awslabs / amazon-app-runner-deploy

Registers an AWS AppRunner Service and deploys the application using the source code of a given GitHub repository. Supports both source code and Docker image based service
MIT No Attribution
50 stars 32 forks source link
apprunner automation aws build cicd containerization deployment github-actions

Amazon "App Runner Service Deploy" action for GitHub Actions

Registers an AWS App Runner Service and deploys the application using the source code of a given GitHub repository. Supports both source code and Docker image based service.

Table of Contents

V2 Changes

This action's codebase has been refactored to support future growth as well as to simplify to processes of adding new capabilities.

Refer to the Changelog for the change history.

Usage

This github action supports two types of App Runner services: source code based and docker image based.

See action.yml for the full documentation for this action's inputs and outputs.

Code based service

Source code is application code that App Runner builds and deploys for you. You point App Runner to a source code repository and choose a suitable runtime. App Runner builds an image that's based on the base image of the runtime and your application code. It then starts a service that runs a container based on this image.

Note: The list of supported runtime platforms is available here.

Here is the sample for deploying a NodeJS based service:

name: Deploy to App Runner 
on:
  push:
    branches: [main] # Trigger workflow on git push to main branch
  workflow_dispatch: # Allow manual invocation of the workflow

jobs:  
  deploy:
    runs-on: ubuntu-latest
    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read

    steps:            
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          # Use GitHub OIDC provider
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Deploy to App Runner
        id: deploy-apprunner
        uses: awslabs/amazon-app-runner-deploy@main
        env:
          SERVER_PORT: 80
          SECRET_ENV: secret_env
        with:
          service: app-runner-git-deploy-service
          source-connection-arn: ${{ secrets.AWS_CONNECTION_SOURCE_ARN }}
          repo: https://github.com/${{ github.repository }}
          branch: ${{ github.ref }}
          runtime: NODEJS_16
          build-command: npm install
          start-command: npm start
          port: 18000
          region: ${{ secrets.AWS_REGION }}
          cpu : 1
          memory : 2
          # Deprecated: wait-for-service-stability: true
          # The new way to control service stability timeout
          wait-for-service-stability-seconds: 600
          copy-env-vars: |
            SERVER_PORT
          copy-secret-env-vars: |
            SECRET_ENV
          instance-role-arn: ${{ secrets.INSTANCE_ROLE_ARN }}
          tags: >
            { "env": "test" }

      - name: App Runner URL
        run: echo "App runner URL ${{ steps.deploy-apprunner.outputs.service-url }}" 

Note:

Image based service

Here, a source image (that could be a public or private container image stored in an image repository) can get used by App Runner to get the service running on a container. No build stage is necessary. Rather, you provide a ready-to-deploy image.

Here is the sample for deploying a App Runner service based on docker image:

name: Deploy to App Runner
on:
  push:
    branches: [main] # Trigger workflow on git push to main branch
  workflow_dispatch: # Allow manual invocation of the workflow

jobs:  
  deploy:
    runs-on: ubuntu-latest
    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read

    steps:      
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      - name: Configure AWS credentials
        id: aws-credentials
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          # Use GitHub OIDC provider
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1        

      - name: Build, tag, and push image to Amazon ECR
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: nodejs
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"  

      - name: Deploy to App Runner Image
        id: deploy-apprunner
        uses: awslabs/amazon-app-runner-deploy@main
        with:
          service: app-runner-git-deploy-service
          image: ${{ steps.build-image.outputs.image }}
          access-role-arn: ${{ secrets.ROLE_ARN }}
          region: ${{ secrets.AWS_REGION }}
          cpu : 1
          memory : 2
          # Deprecated: wait-for-service-stability: true
          # The new way to control service stability timeout
          wait-for-service-stability-seconds: 1200

      - name: App Runner URL
        run: echo "App runner URL ${{ steps.deploy-apprunner.outputs.service-url }}" 

Note:

Credentials and Region

This action relies on the default behavior of the AWS SDK for Javascript to determine AWS credentials and region. Use the aws-actions/configure-aws-credentials action to configure the GitHub Actions environment with environment variables containing AWS credentials and your desired region.

We recommend using GitHub's OIDC provider to get short-lived credentials needed for your actions.

It is recommended to follow Amazon IAM best practices for the AWS credentials used in GitHub Actions workflows, including:

Permissions

Generally this action requires the following minimum set of permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "apprunner:ListServices",
                "apprunner:CreateService",
                "apprunner:UpdateService",
                "apprunner:DescribeService",
                "apprunner:TagResource",
                "iam:PassRole"
            ],
            "Resource": "*"
        }
    ]
}

For Image based service this action requires additionally the following minimum set of permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "*"
        }
    ]
}

Troubleshooting

This action emits debug logs to help troubleshoot deployment failures. To see the debug logs, create a secret named ACTIONS_STEP_DEBUG with value true in your repository.

License Summary

This code is made available under the MIT-0 license, for details refer to LICENSE file.

Security Disclosures

If you would like to report a potential security issue in this project, please do not create a GitHub issue. Instead, please follow the instructions here or email AWS security directly.