
feat: Add ECS Fargate infrastructure and deployment configuration#362

Open: e9e4e5f0faef wants to merge 1 commit into stage from feat/ecs-fargate-migration

Conversation

@e9e4e5f0faef (Collaborator) commented Jan 24, 2026

Description

This PR adds infrastructure and tooling to deploy addons-server on AWS ECS Fargate.

Files added (9):

| Category | File | Purpose |
|---|---|---|
| Docker | Dockerfile.ecs | ECS-optimised image (non-root, tini, health check) |
| Docker | docker/docker-entrypoint.sh | Multi-mode entrypoint (web/worker/versioncheck/manage) |
| CI/CD | .github/workflows/build-and-push.yml | GitHub Actions for ECR build/push |
| Pulumi | infra/pulumi/__main__.py | IaC program (VPC, ECR, Fargate, ElastiCache, Scheduled Tasks) |
| Pulumi | infra/pulumi/config.stage.yaml | Stage environment config (~109 resources) |
| Pulumi | infra/pulumi/Pulumi.yaml | Project definition |
| Pulumi | infra/pulumi/README.md | Setup guide with AI-assisted editorial review |
| Pulumi | infra/pulumi/requirements.txt | Python deps (tb_pulumi v0.0.16, Python 3.13+) |
| Config | settings_local_stage.py | Stage settings with Secrets Manager integration |

Context

This is the initial PR for migrating ATN from EC2/Ansible to ECS Fargate, as discussed with @Sancus. Key decisions:

  • Region: us-west-2 (matching existing infrastructure)
  • 16 cron jobs implemented as ECS Scheduled Tasks via EventBridge Scheduler
  • Secrets Manager paths verified against live AWS (atn/stage/*)
  • OIDC federation implemented for publish job, gated on repo var AWS_ROLE_ARN and push to stage
  • Pulumi code is colocated under infra/pulumi/ for now; this layout can be adjusted based on feedback
  • SG ingress is currently VPC-CIDR scoped; can harden to ALB SG -> task SG once SG refs are supported
  • IAM role with strict trust policy (aud, iss, sub, job_workflow_ref)
  • Minimal ECR push permissions derived from actual repo ARN
  • Fixed image tags to :stage-latest across all task definitions
  • Updated lifecycle policy to catch SHA tags (keep 50, expire untagged after 7d)

History squashed to present a clean change-set; no functional changes.

Testing

```shell
# Pulumi preview (requires Python 3.13+)
cd infra/pulumi
python3.13 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
pulumi stack init thunderbird/thunderbird-addons/stage
pulumi preview  # Shows 109 resources to create

# Docker build test
docker build -f Dockerfile.ecs -t addons-server:test .
```

Validated:

  • Pulumi preview: 109 resources planned (including 16 scheduled tasks)
  • AWS Secrets Manager paths exist
  • ElastiCache/RDS endpoints confirmed in us-west-2

Checklist

  • Add a description of the changes introduced in this PR
  • The change has been successfully run locally (Pulumi preview passes)
  • Add tests to cover the changes - Infrastructure code; tested via Pulumi preview
  • Screenshots - N/A - no UI changes
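
The trust-policy and lifecycle-policy shapes listed under Key decisions, as an added illustration that is not code from this PR or from tb_pulumi: plain Python builders (no Pulumi dependency) plus a strictness check a reviewer can run over an existing role's policy document. The account id, the repo name `example-org/addons-server` and the `sha-` tag prefix are placeholders, and the IAM condition-key formats for `iss` and `job_workflow_ref` are assumptions.

```python
OIDC_HOST = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer host

def github_oidc_trust_policy(account_id, repo, branch, workflow_path):
    """Trust policy pinning aud, iss, sub and job_workflow_ref. Condition-key
    formats and the sample values are assumptions, not the PR's own text."""
    subject = f"repo:{repo}:ref:refs/heads/{branch}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_HOST}:aud": "sts.amazonaws.com",
                f"{OIDC_HOST}:iss": f"https://{OIDC_HOST}",
                f"{OIDC_HOST}:sub": subject,
                f"{OIDC_HOST}:job_workflow_ref": f"{repo}/{workflow_path}@refs/heads/{branch}",
            }},
        }],
    }

REQUIRED_CLAIMS = ("aud", "iss", "sub", "job_workflow_ref")

def trust_policy_is_strict(policy):
    """Defender-side check: every web-identity statement must pin all required
    claims with exact StringEquals matches and no wildcard in the values."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        for claim in REQUIRED_CLAIMS:
            value = equals.get(f"{OIDC_HOST}:{claim}")
            if not value or "*" in value:
                return False
    return True

def ecr_lifecycle_policy(sha_prefix, keep, untagged_days):
    """Expire untagged images after N days and keep only the newest `keep`
    SHA-tagged images; the tag prefix is an assumed value."""
    return {"rules": [
        {"rulePriority": 1, "description": "expire untagged images",
         "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                       "countUnit": "days", "countNumber": untagged_days},
         "action": {"type": "expire"}},
        {"rulePriority": 2, "description": "cap SHA-tagged images",
         "selection": {"tagStatus": "tagged", "tagPrefixList": [sha_prefix],
                       "countType": "imageCountMoreThan", "countNumber": keep},
         "action": {"type": "expire"}},
    ]}
```

Running `trust_policy_is_strict` over a role's existing `AssumeRolePolicyDocument` flags policies that drop `job_workflow_ref` or widen `sub` to a wildcard, which is the gap a branch-only condition leaves open.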

@e9e4e5f0faef e9e4e5f0faef force-pushed the feat/ecs-fargate-migration branch from 60d4f86 to 2ee8f25 on January 24, 2026 01:42
@e9e4e5f0faef e9e4e5f0faef self-assigned this Jan 25, 2026
Add Pulumi-managed ECS Fargate service and scheduled tasks, stage configuration, container runtime wiring, and a GHA OIDC-based build/publish pipeline
@e9e4e5f0faef e9e4e5f0faef force-pushed the feat/ecs-fargate-migration branch from 699facf to c54436f on January 31, 2026 17:07
@e9e4e5f0faef e9e4e5f0faef mentioned this pull request Feb 3, 2026