Tutorial: Amazon ECS Standard Deployment with CodePipeline
This tutorial helps you to create a complete, end-to-end continuous deployment (CD) pipeline with Amazon ECS with CodePipeline.
Important
As part of creating a pipeline in the console, an S3 artifact bucket will be used by CodePipeline for artifacts. (This is different from the bucket used for an S3 source action.) If the S3 artifact bucket is in a different account from the account for your pipeline, make sure that the S3 artifact bucket is owned by AWS accounts that are safe and will be dependable.
Note
This tutorial is for the Amazon ECS standard deployment action for CodePipeline. For a tutorial that uses the Amazon ECS to CodeDeploy blue/green deployment action in CodePipeline, see Tutorial: Create a pipeline with an Amazon ECR source and ECS-to-CodeDeploy deployment.
Prerequisites
There are a few resources that you must have in place before you can use this tutorial to create your CD pipeline. Here are the things you need to get started:
Note
All of these resources should be created within the same AWS Region.
-
A source control repository (this tutorial uses CodeCommit) with your Dockerfile and application source. For more information, see Create a CodeCommit Repository in the AWS CodeCommit User Guide.
-
A Docker image repository (this tutorial uses Amazon ECR) that contains an image you have built from your Dockerfile and application source. For more information, see Creating a Repository and Pushing an Image in the Amazon Elastic Container Registry User Guide.
-
An Amazon ECS task definition that references the Docker image hosted in your image repository. For more information, see Creating a Task Definition in the Amazon Elastic Container Service Developer Guide.
Important
The Amazon ECS standard deployment action for CodePipeline creates its own revision of the task definition based on the the revision used by the Amazon ECS service. If you create new revisions for the task definition without updating the Amazon ECS service, the deployment action will ignore those revisions.
Below is a sample task definition used for this tutorial. The value you use for
name
andfamily
will be used in the next step for your build specification file.{ "ipcMode": null, "executionRoleArn": "
role_ARN
", "containerDefinitions": [ { "dnsSearchDomains": null, "environmentFiles": null, "logConfiguration": { "logDriver": "awslogs", "secretOptions": null, "options": { "awslogs-group": "/ecs/hello-world
", "awslogs-region": "us-west-2", "awslogs-stream-prefix": "ecs" } }, "entryPoint": null, "portMappings": [ { "hostPort": 80, "protocol": "tcp", "containerPort": 80 } ], "command": null, "linuxParameters": null, "cpu": 0, "environment": [], "resourceRequirements": null, "ulimits": null, "dnsServers": null, "mountPoints": [], "workingDirectory": null, "secrets": null, "dockerSecurityOptions": null, "memory": null, "memoryReservation": 128, "volumesFrom": [], "stopTimeout": null, "image": "image_name
", "startTimeout": null, "firelensConfiguration": null, "dependsOn": null, "disableNetworking": null, "interactive": null, "healthCheck": null, "essential": true, "links": null, "hostname": null, "extraHosts": null, "pseudoTerminal": null, "user": null, "readonlyRootFilesystem": null, "dockerLabels": null, "systemControls": null, "privileged": null, "name": "hello-world
" } ], "placementConstraints": [], "memory": "2048", "taskRoleArn": null, "compatibilities": [ "EC2", "FARGATE" ], "taskDefinitionArn": "ARN
", "family": "hello-world
", "requiresAttributes": [], "pidMode": null, "requiresCompatibilities": [ "FARGATE" ], "networkMode": "awsvpc", "cpu": "1024", "revision": 1, "status": "ACTIVE", "inferenceAccelerators": null, "proxyConfiguration": null, "volumes": [] } -
An Amazon ECS cluster that is running a service that uses your previously mentioned task definition. For more information, see Creating a Cluster and Creating a Service in the Amazon Elastic Container Service Developer Guide.
After you have satisfied these prerequisites, you can proceed with the tutorial and create your CD pipeline.
Step 1: Add a Build Specification File to Your Source Repository
This tutorial uses CodeBuild to build your Docker image and push the image to Amazon ECR. Add a
buildspec.yml
file to your source code repository to tell CodeBuild
how to do that. The example build specification below does the following:
-
Pre-build stage:
-
Log in to Amazon ECR.
-
Set the repository URI to your ECR image and add an image tag with the first seven characters of the Git commit ID of the source.
-
-
Build stage:
-
Build the Docker image and tag the image both as
latest
and with the Git commit ID.
-
-
Post-build stage:
-
Push the image to your ECR repository with both tags.
-
Write a file called
imagedefinitions.json
in the build root that has your Amazon ECS service's container name and the image and tag. The deployment stage of your CD pipeline uses this information to create a new revision of your service's task definition, and then it updates the service to use the new task definition. Theimagedefinitions.json
file is required for the ECS job worker.
