feat(cdk): fixes for base - app compatibility

Author: briancaffey

Makefile

@@ -6,7 +6,7 @@ ad-hoc-base-diff:
 	cdk diff --app='./lib/examples/ad-hoc/index.js' -e ExampleAdHocBaseStack
 
 ad-hoc-base-deploy:
-	cdk deploy --verbose --app='./lib/examples/ad-hoc/index.js' -e ExampleAdHocBaseStack
+	cdk deploy --app='./lib/examples/ad-hoc/index.js' -e ExampleAdHocBaseStack
 
 ad-hoc-base-deploy-approve:
 	cdk deploy --app='./lib/examples/ad-hoc/index.js' --require-approval never -e ExampleAdHocBaseStack

packages/ecs-run-task/action.yml

@@ -0,0 +1,60 @@
+name: 'Action for running an ECS task in a GHA workflow'
+description: 'Action for running ECS task'
+author: 'Brian Caffey'
+inputs:
+  BASE_ENV:
+    required: true
+    description: 'Base env name (e.g. dev)'
+  APP_ENV:
+    required: true
+    description: 'App env name (e.g. alpha)'
+  VERSION:
+    required: true
+    description: 'Application version git tag (e.g. v1.2.3)'
+  ECR_REPO:
+    required: true
+    description: 'ECR repo to use'
+  CONTAINER_NAME:
+    required: true
+    description: 'Name of the container to update'
+  AWS_REGION:
+    required: false
+    description: 'AWS Region'
+    default: 'us-east-1'
+
+# Trigger / Inputs
+runs:
+  using: "composite"
+  steps:
+    # Note: this assumes that your ECR repo lives in the same AWS account as your ECS cluster
+    - name: Get current AWS Account
+      id: get-aws-account
+      shell: bash
+      run: |
+        AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account)
+        echo "AWS_ACCOUNT_ID=$AWS_ACCOUNT_ID" >> $GITHUB_ENV
+
+    - name: Download existing task definition
+      id: download-task-definition
+      shell: bash
+      run: |
+        aws ecs describe-task-definition \
+          --task-definition ${{ env.FULL_TASK_NAME }} \
+          | jq '.taskDefinition' > task-definition.json
+
+    - name: Render new task definition
+      id: render-new-task-definition
+      uses: aws-actions/amazon-ecs-render-task-definition@v1
+      with:
+        task-definition: task-definition.json
+        container-name: ${{ inputs.CONTAINER_NAME }}
+        image: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ inputs.AWS_REGION}}.amazonaws.com/${{ inputs.ECR_REPO }}:${{ inputs.VERSION }}
+
+    - name: Deploy new task definition
+      id: deploy-new-task-definition
+      uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+      with:
+        cluster: ${{ inputs.APP_ENV }}-cluster
+        service: ${{ inputs.APP_ENV }}-${{ inputs.CONTAINER_NAME }}
+        task-definition: ${{ steps.render-new-task-definition.outputs.task-definition }}
+

src/constructs/ad-hoc/app/index.ts

@@ -79,6 +79,9 @@ export class AdHocApp extends Construct {
     // define ecsTaskRole and taskExecutionRole for ECS
     const ecsRoles = new EcsRoles(scope, 'EcsRoles');
 
+    // allow the task role to read and write to the bucket
+    props.assetsBucket.grantReadWrite(ecsRoles.ecsTaskRole);
+
     // Route53
     const hostedZone = HostedZone.fromLookup(this, 'HostedZone', { domainName: props.domainName });
     const cnameRecord = new CnameRecord(this, 'CnameApiRecord', {
@@ -159,7 +162,7 @@ export class AdHocApp extends Construct {
     // scheduler service
 
     // management command task definition
-    const backendUpdateTask = new ManagementCommandTask(this, 'BackendUpdateTask', {
+    const backendUpdateTask = new ManagementCommandTask(this, 'update', {
       cluster,
       environmentVariables,
       vpc: props.vpc,
@@ -168,7 +171,7 @@ export class AdHocApp extends Construct {
       executionRole: ecsRoles.taskExecutionRole,
       image: backendImage,
       command: ['python', 'manage.py', 'pre_update'],
-      name: 'backendUpdate',
+      name: 'update',
     });
 
