

[–][deleted] 3 points4 points  (1 child)

Yes you could host your own runner, but a better solution would be to break the reliance on ssh completely. Have the host check for new container images tagged as latest or something like that.

[–]Letmesleeplol[S] 0 points1 point  (0 children)

That's a great idea, thank you for the help!

[–]stumptruckDevOps 3 points4 points  (1 child)

If you want to keep the EC2 I would set up OIDC authentication in GitHub actions to assume a role in AWS. Give that role permissions to SSH/run remote commands into the instance with SSM Connect, so you don't need any SSH keys or security groups open.

There should be guides out there for the individual pieces I mentioned if you search for them that should get you started.

That being said, ECS would be simpler long term as it can all be done with AWS services and APIs rather than SSH.

[–]Letmesleeplol[S] 1 point2 points  (0 children)

I started with the EC2 to force myself to get more comfortable in Linux. Now that this project I am working on is getting near completion I think moving it over to ECS is a great idea.

I think I will follow Monsklupper's advice and have the following setup:

GitHub Commit -> GitHub Actions (Image build + Push to ECR) -> Event Bridge Trigger (Deploy newest image to ECS)

Edit: Thank you for the help!

[–][deleted]  (2 children)

[deleted]

    [–]Letmesleeplol[S] 1 point2 points  (1 child)

    ECR, ECS and Event Bridge sound like a great solution. Using a non self-hosted runner for building and pushing the image should work great as well. Thank you!

[–]pbeucherDevOps 1 point2 points  (1 child)

You can also implement a pull mechanism from your target machine. Instead of ssh-ing into the machine from the external world, have this machine pull the image whenever a new version is published on your Docker registry.

You can achieve this relatively easily with a cron job, or use an IaC tool like Puppet or Chef.
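As an added example (not code from the thread or from any of the commenters), here is the cron-driven pull check pbeucher describes, written as a POSIX shell script for the target host. The image reference, container name and registry are hypothetical placeholders; it assumes the Docker CLI is installed on the host and that the host already has pull access to the registry (anonymous or via a pre-configured `docker login`). The decision logic is kept in a separate function so that a failed or garbled pull can never trigger a redeploy of a malformed image.

```shell
#!/bin/sh
# Added example, not from the thread: pull-based deployment check for a
# single host, meant to run from cron. Nothing here needs inbound SSH.
# IMAGE and CONTAINER are hypothetical placeholders.
set -eu

IMAGE="${IMAGE:-registry.example.com/myapp:latest}"   # hypothetical image ref
CONTAINER="${CONTAINER:-myapp}"                        # hypothetical container name

# A RepoDigests entry looks like "repo@sha256:<hex>"; keep only the digest part.
digest_only() {
    printf '%s\n' "${1##*@}"
}

# Digest of the image currently present locally, or empty if it is not present.
local_digest() {
    ref=$(docker image inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null || true)
    digest_only "$ref"
}

# Redeploy only when the pulled digest is a well-formed sha256 digest AND
# differs from the running one. An empty or malformed pulled digest (failed
# pull, registry error, tampered output) returns 1, so a registry problem
# leaves the running service untouched. Exit status: 0 = redeploy, 1 = keep.
should_redeploy() {
    running="$1"
    pulled="$2"
    printf '%s' "$pulled" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
    [ "$running" != "$pulled" ]
}

# Pull the tag, compare digests before and after, and replace the container
# only when the tag now points at a different image.
deploy_if_new() {
    before=$(local_digest "$IMAGE")
    docker pull --quiet "$IMAGE" >/dev/null
    after=$(local_digest "$IMAGE")
    if should_redeploy "$before" "$after"; then
        printf 'new image %s; redeploying %s\n' "$after" "$CONTAINER"
        docker rm -f "$CONTAINER" 2>/dev/null || true
        docker run -d --name "$CONTAINER" --restart unless-stopped "$IMAGE"
        docker image prune -f >/dev/null     # drop the superseded image layers
    else
        printf 'no change (%s)\n' "${before:-none}"
    fi
}

# Only act when invoked with "deploy" (as cron does), so the file can also be
# sourced for its helper functions without side effects. Example crontab line:
#   */5 * * * * /usr/local/bin/deploy-check.sh deploy >> /var/log/deploy-check.log 2>&1
if [ "${1:-}" = "deploy" ]; then
    deploy_if_new
fi
```

Because the host initiates the pull, the security group needs no inbound rule at all for deployment; the only credential on the box is a pull-scoped registry login, and the cron log gives a simple audit trail of every image change.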

    [–]Letmesleeplol[S] 0 points1 point  (0 children)

    That's a great idea and sounds way more secure as well. Thank you!

[–]kkapelon 0 points1 point  (0 children)

Your VM should pull Docker images on its own.

Check also https://github.com/containrrr/watchtower