This repo now includes:
- `.github/workflows/ci.yml` - builds frontend and server on push/PR.
- `.github/workflows/deploy-aws-ecs.yml` - deploys to AWS ECS on push to `main` (or manual run).
Create the IAM OIDC identity provider for `token.actions.githubusercontent.com` in the account (once per account), then create an IAM role whose trust policy lets that provider assume it, restricted to your repository and branch:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<ORG>/<REPO>:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

The `aud` condition pins the token audience to `sts.amazonaws.com` (the audience the `aws-actions/configure-aws-credentials` action requests by default); the `sub` condition pins it to one repository and one branch. The `sub` value above contains no wildcard, so `StringEquals` would match it just as well; use `StringLike` with `*` only where you deliberately want a pattern, and never a bare `repo:<ORG>/<REPO>:*`, which would let any branch, tag or pull request in the repo assume the role. Attach permissions for:
- ECR push/pull
- ECS register task definition + update service
- CloudWatch logs (only if the workflow itself creates the log groups named in the task definitions; if the task definitions set `awslogs-create-group`, the task execution role creates them at launch instead)
- IAM PassRole for the task execution role and task role (scope `iam:PassRole` to those two role ARNs, not `*`, otherwise the CI role can attach any role in the account to a task)
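As an added example (not a file in this repo), here is a permissions policy for that role that grants only the actions listed above, scoped to the resource names used as examples for the deploy variables (`policy-api`, `policy-frontend`, `policy-cluster`, `policy-api-svc`, `policy-frontend-svc`). The role names `policy-task-execution-role` and `policy-task-role`, and the `<AWS_REGION>` / `<AWS_ACCOUNT_ID>` placeholders, are assumptions to replace with your own:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrAuth",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "EcrPushPull",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": [
        "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/policy-api",
        "arn:aws:ecr:<AWS_REGION>:<AWS_ACCOUNT_ID>:repository/policy-frontend"
      ]
    },
    {
      "Sid": "EcsTaskDefinitions",
      "Effect": "Allow",
      "Action": [
        "ecs:RegisterTaskDefinition",
        "ecs:DescribeTaskDefinition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EcsUpdateServices",
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeServices",
        "ecs:UpdateService"
      ],
      "Resource": [
        "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:service/policy-cluster/policy-api-svc",
        "arn:aws:ecs:<AWS_REGION>:<AWS_ACCOUNT_ID>:service/policy-cluster/policy-frontend-svc"
      ]
    },
    {
      "Sid": "PassTaskRolesToEcs",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/policy-task-execution-role",
        "arn:aws:iam::<AWS_ACCOUNT_ID>:role/policy-task-role"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ecs-tasks.amazonaws.com"
        }
      }
    }
  ]
}
```

`ecr:GetAuthorizationToken`, `ecs:RegisterTaskDefinition` and `ecs:DescribeTaskDefinition` do not support resource-level permissions, so they keep `"Resource": "*"`; everything else is pinned to the two repositories, the two services and the two task roles. The `iam:PassedToService` condition stops the CI role from passing those roles to anything other than ECS tasks. No CloudWatch Logs statement is included: if the task definitions rely on `awslogs-create-group`, the task execution role creates the log groups, and this role does not need `logs:*` at all.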
Configure the following in the repository for the deploy workflow:
- `AWS_ROLE_TO_ASSUME` - IAM role ARN created above.
- `AWS_REGION` (example: `us-east-1`)
- `ECR_REPOSITORY_API` (example: `policy-api`)
- `ECR_REPOSITORY_FRONTEND` (example: `policy-frontend`)
- `ECS_CLUSTER` (example: `policy-cluster`)
- `ECS_SERVICE_API` (example: `policy-api-svc`)
- `ECS_SERVICE_FRONTEND` (example: `policy-frontend-svc`)
- `ECS_CONTAINER_NAME_API` (must match the task definition container name; default `policy-api`)
- `ECS_CONTAINER_NAME_FRONTEND` (must match the task definition container name; default `policy-frontend`)
Files:
- `.github/ecs/task-definition-api.json`
- `.github/ecs/task-definition-frontend.json`
Update these fields before first deploy:
- `executionRoleArn` / `taskRoleArn`
- CloudWatch log groups/region
- Environment variables (`DATABASE_URL`, `JWT_SECRET`, `VITE_API_BASE_URL`)
- CI runs on PR and push to `main`.
- CD runs on push to `main` and `workflow_dispatch`.
- CD builds Docker images, pushes to ECR (tag = commit SHA), renders task definitions, and deploys both ECS services.

The CD job must request the OIDC token explicitly: it needs `permissions: id-token: write` (plus `contents: read` to check out the code); without `id-token: write` the role assumption fails before any AWS call is made.
- Move `DATABASE_URL` and `JWT_SECRET` to AWS Secrets Manager and inject via ECS task secrets, so they are never stored in the task definition JSON or in GitHub.
- Keep the deploy job in a protected GitHub environment (`production`) with manual approvals. Note that when a job references an environment, the OIDC token's `sub` claim becomes `repo:<ORG>/<REPO>:environment:production` rather than `repo:<ORG>/<REPO>:ref:refs/heads/main`, so the trust policy's `sub` condition must be updated to that form (or list both).
- Restrict the OIDC trust policy to the exact repo and branch (or environment), as in the policy above.