     // worker service

src/constructs/ad-hoc/base/index.ts

@@ -5,7 +5,6 @@ import { DatabaseInstance } from 'aws-cdk-lib/aws-rds';
 import { Bucket } from 'aws-cdk-lib/aws-s3';
 import { Construct } from 'constructs';
 import { AlbResources } from '../../internal/alb';
-import { BastionHostResources } from '../../internal/bastion';
 import { ElastiCacheCluster } from '../../internal/ec';
 import { RdsInstance } from '../../internal/rds';
 import { SecurityGroupResources } from '../../internal/sg';
@@ -40,6 +39,12 @@ export class AdHocBase extends Construct {
     const assetsBucket = new Bucket(scope, 'AssetsBucket', {
       bucketName: `${props.domainName.replace('.', '-')}-${stackName}-assets-bucket`,
       removalPolicy: RemovalPolicy.DESTROY,
+      blockPublicAccess: {
+        blockPublicAcls: false,
+        blockPublicPolicy: false,
+        ignorePublicAcls: false,
+        restrictPublicBuckets: false,
+      },
       autoDeleteObjects: true,
     });
     this.assetsBucket = assetsBucket;
@@ -64,7 +69,6 @@ export class AdHocBase extends Construct {
       dbSecretName: this.node.tryGetContext('config')?.dbSecretName ?? 'DB_SECRET_NAME',
     });
     this.databaseInstance = rdsInstance.rdsInstance;
-    const { dbInstanceEndpointAddress } = rdsInstance.rdsInstance;
 
     // elasticache cluster
     const elastiCacheCluster = new ElastiCacheCluster(this, 'ElastiCacheCluster', {
@@ -75,13 +79,5 @@ export class AdHocBase extends Construct {
     // get the elasticache cluster hostname
     this.elastiCacheHostname = elastiCacheCluster.elastiCacheHost;
 
-    // TODO: is this needed?
-    new BastionHostResources(this, 'BastionHostResources', {
-      appSecurityGroup,
-      vpc: this.vpc,
-      rdsAddress: dbInstanceEndpointAddress,
-      instanceClass: this.node.tryGetContext('config').instanceClass,
-      // instanceType: this.node.tryGetContext('config').instanceType,
-    });
   }
 }

src/constructs/internal/sg/index.ts

@@ -1,4 +1,4 @@
-// import { Stack } from 'aws-cdk-lib';
+import { Stack, Tags } from 'aws-cdk-lib';
 import { IVpc, Peer, Port, SecurityGroup } from 'aws-cdk-lib/aws-ec2';
 import { Construct } from 'constructs';
 
@@ -25,10 +25,16 @@ export class SecurityGroupResources extends Construct {
     albSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.tcp(443), 'HTTPS');
     albSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.tcp(80), 'HTTP');
 
+    const appSgName = `${Stack.of(this).stackName}-app-sg`;
+
     // create application security group
     const appSecurityGroup = new SecurityGroup(scope, 'AppSecurityGroup', {
+      securityGroupName: appSgName,
       vpc: props.vpc,
     });
+
+    Tags.of(appSecurityGroup).add('Name', `${Stack.of(this).stackName}-app-sg`);
+
     appSecurityGroup.connections.allowFrom(appSecurityGroup, Port.allTcp());
 
     this.appSecurityGroup = appSecurityGroup;

src/constructs/internal/vpc/index.ts

@@ -1,4 +1,4 @@
-import { Stack } from 'aws-cdk-lib';
+import { Stack, Tags } from 'aws-cdk-lib';
 import { IVpc, SubnetType, Vpc } from 'aws-cdk-lib/aws-ec2';
 
 import { Construct } from 'constructs';
@@ -28,5 +28,8 @@ export class ApplicationVpc extends Construct {
       ],
     });
     this.vpc = vpc;
+
+    // having trouble making sure the VPC resources are getting tagged correctly
+    Tags.of(vpc).add('base-env', Stack.of(this).stackName);
   }
 }

src/examples/ad-hoc/index.ts

@@ -45,4 +45,5 @@ const addHocApp = new AdHocApp(appStack, 'AdHocApp', {
  * Add tagging for this construct and all child constructs
  */
 Tags.of(adHocBase).add('base-env', adHocBaseEnvName);
+Tags.of(adHocBase).add('ad-hoc', 'true');
 Tags.of(addHocApp).add('app-env', adHocAppEnvName);