Fix ECS deployment workflow: YAML syntax, OIDC auth, dynamic vars, and correct Docker context#146
* Enable manual trigger for ECS deployment workflow

  Added workflow_dispatch trigger for manual deployment.

* Fix ECS deployment workflow: YAML syntax, OIDC auth, dynamic vars, and correct Docker context (#146)

  * Initial plan

  * Fix aws.yml: YAML syntax, OIDC auth, vars context, steps indent, docker build path

  Co-authored-by: elifouts <116454864+elifouts@users.noreply.github.com>

  ---------

  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: elifouts <116454864+elifouts@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elifouts <116454864+elifouts@users.noreply.github.com>
Pull request overview
Updates the GitHub Actions workflow used to deploy the backend container to AWS ECS so it parses correctly and uses GitHub OIDC + repo/environment variables instead of hardcoded values and long-lived AWS keys.
Changes:
- Fixes YAML parsing/indentation issues and clarifies the workflow is manual-only (`workflow_dispatch`).
- Switches configuration from hardcoded env placeholders to `${{ vars.* }}` and replaces static AWS keys with OIDC role assumption.
- Fixes Docker build to use `backend/Dockerfile` with `backend/` as the build context.
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| aws-region: ${{ env.AWS_REGION }} | ||
| - name: Configure AWS credentials | ||
| uses: aws-actions/configure-aws-credentials@v1 |
aws-actions/configure-aws-credentials@v1 is quite old and the AWS Actions generally recommend newer majors (and ideally pinning to a commit SHA) for security fixes and OIDC improvements. Consider upgrading this to the current major version used by the project and/or pinning the action to a specific commit hash to reduce supply-chain risk.
| uses: aws-actions/configure-aws-credentials@v1 | |
| uses: aws-actions/configure-aws-credentials@v4 |
| env: | ||
| AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 | ||
| ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name | ||
| ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name | ||
| ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name | ||
| ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition | ||
| # file, e.g. .aws/task-definition.json | ||
| CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the | ||
| # containerDefinitions section of your task definition | ||
| AWS_REGION: ${{ vars.AWS_REGION }} | ||
| ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY }} | ||
| ECS_SERVICE: ${{ vars.ECS_SERVICE }} | ||
| ECS_CLUSTER: ${{ vars.ECS_CLUSTER }} | ||
| ECS_TASK_DEFINITION: ${{ vars.ECS_TASK_DEFINITION }} | ||
| CONTAINER_NAME: ${{ vars.CONTAINER_NAME }} |
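Review bot: the new `env:` block drops the inline documentation that the placeholder lines carried (`# set this to your preferred AWS region, e.g. us-west-1`, `# set this to the path to your Amazon ECS task definition`, `# containerDefinitions section of your task definition`), so someone configuring a fresh repository or environment no longer sees, in the workflow itself, what each variable must contain or that `ECS_TASK_DEFINITION` is a path to a task definition file rather than a name. Suggest keeping a short comment beside each `${{ vars.* }}` entry, or one comment on the block naming where these repository/environment variables are defined, so the meaning of each value travels with the workflow.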
Because these values come from ${{ vars.* }}, missing repository/environment variables will resolve to empty strings and can lead to hard-to-diagnose failures later (e.g., during docker build/push or ECS deploy). Consider adding an early step that validates AWS_REGION, ECR_REPOSITORY, ECS_SERVICE, ECS_CLUSTER, ECS_TASK_DEFINITION, CONTAINER_NAME, and AWS_ROLE_ARN are set and fails with a clear message if any are empty.
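One way to implement the early validation suggested above, as an added example that is not code from this pull request or the project's workflow. It assumes the check runs as a `run:` step near the top of the job, with each `${{ vars.* }}` value (and the `AWS_ROLE_ARN` secret) mapped into that step's `env:` so the script sees them as ordinary environment variables; the variable names are the ones listed in the comment, and the sample values in the demonstration block are constructed.

```shell
#!/bin/sh
# Added example (not from PR #146): fail fast when any required
# repository/environment variable resolves to an empty string, instead of
# letting the empty value surface later in docker build/push or ECS deploy.

# check_required_vars NAME...
# Emits a GitHub Actions ::error:: annotation for every NAME that is unset or
# empty and returns 1 if any was missing, 0 when all are present.
check_required_vars() {
  missing=0
  for name in "$@"; do
    # Only well-formed variable names are handed to eval below.
    case "$name" in
      "" | [0-9]* | *[!A-Za-z0-9_]*)
        echo "::error::invalid variable name '$name'" >&2
        missing=1
        continue ;;
    esac
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "::error::$name is not set; define it as a repository or environment variable before running this workflow" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Stand-alone demonstration with constructed values, run in a subshell so
# nothing leaks into the caller's environment.
(
  export AWS_REGION=us-west-1 ECR_REPOSITORY=backend ECS_SERVICE=backend-service \
         ECS_CLUSTER=backend-cluster ECS_TASK_DEFINITION=.aws/task-definition.json \
         CONTAINER_NAME=backend AWS_ROLE_ARN=arn:aws:iam::123456789012:role/example-deploy
  check_required_vars AWS_REGION ECR_REPOSITORY ECS_SERVICE ECS_CLUSTER \
                      ECS_TASK_DEFINITION CONTAINER_NAME AWS_ROLE_ARN \
    && echo "all required variables present"

  # Simulate a forgotten repository variable: without this step the empty
  # CONTAINER_NAME would only show up when the task definition is rendered.
  unset CONTAINER_NAME
  check_required_vars AWS_REGION ECR_REPOSITORY ECS_SERVICE ECS_CLUSTER \
                      ECS_TASK_DEFINITION CONTAINER_NAME AWS_ROLE_ARN \
    || echo "missing configuration detected, deployment would stop here"
)
```

The `::error::` lines are the workflow-command syntax GitHub Actions turns into annotations on the run, so a missing variable is reported by name on the job summary rather than buried in a later step's log; a non-zero return from the step fails the job before any AWS credentials are requested or any image is pushed.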
| uses: aws-actions/amazon-ecr-login@v1 | ||
| - name: Login to Amazon ECR | ||
| id: login-ecr | ||
| uses: aws-actions/amazon-ecr-login@v1 |
aws-actions/amazon-ecr-login@v1 is an older major. Consider upgrading to the current major version (and ideally pinning to a commit SHA) to pick up security and bug fixes in the login flow.
| uses: aws-actions/amazon-ecr-login@v1 | |
| uses: aws-actions/amazon-ecr-login@v2 |
| - name: Fill in the new image ID in the Amazon ECS task definition | ||
| id: task-def | ||
| uses: aws-actions/amazon-ecs-render-task-definition@v1 | ||
| with: |
The ECS render/deploy actions are referenced as @v1. Consider upgrading these AWS actions to their current major versions (and/or pinning to SHAs) to reduce supply-chain risk and benefit from recent fixes, especially since this workflow is responsible for production deployments.
The `aws.yml` ECS deployment workflow had several issues preventing it from parsing or running correctly: invalid YAML syntax, hardcoded placeholder values, static AWS credentials, and a broken Docker build path.

Changes

- `workflow_dispatch:` and corrected `steps:` indentation (items were aligned with `steps:` instead of nested under it)
- `vars` context: All six env vars (`AWS_REGION`, `ECR_REPOSITORY`, `ECS_SERVICE`, `ECS_CLUSTER`, `ECS_TASK_DEFINITION`, `CONTAINER_NAME`) now read from `${{ vars.* }}` instead of hardcoded placeholders; no file edits required before running
- `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets with GitHub OIDC — added `id-token: write` permission and switched to `role-to-assume: ${{ secrets.AWS_ROLE_ARN }}`
- `docker build ... .` (broken — no Dockerfile at repo root) to: