Amazon CodeCatalyst is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see [How to migrate from CodeCatalyst](migration.md). # Deploying to Amazon ECS with a workflow This section describes how to deploy a containerized application into an Amazon Elastic Container Service cluster using a CodeCatalyst workflow. To accomplish this, you must add the **Deploy to Amazon ECS** action to your workflow. This action registers a [task definition](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html#welcome-task-definitions) file that you provide. Upon registration, the task definition is instantiated by your [Amazon ECS service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html) running in your [Amazon ECS cluster](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html#welcome-clusters). "Instantiating a task definition" is equivalent to deploying an application into Amazon ECS. To use this action, you must have an Amazon ECS cluster, service, and task definition file ready. For more information about Amazon ECS, see the *Amazon Elastic Container Service Developer Guide*. **Tip** For a tutorial that shows you how to use the **Deploy to Amazon ECS ** action, see [Tutorial: Deploy an application to Amazon ECS](deploy-tut-ecs.md). **Tip** For a working example of the **Deploy to Amazon ECS** action, create a project with either the **Node.js API with AWS Fargate** or **Java API with AWS Fargate** blueprint. For more information, see [Creating a project with a blueprint](projects-create.md#projects-create-console-template). **Topics** + [ ## Runtime image used by the 'Deploy to Amazon ECS' action ](#deploy-action-ecs-runtime) + [ # Tutorial: Deploy an application to Amazon ECS ](deploy-tut-ecs.md) + [ # Adding the 'Deploy to Amazon ECS' action ](deploy-action-ecs-adding.md) + [ # 'Deploy to Amazon ECS' variables ](deploy-action-ecs-variables.md) + [ # 'Deploy to Amazon ECS' action YAML ](deploy-action-ref-ecs.md) ## Runtime image used by the 'Deploy to Amazon ECS' action The **Deploy to Amazon ECS** action runs on a [November 2022 image](build-images.md#build.previous-image). For more information, see [Active images](build-images.md#build-curated-images). # Tutorial: Deploy an application to Amazon ECS In this tutorial, you learn how to deploy a serverless application into Amazon Elastic Container Service (Amazon ECS) using a workflow, Amazon ECS, and a few other AWS services. The deployed application is a simple Hello World website built on an Apache web server Docker image. The tutorial walks you through the required preparation work such as setting up a cluster, and then describes how to create a workflow to build and deploy the application. **Tip** Instead of working your way through this tutorial, you can use a blueprint that does a complete Amazon ECS setup for you. You'll need to use either the **Node.js API with AWS Fargate** or **Java API with AWS Fargate** blueprint. For more information, see [Creating a project with a blueprint](projects-create.md#projects-create-console-template). **Topics** + [ ## Prerequisites ](#deploy-tut-ecs-prereqs) + [ ## Step 1: Set up an AWS user and AWS CloudShell ](#deploy-tut-ecs-user-cloudshell) + [ ## Step 2: Deploy a placeholder application into Amazon ECS ](#deploy-tut-ecs-placeholder) + [ ## Step 3: Create an Amazon ECR image repository ](#deploy-tut-ecs-ecr) + [ ## Step 4: Create AWS roles ](#deploy-tut-ecs-build-deploy-roles) + [ ## Step 5: Add AWS roles to CodeCatalyst ](#deploy-tut-ecs-import-roles) + [ ## Step 6: Create a source repository ](#deploy-tut-ecs-source-repo) + [ ## Step 7: Add source files ](#deploy-tut-ecs-source-files) + [ ## Step 8: Create and run a workflow ](#deploy-tut-ecs-workflow) + [ ## Step 9: Make a change to your source files ](#deploy-tut-ecs-change) + [ ## Clean up ](#deploy-tut-ecs-cleanup) ## Prerequisites Before you begin: + You need a CodeCatalyst **space** with a connected AWS account. For more information, see [Creating a space](spaces-create.md). + In your space, you need an empty project called: ``` codecatalyst-ecs-project ``` Use the **Start from scratch** option to create this project. For more information, see [Creating an empty project in Amazon CodeCatalyst](projects-create.md#projects-create-empty). + In your project, you need a CodeCatalyst **environment** called: ``` codecatalyst-ecs-environment ``` Configure this environment as follows: + Choose any type, such as **Non-production**. + Connect your AWS account to it. + For the **Default IAM role**, choose any role. You'll specify a different role later. For more information, see [Deploying into AWS accounts and VPCs](deploy-environments.md). ## Step 1: Set up an AWS user and AWS CloudShell The first step in this tutorial is to create a user in AWS IAM Identity Center, and launch an AWS CloudShell instance as this user. For the duration of this tutorial, CloudShell is your development computer and is where you configure AWS resources and services. Delete this user after completing the tutorial. **Note** Do not use your root user for this tutorial. You must create a separate user or else you may experience problems when performing actions in the AWS Command Line Interface (CLI) later on. For more information about IAM Identity Center users and CloudShell, see the *AWS IAM Identity Center User Guide* and *AWS CloudShell User Guide*. **To create an IAM Identity Center user** 1. Sign in to the AWS Management Console and open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/). **Note** Make sure you sign in using the AWS account that is connected to your CodeCatalyst space. You can verify which account is connected by navigating to your space and choosing the **AWS accounts** tab. For more information, see [Creating a space](spaces-create.md). 1. In the navigation pane, choose **Users**, and then choose **Add user**. 1. In **Username**, enter: ``` CodeCatalystECSUser ``` 1. Under **Password**, choose **Generate a one-time password that you can share with this user**. 1. In **Email address** and **Confirm email address**, enter an email address that doesn't already exist in IAM Identity Center. 1. In **First name** and **Last name**, enter: ``` CodeCatalystECSUser ``` 1. In **Display name**, keep the automatically generated name: ``` CodeCatalystECSUser CodeCatalystECSUser ``` 1. Choose **Next**. 1. On the **Add user to groups** page, choose **Next**. 1. On the **Review and add user** page, review the information and choose **Add user**. A **One-time password** dialog box appears. 1. Choose **Copy** and then paste the sign-in information, including the AWS access portal URL and the one-time password. 1. Choose **Close**. **To create a permission set** You'll assign this permission set to `CodeCatalystECSUser` later. 1. In the navigation pane, choose **Permission sets**, and then choose **Create permission set**. 1. Choose **Predefined permission set** and then select **AdministratorAccess**. This policy provides full permissions to all AWS services. 1. Choose **Next**. 1. In **Permission set name**, enter: ``` CodeCatalystECSPermissionSet ``` 1. Choose **Next**. 1. On the **Review and create** page, review the information and choose **Create**. **To assign the permission set to CodeCatalystECSUser** 1. In the navigation pane, choose **AWS accounts**, and then select the check box next to the AWS account that you're currently signed in to. 1. Choose **Assign users or groups**. 1. Choose the **Users** tab. 1. Select the check box next to `CodeCatalystECSUser`. 1. Choose **Next**. 1. Select the check box next to `CodeCatalystECSPermissionSet`. 1. Choose **Next**. 1. Review the information and choose **Submit**. You have now assigned `CodeCatalystECSUser` and `CodeCatalystECSPermissionSet` to your AWS account, binding them together. **To sign out and sign back in as CodeCatalystECSUser** 1. Before you sign out, make sure you have the AWS access portal URL and the username and one-time password for `CodeCatalystECSUser`. You should have copied this information to a text editor earlier. **Note** If you do not have this information, go to the `CodeCatalystECSUser` details page in IAM Identity Center, choose **Reset password**, **Generate a one-time password [...]**, and **Reset password** again to display the information on the screen. 1. Sign out of AWS. 1. Paste the AWS access portal URL into your browser's address bar. 1. Sign in with the username and one-time password for `CodeCatalystECSUser`. 