Only recreate task definition in infrastructure on critical chances

- Also update deployment pipeline to reset parameter store variable from
  config

Author: TheOneFromNorway

.github/workflows/deploy-application.yml

@@ -41,6 +41,10 @@ on:
         description: The git commit SHA to deploy.
         required: true
         type: string
+      git_ref_to_deploy:
+        description: The git ref to deploy (branch, tag, or commit SHA).
+        required: false
+        type: string
 
 permissions: {}
 
@@ -52,11 +56,8 @@ env:
     && 'arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure'
     || 'arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure' }}
   aws_account_id: ${{ inputs.environment == 'production' && '820242920762' || '393416225559' }}
-  web_codedeploy_application: mavis-${{ inputs.environment }}
-  web_codedeploy_group: blue-green-group-${{ inputs.environment }}
   cluster_name: mavis-${{ inputs.environment }}
-  good_job_service: mavis-${{ inputs.environment }}-good-job
-  web_service: mavis-${{ inputs.environment }}-web
+  app_version: ${{ inputs.git_ref_to_deploy == '' && 'unknown' || inputs.git_ref_to_deploy }}
 
 jobs:
   prepare-deployment:
@@ -75,6 +76,13 @@ jobs:
         with:
           role-to-assume: ${{ env.aws-role }}
           aws-region: eu-west-2
+      - name: Setup python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.12.3
+          cache: pip
+      - name: Install Python dependencies
+        run: python3 -m pip install -r script/requirements.txt
       - name: Get image digest
         id: get-image-digest
         run: |
@@ -90,33 +98,39 @@ jobs:
           parsed_env_vars=$(yq -r '.environments.${{ inputs.environment }} | to_entries | .[] | .key + "=" + .value' config/container_variables.yml)
           echo "parsed_env_vars=$parsed_env_vars" >> $GITHUB_OUTPUT
       - name: Populate web task definition
-        if: inputs.server_types == 'web' || inputs.server_types == 'all'
+        if: ${{ inputs.server_types == 'web' || inputs.server_types == 'all' }}
         id: create-web-task-definition
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition-family: "mavis-web-task-definition-${{ inputs.environment }}"
           container-name: "application"
           image: "${{ env.aws_account_id }}.dkr.ecr.eu-west-2.amazonaws.com/mavis/webapp@${{ steps.get-image-digest.outputs.digest }}"
           environment-variables: ${{ steps.parse-environment-variables.outputs.parsed_env_vars }}
-          secrets: |  # We can define secrets here too if we want
-            RAILS_MASTER_KEY=/copilot/mavis/secrets/STAGING_RAILS_MASTER_KEY
       - name: Populate good-job task definition
-        if: inputs.server_types == 'good-job' || inputs.server_types == 'all'
+        if: ${{ inputs.server_types == 'good-job' || inputs.server_types == 'all' }}
         id: create-good-job-task-definition
         uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
           task-definition-family: "mavis-good-job-task-definition-${{ inputs.environment }}"
           container-name: "application"
           image: "${{ env.aws_account_id }}.dkr.ecr.eu-west-2.amazonaws.com/mavis/webapp@${{ steps.get-image-digest.outputs.digest }}"
           environment-variables: ${{ steps.parse-environment-variables.outputs.parsed_env_vars }}
+      - name: Populate SSM parameters for web service
+        if: ${{ inputs.server_types == 'web' || inputs.server_types == 'all' }}
+        run: |
+          python3 script/populate_ssm_parameters.py ${{ inputs.environment }} web --app_version=${{ env.app_version }}
+      - name: Populate SSM parameters for good-job service
+        if: ${{ inputs.server_types == 'good-job' || inputs.server_types == 'all' }}
+        run: |
+          python3 script/populate_ssm_parameters.py ${{ inputs.environment }} good-job --app_version=${{ env.app_version }}
       - name: Upload artifact for web task definition
-        if: inputs.server_types == 'web' || inputs.server_types == 'all'
+        if: ${{ inputs.server_types == 'web' || inputs.server_types == 'all' }}
         uses: actions/upload-artifact@v4
         with:
           name: ${{ inputs.environment }}-web-task-definition
           path: ${{ steps.create-web-task-definition.outputs.task-definition }}
       - name: Upload artifact for good-job task definition
-        if: inputs.server_types == 'good-job' || inputs.server_types == 'all'
+        if: ${{ inputs.server_types == 'good-job' || inputs.server_types == 'all' }}
         uses: actions/upload-artifact@v4
         with:
           name: ${{ inputs.environment }}-good-job-task-definition
@@ -132,7 +146,7 @@ jobs:
   deploy-web:
     name: Deploy web service
     runs-on: ubuntu-latest
-    if: inputs.server_types == 'web' || inputs.server_types == 'all'
+    if: ${{ inputs.server_types == 'web' || inputs.server_types == 'all' }}
     needs: [ prepare-deployment, approve-deployments ]
     permissions:
       id-token: write
@@ -164,9 +178,9 @@ jobs:
           task-definition: ${{ needs.prepare-deployment.outputs.web-task-definition-path }}
           codedeploy-appspec: appspec.yaml
           cluster: ${{ env.cluster_name }}
-          service: ${{ env.web_service }}
-          codedeploy-application: ${{ env.web_codedeploy_application }}
-          codedeploy-deployment-group: ${{ env.web_codedeploy_group }}
+          service: mavis-${{ inputs.environment }}-web
+          codedeploy-application: mavis-${{ inputs.environment }}
+          codedeploy-deployment-group: blue-green-group-${{ inputs.environment }}
       - name: Wait for deployment to complete
         run: |
           echo "Waiting for CodeDeploy deployment ${{ steps.deploy-web-service.outputs.codedeploy-deployment-id }} to complete..."
@@ -176,7 +190,7 @@ jobs:
   deploy-good-job:
     name: Deploy good-job service
     runs-on: ubuntu-latest
-    if: inputs.server_types == 'good-job' || inputs.server_types == 'all'
+    if: ${{ inputs.server_types == 'good-job' || inputs.server_types == 'all' }}
     needs: [ prepare-deployment, approve-deployments ]
     permissions:
       id-token: write
@@ -196,6 +210,6 @@ jobs:
         with:
           task-definition: ${{ needs.prepare-deployment.outputs.good-job-task-definition-path }}
           cluster: ${{ env.cluster_name }}
-          service: ${{ env.good_job_service }}
+          service: mavis-${{ inputs.environment }}-good-job
           force-new-deployment: true
           wait-for-service-stability: true

.github/workflows/deploy-infrastructure.yml

@@ -48,25 +48,6 @@ jobs:
         with:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
-      - name: Set image tag
-        run: |
-          IMAGE_TAG="${{ inputs.image_tag || github.sha }}"
-          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
-      - name: Login to ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
-      - name: Pull Docker image
-        run: |
-          set -e
-          DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:${IMAGE_TAG}"
-          docker pull "$DOCKER_IMAGE"
-          echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> $GITHUB_ENV
-      - name: Extract image digest
-        run: |
-          set -e
-          DOCKER_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$DOCKER_IMAGE")
-          DIGEST="${DOCKER_DIGEST#*@}"
-          echo "DIGEST=$DIGEST" >> $GITHUB_ENV
       - name: Install terraform
         uses: hashicorp/setup-terraform@v3
         with:
@@ -78,7 +59,7 @@ jobs:
         run: |
           set -e
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-          terraform plan -var="image_digest=$DIGEST" -var="app_version=${{ env.git_ref_to_deploy }}"  \
+          terraform plan \
           -var-file="env/${{ inputs.environment }}.tfvars" \
           -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
           TF_EXIT_CODE=${PIPESTATUS[0]}

.github/workflows/deploy.yml

@@ -155,3 +155,4 @@ jobs:
       environment: ${{ inputs.environment }}
       server_types: ${{ inputs.server_types }}
       git_sha_to_deploy: ${{ needs.determine-git-sha.outputs.git-sha }}
+      app_version: ${{ inputs.git_ref_to_deploy }}

script/populate_ssm_parameters.py

@@ -33,11 +33,11 @@ def extract_cloud_variables(config: Dict[str, Any], environment: str, server_typ
     return cloud_vars
 
