "first commit"
Add the CodeCommit remote to the repository, using the cloneUrlHttp value copied from the create-repository output:
git remote add origin <cloneUrlHttp copied earlier>
Push the code to CodeCommit. The pipeline watches the master branch, so if your Git version initialized the branch as main, rename it to master before pushing.
git push origin master
Login to Tools account from SSO portal
Go to the ECR service and select the mydemoapp repository created earlier.
Click on permissions on left side menu.
Click on Edit policy JSON, on right top corner.
Replace <ApplicationAccountNum> with the Application account number, paste the JSON below into the policy document and click Save. The policy grants pull-only access (no push actions) to the Application account's :root principal, which means any principal in that account that its own IAM policies allow; to tighten it further, name the ECS task execution role instead of :root.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ApplicationAccountNum>:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
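As an added example (not code from the lab or its templates), the Python below builds the same pull-only policy, optionally narrowed to one role per account such as the ECS task execution role, and lints a candidate policy for the two mistakes that matter in a cross-account repository: a wildcard principal, which makes the repository public, and any action beyond the three pull actions. The account ID, the role name and the "risky" sample policy are constructed for illustration.

```python
"""Build and lint a cross-account ECR repository policy.

Added example, not from the lab's pre_req.yaml or pipeline.yaml. The
account IDs and role name used below are placeholders.
"""
import json
import re

# The only actions the Application account needs to pull an image.
PULL_ACTIONS = frozenset({
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
})

ACCOUNT_RE = re.compile(r"^\d{12}$")
PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(root|role/.+|user/.+)$")


def pull_policy(account_ids, principal_role=None):
    """Return a pull-only repository policy (dict) for the given accounts.

    principal_role: when given, trust only that role in each account
    (e.g. the ECS task execution role) instead of the whole account.
    """
    principals = []
    for acct in account_ids:
        if not ACCOUNT_RE.match(acct):
            raise ValueError(f"not a 12-digit account id: {acct!r}")
        if principal_role:
            principals.append(f"arn:aws:iam::{acct}:role/{principal_role}")
        else:
            principals.append(f"arn:aws:iam::{acct}:root")
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AllowPull",
            "Effect": "Allow",
            "Principal": {"AWS": principals if len(principals) > 1 else principals[0]},
            "Action": sorted(PULL_ACTIONS),
        }],
    }


def lint_policy(policy):
    """Return a list of findings; empty means every Allow statement is
    pull-only and scoped to explicit account/role/user principals."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal if isinstance(principal, str) else principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        if principal == "*" or "*" in aws_principals:
            findings.append(f"{sid}: wildcard principal makes the repository public")
        for p in aws_principals:
            if p != "*" and not PRINCIPAL_RE.match(p):
                findings.append(f"{sid}: malformed principal {p!r}")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action in ("*", "ecr:*") or action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in PULL_ACTIONS:
                findings.append(f"{sid}: {action!r} is not needed to pull images")
    return findings


if __name__ == "__main__":
    print(json.dumps(pull_policy(["111111111111"], "ecsTaskExecutionRole"), indent=2))
    # Constructed sample: a policy someone widened to allow pushes from anywhere.
    risky = {"Version": "2008-10-17", "Statement": [{
        "Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
        "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}]}
    for finding in lint_policy(risky):
        print("FINDING:", finding)
```

Run lint_policy against the JSON you are about to paste into the console; the lab's own policy produces no findings, while the constructed "risky" policy reports both the public principal and the push action.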
Now we will deploy the CodePipeline and the resources it requires in the Tools account. The pipeline template needs network details from the Application account first.
Login to the Application account from the SSO portal.
Go to the VPC service and copy the VPC ID and the public subnet IDs.
Login to Master Account from SSO portal. (You can close the previous inactive aws tab/window)
Navigate to the StackSet console under CloudFormation in the master account
Click Create StackSet
Select Upload a template file, choose the pipeline.yaml template under the ct-lab folder of the ECS-Control-Tower directory, and click Next.
Set the StackSet name as ECSPipeline. (If using a shared account, use aliasECSPipeline, replacing alias with your own prefix.)
Enter mydemoapp for the CodeCommitRepositoryName parameter.
Enter mydemoapp for the ApplicationName parameter.
Enter mydemoapp for the ECRRepositoryName parameter.
For the VpcId parameter, enter the VPC ID copied from the Application account.
For the ApplicationAccount parameter, enter the account number of the Application account, where ECS will be deployed.
For the CMKARN parameter, enter the KMS key ARN (the CMKArn output of the ECSPreReq stack) copied earlier from the Application account.
For the PublicSubnets parameter, enter the public subnet IDs copied from the Application account, comma separated with no spaces.
Click Next
Under Permissions, select AWSControlTowerStackSetRole from the list under IAM Admin Role ARN. Type AWSControlTowerExecution for IAM Execution Role Name and click Next.
For Deployment locations choose Deploy stacks in accounts and enter the account number of the Tools account.
Under Specify regions, choose the primary region where you launched the Control Tower service.
Click Next
Acknowledge the Capabilities.
Click Submit
Wait for the stack instance to be created successfully; its status should be CURRENT.
This template creates the following resources in the Tools account:
The pipeline's source stage checks the code out of the CodeCommit repository and stores it as an artifact in the S3 artifact bucket, encrypted with the KMS key.
AWS CodeBuild then decrypts the artifact from the S3 bucket and runs the build steps.
CodeBuild builds a new Docker image and pushes it to the ECR repository.
CodeBuild then generates a parameter JSON file containing the URI of the newly built image, which is passed to CloudFormation to create or update the ECS resources. (See the buildspec.yml file for the steps CodeBuild executes.)
Once CodeBuild has finished successfully, CodePipeline assumes the IAM role in the Application account and deploys the CloudFormation template there.
As part of ECS CloudFormation deployment below mentioned resources are created for given application:
ECS Cluster
Task Definition
Application Load Balancer
Security groups for ALB and ECS Service
ECS Fargate Service (Look at ecs.yml file for resources being created)
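The parameter file handed from CodeBuild to the CloudFormation deploy action is a TemplateConfiguration document of the form {"Parameters": {...}}. The following is an added example, not the lab's buildspec.yml or ecs.yml: it writes that file but pins the image by its sha256 digest rather than by a mutable tag, so the task definition keeps pointing at exactly the image that was built even if someone later moves the tag. The parameter name ImageUri, the account ID, region and the sample describe-images output are assumptions for illustration; use the parameter name that ecs.yml actually declares.

```python
"""Write the CloudFormation template-configuration file for the deploy stage,
pinning the container image by digest.

Added example, not the lab's buildspec.yml. The parameter name ImageUri and
all IDs below are placeholders.
"""
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
ACCOUNT_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def image_uri(account_id, region, repo, digest):
    """Return <account>.dkr.ecr.<region>.amazonaws.com/<repo>@<digest>.

    Only a digest is accepted: a tag such as 'latest' is rejected so the
    deployed task definition can never drift from the built image.
    """
    if not ACCOUNT_RE.match(account_id):
        raise ValueError(f"bad account id {account_id!r}")
    if not REGION_RE.match(region):
        raise ValueError(f"bad region {region!r}")
    if not DIGEST_RE.match(digest):
        raise ValueError(f"bad digest {digest!r}")
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com/{repo}@{digest}"


def digest_for_tag(describe_images_output, tag):
    """Pick the imageDigest for `tag` out of `aws ecr describe-images` JSON."""
    for detail in describe_images_output.get("imageDetails", []):
        if tag in detail.get("imageTags", []):
            return detail["imageDigest"]
    raise LookupError(f"tag {tag!r} not found in repository")


def template_configuration(uri, extra_params=None):
    """Build the TemplateConfiguration document that CodePipeline's
    CloudFormation action reads: {"Parameters": {...}}."""
    params = {"ImageUri": uri}  # assumed parameter name; match ecs.yml
    params.update(extra_params or {})
    return {"Parameters": params}


def write_config(path, account_id, region, repo, describe_images_output, tag, extra_params=None):
    """Resolve tag -> digest, build the document, write it, and return it."""
    digest = digest_for_tag(describe_images_output, tag)
    cfg = template_configuration(image_uri(account_id, region, repo, digest), extra_params)
    with open(path, "w") as fh:
        json.dump(cfg, fh, indent=2)
    return cfg


if __name__ == "__main__":
    # Constructed sample of `aws ecr describe-images --repository-name mydemoapp`.
    sample = {"imageDetails": [{
        "imageDigest": "sha256:" + "ab" * 32,
        "imageTags": ["latest", "3f1c2d9"],
    }]}
    cfg = write_config("ecs-params.json", "111111111111", "us-east-1",
                       "mydemoapp", sample, "3f1c2d9",
                       {"ApplicationName": "mydemoapp"})
    print(json.dumps(cfg, indent=2))
```

In a real build the describe-images JSON comes from the CLI right after docker push (or the digest is parsed from the push output); everything else is the same, and the deploy action's TemplateConfiguration setting must name the file the build writes.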
To verify the pipeline, log in to the Tools account and open the CodePipeline service. You should find the pipeline created for the application (the pipeline name is the ApplicationName parameter used when deploying the pipeline, mydemoapp per the lab instructions); check that each of its stages has executed.
Once the pipeline has executed successfully, log in to the Application account and go to CloudFormation. You should find the stack for the application (the stack name is the same ApplicationName value, mydemoapp). Check its outputs, copy the AppDNSName value and paste it into the browser. You should see the deployed application.
You can also verify in Amazon ECS that a FARGATE cluster named mydemoapp is running.