Skip to main content
Version: v3.7 (deprecated)

CircleCI

Deploy to AWS ECS from ECR via CircleCI 2.0

This is an example of how to build and test a Dockerized web application on CircleCI, push the Docker image to an Amazon Elastic Container Registry (ECR).

Alternative branches

Configure environment variables on CircleCI

The following environment variables must be set for the project on CircleCI via the project settings page, before the project can be built successfully.

VariableDescription
AWS_ACCESS_KEY_IDUsed by the AWS CLI
AWS_SECRET_ACCESS_KEYUsed by the AWS CLI
AWS_DEFAULT_REGIONUsed by the AWS CLI. Example value: "us-east-1" (Please make sure the specified region is supported by the Fargate launch type)
AWS_ACCOUNT_IDAWS account id. This information is required for deployment.
AWS_RESOURCE_NAME_PREFIXPrefix that some of the required AWS resources are assumed to have in their names. The value should correspond to the AWS ECR repository name or aws_resource_prefix variable value in terraform_setup/terraform.tfvars.
DEEPFENCE_CONSOLE_URLDeepfence management console url
FAIL_CVE_COUNTFail the build if number of vulnerabilities found >= this value. Set -1 to pass regardless of vulnerabilities.
FAIL_CRITICAL_CVE_COUNTFail the build if number of critical vulnerabilities found >= this value. Set -1 to pass regardless of critical vulnerabilities.
FAIL_HIGH_CVE_COUNTFail the build if number of high vulnerabilities found >= this value. Set -1 to pass regardless of high vulnerabilities.
FAIL_MEDIUM_CVE_COUNTFail the build if number of medium vulnerabilities found >= this value. Set -1 to pass regardless of medium vulnerabilities.
FAIL_LOW_CVE_COUNTFail the build if number of low vulnerabilities found >= this value. Set -1 to pass regardless of low vulnerabilities.
FAIL_CVE_SCOREFail the build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score.

Sample Circle CI YAML

version: 2
jobs:
build:
docker:
- image: circleci/golang:1.8
steps:
- checkout
- setup_remote_docker
- run:
name: Make the executable
command: |
go build -o demo-app src/main.go
- run:
name: Setup common environment variables
command: |
echo 'export ECR_REPOSITORY_NAME="${AWS_RESOURCE_NAME_PREFIX}"' >> $BASH_ENV
echo 'export FULL_IMAGE_NAME="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${ECR_REPOSITORY_NAME}:${CIRCLE_SHA1}"' >> $BASH_ENV
- run:
name: Build image
command: |
docker build -t $FULL_IMAGE_NAME .
- run:
name: Run Deepfence Vulnerability Scan
command: |
docker run -it --rm --net=host -v /var/run/docker.sock:/var/run/docker.sock quay.io/deepfenceio/deepfence_package_scanner:3.7.3 -mgmt-console-url=$DEEPFENCE_CONSOLE_URL -deepfence-key="$DEEPFENCE_KEY" -vulnerability-scan=true -output=table -mode=local -source="$FULL_IMAGE_NAME" -fail-on-count=$FAIL_CVE_COUNT -fail-on-critical-count=$FAIL_CRITICAL_CVE_COUNT -fail-on-high-count=$FAIL_HIGH_CVE_COUNT -fail-on-medium-count=$FAIL_MEDIUM_CVE_COUNT -fail-on-low-count=$FAIL_LOW_CVE_COUNT -fail-on-score=$FAIL_CVE_SCORE -scan-type=base,java,python,ruby,php,nodejs,js,dotnet
- run:
name: Test image
command: |
docker run -d -p 8080:8080 --name built-image $FULL_IMAGE_NAME
sleep 10
docker run --network container:built-image appropriate/curl --retry 10 --retry-connrefused http://localhost:8080 | grep "Hello World!"
- run:
name: Save image to an archive
command: |
mkdir docker-image
docker save -o docker-image/image.tar $FULL_IMAGE_NAME
- persist_to_workspace:
root: .
paths:
- docker-image
deploy:
docker:
- image: circleci/python:3.6.1
environment:
AWS_DEFAULT_OUTPUT: json
steps:
- checkout
- setup_remote_docker
- attach_workspace:
at: workspace
- restore_cache:
key: v1-{{ checksum "requirements.txt" }}
- run:
name: Install awscli
command: |
python3 -m venv venv
. venv/bin/activate
pip install -r requirements.txt
- save_cache:
key: v1-{{ checksum "requirements.txt" }}
paths:
- "venv"
- run:
name: Load image
command: |
docker load --input workspace/docker-image/image.tar
- run:
name: Setup common environment variables
command: |
echo 'export ECR_REPOSITORY_NAME="${AWS_RESOURCE_NAME_PREFIX}"' >> $BASH_ENV
- run:
name: Push image
command: |
. venv/bin/activate
eval $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$ECR_REPOSITORY_NAME:$CIRCLE_SHA1
workflows:
version: 2
build-deploy:
jobs:
- build
- deploy:
requires:
- build

References