This action was forked from smitp/amazon-ecs-run-task.
This action does two things:
- It runs the input task definition.
- After step 1 successfully completes, it registers the task definition.
The reason for registering the task definition after running the task is to allow the GITHUB_TOKEN to be used as a task definition envirionment variable. The task definition is registered only after the GITHUB_TOKEN is no longer valid.
To enable the action to run tasks with network_mode
set to awsvpc
, the action accepts subnet ids and security groups as inputs.
- Amazon ECS "Run Task" Action for GitHub Actions
- Usage
- Credentials and Region
- Permissions
- Troubleshooting
- License Summary
- name: Run Task on Amazon ECS
uses: Enterprise-CMCS/amazon-ecs-run-task@master
with:
task-definition: task-definition.json
task-definition-arn: arn:aws:ecs:us-east-1:12345:task-definition/mytask-dev:42
cluster: my-cluster
count: 1
subnets: subnet-1, subnet-2, subnet-3
security-groups: sg-1, sg-2
started-by: github-actions-${{ github.actor }}
wait-for-finish: true
security-groups
and subnets
can be single values or comma separated lists, such as in the example above. See action.yml for the full documentation for this action's inputs and outputs.
It is highly recommended to treat the task definition "as code" by checking it into your git repository as a JSON file. Changes to any task definition attributes like container images, environment variables, CPU, and memory can be deployed with this GitHub action by editing your task definition file and pushing a new git commit.
An existing task definition can be downloaded to a JSON file with the following command. Account IDs can be removed from the file by removing the taskDefinitionArn
attribute, and updating the executionRoleArn
and taskRoleArn
attribute values to contain role names instead of role ARNs.
aws ecs describe-task-definition \
--task-definition my-task-definition-family \
--query taskDefinition > task-definition.json
Alternatively, you can start a new task definition file from scratch with the following command. In the generated file, fill in your attribute values and remove any attributes not needed for your application.
aws ecs register-task-definition \
--generate-cli-skeleton > task-definition.json
If you do not wish to store your task definition as a file in your git repository, your GitHub Actions workflow can download the existing task definition.
- name: Download task definition
run: |
aws ecs describe-task-definition --task-definition my-task-definition-family --query taskDefinition > task-definition.json
It is highly recommended that each time your GitHub Actions workflow runs and builds a new container image for deployment, a new container image ID is generated. For example, use the commit ID as the new image's tag, instead of updating the 'latest' tag with the new image. Using a unique container image ID for each deployment allows rolling back to a previous container image.
The task definition file can be updated prior to deployment with the new container image ID using the aws-actions/amazon-ecs-render-task-definition
action. The following example builds a new container image tagged with the commit ID, inserts the new image ID as the image for the my-container
container in the task definition file, and then deploys the rendered task definition file to ECS:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-2
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: my-ecr-repo
IMAGE_TAG: ${{ github.sha }}
run: |
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: task-definition.json
container-name: my-container
image: ${{ steps.build-image.outputs.image }}
- name: Run Task on Amazon ECS
uses: Enterprise-CMCS/amazon-ecs-run-task@vXYZ
with:
task-definition: task-definition.json
task-definition-arn: arn:aws:ecs:us-east-1:12345:task-definition/mytask-dev:42
cluster: my-cluster
count: 1
started-by: github-actions-${{ github.actor }}
wait-for-finish: true
This action relies on the default behavior of the AWS SDK for Javascript to determine AWS credentials and region.
Use the aws-actions/configure-aws-credentials
action to configure the GitHub Actions environment with environment variables containing AWS credentials and your desired region.
We recommend following Amazon IAM best practices for the AWS credentials used in GitHub Actions workflows, including:
- Do not store credentials in your repository's code. You may use GitHub Actions secrets to store credentials and redact credentials from GitHub Actions workflow logs.
- Create an individual IAM user with an access key for use in GitHub Actions workflows, preferably one per repository. Do not use the AWS account root user access key.
- Grant least privilege to the credentials used in GitHub Actions workflows. Grant only the permissions required to perform the actions in your GitHub Actions workflows. See the Permissions section below for the permissions required by this action.
- Rotate the credentials used in GitHub Actions workflows regularly.
- Monitor the activity of the credentials used in GitHub Actions workflows.
This action requires the following minimum set of permissions:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"RegisterTaskDefinition",
"Effect":"Allow",
"Action":[
"ecs:RegisterTaskDefinition"
],
"Resource":"*"
},
{
"Sid":"PassRolesInTaskDefinition",
"Effect":"Allow",
"Action":[
"iam:PassRole"
],
"Resource":[
"arn:aws:iam::<aws_account_id>:role/<task_definition_task_role_name>",
"arn:aws:iam::<aws_account_id>:role/<task_definition_task_execution_role_name>"
]
},
{
"Sid": "RunTask",
"Effect": "Allow",
"Action": "ecs:RunTask",
"Resource": "arn:aws:ecs:<region>:<aws_account_id>:task-definition/*:*"
},
{
"Sid": "DescribeTasks",
"Effect": "Allow",
"Action": "ecs:DescribeTasks",
"Resource": "arn:aws:ecs:<region>:<aws_account_id>:task/*"
}
]
}
Note: the policy above assumes the account has opted in to the ECS long ARN format.
This action emits debug logs to help troubleshoot deployment failures. To see the debug logs, create a secret named ACTIONS_STEP_DEBUG
with value true
in your repository.
This code is made available under the MIT license.