 
-def update_ssm_parameter(parameter_name: str, values: List[str]) -> None:
+def update_ssm_parameter(parameter_name: str, values: List[str], app_version: str) -> None:
     """Update SSM parameter with StringList values."""
     try:
         ssm = boto3.client('ssm')
-
+        values.append(f"app_version={app_version}")
         string_list = ','.join(values)
 
         print(f"Updating SSM parameter: {parameter_name}")
@@ -69,6 +69,7 @@ def main():
     parser.add_argument('server_type', help='Server type')
     parser.add_argument('-c', '--config-file', default='config/container_variables.yml', 
                        help='Container variables file path (default: config/container_variables.yml)')
+    parser.add_argument('--app-version', default='unknown', help='Application version (default: unknown)')
 
     args = parser.parse_args()
 
@@ -81,7 +82,7 @@ def main():
     cloud_vars = extract_cloud_variables(config, args.environment, args.server_type)
 
     ssm_parameter_path = f"/{args.environment}/envs/{args.server_type}"
-    update_ssm_parameter(ssm_parameter_path, cloud_vars)
+    update_ssm_parameter(ssm_parameter_path, cloud_vars, args.app_version)
 
     print(f"Cloud variables updated successfully")
 

terraform/app/ecs.tf

@@ -31,7 +31,6 @@ module "web_service" {
     }])
     cpu                  = 1024
     memory               = 2048
-    docker_image         = "${var.account_id}.dkr.ecr.eu-west-2.amazonaws.com/${var.docker_image}@${var.image_digest}"
     execution_role_arn   = aws_iam_role.ecs_task_execution_role.arn
     task_role_arn        = aws_iam_role.ecs_task_role.arn
     log_group_name       = aws_cloudwatch_log_group.ecs_log_group.name
@@ -75,7 +74,6 @@ module "good_job_service" {
     }])
     cpu                  = 1024
     memory               = 2048
-    docker_image         = "${var.account_id}.dkr.ecr.eu-west-2.amazonaws.com/${var.docker_image}@${var.image_digest}"
     execution_role_arn   = aws_iam_role.ecs_task_execution_role.arn
     task_role_arn        = aws_iam_role.ecs_task_role.arn
     log_group_name       = aws_cloudwatch_log_group.ecs_log_group.name

terraform/app/modules/ecs_service/main.tf

@@ -69,6 +69,12 @@ resource "aws_ecs_service" "this" {
   }
 }
 
+resource "terraform_data" "this" {
+  input = [
+    var.server_type, var.task_config, var.container_name
+  ]
+}
+
 resource "aws_ecs_task_definition" "this" {
   family                   = "mavis-${local.server_type_name}-task-definition-${var.environment}"
   requires_compatibilities = ["FARGATE"]
@@ -80,7 +86,7 @@ resource "aws_ecs_task_definition" "this" {
   container_definitions = jsonencode([
     {
       name      = var.container_name
-      image     = var.task_config.docker_image
+      image     = "CHANGE_ME"
       essential = true
       portMappings = [
         {
@@ -108,7 +114,8 @@ resource "aws_ecs_task_definition" "this" {
     }
   ])
   lifecycle {
-    ignore_changes = all
+    ignore_changes       = all
+    replace_triggered_by = [terraform_data.this]
   }
 }
 

terraform/app/modules/ecs_service/variables.tf

@@ -58,7 +58,6 @@ variable "task_config" {
     }))
     cpu                  = number
     memory               = number
-    docker_image         = string
     execution_role_arn   = string
     task_role_arn        = string
     log_group_name       = string

terraform/app/variables.tf

@@ -104,19 +104,6 @@ variable "rails_master_key_path" {
   nullable    = false
 }
 
-variable "docker_image" {
-  type        = string
-  default     = "mavis/webapp"
-  description = "The docker image name for the essential container in the task definition"
-  nullable    = false
-}
-
-variable "image_digest" {
-  type        = string
-  description = "The docker image digest for the essential container in the task definition."
-  nullable    = false
-}
-
 locals {
   is_production = var.environment == "production"
   parameter_store_variables = tomap({ #TODO: Remove this once all variables are sourced from application config