How to deploy a Docker image from GitLab CI registry to Amazon ECS?

The only documentation I could find is with an Amazon registry (ECR) but nothing with a GitLab registry.

Here is my .gitlab-ci.yml that includes the steps build and push to the GitLab registry:

image: docker:19

services:
  - docker:dind

stages:
  - build
  - registry-update

.build-template: &buildTemplate
  stage: build
  script:
    - docker build --build-arg VERSION=$BUILD_VERSION --target $BUILD_TARGET -t $BUILD_IMAGE:$BUILD_TARGET -f $BUILD_DOCKERFILE $BUILD_CONTEXT
  after_script:
    - mkdir -p build/$BUILD_IMAGE
    - docker save $BUILD_IMAGE:$BUILD_TARGET -o build/$BUILD_IMAGE/$BUILD_TARGET.tar
  artifacts:
    name: $CI_JOB_NAME-${CI_COMMIT_SHORT_SHA}
    expire_in: 1 day
    paths:
      - build/$BUILD_IMAGE
  dependencies: []

build-php-fpm-test:
  <<: *buildTemplate
  variables:
    BUILD_IMAGE: myproject-php-fpm
    BUILD_TARGET: dev
    BUILD_DOCKERFILE: docker/php/Dockerfile
    BUILD_CONTEXT: .
  before_script:
    - source .env && export BUILD_VERSION=$PHP_TAG

.registry-update-template: &registryUpdateTemplate
  stage: registry-update
  before_script:
    - docker load -i build/$BUILD_IMAGE/$BUILD_TARGET.tar
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker tag $BUILD_IMAGE:$BUILD_TARGET $IMAGE_TAG
    - docker push $IMAGE_TAG

registry-update-php-fpm-test:
  <<: *registryUpdateTemplate
  variables:
    BUILD_IMAGE: myproject-php-fpm
    BUILD_TARGET: dev
    IMAGE_TAG: $CI_REGISTRY_IMAGE/$BUILD_IMAGE:$CI_COMMIT_REF_SLUG
  dependencies:
    - build-php-fpm-test

But now I need to deploy to Amazon ECS. I checked the documentation but it does not mention how to define the image name for the task definition. I also found this issue but there is no mention about how to use the related feature.

What is the correct way to define a deploy step from GitLab registry to Amazon ECS?



Solution 1:[1]

Check out the ecs-deploy tool: https://github.com/fabfuel/ecs-deploy. You can deploy your task using any registry (quay, dockerhub etc.), e.g.:

ecs deploy <ecs_cluster> <ecs_service> --image <container_name> <container_repo>:<container_tag>

If you want to deploy a specific task you can also add the parameter --task <task_family>:<task_revision> to ecs deploy. Of course it should be in another step in your .gitlab-ci.yml.

Solution 2:[2]

I managed to do it with a deploy token from GitLab + a task role for private registry on Amazon:

  1. Create deploy token in Settings -> Repository with read_registry scope
  2. Follow the guide to create 1) a secret holding the token, 2) a task role with access to the secret
  3. Now create a task definition with new role:
    • One setting 2
    • And another below 3
  4. Then add container with auth using the secret: 4

Both AWS and GitLab docs are incredibly confusing to me. Try following AWS docs literally, e.g. make sure you add secrets access to the new role as Inline as the docs say. Trying to do what I thought I needed to do instead of just following the docs cost me a couple of hours.
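The pieces that Solution 2's steps produce, as an added example that is not part of the original answers: the Secrets Manager secret body for the deploy token, an inline policy scoped to that one secret, a task definition whose container carries repositoryCredentials, and a check that the three agree. The ARNs, account id, image path, the registry.gitlab.com host and all function names are constructed assumptions; ECS reads the secret with the role named in executionRoleArn.

```python
import json

# Constructed placeholder values (assumptions, not from the original answers).
SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:gitlab-deploy-token-EXAMPLE"
EXEC_ROLE_ARN = "arn:aws:iam::111122223333:role/exampleTaskExecutionRole"
IMAGE = "registry.gitlab.com/mygroup/myproject/myproject-php-fpm:master"

def secret_string(username, token):
    """Secrets Manager SecretString in the shape ECS reads for registry auth."""
    return json.dumps({"username": username, "password": token})

def inline_policy(secret_arn):
    """Inline policy for the execution role: read this one secret, nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": [secret_arn]}]}

def task_definition(family, image, secret_arn, exec_role_arn):
    """Task definition whose container pulls from the private registry."""
    return {"family": family, "executionRoleArn": exec_role_arn,
            "containerDefinitions": [{
                "name": family, "image": image, "essential": True, "memory": 256,
                "repositoryCredentials": {"credentialsParameter": secret_arn}}]}

def lint(task_def, policy):
    """List the problems that would fail the image pull or over-grant access."""
    problems = []
    if not task_def.get("executionRoleArn"):
        problems.append("no executionRoleArn: ECS has no role to read the secret with")
    # Assumes Resource is a list, as inline_policy() emits it.
    readable = {arn for s in policy["Statement"] if s["Effect"] == "Allow"
                for arn in s["Resource"]}
    if "*" in readable:
        problems.append("policy grants GetSecretValue on every secret")
    for c in task_def["containerDefinitions"]:
        cred = c.get("repositoryCredentials", {}).get("credentialsParameter")
        if c["image"].startswith("registry.gitlab.com/") and not cred:
            problems.append(f"{c['name']}: GitLab image without repositoryCredentials")
        elif cred and cred not in readable and "*" not in readable:
            problems.append(f"{c['name']}: execution role cannot read {cred}")
    return problems

if __name__ == "__main__":
    td = task_definition("myproject-php-fpm", IMAGE, SECRET_ARN, EXEC_ROLE_ARN)
    print(json.dumps(td, indent=2))  # usable with `aws ecs register-task-definition`
    print(json.dumps(inline_policy(SECRET_ARN), indent=2))
    print(lint(td, inline_policy(SECRET_ARN)))
```

If the secret is encrypted with a customer-managed KMS key, the execution role also needs kms:Decrypt on that key.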

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 papaduda
Solution 2