From c75829da4733bb5e6633d45e0e4d13e63123c17d Mon Sep 17 00:00:00 2001 From: "Keith A. Taylor" <120050018+fractal360@users.noreply.github.com> Date: Sat, 23 May 2026 17:20:17 +0100 Subject: [PATCH] Clean up AWS docs development posture --- README.md | 3 +- docs/TRACKER.md | 4 +- docs/aws_cli_reference.md | 227 ---------------------- docs/aws_terraform_deployment_sequence.md | 1 - 4 files changed, 4 insertions(+), 231 deletions(-) delete mode 100644 docs/aws_cli_reference.md diff --git a/README.md b/README.md index 20bdf45..95c6309 100644 --- a/README.md +++ b/README.md @@ -544,7 +544,7 @@ Planned hardening should remain tied to production-relevant gaps. Credible next improvements include: -- extend immutable image tagging consistently across manual and Terraform-driven deployment paths +- add a manual rollback workflow for redeploying a previous known-good ECS task definition or image SHA - HTTPS listener with ACM certificate - optional HTTP-to-HTTPS redirect - optional NAT Gateway or controlled egress path only if future app behaviour requires general external access @@ -579,4 +579,5 @@ Current status: - deployed MCP allow and deny paths have been smoke-tested - IAM Identity Center admin access is configured for normal AWS console work - manual GitHub Actions CD is implemented using OIDC, ECR image push, ECS task definition revision deployment, ECS service rollout, and `/health` smoke check +- manual GitHub Actions CD checks that the `test` check passed for the exact commit SHA before deploying - deployed ECS task definitions now use immutable Git commit SHA image tags rather than relying on `latest` diff --git a/docs/TRACKER.md b/docs/TRACKER.md index 6f0e0b8..cac2191 100644 --- a/docs/TRACKER.md +++ b/docs/TRACKER.md 
@@ -266,6 +266,8 @@ Verified AWS checks: - The ECS service is updated to a new task definition revision during CD. - The deployed ECS task definition uses the Git commit SHA image tag, not `latest`. - The CD workflow waits for ECS service stability and checks `/health` after deployment. +- Manual CD requires the `test` check to have passed for the exact commit SHA before deployment proceeds. +- Terraform uses a bootstrap image tag for initial ECS task definition creation while GitHub Actions CD owns SHA-based runtime deployment revisions. Current AWS networking posture: @@ -286,8 +288,6 @@ Deferred AWS hardening: - Terraform remote state backend - migration version tracking - production-grade credential registration/rotation workflow -- CI-before-deploy safety clarification and deployment guardrails -- Terraform image tag handling alignment with SHA-based CD --- diff --git a/docs/aws_cli_reference.md b/docs/aws_cli_reference.md deleted file mode 100644 index 52ea9a8..0000000 --- a/docs/aws_cli_reference.md +++ /dev/null 
@@ -1,227 +0,0 @@ -# AWS CLI Reference - -## Purpose - -This document lists the AWS CLI commands used to inspect and support the local-to-AWS deployment path for `aws-python-service-platform`. - -The main deployment flow is: - -```text -Dockerfile - -> local Docker image - -> ECR repository - -> ECS/Fargate service - -> ALB - -> RDS PostgreSQL - -> CloudWatch logs -``` - -Terraform creates the AWS infrastructure. The AWS CLI is used for authentication checks, ECR login, and operational inspection. - ---- - -## Confirm current AWS identity - -Check which AWS account and identity the local machine is currently using. - -```powershell -aws sts get-caller-identity -``` - -Show the active AWS CLI configuration, including region, profile, and credential source. - -```powershell -aws configure list -``` - ---- - -## Authenticate Docker to ECR - -Authenticate the local Docker client to the AWS ECR registry. - -```powershell -aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin 702630738731.dkr.ecr.eu-west-2.amazonaws.com -``` - -This does not push an image. It only allows Docker to push to the ECR registry. - ---- - -## Check ECR repository - -Confirm that the ECR repository exists. - -```powershell -aws ecr describe-repositories --region eu-west-2 --repository-names aws-python-service-platform-dev-app -``` - -List image tags/digests currently stored in the ECR repository. - -```powershell -aws ecr list-images --region eu-west-2 --repository-name aws-python-service-platform-dev-app -``` - -Show detailed metadata for images in the ECR repository. - -```powershell -aws ecr describe-images --region eu-west-2 --repository-name aws-python-service-platform-dev-app -``` - ---- - -## Push local Docker image to ECR - -Tag the local image with the ECR repository URL. 
- -```powershell -docker tag aws-python-service-platform:local 702630738731.dkr.ecr.eu-west-2.amazonaws.com/aws-python-service-platform-dev-app:latest -``` - -Push the tagged image to ECR. - -```powershell -docker push 702630738731.dkr.ecr.eu-west-2.amazonaws.com/aws-python-service-platform-dev-app:latest -``` - -Verify that the image is now present in ECR. - -```powershell -aws ecr list-images --region eu-west-2 --repository-name aws-python-service-platform-dev-app -``` - ---- - -## Check ECS resources - -List ECS clusters in the target region. - -```powershell -aws ecs list-clusters --region eu-west-2 -``` - -Describe a specific ECS cluster. - -```powershell -aws ecs describe-clusters --region eu-west-2 --clusters -``` - -List ECS services in a cluster. - -```powershell -aws ecs list-services --region eu-west-2 --cluster -``` - -Describe a specific ECS service. - -```powershell -aws ecs describe-services --region eu-west-2 --cluster --services -``` - -List running tasks for a service. - -```powershell -aws ecs list-tasks --region eu-west-2 --cluster --service-name -``` - -Describe a specific ECS task. - -```powershell -aws ecs describe-tasks --region eu-west-2 --cluster --tasks -``` - ---- - -## Check Application Load Balancer resources - -List load balancers. - -```powershell -aws elbv2 describe-load-balancers --region eu-west-2 -``` - -List target groups. - -```powershell -aws elbv2 describe-target-groups --region eu-west-2 -``` - -Check target health for an ALB target group. - -```powershell -aws elbv2 describe-target-health --region eu-west-2 --target-group-arn -``` - ---- - -## Check RDS resources - -List RDS database instances. - -```powershell -aws rds describe-db-instances --region eu-west-2 -``` - -Describe a specific RDS database instance. - -```powershell -aws rds describe-db-instances --region eu-west-2 --db-instance-identifier -``` - ---- - -## Check Secrets Manager resources - -List Secrets Manager secrets. 
- -```powershell -aws secretsmanager list-secrets --region eu-west-2 -``` - -Describe a specific secret without printing the secret value. - -```powershell -aws secretsmanager describe-secret --region eu-west-2 --secret-id -``` - ---- - -## Check CloudWatch logs - -List CloudWatch log groups. - -```powershell -aws logs describe-log-groups --region eu-west-2 -``` - -Stream logs from a specific log group. - -```powershell -aws logs tail --region eu-west-2 --follow -``` - ---- - -## Immediate ECR image push sequence - -Use this sequence after Terraform has created the ECR repository. - -```powershell -aws sts get-caller-identity -``` - -```powershell -aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin 702630738731.dkr.ecr.eu-west-2.amazonaws.com -``` - -```powershell -docker tag aws-python-service-platform:local 702630738731.dkr.ecr.eu-west-2.amazonaws.com/aws-python-service-platform-dev-app:latest -``` - -```powershell -docker push 702630738731.dkr.ecr.eu-west-2.amazonaws.com/aws-python-service-platform-dev-app:latest -``` - -```powershell -aws ecr list-images --region eu-west-2 --repository-name aws-python-service-platform-dev-app -``` \ No newline at end of file diff --git a/docs/aws_terraform_deployment_sequence.md b/docs/aws_terraform_deployment_sequence.md index 78928da..d997bcb 100644 --- a/docs/aws_terraform_deployment_sequence.md +++ b/docs/aws_terraform_deployment_sequence.md @@ -751,7 +751,6 @@ Deferred production hardening: - Terraform remote state - production credential registry/admin process - migration version table -- CI-before-deploy safety clarification and deployment guardrails ---
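Review bot: In the README `@@ -544,7 +544,7 @@` hunk, replacing the "extend immutable image tagging consistently across manual and Terraform-driven deployment paths" item drops the README's only hint that Terraform's path differs from the SHA-based CD path, while `docs/TRACKER.md` in this same patch gains the line "Terraform uses a bootstrap image tag for initial ECS task definition creation while GitHub Actions CD owns SHA-based runtime deployment revisions". Add that same sentence to the README's "Current status" list so a reader of the README alone does not take "deployed ECS task definitions now use immutable Git commit SHA image tags" to cover Terraform-created task definitions as well. The new rollback item could also be tightened to "a previous known-good ECS task definition revision", since a revision already pins the image SHA and naming both reads as two separate mechanisms.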
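Review bot: In the README `@@ -579,4 +579,5 @@` hunk, the added line "manual GitHub Actions CD checks that the `test` check passed for the exact commit SHA before deploying" does not say what the gate does when no `test` check run exists for that SHA (a commit pushed without CI) or when the run is still in progress; state that the workflow fails closed in both cases, since "passed" alone could be read as "not failed". The "exact commit SHA" wording is the right guarantee to document because it excludes branch-head lookups; pairing it with the job name the gate matches on would let a later rename of the `test` job be caught as a deliberate change to the guard rather than a silent miss.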
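Review bot: In the `docs/TRACKER.md` `@@ -266,6 +266,8 @@` hunk, the new line "Terraform uses a bootstrap image tag for initial ECS task definition creation while GitHub Actions CD owns SHA-based runtime deployment revisions" sits under "Verified AWS checks" but reads as a design statement rather than a check result. Either record what was verified (for example, that a `terraform apply` run after a CD deployment leaves the CD-created task definition revision in service instead of reverting the ECS service to the bootstrap tag) or move the line to the posture section. The preceding line says the deployed task definition uses the SHA tag "not `latest`"; if the bootstrap tag is a mutable tag, say so explicitly, because that statement then only holds after the first CD run has completed.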
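Review bot: In the `docs/TRACKER.md` `@@ -286,8 +288,6 @@` hunk, removing "- CI-before-deploy safety clarification and deployment guardrails" treats the new `test`-check gate as closing the whole item, but only the CI-before-deploy half appears in the lines added elsewhere in this patch; nothing in the diff describes the "deployment guardrails" half (whatever that covered, such as environment protection or approval requirements on the manual CD workflow). Keep a narrower deferred entry such as "- deployment guardrails beyond the CI-check gate", or, if those controls are already in place, add them to the verified list so the removal is accounted for. Removing "- Terraform image tag handling alignment with SHA-based CD" is consistent with the bootstrap-tag line added in the earlier hunk of this file.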
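Review bot: The deletion of `docs/aws_cli_reference.md` removes the only documented home of the identity check (`aws sts get-caller-identity`), the ECR login, and the ECS, ALB, RDS, Secrets Manager and CloudWatch inspection commands, yet the commit message "Clean up AWS docs development posture" gives no reason and no pointer to where operators should look now. Say in the commit message either where those commands moved or why they were dropped; the "Immediate ECR image push sequence" section, which pushes `aws-python-service-platform-dev-app:latest` from a workstation, does contradict the SHA-tag CD path the README now describes, and that is a reason worth stating. Deleting the file also takes the hardcoded account ID `702630738731` and registry hostname out of the public docs, which is worth noting as an intended effect rather than a side effect.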
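Review bot: In the `docs/aws_terraform_deployment_sequence.md` `@@ -751,7 +751,6 @@` hunk, the deferred item "- CI-before-deploy safety clarification and deployment guardrails" is removed to match `docs/TRACKER.md`, but unlike the README this file gains no corresponding line recording the `test`-check gate that justifies the removal. Add the equivalent of "manual GitHub Actions CD checks that the `test` check passed for the exact commit SHA before deploying" to this document's status or sequence text so the deployment sequence doc states the guardrail it now relies on instead of only losing the deferred entry.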