1. In **New password**, enter a password, and choose **Set new password**. An **AWS account** box appears on the screen. 1. Choose **AWS account**, and then choose the name of the AWS account to which you assigned the `CodeCatalystECSUser` user and permission set. 1. Next to the `CodeCatalystECSPermissionSet`, choose **Management console**. The AWS Management Console appears. You are now signed in as `CodeCatalystECSUser` with the appropriate permissions. **To launch an AWS CloudShell instance** 1. As `CodeCatalystECSUser`, in the top navigation bar, choose the AWS icon (![\[AWS icon\]](http://docs.aws.amazon.com/codecatalyst/latest/userguide/images/deploy/aws-logo.png)). The main page of the AWS Management Console appears. 1. In the top navigation bar, choose the AWS CloudShell icon (![\[CloudShell icon\]](http://docs.aws.amazon.com/codecatalyst/latest/userguide/images/deploy/CloudShell.png)). CloudShell opens. Wait while the CloudShell environment is created. **Note** If you don't see the CloudShell icon, make sure that you're in a [Region supported by CloudShell](https://docs.aws.amazon.com/cloudshell/latest/userguide/faq-list.html#regions-available). This tutorial assumes you are in the US West (Oregon) Region. **To verify that the AWS CLI is installed** 1. In the CloudShell terminal, enter: ``` aws --version ``` 1. Check that a version appears. The AWS CLI is already configured for the current user, `CodeCatalystECSUser`, so there is no need to configure AWS CLI keys and credentials, as is normally the case. ## Step 2: Deploy a placeholder application into Amazon ECS In this section, you manually deploy a placeholder application into Amazon ECS. This placeholder application will be replaced by the Hello World application deployed by your workflow. The placeholder application is Apache Web Server. For more information about Amazon ECS, see the *Amazon Elastic Container Service Developer Guide*. Complete the following series of procedures to deploy the placeholder application. **To create the task execution role** This role grants Amazon ECS and AWS Fargate permission to make API calls on your behalf. 1. Create a trust policy: 1. In AWS CloudShell, enter the following command: ``` cat > codecatalyst-ecs-trust-policy.json ``` A blinking prompt appears in the CloudShell terminal. 1. Enter the following code at the prompt: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } ``` ------ 1. Place your cursor after the last curly bracket (`}`). 1. Press **Enter** and then **Ctrl\$1d** to save the file and exit cat. 1. Create a task execution role: ``` aws iam create-role \ --role-name codecatalyst-ecs-task-execution-role \ --assume-role-policy-document file://codecatalyst-ecs-trust-policy.json ``` 1. Attach the AWS managed `AmazonECSTaskExecutionRolePolicy` policy to the role: ``` aws iam attach-role-policy \ --role-name codecatalyst-ecs-task-execution-role \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy ``` 1. Display the role’s details: ``` aws iam get-role \ --role-name codecatalyst-ecs-task-execution-role ``` 1. Note the role's `"Arn":` value, for example, `arn:aws:iam::111122223333:role/codecatalyst-ecs-task-execution-role`. You will need this Amazon Resource Name (ARN) later. **To create an Amazon ECS cluster** This cluster will contain the Apache placeholder application, and later, the Hello World application. 1. As `CodeCatalystECSUser`, in AWS CloudShell, create an empty cluster: ``` aws ecs create-cluster --cluster-name codecatalyst-ecs-cluster ``` 1. (Optional) Verify that the cluster was created successfully: ``` aws ecs list-clusters ``` The ARN of the `codecatalyst-ecs-cluster` cluster should appear in the list, indicating a successful creation. **To create a task definition file** The task definition file indicates to run the [Apache 2.4 Web server](https://hub.docker.com/_/httpd) Docker image (`httpd:2.4`) which is pulled from DockerHub. 1. As `CodeCatalystECSUser`, in AWS CloudShell, create a task definition file: ``` cat > taskdef.json ``` 1. Paste the following code at the prompt: ``` { "executionRoleArn": "arn:aws:iam::111122223333:role/codecatalyst-ecs-task-execution-role", "containerDefinitions": [ { "name": "codecatalyst-ecs-container", "image": "httpd:2.4", "essential": true, "portMappings": [ { "hostPort": 80, "protocol": "tcp", "containerPort": 80 } ] } ], "requiresCompatibilities": [ "FARGATE" ], "cpu": "256", "family": "codecatalyst-ecs-task-def", "memory": "512", "networkMode": "awsvpc" } ``` In the preceding code, replace *arn:aws:iam::111122223333:role/codecatalyst-ecs-task-execution-role* with the ARN of the task execution role that you noted in [To create the task execution role](#deploy-tut-ecs-create-task-execution-role). 1. Place your cursor after the last curly bracket (`}`). 1. Press **Enter** and then **Ctrl\$1d** to save the file and exit cat. **To register the task definition file with Amazon ECS** 1. As `CodeCatalystECSUser`, in AWS CloudShell, register the task definition: ``` aws ecs register-task-definition \ --cli-input-json file://taskdef.json ``` 1. (Optional) Verify that the task definition was registered: ``` aws ecs list-task-definitions ``` The `codecatalyst-ecs-task-def` task definition should appear in the list. **To create the Amazon ECS service** The Amazon ECS service runs the tasks (and associated Docker containers) of the Apache placeholder application, and later, the Hello World application. 1. As `CodeCatalystECSUser`, switch to the Amazon Elastic Container Service console if you haven't done so already. 1. Choose the cluster you created earlier, `codecatalyst-ecs-cluster`. 1. In the **Services** tab, choose **Create**. 1. In the **Create** page, do the following: 1. Keep all default settings except for those listed next. 1. For **Launch type**, choose **FARGATE**. 1. Under **Task definition**, in the **Family** drop-down list, choose: `codecatalyst-ecs-task-def` 1. For **Service name**, enter: ``` codecatalyst-ecs-service ``` 1. For **Desired tasks**, enter: ``` 3 ``` In this tutorial, each task launches a single Docker container. 1. Expand the **Networking** section. 1. For **VPC**, choose any VPC. 1. For **Subnets**, choose any subnet. **Note** Only specify one subnet. That's all that is needed for this tutorial. **Note** If you don’t have a VPC and subnet, create them. See [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#Create-VPC), and [Create a subnet in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet) in the *Amazon VPC User Guide*. 1. For **Security group**, choose **Create a new security group**, and then do the following: 1. For **Security group name**, enter: ``` codecatalyst-ecs-security-group ``` 1. For **Security group description**, enter: ``` CodeCatalyst ECS security group ``` 1. Choose **Add rule**. For **Type**, choose **HTTP**, and for **Source**, choose **Anywhere**. 1. At the bottom, choose **Create**. 1. Wait while the service is created. This may take a few minutes. 1. Choose the **Tasks** tab, and then choose the refresh button. Verify that all three tasks have their **Last Status** column set to **Running**. **(Optional) To verify that your Apache placeholder application is running** 1. In the **Tasks** tab, choose any one of the three tasks. 1. In the **Public IP** field, choose **open address**. An `It Works!