chore: add automation script to release images (#58)

aws-samples · Oct 9, 2024 · c1ee1b4 · c1ee1b4
1 parent 552578a
commit c1ee1b4
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 30 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,35 @@
+name: release
+on:
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'the reason for triggering this workflow'
+        required: false
+        default: 'manually publish the pre-built ecr images'
+jobs:
+  ecr_images:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      iam_role_to_assume: ${{ secrets.ROLE_ARN }}
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Configure AWS Credentials
+        if: ${{ env.iam_role_to_assume != '' }}
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.iam_role_to_assume }}
+          aws-region: us-east-1
+      - name: Build and Publish
+        run: |-
+          cd scripts
+          bash push-to-ecr.sh
diff --git a/scripts/push-to-ecr.sh b/scripts/push-to-ecr.sh
@@ -1,35 +1,62 @@
-# Make sure you have created the Repo in AWS ECR in every regions you want to push to before executing this script.
+# NOTE: The script will try to create the ECR repository if it doesn't exist. Please grant the necessary permissions to the IAM user or role.
 # Usage:
 #    cd scripts
-#    chmod +x push-to-ecr.sh
-#    ./push-to-ecr.sh
+#    bash ./push-to-ecr.sh
 
+set -o errexit  # exit on first error
+set -o nounset  # exit on using unset variables
+set -o pipefail # exit on any error in a pipeline
 
 # Define variables
-IMAGE_NAME="bedrock-proxy-api"
 TAG="latest"
-AWS_REGIONS=("us-west-2") # List of AWS regions
-#AWS_REGIONS=("us-east-1" "us-west-2" "eu-central-1" "ap-southeast-1" "ap-northeast-1") # List of AWS regions
-
-# Build Docker image
-docker build -t $IMAGE_NAME:$TAG ../src/
-
-# Loop through each AWS region
-for REGION in "${AWS_REGIONS[@]}"
-do
-    # Get the account ID for the current region
-    ACCOUNT_ID=$(aws sts get-caller-identity --region $REGION --query Account --output text)
-
-    # Create repository URI
-    REPOSITORY_URI="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${IMAGE_NAME}"
-
-    # Log in to ECR
-    aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $REPOSITORY_URI
-
-    # Tag the image for the current region
-    docker tag $IMAGE_NAME:$TAG $REPOSITORY_URI:$TAG
-
-    # Push the image to ECR
-    docker push $REPOSITORY_URI:$TAG
-    echo "Pushed $IMAGE_NAME:$TAG to $REPOSITORY_URI"
-done
+ARCHS=("arm64" "amd64")
+AWS_REGIONS=("us-east-1") # List of AWS region, use below liest if you don't enable ECR repository replication
+# AWS_REGIONS=("us-east-1" "us-west-2" "eu-central-1" "ap-southeast-1" "ap-southeast-2" "ap-northeast-1" "eu-central-1" "eu-west-3") # List of supported AWS regions
+
+build_and_push_images() {
+    local IMAGE_NAME=$1
+    local TAG=$2
+
+    # Build Docker image for each architecture
+    for ARCH in "${ARCHS[@]}"
+    do
+        docker buildx build --platform linux/$ARCH -t $IMAGE_NAME:$TAG-$ARCH -f ../src/Dockerfile_ecs --load ../src/
+    done
+
+    # Push Docker image to ECR for each architecture in each AWS region
+    for REGION in "${AWS_REGIONS[@]}"
+    do
+        # Get the account ID for the current region
+        ACCOUNT_ID=$(aws sts get-caller-identity --region $REGION --query Account --output text)
+
+        # Create repository URI
+        REPOSITORY_URI="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${IMAGE_NAME}"
+
+        # Create ECR repository if it doesn't exist
+        aws ecr create-repository --repository-name "${IMAGE_NAME}" --region $REGION || true
+
+        # Log in to ECR
+        aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $REPOSITORY_URI
+
+        # Push the image to ECR for each architecture
+        for ARCH in "${ARCHS[@]}"
+        do
+            # Tag the image for the current region
+            docker tag $IMAGE_NAME:$TAG-$ARCH $REPOSITORY_URI:$TAG-$ARCH
+            # Push the image to ECR
+            docker push $REPOSITORY_URI:$TAG-$ARCH
+            # Create a manifest for the image
+            docker manifest create $REPOSITORY_URI:$TAG $REPOSITORY_URI:$TAG-$ARCH --amend
+            # Annotate the manifest with architecture information
+            docker manifest annotate $REPOSITORY_URI:$TAG "$REPOSITORY_URI:$TAG-$ARCH" --os linux --arch $ARCH
+        done
+
+        # Push the manifest to ECR
+        docker manifest push $REPOSITORY_URI:$TAG
+
+        echo "Pushed $IMAGE_NAME:$TAG to $REPOSITORY_URI"
+    done
+}
+
+build_and_push_images "bedrock-proxy-api" "$TAG"
+build_and_push_images "bedrock-proxy-api-ecs" "$TAG"
diff --git a/src/Dockerfile_ecs b/src/Dockerfile_ecs
@@ -1,4 +1,4 @@
-FROM python:3.12-slim
+FROM public.ecr.aws/docker/library/python:3.12-slim
 
 WORKDIR /app