feat(ci): setup container image management

Signed-off-by: Theo Bob Massard <tbobm@protonmail.com>

Author: tbobm

.github/workflows/migration.yaml

@@ -14,6 +14,7 @@ jobs:
     env:
       AWS_REGION: eu-west-1
       CLUSTER_NAME: sample-cluster
+      ECR_REPO: db-migration
       TASK_DEFINITION: db-migration-job
       SUBNET_ID: subnet-abc123
       SECURITY_GROUP_ID: sg-abc123
@@ -27,14 +28,33 @@ jobs:
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsDeploymentRole
-          aws-region: ${{ env.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Get container image tag (git hash)
+        id: image-vars
+        run: |
+          echo "image-uri=${{ steps.login-ecr.outputs.registry }}/${{ vars.ECR_REPO }}:${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Container Image to ECR
+        id: build-image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: ${{ steps.image-vars.outputs.image-uri }}
+          provenance: false
+          platforms: "linux/amd64"
 
       - name: Fetch latest task definition
         id: get-task-def
         run: |
-          aws ecs describe-task-definition --task-definition $TASK_DEFINITION \
-            --region $AWS_REGION > taskdef.json
+          aws ecs describe-task-definition --task-definition "$TASK_DEFINITION" \
+            --region "$AWS_REGION" > taskdef.json
 
       - name: Fill in the new image ID in the Amazon ECS task definition
         id: updated-task-def
@@ -54,30 +74,30 @@ jobs:
         id: run-task
         run: |
           TASK_ARN=$(aws ecs run-task \
-            --cluster $CLUSTER_NAME \
+            --cluster "$CLUSTER_NAME" \
             --launch-type FARGATE \
             --network-configuration "awsvpcConfiguration={subnets=[$SUBNET_ID],securityGroups=[$SECURITY_GROUP_ID],assignPublicIp=DISABLED}" \
-            --task-definition ${{ steps.register-task-def.outputs.task_def_arn }} \
-            --region $AWS_REGION \
+            --task-definition "${{ steps.register-task-def.outputs.task_def_arn }}" \
+            --region "$AWS_REGION" \
             --started-by github-actions \
             --query 'tasks[0].taskArn' \
             --output text)
 
-          echo "task_arn=$TASK_ARN" >> $GITHUB_OUTPUT
+          echo "task_arn=$TASK_ARN" >> "$GITHUB_OUTPUT"
 
       - name: Wait for task to complete
         run: |
           aws ecs wait tasks-stopped \
-            --cluster $CLUSTER_NAME \
-            --tasks ${{ steps.run-task.outputs.task_arn }} \
-            --region $AWS_REGION
+            --cluster "$CLUSTER_NAME" \
+            --tasks "${{ steps.run-task.outputs.task_arn }}" \
+            --region "$AWS_REGION"
 
       - name: Check task exit code
         run: |
           EXIT_CODE=$(aws ecs describe-tasks \
-            --cluster $CLUSTER_NAME \
+            --cluster "$CLUSTER_NAME" \
             --tasks ${{ steps.run-task.outputs.task_arn }} \
-            --region $AWS_REGION \
+            --region "$AWS_REGION" \
             --query "tasks[0].containers[?name=='${CONTAINER_NAME}'].exitCode" \
             --output text)
 
@@ -87,4 +107,3 @@ jobs:
             echo "Migration task failed with exit code $EXIT_CODE"
             exit 1
           fi
-

terraform/ecr.tf

@@ -0,0 +1,9 @@
+resource "aws_ecr_repository" "migration" {
+  name                 = "db-migration"
+  image_tag_mutability = "MUTABLE"
+  force_delete         = true
+
+  lifecycle {
+    prevent_destroy = false
+  }
+}

terraform/outputs.tf

@@ -3,3 +3,7 @@ output "migration_task_definition_arn" {
   description = "ARN of the migration ECS Task"
 }
 
+output "ecr_repository_url" {
+  description = "URL of the ECR repository"
+  value       = aws_ecr_repository.migration.repository_url
+}