` page appears. This indicates that the Amazon ECS service successfully started a task that launched a Docker container with the Apache image. At this point in the tutorial, you have manually deployed an Amazon ECS cluster, service, and task definition, as well as an Apache placeholder application. With all these items in place, you are now ready to create a workflow that will replace the Apache placeholder application with the tutorial’s Hello World application. ## Step 3: Create an Amazon ECR image repository In this section, you create a private image repository in Amazon Elastic Container Registry (Amazon ECR). This repository stores the tutorial’s Docker image that will replace the Apache placeholder image you deployed previously. For more information about Amazon ECR, see the *Amazon Elastic Container Registry User Guide*. **To create an image repository in Amazon ECR** 1. As `CodeCatalystECSUser`, in AWS CloudShell, create an empty repository in Amazon ECR: ``` aws ecr create-repository --repository-name codecatalyst-ecs-image-repo ``` 1. Display the Amazon ECR repository’s details: ``` aws ecr describe-repositories \ --repository-names codecatalyst-ecs-image-repo ``` 1. Note the `“repositoryUri”:` value, for example, `111122223333.dkr.ecr.us-west-2.amazonaws.com/codecatalyst-ecs-image-repo`. You need it later when adding the repository to your workflow. ## Step 4: Create AWS roles In this section, you create AWS IAM roles that your CodeCatalyst workflow will need in order to function. These roles are: + **Build role** – Grants the CodeCatalyst build action (in the workflow) permission to access your AWS account and write to Amazon ECR and Amazon EC2. + **Deploy role** – Grants the CodeCatalyst **Deploy to ECS** action (in the workflow) permission to access your AWS account, Amazon ECS, and a few other AWS services. For more information about IAM roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *AWS Identity and Access Management User Guide*. **Note** To save time, you can create a single role, called the `CodeCatalystWorkflowDevelopmentRole-spaceName` role, instead of the two roles listed previously. For more information, see [Creating the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role for your account and space](ipa-iam-roles.md#ipa-iam-roles-service-create). Understand that the `CodeCatalystWorkflowDevelopmentRole-spaceName` role has very broad permissions which may pose a security risk. We recommend that you only use this role in tutorials and scenarios where security is less of a concern. This tutorial assumes you are creating the two roles listed previously. To create the build and deploy roles, you can use either the AWS Management Console or the AWS CLI. ------ #### [ AWS Management Console ] To create the build and deploy roles, complete the following series of procedures. **To create a build role** 1. Create a policy for the role, as follows: 1. Sign in to AWS. 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 1. In the navigation pane, choose **Policies**. 1. Choose **Create policy**. 1. Choose the **JSON** tab. 1. Delete the existing code. 1. Paste the following code: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:*", "ec2:*" ], "Resource": "*" } ] } ``` ------ **Note** The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available. ``` "Resource": "*" ``` 1. Choose **Next: Tags**. 1. Choose **Next: Review**. 1. In **Name**, enter: ``` codecatalyst-ecs-build-policy ``` 1. Choose **Create policy**. You have now created a permissions policy. 1. Create the build role, as follows: 1. In the navigation pane, choose **Roles**, and then choose **Create role**. 1. Choose **Custom trust policy**. 1. Delete the existing custom trust policy. 1. Add the following custom trust policy: 1. Choose **Next**. 1. In **Permissions policies**, search for `codecatalyst-ecs-build-policy`, select its check box. 1. Choose **Next**. 1. For **Role name**, enter: ``` codecatalyst-ecs-build-role ``` 1. For **Role description**, enter: ``` CodeCatalyst ECS build role ``` 1. Choose **Create role**. You have now created a build role with a permissions policy and a trust policy. 1. Obtain the build role ARN, as follows: 1. In the navigation pane, choose **Roles**. 1. In the search box, enter the name of the role you just created (`codecatalyst-ecs-build-role`). 1. Choose the role from the list. The role's **Summary** page appears. 1. At the top, copy the **ARN** value. You need it later. **To create a deploy role** 1. Create a policy for the role, as follows: 1. Sign in to AWS. 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). 1. In the navigation pane, choose **Policies**. 1. Choose **Create Policy**. 1. Choose the **JSON** tab. 1. Delete the existing code. 1. Paste the following code: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [{ "Action":[ "ecs:DescribeServices", "ecs:CreateTaskSet", "ecs:DeleteTaskSet", "ecs:ListClusters", "ecs:RegisterTaskDefinition", "ecs:UpdateServicePrimaryTaskSet", "ecs:UpdateService", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:ModifyRule", "lambda:InvokeFunction", "lambda:ListFunctions", "cloudwatch:DescribeAlarms", "sns:Publish", "sns:ListTopics", "s3:GetObject", "s3:GetObjectVersion", "codedeploy:CreateApplication", "codedeploy:CreateDeployment", "codedeploy:CreateDeploymentGroup", "codedeploy:GetApplication", "codedeploy:GetDeployment", "codedeploy:GetDeploymentGroup", "codedeploy:ListApplications", "codedeploy:ListDeploymentGroups", "codedeploy:ListDeployments", "codedeploy:StopDeployment", "codedeploy:GetDeploymentTarget", "codedeploy:ListDeploymentTargets", "codedeploy:GetDeploymentConfig", "codedeploy:GetApplicationRevision", "codedeploy:RegisterApplicationRevision", "codedeploy:BatchGetApplicationRevisions", "codedeploy:BatchGetDeploymentGroups", "codedeploy:BatchGetDeployments", "codedeploy:BatchGetApplications", "codedeploy:ListApplicationRevisions", "codedeploy:ListDeploymentConfigs", "codedeploy:ContinueDeployment" ], "Resource":"*", "Effect":"Allow" },{"Action":[ "iam:PassRole" ], "Effect":"Allow", "Resource":"*", "Condition":{"StringLike":{"iam:PassedToService":[ "ecs-tasks.amazonaws.com", "codedeploy.amazonaws.com" ] } } }] } ``` ------ **Note** The first time the role is used to run workflow actions, use the wildcard in the resource policy statement. You can then scope down the policy with the resource name after it is available. ``` "Resource": "*" ``` 1. Choose **Next: Tags**. 1. Choose **Next: Review**. 1. In **Name**, enter: ``` codecatalyst-ecs-deploy-policy ``` 1. Choose **Create policy**. You have now created a permissions policy. 1. Create the deploy role, as follows: 1. In the navigation pane, choose **Roles**, and then choose **Create role**. 1. Choose **Custom trust policy**. 1. Delete the existing custom trust policy. 1. Add the following custom trust policy: 1. Choose **Next**. 1. In **Permissions policies**, search for `codecatalyst-ecs-deploy-policy`, select its check box. 1. Choose **Next**. 1. For **Role name**, enter: ``` codecatalyst-ecs-deploy-role ``` 1. For **Role description**, enter: ``` CodeCatalyst ECS deploy role ``` 1. Choose **Create role**. You have now created a deploy role with a trust policy. 1. Obtain the deploy role ARN, as follows: 1. In the navigation pane, choose **Roles**. 1. In the search box, enter the name of the role you just created (`codecatalyst-ecs-deploy-role`). 1. Choose the role from the list. The role's **Summary** page appears. 1. At the top, copy the **ARN** value. You need it later. ------ #### [ AWS CLI ] To create the build and deploy roles, complete the following series of procedures. **To create a trust policy for both roles** As `CodeCatalystECSUser`, in AWS CloudShell, create a trust policy file: 1. Create the file: ``` cat > codecatalyst-ecs-trust-policy.json ``` 1. At the terminal prompt, paste the following code: 1. Place your cursor after the last curly bracket (`}`). 1. Press **Enter** and then **Ctrl\$1d** to save the file and exit cat. **To create the build policy and build role** 1. Create the build policy: 1. As `CodeCatalystECSUser`, in AWS CloudShell, create a build policy file: ``` cat > codecatalyst-ecs-build-policy.json ``` 1. At the prompt, enter the following code: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:*", "ec2:*" ], "Resource": "*" } ] } ``` ------ 1. Place your cursor after the last curly bracket (`}`). 1. Press **Enter** and then **Ctrl\$1d** to save the file and exit cat. 1. Add the build policy to AWS: ``` aws iam create-policy \ --policy-name codecatalyst-ecs-build-policy \ --policy-document file://codecatalyst-ecs-build-policy.json ``` 1. In the command output, note the `"arn":` value, for example, `arn:aws:iam::111122223333:policy/codecatalyst-ecs-build-policy`. You need this ARN later. 1. Create the build role and attach the trust policy to it: ``` aws iam create-role \ --role-name codecatalyst-ecs-build-role \ --assume-role-policy-document file://codecatalyst-ecs-trust-policy.json ``` 1. Attach the build policy to the build role: ``` aws iam attach-role-policy \ --role-name codecatalyst-ecs-build-role \ --policy-arn arn:aws:iam::111122223333:policy/codecatalyst-ecs-build-policy ``` Where *arn:aws:iam::111122223333:policy/codecatalyst-ecs-build-policy* is replaced with the ARN of the build policy you noted earlier. 