-
Paste this sample text to create your buildspec.yml
file, and
replace the values for your image and task definition. This text uses the example
account ID 111122223333.
version: 0.2 phases: pre_build: commands: - echo Logging in to Amazon ECR... - aws --version - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin 111122223333.dkr.ecr.us-west-2.amazonaws.com - REPOSITORY_URI=012345678910.dkr.ecr.us-west-2.amazonaws.com/hello-world - COMMIT_HASH=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7) - IMAGE_TAG=${COMMIT_HASH:=latest} build: commands: - echo Build started on `date` - echo Building the Docker image... - docker build -t $REPOSITORY_URI:latest . - docker tag $REPOSITORY_URI:latest $REPOSITORY_URI:$IMAGE_TAG post_build: commands: - echo Build completed on `date` - echo Pushing the Docker images... - docker push $REPOSITORY_URI:latest - docker push $REPOSITORY_URI:$IMAGE_TAG - echo Writing image definitions file... - printf '[{"name":"hello-world","imageUri":"%s"}]' $REPOSITORY_URI:$IMAGE_TAG > imagedefinitions.json artifacts: files: imagedefinitions.json
The build specification was written for the sample task definition that was provided
in Prerequisites, used by the Amazon ECS
service for this tutorial. The REPOSITORY_URI
value corresponds to the
image
repository (without any image tag), and the
value near the end of the
file corresponds to the container name in the service's task definition. hello-world
To add a buildspec.yml
file to your source
repository
-
Open a text editor and then copy and paste the build specification above into a new file.
-
Replace the
REPOSITORY_URI
value (
) with your Amazon ECR repository URI (without any image tag) for your Docker image. Replace012345678910.dkr.ecr.us-west-2.amazonaws.com/hello-world
with the container name in your service's task definition that references your Docker image.hello-world
-
Commit and push your
buildspec.yml
file to your source repository.-
Add the file.
git add .
-
Commit the change.
git commit -m "Adding build specification."
-
Push the commit.
git push
-
Step 2: Creating Your Continuous Deployment Pipeline
Use the CodePipeline wizard to create your pipeline stages and connect your source repository to your ECS service.
To create your pipeline
Open the CodePipeline console at https://console.aws.amazon.com/codepipeline/
. -
On the Welcome page, choose Create pipeline.
If this is your first time using CodePipeline, an introductory page appears instead of Welcome. Choose Get Started Now.
-
On the Step 1: Name page, for Pipeline name, type the name for your pipeline. For this tutorial, the pipeline name is hello-world.
-
In Pipeline type, choose V2. For more information, see Pipeline types. Choose Next.
-
On the Step 2: Add source stage page, for Source provider, choose AWS CodeCommit.
-
For Repository name, choose the name of the CodeCommit repository to use as the source location for your pipeline.
-
For Branch name, choose the branch to use and choose Next.
-
-
On the Step 3: Add build stage page, for Build provider choose AWS CodeBuild, and then choose Create project.
-
For Project name, choose a unique name for your build project. For this tutorial, the project name is hello-world.
-
For Environment image, choose Managed image.
-
For Operating system, choose Amazon Linux 2.
-
For Runtime(s), choose Standard.
-
For Image, choose
aws/codebuild/amazonlinux2-x86_64-standard:3.0
. -
For Image version and Environment type, use the default values.
-
Select Enable this flag if you want to build Docker images or want your builds to get elevated privileges.
-
Deselect CloudWatch logs. You might need to expand Advanced.
-
Choose Continue to CodePipeline.
-
Choose Next.
Note
The wizard creates a CodeBuild service role for your build project, called codebuild-
build-project-name
-service-role. Note this role name, as you add Amazon ECR permissions to it later.
-
-
On the Step 4: Add deploy stage page, for Deployment provider, choose Amazon ECS.
-
For Cluster name, choose the Amazon ECS cluster in which your service is running. For this tutorial, the cluster is default.
-
For Service name, choose the service to update and choose Next. For this tutorial, the service name is hello-world.
-
-
On the Step 5: Review page, review your pipeline configuration and choose Create pipeline to create the pipeline.
Note
Now that the pipeline has been created, it attempts to run through the different pipeline stages. However, the default CodeBuild role created by the wizard does not have permissions to execute all of the commands contained in the
buildspec.yml
file, so the build stage fails. The next section adds the permissions for the build stage.
Step 3: Add Amazon ECR Permissions to the CodeBuild Role
The CodePipeline wizard created an IAM role for the CodeBuild build project, called
codebuild-build-project-name
-service-role.
For this tutorial, the name is codebuild-hello-world-service-role.
Because the buildspec.yml
file makes calls to Amazon ECR API operations,
the role must have a policy that allows permissions to make these Amazon ECR calls. The
following procedure helps you attach the proper permissions to the role.
To add Amazon ECR permissions to the CodeBuild role
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the left navigation pane, choose Roles.
-
In the search box, type codebuild- and choose the role that was created by the CodePipeline wizard. For this tutorial, the role name is codebuild-hello-world-service-role.
-
On the Summary page, choose Attach policies.
-
Select the box to the left of the AmazonEC2ContainerRegistryPowerUser policy, and choose Attach policy.
Step 4: Test Your Pipeline
Your pipeline should have everything for running an end-to-end native AWS continuous deployment. Now, test its functionality by pushing a code change to your source repository.
To test your pipeline
-
Make a code change to your configured source repository, commit, and push the change.
Open the CodePipeline console at https://console.aws.amazon.com/codepipeline/
. -
Choose your pipeline from the list.
-
Watch the pipeline progress through its stages. Your pipeline should complete and your Amazon ECS service runs the Docker image that was created from your code change.