Fix CI/CD

colto · colto · commit 5de6003f3be8 · 2026-03-02T16:48:32.000-06:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -152,3 +152,87 @@ jobs:
           tags: |
             ${{ steps.login-ecr.outputs.registry }}/cloudpulse-frontend:${{ github.sha }}
             ${{ steps.login-ecr.outputs.registry }}/cloudpulse-frontend:latest
+
+  deploy-ecs:
+    name: Deploy to ECS (Register Task Def + Update Service)
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    needs: [backend-ecr-push, frontend-ecr-push]
+
+    steps:
+      - name: Configure AWS credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Install jq
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq
+
+      - name: Register new task definition revision and update service
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          CLUSTER="cloudpulse-dev-cluster"
+          SERVICE="cloudpulse-dev-app"
+          REGION="${{ secrets.AWS_REGION }}"
+          ACCOUNT_ID="413576439231"
+          ECR_BASE="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com"
+
+          BACKEND_IMAGE="${ECR_BASE}/cloudpulse-backend:${{ github.sha }}"
+          FRONTEND_IMAGE="${ECR_BASE}/cloudpulse-frontend:${{ github.sha }}"
+
+          CURRENT_TASK_DEF_ARN=$(aws ecs describe-services \
+            --cluster "$CLUSTER" \
+            --services "$SERVICE" \
+            --region "$REGION" \
+            --query "services[0].taskDefinition" \
+            --output text)
+
+          aws ecs describe-task-definition \
+            --task-definition "$CURRENT_TASK_DEF_ARN" \
+            --region "$REGION" \
+            --query "taskDefinition" \
+            --output json > taskdef.json
+
+          jq --arg BACKEND_IMAGE "$BACKEND_IMAGE" \
+             --arg FRONTEND_IMAGE "$FRONTEND_IMAGE" \
+             '
+             del(
+               .taskDefinitionArn,
+               .revision,
+               .status,
+               .requiresAttributes,
+               .compatibilities,
+               .registeredAt,
+               .registeredBy
+             )
+             | .containerDefinitions |= map(
+                 if .name == "backend" then .image = $BACKEND_IMAGE
+                 elif .name == "frontend" then .image = $FRONTEND_IMAGE
+                 else .
+                 end
+               )
+             ' taskdef.json > taskdef-new.json
+
+          NEW_TASK_DEF_ARN=$(aws ecs register-task-definition \
+            --region "$REGION" \
+            --cli-input-json file://taskdef-new.json \
+            --query "taskDefinition.taskDefinitionArn" \
+            --output text)
+
+          aws ecs update-service \
+            --cluster "$CLUSTER" \
+            --service "$SERVICE" \
+            --task-definition "$NEW_TASK_DEF_ARN" \
+            --region "$REGION"
+
+          aws ecs wait services-stable \
+            --cluster "$CLUSTER" \
+            --services "$SERVICE" \
+            --region "$REGION"
+
+          echo "Deployment complete: $NEW_TASK_DEF_ARN"
diff --git a/gh-actions-cloudpulse-policy.json b/gh-actions-cloudpulse-policy.json
@@ -0,0 +1,47 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ECRAuth",
+      "Effect": "Allow",
+      "Action": [
+        "ecr:GetAuthorizationToken"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "ECRPushPull",
+      "Effect": "Allow",
+      "Action": [
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:BatchGetImage",
+        "ecr:CompleteLayerUpload",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:InitiateLayerUpload",
+        "ecr:PutImage",
+        "ecr:UploadLayerPart"
+      ],
+      "Resource": [
+        "arn:aws:ecr:us-east-1:413576439231:repository/cloudpulse-backend",
+        "arn:aws:ecr:us-east-1:413576439231:repository/cloudpulse-frontend"
+      ]
+    },
+    {
+      "Sid": "ECSDeploy",
+      "Effect": "Allow",
+      "Action": [
+        "ecs:DescribeServices",
+        "ecs:DescribeTaskDefinition",
+        "ecs:RegisterTaskDefinition",
+        "ecs:UpdateService"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "PassTaskExecRole",
+      "Effect": "Allow",
+      "Action": "iam:PassRole",
+      "Resource": "arn:aws:iam::413576439231:role/cloudpulse-dev-task-exec-role"
+    }
+  ]
+}
diff --git a/trust-policy.json b/trust-policy.json
@@ -0,0 +1,20 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::413576439231:oidc-provider/token.actions.githubusercontent.com"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+        },
+        "StringLike": {
+          "token.actions.githubusercontent.com:sub": "repo:colecodesdev/cloudpulse:*"
+        }
+      }
+    }
+  ]
+}
