Update CircleCI workflow to work without ECR access key
ushkarev committed Aug 11, 2023
1 parent 00b1c2b commit c7e6923
Showing 1 changed file with 31 additions and 11 deletions.
42 changes: 31 additions & 11 deletions .circleci/config.yml
@@ -1,9 +1,20 @@
# generated by https://github.com/ministryofjustice/money-to-prisoners-deploy
version: 2.1

orbs:
aws-cli: circleci/aws-cli@4.0
aws-ecr: circleci/aws-ecr@9.0

parameters:
kubectl-version:
type: string
default: v1.24.16

jobs:
build-test-push:
docker:
- image: ${ECR_ENDPOINT}/prisoner-money/money-to-prisoners:tools
executor:
name: aws-ecr/default
docker_layer_caching: true
environment:
app: cashbook
working_directory: /tmp/repo
Expand All @@ -14,7 +25,7 @@ jobs:
command: |
CIRCLE_BRANCH_LOWERCASE=$(echo $CIRCLE_BRANCH | tr '[:upper:]' '[:lower:]')
registry=${ECR_ENDPOINT}/prisoner-money/money-to-prisoners
registry=${ECR_REGISTRY}/${ECR_REPOSITORY}
version=${CIRCLE_BRANCH_LOWERCASE}.${CIRCLE_SHA1:0:7}
tag=${app}.${version}
Expand All @@ -24,13 +35,21 @@ jobs:
echo export tag=${tag} >> /tmp/mtp-env.sh
echo "Building ${tag}"
- setup_remote_docker:
docker_layer_caching: true
- aws-cli/setup:
region: ${AWS_DEFAULT_REGION}
role_arn: ${ECR_ROLE_TO_ASSUME}
- run:
name: Log into ECR
name: Install kubectl
command: |
curl -LO https://dl.k8s.io/release/<< pipeline.parameters.kubectl-version >>/bin/linux/amd64/kubectl
echo "$(curl -L -s https://dl.k8s.io/<< pipeline.parameters.kubectl-version >>/bin/linux/amd64/kubectl.sha256) kubectl" | sha256sum --check
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
kubectl version --client --output yaml
- run:
name: Log docker into ECR
command: |
source /tmp/mtp-env.sh
aws ecr get-login-password --region ${AWS_DEFAULT_REGION} | docker login --username AWS --password-stdin ${ECR_ENDPOINT}
aws ecr get-login-password --region ${AWS_DEFAULT_REGION} | docker login --username AWS --password-stdin ${ECR_REGISTRY}
- run:
name: Pull base image
command: |
Expand Down Expand Up @@ -85,7 +104,7 @@ jobs:
name: Log out of ECR
command: |
source /tmp/mtp-env.sh
docker logout ${ECR_ENDPOINT}
docker logout ${ECR_REGISTRY}
- deploy:
name: Deploy to test
command: |
Expand Down Expand Up @@ -116,19 +135,20 @@ jobs:
for IMAGE_TO_DELETE in ${IMAGES_TO_DELETE}; do
AWS_ECR_ARGS="${AWS_ECR_ARGS} imageDigest=${IMAGE_TO_DELETE}"
done
aws ecr batch-delete-image --repository-name prisoner-money/money-to-prisoners --image-ids ${AWS_ECR_ARGS}
aws ecr batch-delete-image --repository-name ${ECR_REPOSITORY} --image-ids ${AWS_ECR_ARGS}
fi
}
echo "Deleting untagged images"
IMAGES_TO_DELETE=$(aws ecr list-images --repository-name prisoner-money/money-to-prisoners --filter tagStatus=UNTAGGED --query 'imageIds[*].imageDigest' --output text)
IMAGES_TO_DELETE=$(aws ecr list-images --repository-name ${ECR_REPOSITORY} --filter tagStatus=UNTAGGED --query 'imageIds[*].imageDigest' --output text)
delete_images
if [[ "${CIRCLE_BRANCH}" != "main" ]]; then
echo "Deleting other images from branch ${CIRCLE_BRANCH}"
IMAGES_TO_DELETE=$(aws ecr describe-images --repository-name prisoner-money/money-to-prisoners --query 'imageDetails[?contains(map(&starts_with(@, '"'"${app}.${CIRCLE_BRANCH_LOWERCASE}."'"'), @.imageTags), `true`) && ! contains(@.imageTags, '"'"${tag}"'"')].imageDigest' --output text)
IMAGES_TO_DELETE=$(aws ecr describe-images --repository-name ${ECR_REPOSITORY} --query 'imageDetails[?contains(map(&starts_with(@, '"'"${app}.${CIRCLE_BRANCH_LOWERCASE}."'"'), @.imageTags), `true`) && ! contains(@.imageTags, '"'"${tag}"'"')].imageDigest' --output text)
delete_images
fi
workflows:
version: 2
build-test-push:
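Review bot: In the new "Install kubectl" step, the expected SHA-256 is fetched from the same host (dl.k8s.io) and in the same run as the binary, so `sha256sum --check` catches a corrupted download but not a substituted one, and the job has already assumed the ECR role by then (the `aws-cli/setup` step precedes it). Pinning the digest next to the version would close that gap: add a pipeline parameter beside `kubectl-version` (for example `kubectl-sha256`, with the value taken from the release being pinned) and verify with `echo "<< pipeline.parameters.kubectl-sha256 >>  kubectl" | sha256sum --check`. The checksum URL also omits the `/release/` path segment that the binary URL uses, which looks unintended and is worth making consistent. Adding `--fail` to both curl calls would stop the step on an HTTP error at the download rather than at the checksum comparison.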