chore: deploy to app runner

Author: rcmonteiro

.github/workflows/ci.yml

@@ -71,12 +71,29 @@ jobs:
         uses: aws-actions/amazon-ecr-login@v2
 
       - name: Build and Push Docker image
+        id: build-docker-image
         env: 
           ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
           TAG: ${{ steps.create_tag.outputs.sha }}
         run: | 
           docker build -t $ECR_REGISTRY/rcmonteiro_devops_nest_ci:$TAG .
           docker push $ECR_REGISTRY/rcmonteiro_devops_nest_ci:$TAG
+          IMAGE=$(echo $ECR_REGISTRY/rcmonteiro_devops_nest_ci:$TAG)
+          echo "image=$IMAGE" >> $GITHUB_OUTPUT
+
+      - name: Deploy to AWS App Runner
+        uses: awslabs/amazon-app-runner-deploy@main
+        env: 
+          IMAGE: ${{ steps.build-docker-image.outputs.image }}
+        with: 
+          service: rcmonteiro_devops_nest_api
+          image: $IMAGE
+          access-role-arn: arn:aws:iam::381492262362:role/app_runner_role
+          region: us-east-2
+          cpu: 1
+          memory: 1
+          port: 3000
+
 
       # ------------------------------------------------------------
       # Exemplo de publicação no Docker Hub

iac/iam.tf

@@ -43,22 +43,36 @@ resource "aws_iam_role" "ecr_role" {
   inline_policy {
     name = "ecr-app-permission"
 
+    # Step 5: Insert the Statement for the apprunner and IAM
     policy = jsonencode({
       "Version": "2012-10-17",
       "Statement": [
         {
-            "Effect": "Allow",
-            "Action": [
-                "ecr:GetDownloadUrlForLayer",
-                "ecr:BatchGetImage",
-                "ecr:BatchCheckLayerAvailability",
-                "ecr:PutImage",
-                "ecr:InitiateLayerUpload",
-                "ecr:UploadLayerPart",
-                "ecr:CompleteLayerUpload",
-                "ecr:GetAuthorizationToken"
-            ],
-            "Resource": "*"
+         "Action": "apprunner:*" 
+         "Effect": "Allow",
+         "Resource": "*"
+        },
+        {
+         "Action": [
+            "iam:PassRole",
+            "iam:CreateServiceLinkedRole"
+         ],
+         "Effect": "Allow",
+         "Resource": "*"
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+              "ecr:GetDownloadUrlForLayer",
+              "ecr:BatchGetImage",
+              "ecr:BatchCheckLayerAvailability",
+              "ecr:PutImage",
+              "ecr:InitiateLayerUpload",
+              "ecr:UploadLayerPart",
+              "ecr:CompleteLayerUpload",
+              "ecr:GetAuthorizationToken"
+          ],
+          "Resource": "*"
         }
       ]
     })
@@ -69,5 +83,30 @@ resource "aws_iam_role" "ecr_role" {
   }
 }
 
+# Step 4: Create an IAM role for the App Runner
+resource "aws_iam_role" "app_runner_role" {
+  name = "app_runner_role"
 
+  assume_role_policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "build.apprunner.amazonaws.com"
+        },
+        "Action": "sts:AssumeRole"
+      }
+    ]
+  })
+
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  ]
+
+  tags = {
+    IaC = "True"
+  }
+}
 
+  

iac/terraform.tfstate

@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.8.5",
-  "serial": 13,
+  "serial": 20,
   "lineage": "822cea9a-3abf-0b83-a30a-b80aa636cd29",
   "outputs": {},
   "resources": [
@@ -75,6 +75,43 @@
         }
       ]
     },
+    {
+      "mode": "managed",
+      "type": "aws_iam_role",
+      "name": "app_runner_role",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::381492262362:role/app_runner_role",
+            "assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"build.apprunner.amazonaws.com\"}}],\"Version\":\"2012-10-17\"}",
+            "create_date": "2024-06-13T16:11:52Z",
+            "description": "",
+            "force_detach_policies": false,
+            "id": "app_runner_role",
+            "inline_policy": [],
+            "managed_policy_arns": [
+              "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            ],
+            "max_session_duration": 3600,
+            "name": "app_runner_role",
+            "name_prefix": "",
+            "path": "/",
+            "permissions_boundary": "",
+            "tags": {
+              "IaC": "True"
+            },
+            "tags_all": {
+              "IaC": "True"
+            },
+            "unique_id": "AROAVRUVV6XNP2VO6CZER"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "aws_iam_role",
@@ -93,7 +130,7 @@
             "inline_policy": [
               {
                 "name": "ecr-app-permission",
-                "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ecr:GetDownloadUrlForLayer\",\"ecr:BatchGetImage\",\"ecr:BatchCheckLayerAvailability\",\"ecr:PutImage\",\"ecr:InitiateLayerUpload\",\"ecr:UploadLayerPart\",\"ecr:CompleteLayerUpload\",\"ecr:GetAuthorizationToken\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
+                "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"apprunner:*\",\"Effect\":\"Allow\",\"Resource\":\"*\"},{\"Action\":[\"iam:PassRole\",\"iam:CreateServiceLinkedRole\"],\"Effect\":\"Allow\",\"Resource\":\"*\"},{\"Action\":[\"ecr:GetDownloadUrlForLayer\",\"ecr:BatchGetImage\",\"ecr:BatchCheckLayerAvailability\",\"ecr:PutImage\",\"ecr:InitiateLayerUpload\",\"ecr:UploadLayerPart\",\"ecr:CompleteLayerUpload\",\"ecr:GetAuthorizationToken\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
               }
             ],
             "managed_policy_arns": [],

