feat: ECR caching for PROD environment (#108)

* feat: ECR caching for PROD environment

* copilot suggestion

Co-authored-by: Copilot <[email protected]>

* fix: immutability

* fix: idempotency

* fix: ECR and tagging

* fix: ecr

* fix lifecycle policy

* fix: grouping in if clause

---------

Co-authored-by: Copilot <[email protected]>

Author: mishraomp

.github/workflows/.deployer.yml

@@ -66,57 +66,69 @@ jobs:
   steps:
     - name: Checkout
       uses: actions/checkout@v4
+    
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
       with:
-          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
-          role-session-name: ${{ inputs.environment_name }}-deployment
-          aws-region: ${{ env.AWS_REGION }}
+        role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
+        role-session-name: ${{ inputs.environment_name }}-deployment
+        aws-region: ${{ env.AWS_REGION }}
+    
     - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
       with:
         terraform_version: ${{ env.TF_VERSION }}
+    
     - name: Setup Terragrunt
       uses: autero1/action-terragrunt@aefb0a43c4f5503a91fefb307745c4d51c26ed0e # v3
       with:
           terragrunt-version: ${{ env.TG_VERSION }}
+    
+    - name: Get ECR Registry
+      if: inputs.app_env == 'prod'
+      id: ecr-check
+      run: |
+        ECR_REGISTRY=$(aws sts get-caller-identity --query Account --output text).dkr.ecr.ca-central-1.amazonaws.com
+        echo "ecr-registry=$ECR_REGISTRY" >> $GITHUB_OUTPUT
+    
     - name: Terragrunt ${{inputs.command}}
       working-directory: terraform/${{ inputs.working_directory }}/${{ inputs.environment_name }}
       env:
           target_env: ${{ inputs.environment_name }}
           aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
-          flyway_image: ghcr.io/${{github.repository}}/migrations:${{inputs.tag}}
-          api_image: ghcr.io/${{github.repository}}/backend:${{inputs.tag}}
+          flyway_image: ${{ (inputs.app_env == 'prod' && inputs.working_directory == 'api' && format('{0}/quickstart-aws-containers-migrations-prod:{1}', steps.ecr-check.outputs.ecr-registry, inputs.tag)) || (format('ghcr.io/{0}/migrations:{1}', github.repository, inputs.tag)) }}
+          api_image: ${{ (inputs.app_env == 'prod' && inputs.working_directory == 'api' && format('{0}/quickstart-aws-containers-backend-prod:{1}', steps.ecr-check.outputs.ecr-registry, inputs.tag)) || (format('ghcr.io/{0}/backend:{1}', github.repository, inputs.tag)) }}
           app_env: ${{inputs.app_env}}
           stack_prefix: ${{ inputs.stack_prefix }}
       run: |
           # Run terraform
           terragrunt run-all ${{inputs.command}} --terragrunt-non-interactive
+    
     - name: Terragrunt API Outputs
       if: ( inputs.working_directory == 'api'  && inputs.command == 'apply' )
       working-directory: terraform/${{ inputs.working_directory }}/${{ inputs.environment_name }}
       id: tg-outputs
       env:
           target_env: ${{ inputs.environment_name }}
           aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
-          flyway_image: ghcr.io/${{github.repository}}/migrations:${{inputs.tag}}
-          api_image: ghcr.io/${{github.repository}}/backend:${{inputs.tag}}
+          flyway_image: ${{ inputs.app_env == 'prod' && format('{0}/quickstart-aws-containers-migrations-prod:{1}', steps.ecr-check.outputs.ecr-registry, inputs.tag) || format('ghcr.io/{0}/migrations:{1}', github.repository, inputs.tag) }}
+          api_image: ${{ inputs.app_env == 'prod' && format('{0}/quickstart-aws-containers-backend-prod:{1}', steps.ecr-check.outputs.ecr-registry, inputs.tag) || format('ghcr.io/{0}/backend:{1}', github.repository, inputs.tag) }}
           app_env: ${{inputs.app_env}}
           stack_prefix: ${{ inputs.stack_prefix }}
       run: |
           terragrunt output -json > outputs.json
           #print the output
           cat outputs.json
-          
-          echo "API_GW_URL=$(jq -r .apigw_url.value outputs.json)" >> $GITHUB_OUTPUT
+            echo "API_GW_URL=$(jq -r .apigw_url.value outputs.json)" >> $GITHUB_OUTPUT
+    
     - name: Terragrunt Frontend Outputs
       if: ( inputs.working_directory == 'frontend' && inputs.command == 'apply' )
       working-directory: terraform/${{ inputs.working_directory }}/${{ inputs.environment_name }}
       id: tg-outputs-frontend
       env:
           target_env: ${{ inputs.environment_name }}
           aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
-          flyway_image: ghcr.io/${{github.repository}}/migrations:${{inputs.tag}}
-          api_image: ghcr.io/${{github.repository}}/backend:${{inputs.tag}}
+          flyway_image: ${{ inputs.app_env == 'prod' && format('{0}/quickstart-aws-containers-migrations-prod:{1}', steps.ecr-check.outputs.ecr-registry, inputs.tag) || format('ghcr.io/{0}/migrations:{1}', github.repository, inputs.tag) }}
+          api_image: ${{ inputs.app_env == 'prod' && format('{0}/quickstart-aws-containers-backend-prod:{1}', steps.ecr-check.outputs.ecr-registry, inputs.tag) || format('ghcr.io/{0}/backend:{1}', github.repository, inputs.tag) }}
           app_env: ${{inputs.app_env}}
           stack_prefix: ${{ inputs.stack_prefix }}
       run: |

