Skip to main content
Version: v3.8 (deprecated)

CircleCI

Deploy to AWS ECS from ECR via CircleCI 2.0

This is an example of how to build and test a Dockerized web application on CircleCI, push the Docker image to an Amazon Elastic Container Registry (ECR).

Alternative branches

Configure environment variables on CircleCI

The following environment variables must be set for the project on CircleCI via the project settings page, before the project can be built successfully.

VariableDescription
AWS_ACCESS_KEY_IDUsed by the AWS CLI
AWS_SECRET_ACCESS_KEYUsed by the AWS CLI
AWS_DEFAULT_REGIONUsed by the AWS CLI. Example value: "us-east-1" (Please make sure the specified region is supported by the Fargate launch type)
AWS_ACCOUNT_IDAWS account id. This information is required for deployment.
AWS_RESOURCE_NAME_PREFIXPrefix that some of the required AWS resources are assumed to have in their names. The value should correspond to the AWS ECR repository name or aws_resource_prefix variable value in terraform_setup/terraform.tfvars.
DEEPFENCE_CONSOLE_URLDeepfence management console url
FAIL_CVE_COUNTFail the build if number of vulnerabilities found >= this value. Set -1 to pass regardless of vulnerabilities.
FAIL_CRITICAL_CVE_COUNTFail the build if number of critical vulnerabilities found >= this value. Set -1 to pass regardless of critical vulnerabilities.
FAIL_HIGH_CVE_COUNTFail the build if number of high vulnerabilities found >= this value. Set -1 to pass regardless of high vulnerabilities.
FAIL_MEDIUM_CVE_COUNTFail the build if number of medium vulnerabilities found >= this value. Set -1 to pass regardless of medium vulnerabilities.
FAIL_LOW_CVE_COUNTFail the build if number of low vulnerabilities found >= this value. Set -1 to pass regardless of low vulnerabilities.
FAIL_CVE_SCOREFail the build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score.

Sample Circle CI YAML

version: 2
jobs:
  build:
    docker:
      - image: circleci/golang:1.8
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Make the executable
          command: |
            go build -o demo-app src/main.go
      - run:
          name: Setup common environment variables
          command: |
            echo 'export ECR_REPOSITORY_NAME="${AWS_RESOURCE_NAME_PREFIX}"' >> $BASH_ENV
            echo 'export FULL_IMAGE_NAME="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${ECR_REPOSITORY_NAME}:${CIRCLE_SHA1}"' >> $BASH_ENV
      - run:
          name: Build image
          command: |
            docker build -t $FULL_IMAGE_NAME .
      - run:
          name: Run Deepfence Vulnerability Scan
          command: |
            docker run -it --rm --net=host -v /var/run/docker.sock:/var/run/docker.sock quay.io/deepfenceio/deepfence_package_scanner:3.8.0 -mgmt-console-url=$DEEPFENCE_CONSOLE_URL -deepfence-key="$DEEPFENCE_KEY" -vulnerability-scan=true -output=table -mode=local -source="$FULL_IMAGE_NAME" -fail-on-count=$FAIL_CVE_COUNT -fail-on-critical-count=$FAIL_CRITICAL_CVE_COUNT -fail-on-high-count=$FAIL_HIGH_CVE_COUNT -fail-on-medium-count=$FAIL_MEDIUM_CVE_COUNT -fail-on-low-count=$FAIL_LOW_CVE_COUNT -fail-on-score=$FAIL_CVE_SCORE -scan-type=base,java,python,ruby,php,nodejs,js,dotnet
      - run:
          name: Test image
          command: |
            docker run -d -p 8080:8080 --name built-image $FULL_IMAGE_NAME
            sleep 10
            docker run --network container:built-image appropriate/curl --retry 10 --retry-connrefused http://localhost:8080 | grep "Hello World!"
      - run:
          name: Save image to an archive
          command: |
            mkdir docker-image
            docker save -o docker-image/image.tar $FULL_IMAGE_NAME
      - persist_to_workspace:
          root: .
          paths:
            - docker-image
  deploy:
    docker:
      - image: circleci/python:3.6.1
    environment:
      AWS_DEFAULT_OUTPUT: json
    steps:
      - checkout
      - setup_remote_docker
      - attach_workspace:
          at: workspace
      - restore_cache:
          key: v1-{{ checksum "requirements.txt" }}
      - run:
          name: Install awscli
          command: |
            python3 -m venv venv
            . venv/bin/activate
            pip install -r requirements.txt
      - save_cache:
          key: v1-{{ checksum "requirements.txt" }}
          paths:
            - "venv"
      - run:
          name: Load image
          command: |
            docker load --input workspace/docker-image/image.tar
      - run:
          name: Setup common environment variables
          command: |
            echo 'export ECR_REPOSITORY_NAME="${AWS_RESOURCE_NAME_PREFIX}"' >> $BASH_ENV
      - run:
          name: Push image
          command: |
            . venv/bin/activate
            eval $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
            docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$ECR_REPOSITORY_NAME:$CIRCLE_SHA1
workflows:
  version: 2
  build-deploy:
    jobs:
      - build
      - deploy:
          requires:
            - build

References