iac/terraform.tfstate.backup

@@ -1,10 +1,50 @@
 {
   "version": 4,
   "terraform_version": "1.8.5",
-  "serial": 10,
+  "serial": 18,
   "lineage": "822cea9a-3abf-0b83-a30a-b80aa636cd29",
   "outputs": {},
   "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_ecr_repository",
+      "name": "rcmonteiro_devops_nest_api",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:ecr:us-east-2:381492262362:repository/rcmonteiro_devops_nest_ci",
+            "encryption_configuration": [
+              {
+                "encryption_type": "AES256",
+                "kms_key": ""
+              }
+            ],
+            "force_delete": null,
+            "id": "rcmonteiro_devops_nest_ci",
+            "image_scanning_configuration": [
+              {
+                "scan_on_push": true
+              }
+            ],
+            "image_tag_mutability": "MUTABLE",
+            "name": "rcmonteiro_devops_nest_ci",
+            "registry_id": "381492262362",
+            "repository_url": "381492262362.dkr.ecr.us-east-2.amazonaws.com/rcmonteiro_devops_nest_ci",
+            "tags": {
+              "IaC": "True"
+            },
+            "tags_all": {
+              "IaC": "True"
+            },
+            "timeouts": null
+          },
+          "sensitive_attributes": [],
+          "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjoxMjAwMDAwMDAwMDAwfX0="
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "aws_iam_openid_connect_provider",
@@ -35,6 +75,43 @@
         }
       ]
     },
+    {
+      "mode": "managed",
+      "type": "aws_iam_role",
+      "name": "app_runner_role",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "arn": "arn:aws:iam::381492262362:role/app_runner_role",
+            "assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"build.apprunner.amazonaws.com\"}}],\"Version\":\"2012-10-17\"}",
+            "create_date": "2024-06-13T16:11:52Z",
+            "description": "",
+            "force_detach_policies": false,
+            "id": "app_runner_role",
+            "inline_policy": [],
+            "managed_policy_arns": [
+              "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+            ],
+            "max_session_duration": 3600,
+            "name": "app_runner_role",
+            "name_prefix": "",
+            "path": "/",
+            "permissions_boundary": "",
+            "tags": {
+              "IaC": "True"
+            },
+            "tags_all": {
+              "IaC": "True"
+            },
+            "unique_id": "AROAVRUVV6XNP2VO6CZER"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA=="
+        }
+      ]
+    },
     {
       "mode": "managed",
       "type": "aws_iam_role",
@@ -53,7 +130,7 @@
             "inline_policy": [
               {
                 "name": "ecr-app-permission",
-                "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ecr:GetDownloadUrlForLayer\",\"ecr:BatchGetImage\",\"ecr:BatchCheckLayerAvailability\",\"ecr:PutImage\",\"ecr:InitiateLayerUpload\",\"ecr:UploadLayerPart\",\"ecr:CompleteLayerUpload\",\"ecr:GetAuthorizationToken\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
+                "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"apprunner:*\",\"Effect\":\"Allow\",\"Resource\":\"*\"},{\"Action\":[\"ecr:GetDownloadUrlForLayer\",\"ecr:BatchGetImage\",\"ecr:BatchCheckLayerAvailability\",\"ecr:PutImage\",\"ecr:InitiateLayerUpload\",\"ecr:UploadLayerPart\",\"ecr:CompleteLayerUpload\",\"ecr:GetAuthorizationToken\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"
               }
             ],
             "managed_policy_arns": [],