1. Display the build role’s details: ``` aws iam get-role \ --role-name codecatalyst-ecs-build-role ``` 1. Note the role's `"Arn":` value, for example, `arn:aws:iam::111122223333:role/codecatalyst-ecs-build-role`. You need this ARN later. **To create the deploy policy and deploy role** 1. Create a deploy policy: 1. In AWS CloudShell, create a deploy policy file: ``` cat > codecatalyst-ecs-deploy-policy.json ``` 1. At the prompt, enter the following code: ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [{ "Action":[ "ecs:DescribeServices", "ecs:CreateTaskSet", "ecs:DeleteTaskSet", "ecs:ListClusters", "ecs:RegisterTaskDefinition", "ecs:UpdateServicePrimaryTaskSet", "ecs:UpdateService", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:ModifyRule", "lambda:InvokeFunction", "lambda:ListFunctions", "cloudwatch:DescribeAlarms", "sns:Publish", "sns:ListTopics", "s3:GetObject", "s3:GetObjectVersion", "codedeploy:CreateApplication", "codedeploy:CreateDeployment", "codedeploy:CreateDeploymentGroup", "codedeploy:GetApplication", "codedeploy:GetDeployment", "codedeploy:GetDeploymentGroup", "codedeploy:ListApplications", "codedeploy:ListDeploymentGroups", "codedeploy:ListDeployments", "codedeploy:StopDeployment", "codedeploy:GetDeploymentTarget", "codedeploy:ListDeploymentTargets", "codedeploy:GetDeploymentConfig", "codedeploy:GetApplicationRevision", "codedeploy:RegisterApplicationRevision", "codedeploy:BatchGetApplicationRevisions", "codedeploy:BatchGetDeploymentGroups", "codedeploy:BatchGetDeployments", "codedeploy:BatchGetApplications", "codedeploy:ListApplicationRevisions", "codedeploy:ListDeploymentConfigs", "codedeploy:ContinueDeployment" ], "Resource":"*", "Effect":"Allow" },{"Action":[ "iam:PassRole" ], "Effect":"Allow", "Resource":"*", "Condition":{"StringLike":{"iam:PassedToService":[ "ecs-tasks.amazonaws.com", "codedeploy.amazonaws.com" ] } } }] } ``` ------ **Note** The first time the role is used to run workflow actions, use the wildcard in the resource policy statement and then scope down the policy with the resource name after it is available. ``` "Resource": "*" ``` 1. Place your cursor after the last curly bracket (`}`). 1. Press **Enter** and then **Ctrl\$1d** to save the file and exit cat. 1. Add the deploy policy to AWS: ``` aws iam create-policy \ --policy-name codecatalyst-ecs-deploy-policy \ --policy-document file://codecatalyst-ecs-deploy-policy.json ``` 1. In the command output, note the deploy policy's `"arn":` value, for example, `arn:aws:iam::111122223333:policy/codecatalyst-ecs-deploy-policy`. You need this ARN later. 1. Create the deploy role and attach the trust policy to it: ``` aws iam create-role \ --role-name codecatalyst-ecs-deploy-role \ --assume-role-policy-document file://codecatalyst-ecs-trust-policy.json ``` 1. Attach the deploy policy to the deploy role, where *arn:aws:iam::111122223333:policy/codecatalyst-ecs-deploy-policy* is replaced with the ARN of the deploy policy you noted earlier. ``` aws iam attach-role-policy \ --role-name codecatalyst-ecs-deploy-role \ --policy-arn arn:aws:iam::111122223333:policy/codecatalyst-ecs-deploy-policy ``` 1. Display the deploy role’s details: ``` aws iam get-role \ --role-name codecatalyst-ecs-deploy-role ``` 1. Note the role's `"Arn":` value, for example, `arn:aws:iam::111122223333:role/codecatalyst-ecs-deploy-role`. You need this ARN later. ------ ## Step 5: Add AWS roles to CodeCatalyst In this step, you add the build role (`codecatalyst-ecs-build-role`) and deploy role (`codecatalyst-ecs-deploy-role`) to the CodeCatalyst account connection in your space. **To add build and deploy roles to your account connection** 1. In CodeCatalyst, navigate to your space. 1. Choose **AWS accounts**. A list of account connections appears. 1. Choose the account connection that represents the AWS account where you created your build and deploy roles. 1. Choose **Manage roles from AWS management console**. The **Add IAM role to Amazon CodeCatalyst space** page appears. You might need to sign in to access the page. 1. Select **Add an existing role you have created in IAM**. A drop-down list appears. The list displays all IAM roles with a trust policy that includes the `codecatalyst-runner.amazonaws.com` and `codecatalyst.amazonaws.com` service principals. 1. In the drop-down list, choose `codecatalyst-ecs-build-role`, and choose **Add role**. **Note** If you see `The security token included in the request is invalid`, it might be because you do not have the right permissions. To fix this issue, sign out of AWS as sign back in with the AWS account that you used when you created your CodeCatalyst space. 1. Choose **Add IAM role**, choose **Add an existing role you have created in IAM**, and in the drop-down list, choose `codecatalyst-ecs-deploy-role`. Choose **Add role**. You have now added the build and deploy roles to your space. 1. Copy the value of the **Amazon CodeCatalyst display name**. You'll need this value later, when creating your workflow. ## Step 6: Create a source repository In this step, you create a source repository in CodeCatalyst. This repository stores the tutorial's source files, such as the task definition file. For more information about source repositories, see [Creating a source repository](source-repositories-create.md). **To create a source repository** 1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/). 1. Navigate to your project, `codecatalyst-ecs-project`. 1. In the navigation pane, choose **Code**, and then choose **Source repositories**. 1. Choose **Add repository**, and then choose **Create repository**. 1. In **Repository name**, enter: ``` codecatalyst-ecs-source-repository ``` 1. Choose **Create**. ## Step 7: Add source files In this section, you add the Hello World source files to your CodeCatalyst repository, `codecatalyst-ecs-source-repository`. They consist of: + An `index.html` file – Displays a Hello World message in the browser. + A Dockerfile – Describes the base image to use for your Docker image and the Docker commands to apply to it. + A `taskdef.json` file – Defines the Docker image to use when launching tasks into your cluster. The folder structure is as follows: ``` . |— public-html | |— index.html |— Dockerfile |— taskdef.json ``` **Note** The following instructions show you how to add the files using the CodeCatalyst console but you can use Git if you prefer. For details, see [Cloning a source repository](source-repositories-clone.md). **Topics** + [ ### index.html ](#deploy-tut-ecs-source-files-index) + [ ### Dockerfile ](#deploy-tut-ecs-source-files-dockerfile) + [ ### taskdef.json ](#deploy-tut-ecs-source-files-taskdef) ### index.html The `index.html` file displays a Hello World message in the browser. **To add the index.html file** 1. In the CodeCatalyst console, go to your source repository, `codecatalyst-ecs-source-repository`. 1. In **Files**, choose **Create file**. 1. For **File name**, enter: ``` public-html/index.html ``` **Important** Make sure to include the `public-html/` prefix to create a folder of the same name. The `index.html` is expected to be in this folder. 1. In the text box, enter the following code: ``` Hello World

Hello World

``` 1. Choose **Commit**, and then choose **Commit** again. The `index.html` is added to your repository in a `public-html` folder. ### Dockerfile The Dockerfile describes the base Docker image to use and the Docker commands to apply to it. For more information about the Dockerfile, see the [Dockerfile Reference](https://docs.docker.com/engine/reference/builder/). The Dockerfile specified here indicates to use the Apache 2.4 base image (`httpd`). It also includes instructions for copying a source file called `index.html` to a folder on the Apache server that serves webpages. The `EXPOSE` instruction in the Dockerfile tells Docker that the container is listening on port 80. **To add the Dockerfile** 1. In your source repository, choose **Create file**. 1. For **File name**, enter: ``` Dockerfile ``` Do not include a file extension. **Important** The Dockerfile must reside in your repository’s root folder. The workflow’s `Docker build` command expects it to be there. 1. In the text box, enter the following code: ``` FROM httpd:2.4 COPY ./public-html/index.html /usr/local/apache2/htdocs/index.html EXPOSE 80 ``` 1. Choose **Commit**, and then choose **Commit** again. The Dockerfile is added to your repository. ### taskdef.json The `taskdef.json` file that you add in this step is the same as the one you already specified in [Step 2: Deploy a placeholder application into Amazon ECS](#deploy-tut-ecs-placeholder) with the following difference: Instead of specifying a hardcoded Docker image name in the `image:` field (`httpd:2.4`), the task definition here uses a couple of variables to denote the image: `$REPOSITORY_URI` and `$IMAGE_TAG`. These variables will be replaced with real values generated by the workflow’s build action when you run the workflow in a later step. For details on the task definition parameters, see [Task definition parameters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html) in the *Amazon Elastic Container Service Developer Guide*. **To add the taskdef.json file** 1. In your source repository, choose **Create file**. 