awslabs/ecs-refarch-continuous-deployment

Is it possible to use this architecture to deploy to ECS in another account?

Leoat12 opened this issue · 10 comments

I would like to use a similar architecture to deploy my application to ECS in another account, that way I would have the source (in my case, CodeCommit) and CodeBuild project in one account and the deployment on an ECS in another account. I found something similar in this article, but it uses CloudFormation to deploy to Lambda and since things can vary greatly from service to service, I decided to ask your opinions. Can it be done with the CodePipeline integration with ECS? If not, CloudFormation should work, right?
Thanks in advance for the help!

You can. You just have to add a cross-account role as the RoleArn for the Actions like you do for Lambda, and the pipeline role needs permissions to assume that role.

@joehillen Thank you for the answer!
You mean here, right? Like in this snippet.

- Name: Deploy
  Actions:
    - Name: Deploy
      ActionTypeId:
        Category: Deploy
        Owner: AWS
        Version: 1
        Provider: ECS
      Configuration:
        ClusterName: !Ref Cluster
        ServiceName: !Ref Service
        FileName: images.json
      InputArtifacts:
        - Name: BuildOutput
      RunOrder: 1
      RoleArn: [ROLE ARN]

On ClusterName and ServiceName I put the ARN, right? Since it is in another account.

No, you can use the simple names for the ClusterName and ServiceName. I don't know if the ARNs will work, it's worth a shot.

Okay, I will try and I will give feedback here which one works. Thanks!

Sorry for asking one more question, but I think I'm stuck on the deploy stage. I did exactly what I said above: I added the RoleArn on the deploy stage as illustrated below:

- Name: Deploy
  Actions:
    - Name: Deploy
      ActionTypeId:
        Category: Deploy
        Owner: AWS
        Version: 1
        Provider: ECS
      Configuration:
        ClusterName: !Ref Cluster
        ServiceName: !Ref Service
        FileName: images.json
      InputArtifacts:
        - Name: BuildOutput
      RunOrder: 1
      RoleArn: !Sub arn:aws:iam::${DevAccount}:role/toolsAccountRole

The pipeline goes just fine until the deploy stage where it gives this error:
Unable to access the artifact with Amazon S3 object key 'XXXX' located in the Amazon S3 artifact bucket 'YYYY'. The provided role does not have sufficient permissions.

I think it is referring to the role the pipeline assumed, described in the snippet above, but I'm sure it has all the permissions required to access the bucket. I gave full access to S3 on the policy itself, I gave full access to this role on the Bucket Policy as well, and I gave permission to the role to use the KMS key the pipeline is using to encrypt and decrypt the artifacts. Am I missing something?

Thanks again for the help!
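To make the earlier answer concrete (a cross-account role passed as the action's RoleArn, plus the pipeline role being allowed to assume it) and to show the pieces that the artifact-access error above depends on, here is an added example that is not part of this repository or of anyone's comment in the thread. It assumes the role name `toolsAccountRole` used above, a customer managed KMS key on the pipeline's artifact store (the AWS-managed default key cannot be granted to another account), and the parameter names `ToolsAccountId`, `DevAccount`, `ArtifactBucket`, `ArtifactKeyArn` and `PipelineRoleName`, which are all placeholders. The two templates go into different accounts; the `---` separator only keeps them in one listing.

```yaml
# Template 1: deployed in the ECS (target) account.
# This is the role the ECS deploy action assumes through RoleArn.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ToolsAccountId:     # placeholder: account that owns the pipeline
    Type: String
  ArtifactBucket:     # placeholder: artifact bucket in the tools account
    Type: String
  ArtifactKeyArn:     # placeholder: customer managed key ARN of the artifact store
    Type: String
Resources:
  CrossAccountDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: toolsAccountRole          # name used in the thread
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Assumption: trust the whole tools account. Narrow this to the
              # pipeline role ARN once that role exists.
              AWS: !Sub arn:aws:iam::${ToolsAccountId}:root
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EcsDeploy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow            # calls made by the ECS deploy action
                Action:
                  - ecs:DescribeServices
                  - ecs:DescribeTaskDefinition
                  - ecs:DescribeTasks
                  - ecs:ListTasks
                  - ecs:RegisterTaskDefinition
                  - ecs:UpdateService
                Resource: '*'            # RegisterTaskDefinition needs '*'
              - Effect: Allow            # task/execution roles in the new task def
                Action: iam:PassRole
                Resource: '*'
                Condition:
                  StringEqualsIfExists:
                    iam:PassedToService: ecs-tasks.amazonaws.com
              - Effect: Allow            # read the BuildOutput artifact
                Action:
                  - s3:GetObject
                  - s3:GetObjectVersion
                  - s3:GetBucketVersioning
                Resource:
                  - !Sub arn:aws:s3:::${ArtifactBucket}
                  - !Sub arn:aws:s3:::${ArtifactBucket}/*
              - Effect: Allow            # decrypt it with the tools account key
                Action:
                  - kms:Decrypt
                  - kms:DescribeKey
                Resource: !Ref ArtifactKeyArn
Outputs:
  DeployRoleArn:
    Value: !GetAtt CrossAccountDeployRole.Arn
---
# Template 2: deployed in the tools (pipeline) account. Only the cross-account
# pieces are shown; the pipeline, its role, bucket and key are assumed to exist.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DevAccount:         # placeholder: account that runs the ECS cluster
    Type: String
  PipelineRoleName:   # placeholder: name of the existing CodePipeline role
    Type: String
  ArtifactBucket:     # placeholder: existing artifact bucket name
    Type: String
Resources:
  AllowAssumeDeployRole:                 # pipeline role may assume the action role
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AssumeCrossAccountDeployRole
      Roles: [!Ref PipelineRoleName]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !Sub arn:aws:iam::${DevAccount}:role/toolsAccountRole
  ArtifactBucketPolicy:                  # replaces any existing bucket policy
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ArtifactBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${DevAccount}:role/toolsAccountRole
            Action:
              - s3:GetObject
              - s3:GetObjectVersion
              - s3:GetBucketVersioning
            Resource:
              - !Sub arn:aws:s3:::${ArtifactBucket}
              - !Sub arn:aws:s3:::${ArtifactBucket}/*
```

Three things have to line up for the deploy action to read the artifact: the assumed role's own policy (template 1), the bucket policy in the tools account (template 2), and the key policy of the customer managed KMS key used by the pipeline's ArtifactStore, which must carry a statement granting `kms:Decrypt` and `kms:DescribeKey` to the `toolsAccountRole` principal in the DevAccount; that key-policy statement is not shown above. An identity policy alone is not enough, because the bucket and the key belong to a different account than the role.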

I was able to make it work after deleting the role I was using above and redoing it with CloudFormation (have done the previous one with the visual editor). I don't know what was the difference exactly, but it worked. Very strange... Anyway, thank you for the help so far!

May I know in some detail how it worked?

I also have a problem, like "The cluster xxx does not exist". Any idea? Thanks

It seems like it doesn't assume that role correctly???

I have the same issue. I get "The AWS ECS cluster ****** does not exist." even though my pipeline role has enough permissions. Anyone who can provide a working sample?

I had to delete the action (temporarily remove from cloudformation/cdk) and then add it back in order to work around the "cluster does not exist" issue so it would respect the account/region props I added late. Still stuck on the permission issue mentioned here.