Registers an Amazon ECS task definition and deploys it to scheduled tasks in a given ECS cluster
Table of Contents
This project is a fork of the amazon-ecs-deploy-task-definition that has been modified and re-tooled to work with ECS scheduled tasks. As such its initial release version starts at 2.0.0. Be sure to use the correct tag.
The action assumes you have already setup 1 or more tasks to run as a scheduled task in the ECS environment. This action will update all of the tasks who cluster, task ARN (without version), and rule-prefix match existing scheduled actions or cloudwatch events. To use this action simply add the following step to your deploy process:
- name: Deploy to Amazon ECS Scheduled Tasks
uses: airfordable/[email protected]
with:
cluster: my-cluster (optional, defaults to 'default')
rule-prefix: my-rule-prefix (optional, defaults to '')
task-definition: task-definition.jsonThe action requires a task-definition. Your task-definition will likely be dynamically generated via the aws-actions/amazon-ecs-render-task-definition action or equivalent action.
See action.yml for the full documentation for this action's inputs and outputs.
This action relies on the default behavior of the AWS SDK for Javascript to determine AWS credentials and region.
Use the aws-actions/configure-aws-credentials action to configure the GitHub Actions environment with environment variables containing AWS credentials and your desired region.
Amazon recommends following Amazon IAM best practices for the AWS credentials used in GitHub Actions workflows, including:
- Do not store credentials in your repository's code. You may use GitHub Actions secrets to store credentials and redact credentials from GitHub Actions workflow logs.
- Create an individual IAM user with an access key for use in GitHub Actions workflows, preferably one per repository. Do not use the AWS account root user access key.
- Grant least privilege to the credentials used in GitHub Actions workflows. Grant only the permissions required to perform the actions in your GitHub Actions workflows. See the Permissions section below for the permissions required by this action.
- Rotate the credentials used in GitHub Actions workflows regularly.
- Monitor the activity of the credentials used in GitHub Actions workflows.
This action requires the following minimum set of permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["ecs:RegisterTaskDefinition"],
"Effect": "Allow",
"Resource": "*",
"Sid": "RegisterTaskDefinition"
},
{
"Action": ["events:ListRules", "events:ListTargetsByRule"],
"Effect": "Allow",
"Resource": "*",
"Sid": "ListRulesAndTargets"
},
{
"Action": ["events:PutTargets"],
"Effect": "Allow",
"Resource": "arn:aws:events::<aws_account_id>:rule/<cloudwatch_event_rule_name>",
"Sid": "PutTargets"
},
{
"Action": ["iam:PassRole"],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::<aws_account_id>:role/<task_definition_task_role_name>",
"arn:aws:iam::<aws_account_id>:role/<task_definition_task_execution_role_name>"
],
"Sid": "PassRolesInTaskDefinition"
}
]
}Note: the policy above assumes the account has opted in to the ECS long ARN format.
This action emits debug logs to help troubleshoot deployment failures. To see the debug logs, create a secret named ACTIONS_STEP_DEBUG with value true in your repository.
This code is made available under the MIT license.