1. For **File name**, enter: ``` taskdef.json ``` 1. In the text box, enter the following code: ``` { "executionRoleArn": "arn:aws:iam::account_ID:role/codecatalyst-ecs-task-execution-role", "containerDefinitions": [ { "name": "codecatalyst-ecs-container", # The $REPOSITORY_URI and $IMAGE_TAG variables will be replaced # by the workflow at build time (see the build action in the # workflow) "image": $REPOSITORY_URI:$IMAGE_TAG, "essential": true, "portMappings": [ { "hostPort": 80, "protocol": "tcp", "containerPort": 80 } ] } ], "requiresCompatibilities": [ "FARGATE" ], "networkMode": "awsvpc", "cpu": "256", "memory": "512", "family": "codecatalyst-ecs-task-def" } ``` In the preceding code, replace *arn:aws:iam::account\$1ID:role/codecatalyst-ecs-task-execution-role* with the ARN of the task execution role that you noted in [To create the task execution role](#deploy-tut-ecs-create-task-execution-role). 1. Choose **Commit**, and then choose **Commit** again. The `taskdef.json` file is added to your repository. ## Step 8: Create and run a workflow In this step, you create a workflow that takes your source files, builds them into a Docker image, and then deploys the image to your Amazon ECS cluster. This deployment replaces the existing Apache placeholder application. The workflow consists of the following building blocks that run sequentially: + A trigger – This trigger starts the workflow run automatically when you push a change to your source repository. For more information about triggers, see [Starting a workflow run automatically using triggers](workflows-add-trigger.md). + A build action (`BuildBackend`) – On trigger, the action builds the Docker image using the Dockerfile and pushes the image to Amazon ECR. The build action also updates the `taskdef.json` with the correct `image` field value, and then creates an output artifact of this file. This artifact is used as the input for the deploy action, which is next. For more information about the build action, see [Building with workflows](build-workflow-actions.md). + A deploy action (`DeployToECS`) – On completion of the build action, the deploy action looks for the output artifact generated by the build action (`TaskDefArtifact`), finds the `taskdef.json` inside of it, and registers it with your Amazon ECS service. The service then follows the instructions in the `taskdef.json` file to run three Amazon ECS tasks—and associated Hello World Docker containers—inside your Amazon ECS cluster. **To create a workflow** 1. In the CodeCatalyst console, in the navigation pane, choose **CI/CD**, and then choose **Workflows**. 1. Choose **Create workflow**. 1. For **Source repository**, choose `codecatalyst-ecs-source-repository`. 1. For **Branch**, choose `main`. 1. Choose **Create**. 1. Delete the YAML sample code. 1. Add the following YAML code: **Note** In the YAML code that follows, you can omit the `Connections:` sections if you want. If you omit these sections, you must ensure that the role specified in the **Default IAM role** field in your environment includes the permissions and trust policies of both roles described in [Step 5: Add AWS roles to CodeCatalyst](#deploy-tut-ecs-import-roles). For more information about setting up an environment with a default IAM role, see [Creating an environment](deploy-environments-creating-environment.md). ``` Name: codecatalyst-ecs-workflow SchemaVersion: 1.0 Triggers: - Type: PUSH Branches: - main Actions: BuildBackend: Identifier: aws/build@v1 Environment: Name: codecatalyst-ecs-environment Connections: - Name: codecatalyst-account-connection Role: codecatalyst-ecs-build-role Inputs: Sources: - WorkflowSource Variables: - Name: REPOSITORY_URI Value: 111122223333.dkr.ecr.us-west-2.amazonaws.com/codecatalyst-ecs-image-repo - Name: IMAGE_TAG Value: ${WorkflowSource.CommitId} Configuration: Steps: #pre_build: - Run: echo Logging in to Amazon ECR... - Run: aws --version - Run: aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 111122223333.dkr.ecr.us-west-2.amazonaws.com #build: - Run: echo Build started on `date` - Run: echo Building the Docker image... - Run: docker build -t $REPOSITORY_URI:latest . - Run: docker tag $REPOSITORY_URI:latest $REPOSITORY_URI:$IMAGE_TAG #post_build: - Run: echo Build completed on `date` - Run: echo Pushing the Docker images... - Run: docker push $REPOSITORY_URI:latest - Run: docker push $REPOSITORY_URI:$IMAGE_TAG # Replace the variables in taskdef.json - Run: find taskdef.json -type f | xargs sed -i "s|\$REPOSITORY_URI|$REPOSITORY_URI|g" - Run: find taskdef.json -type f | xargs sed -i "s|\$IMAGE_TAG|$IMAGE_TAG|g" - Run: cat taskdef.json # The output artifact will be a zip file that contains a task definition file. Outputs: Artifacts: - Name: TaskDefArtifact Files: - taskdef.json DeployToECS: DependsOn: - BuildBackend Identifier: aws/ecs-deploy@v1 Environment: Name: codecatalyst-ecs-environment Connections: - Name: codecatalyst-account-connection Role: codecatalyst-ecs-deploy-role Inputs: Sources: [] Artifacts: - TaskDefArtifact Configuration: region: us-west-2 cluster: codecatalyst-ecs-cluster service: codecatalyst-ecs-service task-definition: taskdef.json ``` In the preceding code, replace: + Both instances of *codecatalyst-ecs-environment* with the name of the environment you created in [Prerequisites](#deploy-tut-ecs-prereqs). + Both instances of *codecatalyst-account-connection* with the display name of your account connection. The display name might be a number. For more information, see [Step 5: Add AWS roles to CodeCatalyst](#deploy-tut-ecs-import-roles). + *codecatalyst-ecs-build-role* with the name of the build role you created in [Step 4: Create AWS roles](#deploy-tut-ecs-build-deploy-roles). + *111122223333.dkr.ecr.us-west-2.amazonaws.com/codecatalyst-ecs-image-repo* (in the `Value:` property) with the URI of the Amazon ECR repository you created in [Step 3: Create an Amazon ECR image repository](#deploy-tut-ecs-ecr). + *111122223333.dkr.ecr.us-west-2.amazonaws.com* (in the `Run: aws ecr` command) with the URI of the Amazon ECR repository without the image suffix (`/codecatalyst-ecs-image-repo`). + *codecatalyst-ecs-deploy-role* with the name of the deploy role you created in [Step 4: Create AWS roles](#deploy-tut-ecs-build-deploy-roles). + Both instances of *us-west-2* with your AWS Region code. For a list of Region codes, see [Regional endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) in the *AWS General Reference*. **Note** If you decided not to create build and deploy roles, replace *codecatalyst-ecs-build-role* and *codecatalyst-ecs-deploy-role* with the name of the `CodeCatalystWorkflowDevelopmentRole-spaceName` role. For more information about this role, see [Step 4: Create AWS roles](#deploy-tut-ecs-build-deploy-roles). **Tip** Instead of using the `find` and `sed` commands shown in the previous workflow code to update the repository and image name, you can use the **Render Amazon ECS task definition** action for this purpose. For more information, see [Modifying an Amazon ECS task definition](render-ecs-action.md). 1. (Optional) Choose **Validate** to make sure that the YAML code is valid before committing. 1. Choose **Commit**. 1. In the **Commit workflow** dialog box, enter the following: 1. For **Commit message**, remove the text and enter: ``` Add first workflow ``` 1. For **Repository**, choose `codecatalyst-ecs-source-repository`. 1. For **Branch name**, choose main. 1. Choose **Commit**. You have now created a workflow. A workflow run starts automatically because of the trigger defined at the top of the workflow. Specifically, when you committed (and pushed) the `workflow.yaml` file to your source repository, the trigger started the workflow run. **To view the workflow run progress** 1. In the navigation pane of the CodeCatalyst console, choose **CI/CD**, and then choose **Workflows**. 1. Choose the workflow you just created, `codecatalyst-ecs-workflow`. 1. Choose **BuildBackend** to see the build progress. 1. Choose **DeployToECS** to see the deployment progress. For more information about viewing run details, see [Viewing workflow run status and details](workflows-view-run.md). **To verify the deployment** 1. Open the Amazon ECS classic console at [https://console.aws.amazon.com/ecs/](https://console.aws.amazon.com/ecs/). 