.github/workflows/release.yml

@@ -70,6 +70,7 @@ jobs:
           echo "tags<<EOF" >> $GITHUB_OUTPUT
           echo "$tags" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT
+  
   retag-images:
     name: Retag Images
     needs: [vars]
@@ -86,23 +87,80 @@ jobs:
           target:  ${{inputs.containers_tag || 'test'}} # this is the tag of the containers to deploy, defaults to test
           tags: |
             ${{ needs.vars.outputs.tags }}
+  
+  push-to-ecr:
+    name: Push Images to ECR
+    needs: [vars, retag-images]
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        package: [backend, migrations]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
+        with:
+          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
+          role-session-name: gha-ecr-push
+          aws-region: ca-central-1
+      
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+        
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          
+      - name: Pull, tag and push image to ECR
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository }}/${{ matrix.package }}:${{ needs.vars.outputs.tag }}
+        run: |
+          # Create ECR repository if it doesn't exist
+            aws ecr create-repository \
+            --repository-name quickstart-aws-containers-${{ matrix.package }}-prod \
+            --image-tag-mutability IMMUTABLE \
+            --image-scanning-configuration scanOnPush=true \
+            || true
+            
+            # Apply lifecycle policy separately
+            aws ecr put-lifecycle-policy \
+            --repository-name quickstart-aws-containers-${{ matrix.package }}-prod \
+            --lifecycle-policy '{"rules":[{"rulePriority":1,"description":"Keep only 5 tagged images","selection":{"tagStatus":"tagged","countType":"imageCountMoreThan","countNumber":5},"action":{"type":"expire"}},{"rulePriority":2,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"imageCountMoreThan","countNumber":0},"action":{"type":"expire"}}]}' \
+            || true
+          
+          # Pull image from GHCR
+          docker pull $GHCR_IMAGE
+          
+          # Tag for ECR
+          ECR_IMAGE=$ECR_REGISTRY/quickstart-aws-containers-${{ matrix.package }}-prod:${{ needs.vars.outputs.tag }}
+          docker tag $GHCR_IMAGE $ECR_IMAGE
+          
+          # Push to ECR
+          docker push $ECR_IMAGE
+          
   resume-resources:
     name: Resume Resources # This job resumes resources for the merged PR which is needed if the resources were paused.
     needs: [vars]
     uses: ./.github/workflows/resume-resources.yml
     with:
       app_env: prod
     secrets: inherit
+    
   deploy:
     name: Deploy Stack
-    needs: [vars, resume-resources, retag-images]
+    needs: [vars, resume-resources, retag-images, push-to-ecr]
     uses: ./.github/workflows/.deploy_stack.yml
     secrets: inherit
     with:
       environment_name: dev # since we only have one namespace dev, update this to PROD
       command: apply
       tag: ${{ needs.vars.outputs.tag}} # this is the tag of the containers to deploy
       app_env: prod
+      
   release:
     name: Github Release
     runs-on: ubuntu-24.04
@@ -120,6 +178,7 @@ jobs:
           tag_name: ${{ needs.vars.outputs.tag }}
           name: ${{ needs.vars.outputs.tag }}
           body: ${{ needs.vars.outputs.clean_changelog }}
+          
   pause-resources:
     name: Pause Resources # This job pauses resources for the merged PR which is needed if the resources were not paused, this is to save money, remove it after cloning.
     needs: [release]

infrastructure/api/ecs.tf

@@ -48,7 +48,7 @@ resource "aws_ecs_task_definition" "flyway_task" {
   execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
   task_role_arn            = aws_iam_role.app_container_role.arn
   container_definitions = jsonencode([
-    {      
+    { 
       name      = "${var.app_name}-flyway"
       image     = "${var.flyway_image}"
       essential = true
@@ -171,7 +171,7 @@ resource "aws_ecs_task_definition" "node_api_task" {
   execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
   task_role_arn            = aws_iam_role.app_container_role.arn
   container_definitions = jsonencode([
-    {
+    {      
       name      = "${local.container_name}"
       image     = "${var.api_image}"
       essential = true

infrastructure/api/iam.tf

@@ -1,4 +1,3 @@
-
 data "aws_caller_identity" "current" {}
 # ECS task execution role data
 data "aws_iam_policy_document" "ecs_task_execution_role" {
@@ -103,4 +102,29 @@ EOF
 resource "aws_iam_role_policy_attachment" "rdsAttach" {
   role       = aws_iam_role.app_container_role.name
   policy_arn = data.aws_iam_policy.appRDS.arn
+}
+
+# ECR permissions for production environment
+resource "aws_iam_role_policy" "ecs_task_execution_ecr" {
+  count = var.app_env == "prod" ? 1 : 0
+  name  = "${var.app_name}-ecs_task_execution_ecr"
+  role  = aws_iam_role.ecs_task_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:BatchGetImage",
+          "ecr:GetAuthorizationToken"
+        ]
+        Resource = [
+          "arn:aws:ecr:*:*:*"
+        ]
+      }
+    ]
+  })
 }

infrastructure/api/vars.tf

@@ -129,7 +129,7 @@ variable "repository_names" {
 }
 variable "image_tag_mutability" {
   description = "Tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE."
-  default     = "MUTABLE"
+  default     = "IMMUTABLE"
 }
 
 variable "image_scanning_enabled" {
@@ -149,6 +149,11 @@ variable "write_principals" {
   type        = list(any)
   default     = []
 }
+variable "ecr_image_retention_count" {
+  description = "Number of images to retain in ECR repository"
+  type        = number
+  default     = 5
+}
 
 variable "tags" {
   description = "A set of of one or more tags to provide some metadata for the provisioned resources."