fix the 404 error and tag issue

bcgov · Oct 3, 2024 · d956d3b · d956d3b
1 parent 8d4a154
commit d956d3b
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 3 deletions.
diff --git a/.github/workflows/terragrunt-deploy.yml b/.github/workflows/terragrunt-deploy.yml
@@ -93,6 +93,21 @@ jobs:
             echo "TARGET_LIQUIBASE_TAG=--tag=${{inputs.TARGET_LIQUIBASE_TAG}}" >> $GITHUB_OUTPUT
           fi
 
+      - name: Get digest of docker image
+        id: getDigest
+        run: |
+          export IMAGE='ghcr.io/${{github.repository_owner}}/${{ steps.updateImageName.outputs.IMAGE_NAME}}:${{ inputs.TAG }}'
+          docker pull $IMAGE
+          echo "IMAGE_BY_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE)" >> $GITHUB_OUTPUT
+
+      # digest for api image, change the value of WFPREV_API_IMAGE
+      # - name: Get digest of WFPREV API image
+      #   id: getApiDigest
+      #   run: |
+      #     export API_IMAGE='ghcr.io/${{github.repository_owner}}/${{ steps.updateImageName.outputs.IMAGE_NAME}}-wfprev-api:${{ inputs.TAG }}'
+      #     docker pull $API_IMAGE
+      #     echo "API_IMAGE_BY_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $API_IMAGE)" >> $GITHUB_OUTPUT
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v2
         with:
@@ -112,6 +127,7 @@ jobs:
       - name: Terragrunt Apply
         working-directory: ${{env.TG_SRC_PATH}}
 
+
         env:
           # Necessary for all components
           TFC_PROJECT: ${{ secrets.TFC_PROJECT }}
@@ -127,7 +143,7 @@ jobs:
           WFPREV_API_PORT: ${{vars.WFPREV_API_PORT}}
           TARGET_AWS_ACCOUNT_ID: ${{secrets.TARGET_AWS_ACCOUNT_ID}}
           # WFPREV UI
-          CLIENT_IMAGE: ${{ vars.REPOSITORY }}/${{ github.repository }}-wfprev-war:${{ inputs.IMAGE_TAG }}
+          CLIENT_IMAGE: ${{ steps.getDigest.outputs.IMAGE_BY_DIGEST }}
           WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET: ${{ secrets.WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET }}
           WFPREV_CLIENT_MEMORY: ${{vars.WFPREV_CLIENT_MEMORY}}
           WFPREV_CLIENT_CPU_UNITS : ${{vars.WFPREV_CLIENT_CPU_UNITS}}

diff --git a/terraform/ecs.tf b/terraform/ecs.tf
@@ -245,7 +245,7 @@ resource "aws_ecs_service" "wfprev_server" {
   }
 
   network_configuration {
-    security_groups  = [data.aws_security_group.app.id]
+    security_groups  = [data.aws_security_group.app.id, aws_security_group.wfprev_tomcat_access.id]
     subnets          = module.network.aws_subnet_ids.app.ids
     assign_public_ip = true
   }
@@ -286,7 +286,7 @@ resource "aws_ecs_service" "client" {
 
 
   network_configuration {
-    security_groups  = [data.aws_security_group.app.id]
+    security_groups  = [data.aws_security_group.app.id, aws_security_group.wfprev_tomcat_access.id]
     subnets          = module.network.aws_subnet_ids.app.ids
     assign_public_ip = true
   }

diff --git a/terraform/security.tf b/terraform/security.tf
@@ -8,4 +8,15 @@ data "aws_security_group" "app" {
 
 data "aws_security_group" "data" {
   name = "Data_sg"
+}
+resource "aws_security_group" "wfprev_tomcat_access" {
+  name = "wfprev-ecs-tasks-allow-access"
+  description = "Explicitly allow traffic on ports used by WFPREV"
+  vpc_id = module.network.aws_vpc.id
+  ingress {
+    protocol = "tcp"
+    from_port = var.WFPREV_CLIENT_PORT
+    to_port = var.WFPREV_API_PORT
+    cidr_blocks = ["0.0.0.0/0"]
+  }
 }