1. Choose your cluster, `codecatalyst-ecs-cluster`. 1. Choose the **Tasks** tab. 1. Choose any one of the three tasks. 1. In the **Public IP** field, choose **open address**. A "Hello World" page appears in the browser, indicating that the Amazon ECS service successfully deployed your application. ## Step 9: Make a change to your source files In this section, you make a change to the `index.html` file in your source repository. This change causes the workflow to build a new Docker image, tag it with a commit ID, push it to Amazon ECR, and deploy it to Amazon ECS. **To change the index.html** 1. In the CodeCatalyst console, in the navigation pane, choose **Code**, then choose **Source repositories**, and then choose your repository, `codecatalyst-ecs-source-repository`. 1. Choose `public-html`, and then choose `index.html`. The contents of `index.html` appear. 1. Choose **Edit**. 1. On line 14, change the `Hello World` text to `Tutorial complete!`. 1. Choose **Commit**, and then choose **Commit** again. The commit causes a new workflow run to start. 1. (Optional) Go to your source repository's main page, choose **View commits**, and then note the commit ID for the `index.html` change. 1. Watch the deployment progress: 1. In the navigation pane, choose **CI/CD**, and then choose **Workflows**. 1. Choose `codecatalyst-ecs-workflow` to view the latest run. 1. Choose **BuildBackend**, and **DeployToECS** to see the workflow run progress. 1. Verify that your application was updated, as follows: 1. Open the Amazon ECS classic console at [https://console.aws.amazon.com/ecs/](https://console.aws.amazon.com/ecs/). 1. Choose your cluster, `codecatalyst-ecs-cluster`. 1. Choose the **Tasks** tab. 1. Choose any one of the three tasks. 1. In the **Public IP** field, choose **open address**. A `Tutorial complete!` page appears. 1. (Optional) In AWS, switch to the Amazon ECR console and verify that the new Docker image was tagged with the commit ID from step 6. ## Clean up Clean up the files and services used in this tutorial to avoid being charged for them. In the AWS Management Console, clean up in this order: 1. In Amazon ECS, do the following: 1. Delete `codecatalyst-ecs-service`. 1. Delete `codecatalyst-ecs-cluster`. 1. Deregister `codecatalyst-ecs-task-definition`. 1. In Amazon ECR, delete `codecatalyst-ecs-image-repo`. 1. In Amazon EC2, delete `codecatalyst-ecs-security-group`. 1. In IAM Identity Center, delete: 1. `CodeCatalystECSUser` 1. `CodeCatalystECSPermissionSet` In the CodeCatalyst console, clean up as follows: 1. Delete `codecatalyst-ecs-workflow`. 1. Delete `codecatalyst-ecs-environment`. 1. Delete `codecatalyst-ecs-source-repository`. 1. Delete `codecatalyst-ecs-project`. In this tutorial, you learned how to deploy an application to an Amazon ECS service using a CodeCatalyst workflow and a **Deploy to Amazon ECS** action. # Adding the 'Deploy to Amazon ECS' action Use the following instructions to add the **Deploy to Amazon ECS** action to your workflow. ------ #### [ Visual ] **To add the 'Deploy to Amazon ECS' action using the visual editor** 1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/). 1. Choose your project. 1. In the navigation pane, choose **CI/CD**, and then choose **Workflows**. 1. Choose the name of your workflow. You can filter by the source repository or branch name where the workflow is defined, or filter by workflow name or status. 1. Choose **Edit**. 1. Choose **Visual**. 1. At the top-left, choose **\$1 Actions** to open the action catalog. 1. From the drop-down list, choose **Amazon CodeCatalyst**. 1. Search for the **Deploy to Amazon ECS** action, and do one of the following: + Choose the plus sign (**\$1**) to add the action to the workflow diagram and open its configuration pane. Or + Choose **Deploy to Amazon ECS**. The action details dialog box appears. On this dialog box: + (Optional) Choose **Download** to [view the action's source code](workflows-view-source.md#workflows-view-source.title). + Choose **Add to workflow** to add the action to the workflow diagram and open its configuration pane. 1. In the **Inputs** and **Configuration** tabs, complete the fields according to your needs. For a description of each field, see the ['Deploy to Amazon ECS' action YAML](deploy-action-ref-ecs.md). This reference provides detailed information about each field (and corresponding YAML property value) as it appears in both the YAML and visual editors. 1. (Optional) Choose **Validate** to validate the workflow's YAML code before committing. 1. Choose **Commit**, enter a commit message, and choose **Commit** again. ------ #### [ YAML ] **To add the 'Deploy to Amazon ECS' action using the YAML editor** 1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/). 1. Choose your project. 1. In the navigation pane, choose **CI/CD**, and then choose **Workflows**. 1. Choose the name of your workflow. You can filter by the source repository or branch name where the workflow is defined, or filter by workflow name or status. 1. Choose **Edit**. 1. Choose **YAML**. 1. At the top-left, choose **\$1 Actions** to open the action catalog. 1. From the drop-down list, choose **Amazon CodeCatalyst**. 1. Search for the **Deploy to Amazon ECS** action, and do one of the following: + Choose the plus sign (**\$1**) to add the action to the workflow diagram and open its configuration pane. Or + Choose **Deploy to Amazon ECS**. The action details dialog box appears. On this dialog box: + (Optional) Choose **Download** to [view the action's source code](workflows-view-source.md#workflows-view-source.title). + Choose **Add to workflow** to add the action to the workflow diagram and open its configuration pane. 1. Modify the properties in the YAML code according to your needs. An explanation of each available property is provided in the ['Deploy to Amazon ECS' action YAML](deploy-action-ref-ecs.md). 1. (Optional) Choose **Validate** to validate the workflow's YAML code before committing. 1. Choose **Commit**, enter a commit message, and choose **Commit** again. ------ # 'Deploy to Amazon ECS' variables The **Deploy to Amazon ECS** action produces and sets the following variables at run time. These are known as *predefined variables*. For information about referencing these variables in a workflow, see [Using predefined variables](workflows-using-predefined-variables.md). | Key | Value | | --- | --- | | cluster | The name of the Amazon ECS cluster that was deployed to during the workflow run. Example: `codecatalyst-ecs-cluster` | | deployment-platform | The name of the deployment platform. Hardcoded to `AWS:ECS`. | | service | The name of the Amazon ECS service that was deployed to during the workflow run. Example: `codecatalyst-ecs-service` | | task-definition-arn | The Amazon Resource Name (ARN) of the task definition that was registered during the workflow run. Example: `arn:aws:ecs:us-west-2:111122223333:task-definition/codecatalyst-task-def:8`The `:8` in the preceding example indicates the revision that was registered. | | deployment-url | A link to the Amazon ECS console's **Events** tab, where you can view details of the Amazon ECS deployment associated with the workflow run. Example: `https://console.aws.amazon.com/ecs/home?region=us-west-2#/clusters/codecatalyst-ecs-cluster/services/codecatalyst-ecs-service/events` | | region | The region code of the AWS Region that was deployed to during the workflow run. Example: `us-west-2` | # 'Deploy to Amazon ECS' action YAML The following is the YAML definition of the **Deploy to Amazon ECS** action. To learn how to use this action, see [Deploying to Amazon ECS with a workflow](deploy-action-ecs.md). This action definition exists as a section within a broader workflow definition file. For more information about this file, see [Workflow YAML definition](workflow-reference.md). **Note** Most of the YAML properties that follow have corresponding UI elements in the visual editor. To look up a UI element, use **Ctrl\$1F**. The element will be listed with its associated YAML property. ``` # The workflow definition starts here. # See Top-level properties for details. Name: MyWorkflow SchemaVersion: 1.0 Actions: # The action definition starts here. ECSDeployAction\$1nn: Identifier: aws/ecs-deploy@v1 DependsOn: - build-action Compute: Type: EC2 | Lambda Fleet: fleet-name Timeout: timeout-minutes Environment: Name: environment-name Connections: - Name: account-connection-name Role: iam-role-name Inputs: # Specify a source or an artifact, but not both. Sources: - source-name-1 Artifacts: - task-definition-artifact Configuration: region: us-east-1 cluster: ecs-cluster service: ecs-service task-definition: task-definition-path force-new-deployment: false|true codedeploy-appspec: app-spec-file-path codedeploy-application: application-name codedeploy-deployment-group: deployment-group-name codedeploy-deployment-description: deployment-description ``` ## ECSDeployAction (Required) Specify the name of the action. All action names must be unique within the workflow. Action names are limited to alphanumeric characters (a-z, A-Z, 0-9), hyphens (-), and underscores (\$1). Spaces are not allowed. You cannot use quotation marks to enable special characters and spaces in action names. Default: `ECSDeployAction_nn`. Corresponding UI: Configuration tab/**Action display name** ## Identifier (*ECSDeployAction*/**Identifier**) (Required) Identifies the action. Do not change this property unless you want to change the version. For more information, see [Specifying the action version to use](workflows-action-versions.md). Default: `aws/ecs-deploy@v1`. Corresponding UI: Workflow diagram/ECSDeployAction\$1nn/**aws/ecs-deploy@v1** label ## DependsOn (*ECSDeployAction*/**DependsOn**) (Optional) Specify an action, action group, or gate that must run successfully in order for this action to run. For more information about the 'depends on' functionality, see [Sequencing actions](workflows-depends-on.md). Corresponding UI: Inputs tab/**Depends on - optional** ## Compute (*ECSDeployAction*/**Compute**) (Optional) The computing engine used to run your workflow actions. You can specify compute either at the workflow level or at the action level, but not both. When specified at the workflow level, the compute configuration applies to all actions defined in the workflow. At the workflow level, you can also run multiple actions on the same instance. For more information, see [Sharing compute across actions](compute-sharing.md). Corresponding UI: *none* ## Type (*ECSDeployAction*/Compute/**Type**) (Required if [Compute](#deploy.action.ecs.computename) is included) The type of compute engine. You can use one of the following values: + **EC2** (visual editor) or `EC2` (YAML editor) Optimized for flexibility during action runs. + **Lambda** (visual editor) or `Lambda` (YAML editor) Optimized action start-up speeds. For more information about compute types, see [Compute types](workflows-working-compute.md#compute.types). Corresponding UI: Configuration tab/Advanced - optional/**Compute type** ## Fleet (*ECSDeployAction*/Compute/**Fleet**) (Optional) Specify the machine or fleet that will run your workflow or workflow actions. With on-demand fleets, when an action starts, the workflow provisions the resources it needs, and the machines are destroyed when the action finishes. Examples of on-demand fleets: `Linux.x86-64.Large`, `Linux.x86-64.XLarge`. For more information about on-demand fleets, see [On-demand fleet properties](workflows-working-compute.md#compute.on-demand). With provisioned fleets, you configure a set of dedicated machines to run your workflow actions. These machines remain idle, ready to process actions immediately. For more information about provisioned fleets, see [Provisioned fleet properties](workflows-working-compute.md#compute.provisioned-fleets). If `Fleet` is omitted, the default is `Linux.x86-64.Large`. Corresponding UI: Configuration tab/Advanced - optional/**Compute fleet** ## Timeout (*ECSDeployAction*/**Timeout**) (Optional) Specify the amount of time in minutes (YAML editor), or hours and minutes (visual editor), that the action can run before CodeCatalyst ends the action. The minimum is 5 minutes and the maximum is described in [Quotas for workflows in CodeCatalyst](workflows-quotas.md). The default timeout is the same as the maximum timeout. Corresponding UI: Configuration tab/**Timeout - optional ** ## Environment (*ECSDeployAction*/**Environment**) (Required) Specify the CodeCatalyst environment to use with the action. The action connects to the AWS account and optional Amazon VPC specified in the chosen environment. The action uses the default IAM role specified in the environment to connect to the AWS account, and uses the IAM role specified in the [Amazon VPC connection](https://docs.aws.amazon.com/codecatalyst/latest/adminguide/managing-vpcs.add.html) to connect to the Amazon VPC. **Note** If the default IAM role does not have the permissions required by the action, you can configure the action to use a different role. For more information, see [Changing the IAM role of an action](deploy-environments-switch-role.md). For more information about environments, see [Deploying into AWS accounts and VPCs](deploy-environments.md) and [Creating an environment](deploy-environments-creating-environment.md). Corresponding UI: Configuration tab/**Environment** ## Name (*ECSDeployAction*/Environment/**Name**) (Required if [Environment](#deploy.action.ecs.environment) is included) Specify the name of an existing environment that you want to associate with the action. Corresponding UI: Configuration tab/**Environment** ## Connections (*ECSDeployAction*/Environment/**Connections**) (Optional in newer versions of the action; required in older versions) Specify the account connection to associate with the action. You can specify a maximum of one account connection under `Environment`. If you do not specify an account connection: + The action uses the AWS account connection and default IAM role specified in the environment in the CodeCatalyst console. For information about adding an account connection and default IAM role to environment, see [Creating an environment](deploy-environments-creating-environment.md). + The default IAM role must include the policies and permissions required by the action. To determine what those policies and permissions are, see the description of the **Role** property in the action's YAML definition documentation. For more information about account connections, see [Allowing access to AWS resources with connected AWS accounts](ipa-connect-account.md). For information about adding an account connection to an environment, see [Creating an environment](deploy-environments-creating-environment.md). Corresponding UI: One of the following depending on the action version: + (Newer versions) Configuration tab/Environment/What's in *my-environment*?/three dot menu/**Switch role** + (Older versions) Configuration tab/'Environment/account/role'/**AWS account connection** ## Name (*ECSDeployAction*/Environment/Connections/**Name**) (Required if [Connections](#deploy.action.ecs.environment.connections) is included) Specify the name of the account connection. Corresponding UI: One of the following depending on the action version: + (Newer versions) Configuration tab/Environment/What's in *my-environment*?/three dot menu/**Switch role** + (Older versions) Configuration tab/'Environment/account/role'/**AWS account connection** ## Role (*ECSDeployAction*/Environment/Connections/**Role**) (Required if [Connections](#deploy.action.ecs.environment.connections) is included) Specify the name of the IAM role that the **Deploy to Amazon ECS** action uses to access AWS. Make sure that you have [added the role to your CodeCatalyst space](ipa-connect-account-addroles.md), and that the role includes the following policies. If you do not specify an IAM role, then the action uses the default IAM role listed in the [environment](deploy-environments.md) in the CodeCatalyst console. If you use the default role in the environment, make sure it has the following policies. + The following permissions policy: **Warning** Limit the permissions to those shown in the following policy. Using a role with broader permissions might pose a security risk. