How to Run Secure Docker Apps on ECS Fargate with GitHub Actions and SSL


Running containerized applications securely in the cloud is a key priority for modern DevOps workflows. Amazon ECS Fargate and GitHub Actions provide a scalable and secure way to build, deploy, and manage Docker applications without managing servers. This guide will create a secure CI/CD pipeline to deploy Docker apps to ECS Fargate with HTTPS support via SSL certificates.

 Why ECS Fargate and GitHub Actions?

  • ECS Fargate eliminates the need to manage EC2 infrastructure for containers. It abstracts the server layer, allowing you to focus solely on your application.

  • GitHub Actions provides a robust CI/CD platform integrated with your source code repository.

  • SSL (via AWS Certificate Manager and Load Balancer) ensures encrypted data transmission and secure communication.

Step-by-Step Guide

1. Containerize Your Application

Start with a simple Docker app. Your Dockerfile might look like:

FROM node:18-alpine

WORKDIR /app

COPY . .

RUN npm install

CMD ["npm", "start"]

EXPOSE 3000


Push this to your GitHub repository.

2. Create ECS Fargate Infrastructure

Use Terraform or AWS Console to set up:

  • VPC, Subnets, and Security Groups

  • ECS Cluster

  • Task Definition

  • Application Load Balancer (ALB) with:

    • Listener on port 443

    • SSL certificate via AWS Certificate Manager

  • ECS Service linked to ALB

Ensure your container's port (e.g., 3000) is correctly mapped to the ALB listener rules.

3. Set Up SSL with AWS Certificate Manager (ACM)

  1. Go to AWS ACM → Request a public certificate for your domain (e.g., api.yourdomain.com).

  2. Validate it via DNS or email.

  3. Attach the certificate to your ALB's HTTPS listener.

Tip: Use Route 53 to automate DNS-based validation.

4. Configure GitHub Actions for CI/CD

Create a .github/workflows/deploy.yml file:


name: Deploy to ECS Fargate


on:

  push:

    branches: [main]


jobs:

  deploy:

    runs-on: ubuntu-latest

    steps:

      - name: Checkout code

        uses: actions/checkout@v4


      - name: Set up Docker

        uses: docker/setup-buildx-action@v3


      - name: Login to Amazon ECR

        uses: aws-actions/amazon-ecr-login@v2


      - name: Build and Push Docker image

        run: |

          IMAGE_TAG=latest

          docker build -t ${{ secrets.ECR_REPOSITORY }}:$IMAGE_TAG .

          docker tag ${{ secrets.ECR_REPOSITORY }}:$IMAGE_TAG ${{ secrets.ECR_URI }}:$IMAGE_TAG

          docker push ${{ secrets.ECR_URI }}:$IMAGE_TAG


      - name: Deploy to ECS

        uses: aws-actions/amazon-ecs-deploy-task-definition@v1

        with:

          task-definition: ecs-task-def.json

          service: my-ecs-service

          cluster: my-ecs-cluster

          wait-for-service-stability: true


Don’t forget to define the ECR_URI, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY in your GitHub repo secrets.

5. Secure Your ECS Service

  • Ensure the ECS Task and Execution roles have the minimum necessary IAM permissions.

  • Restrict inbound traffic to the ALB using Security Groups (e.g., only allow ports 80 and 443).

  • Use HTTPS listener rules to redirect HTTP to HTTPS.

6. Test Everything

  • Push your code to main.

  • GitHub Actions should build and push the image to ECR.

  • ECS Fargate should pick the latest image and deploy.

  • Visit https://api.yourdomain.com and ensure you see a valid SSL padlock in the browser.

Security Best Practices

  • Use HTTPS-only access to your endpoints.

  • Rotate AWS credentials regularly and use OIDC federated identity.

  • Enable WAF (Web Application Firewall) on the ALB.

  • Use private subnets with a NAT gateway for ECS tasks if outbound internet is needed.

Conclusion

You can deploy highly secure, scalable, and automated container-based applications by combining ECS Fargate, GitHub Actions, and SSL via ACM. This serverless approach drastically reduces operational overhead while enhancing security and deployment velocity.


Comments

Post a Comment

Popular posts from this blog

Podcast - How to Obfuscate Code and Protect Your Intellectual Property (IP) Across PHP, JavaScript, Node.js, React, Java, .NET, Android, and iOS Apps

Image
How to Obfuscate Code and Protect Your Intellectual Property (IP) Across PHP, JavaScript, Node.js, React, Java, .NET, Android, and iOS Apps   https://businesscompassllc.com/web   Code obfuscation is essential for  protecting intellectual property (IP) , preventing  reverse engineering , and  securing applications . Whether you're building a  WordPress plugin, Laravel app, React/Vue project, Spring Boot service, .NET application, or mobile app (Android/iOS) , attackers can  decompile or modify  your code if it's not properly obfuscated. This guide covers  how to obfuscate your code  across multiple platforms: PHP  (WordPress, Laravel, Joomla, Drupal, CakePHP, Symfony) Static Websites  (HTML + JavaScript) JavaScript Frameworks  (Node.js, React, Vue, Angular) Java (Spring Boot - Tomcat) .NET Applications Android Mobile Apps (Java/Kotlin) iOS Mobile Apps (Swift/Objective-C)
Read more

YouTube Channel

Follow us on X