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [{ "Action":[ "ecs:DescribeServices", "ecs:CreateTaskSet", "ecs:DeleteTaskSet", "ecs:ListClusters", "ecs:RegisterTaskDefinition", "ecs:UpdateServicePrimaryTaskSet", "ecs:UpdateService", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:ModifyRule", "lambda:InvokeFunction", "lambda:ListFunctions", "cloudwatch:DescribeAlarms", "sns:Publish", "sns:ListTopics", "s3:GetObject", "s3:GetObjectVersion", "codedeploy:CreateApplication", "codedeploy:CreateDeployment", "codedeploy:CreateDeploymentGroup", "codedeploy:GetApplication", "codedeploy:GetDeployment", "codedeploy:GetDeploymentGroup", "codedeploy:ListApplications", "codedeploy:ListDeploymentGroups", "codedeploy:ListDeployments", "codedeploy:StopDeployment", "codedeploy:GetDeploymentTarget", "codedeploy:ListDeploymentTargets", "codedeploy:GetDeploymentConfig", "codedeploy:GetApplicationRevision", "codedeploy:RegisterApplicationRevision", "codedeploy:BatchGetApplicationRevisions", "codedeploy:BatchGetDeploymentGroups", "codedeploy:BatchGetDeployments", "codedeploy:BatchGetApplications", "codedeploy:ListApplicationRevisions", "codedeploy:ListDeploymentConfigs", "codedeploy:ContinueDeployment" ], "Resource":"*", "Effect":"Allow" },{"Action":[ "iam:PassRole" ], "Effect":"Allow", "Resource":"*", "Condition":{"StringLike":{"iam:PassedToService":[ "ecs-tasks.amazonaws.com", "codedeploy.amazonaws.com" ] } } }] } ``` ------ **Note** The first time the role is used, use the following wildcard in the resource policy statement and then scope down the policy with the resource name after it is available. ``` "Resource": "*" ``` + The following custom trust policy: **Note** You can use the `CodeCatalystWorkflowDevelopmentRole-spaceName` role with this action, if you'd like. For more information about this role, see [Creating the **CodeCatalystWorkflowDevelopmentRole-*spaceName*** role for your account and space](ipa-iam-roles.md#ipa-iam-roles-service-create). Understand that the `CodeCatalystWorkflowDevelopmentRole-spaceName` role has full access permissions which may pose a security risk. We recommend that you only use this role in tutorials and scenarios where security is less of a concern. Corresponding UI: One of the following depending on the action version: + (Newer versions) Configuration tab/Environment/What's in *my-environment*?/three dot menu/**Switch role** + (Older versions) Configuration tab/'Environment/account/role'/**Role** ## Inputs (*ECSDeployAction*/**Inputs**) (Optional) The `Inputs` section defines the data that the `ECSDeployAction` needs during a workflow run. **Note** Only one input (either a source or an artifact) is allowed per **Deploy to Amazon ECS** action. Corresponding UI: **Inputs** tab ## Sources (*ECSDeployAction*/Inputs/**Sources**) (Required if your task definition file is stored in a source repository) If your task definition file is stored in a source repository, specify the label of that source repository. Currently, the only supported label is `WorkflowSource`. If your task definition file is not contained within a source repository, it must reside in an artifact generated by another action. For more information about sources, see [Connecting source repositories to workflows](workflows-sources.md). Corresponding UI: Inputs tab/**Sources - optional** ## Artifacts - input (*ECSDeployAction*/Inputs/**Artifacts**) (Required if your task definition file is stored in an [output artifact](workflows-working-artifacts-output.md) from a previous action) If the task definition file that you want to deploy is contained in an artifact generated by a previous action, specify that artifact here. If your task definition file is not contained within an artifact, it must reside in your source repository. For more information about artifacts, including examples, see [Sharing artifacts and files between actions](workflows-working-artifacts.md). Corresponding UI: Configuration tab/**Artifacts - optional** ## Configuration (*ECSDeployAction*/**Configuration**) (Required) A section where you can define the configuration properties of the action. Corresponding UI: **Configuration** tab ## region (Configuration/**region**) (Required) Specify the AWS Region where your Amazon ECS cluster and service reside. For a list of Region codes, see [Regional endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) in the *AWS General Reference*. Corresponding UI: Configuration tab/**Region** ## cluster (*ECSDeployAction*/Configuration/**cluster**) (Required) Specify the name of an existing Amazon ECS cluster. The **Deploy to Amazon ECS** action will deploy your containerized application as a task into this cluster. For more information about Amazon ECS clusters, see [Clusters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html#welcome-clusters) in the *Amazon Elastic Container Service Developer Guide*. Corresponding UI: Configuration tab/**Cluster** ## service (*ECSDeployAction*/Configuration/**service**) (Required) Specify the name of an existing Amazon ECS service that will instantiate the task definition file. This service must reside under the cluster specified in the `cluster` field. For more information about Amazon ECS services, see [Amazon ECS services](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html) in the *Amazon Elastic Container Service Developer Guide*. Corresponding UI: Configuration tab/**Service** ## task-definition (*ECSDeployAction*/Configuration/**task-definition**) (Required) Specify the path to an existing task definition file. If the file resides in your source repository, the path is relative to the source repository root folder. If your file resides in an artifact from a previous workflow action, the path is relative to the artifact root folder. For more information about task definition files, see [Task definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html#welcome-task-definitions) in the *Amazon Elastic Container Service Developer Guide*. Corresponding UI: Configuration tab/**Task definition** ## force-new-deployment (*ECSDeployAction*/Configuration/**force-new-deployment**) (Required) If enabled, the Amazon ECS service is able to start new deployments without service definition changes. Forcing a deployment causes the service to stop all currently running tasks and launch new tasks. For more information about forcing new deployments, see [Updating a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html) in the *Amazon Elastic Container Service Developer Guide*. Default: `false` Corresponding UI: Configuration tab/**Force a new deployment of the service** ## codedeploy-appspec (*ECSDeployAction*/Configuration/**codedeploy-appspec**) (Required if you have configured your Amazon ECS service to use blue/green deployments, otherwise, omit) Specify the name and path to an existing CodeDeploy application specification (AppSpec) file. This file must reside in the root of your CodeCatalyst source repository. For more information about AppSpec files, see [CodeDeploy application specification (AppSpec) files](https://docs.aws.amazon.com/codedeploy/latest/userguide/application-specification-files.html) in the *AWS CodeDeploy User Guide*. **Note** Only supply CodeDeploy information if you have configured your Amazon ECS service to perform blue/green deployments. For rolling update deployments (the default), omit CodeDeploy information. For more information about Amazon ECS deployments, see [Amazon ECS deployment types](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html) in the *Amazon Elastic Container Service Developer Guide*. **Note** The **CodeDeploy** fields may be hidden in the visual editor. To get them to appear, see [Why are CodeDeploy fields missing from the visual editor?](troubleshooting-workflows.md#troubleshooting-workflows-codedeploy). Corresponding UI: Configuration tab/**CodeDeploy AppSpec** ## codedeploy-application (*ECSDeployAction*/Configuration/**codedeploy-application**) (Required if `codedeploy-appspec` is included) Specify the name of an existing CodeDeploy application. For more information about CodeDeploy applications, see [Working with applications in CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/applications.html) in the *AWS CodeDeploy User Guide*. Corresponding UI: Configuration tab/**CodeDeploy application** ## codedeploy-deployment-group (*ECSDeployAction*/Configuration/**codedeploy-deployment-group**) (Required if `codedeploy-appspec` is included) Specify the name of an existing CodeDeploy deployment group. For more information about CodeDeploy deployment groups, see [Working with deployment groups in CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-groups.html) in the *AWS CodeDeploy User Guide*. Corresponding UI: Configuration tab/**CodeDeploy deployment group** ## codedeploy-deployment-description (*ECSDeployAction*/Configuration/**codedeploy-deployment-description**) (Optional) Specify a description of the deployment that this action will create. For more information, see [Working with deployments in CodeDeploy](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments.html) in the *AWS CodeDeploy User Guide*. Corresponding UI: Configuration tab/**CodeDeploy deployment description**