This project demonstrates deploying the UI component of the AWS Containers Retail Sample application to Amazon ECS Express Mode, with an automated deployment pipeline built on the Amazon ECS "Deploy Express Service" Action for GitHub Actions.
The original UI Dockerfile is available here.
This project is intended for educational purposes only and not for production use
```
your-app/
├── Dockerfile
└── .github/
    └── workflows/
        └── deploy.yml
```
- Containerized Deployment: Docker-based deployment with Nginx
- CI/CD Pipeline: Automated build and deployment using GitHub Actions
- ECS Integration: Seamless deployment to Amazon ECS Express Mode
- Health Monitoring: Built-in health check endpoint
- AWS Command Line Interface (AWS CLI) installed and configured with credentials for your AWS account
- Docker installed locally
- A default Amazon Virtual Private Cloud (Amazon VPC) with default subnets; otherwise, see Create a default VPC
- First, create an OpenID Connect provider to allow GitHub Actions to assume an IAM role, then create the IAM Role with ECS Express and ECR Permissions.
- Create the two IAM roles required by an Express Mode service: the Task Execution Role (ecsTaskExecutionRole) and the Infrastructure Role (ecsInfrastructureRoleForExpressServices).
- Configure GitHub repository variables
Your GitHub Actions workflow references your AWS account details and resource names through repository variables. Since these values aren’t sensitive, you can store them as variables rather than secrets, making them easier to reference in your workflow file. Navigate to your GitHub repository on the GitHub website. Go to Settings → Secrets and variables → Actions → Variables tab, then add each of the following variables by clicking New repository variable:
| Variable Name | Example Value | Description |
|---|---|---|
| AWS_REGION | us-east-1 | AWS region where your resources are deployed |
| AWS_ACCOUNT_ID | 123456789012 | Your 12-digit AWS account ID |
| ECR_REPOSITORY | my-app | Name of your Amazon ECR repository |
| ECS_SERVICE | my-app-service | Name for your Amazon ECS service |
| ECS_CLUSTER | default | Name for your Amazon ECS cluster |
The action will:
- Check if the specified cluster exists (creates it if using the default cluster)
- Note: To specify an existing Amazon ECS cluster name other than default, you must create the cluster beforehand.
Estimated time: 20-30 minutes
Estimated cost: Costs vary based on usage. You'll incur charges for Amazon ECS tasks, Amazon ECR storage, and data transfer. GitHub Actions usage is free for public repositories. Remember to clean up resources after testing.
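As an added example (not a file from this project's repository), here is a trust policy for the IAM role created in the first setup step, restricted so that only workflows running on the main branch of one repository can assume it. The account ID is the example value from the variables table; OWNER is a placeholder for your GitHub organisation or user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:OWNER/sample-amazon-ecs-express-github-actions:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

Save it as trust-policy.json and pass it with `aws iam create-role --role-name <your-role> --assume-role-policy-document file://trust-policy.json`; without the `sub` condition, a workflow in any GitHub repository could obtain credentials for this role.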
```bash
# Build Docker image
docker build -t retail-store-sample-ui .
# Run container locally
docker run -p 8080:8080 retail-store-sample-ui
```
If you're familiar with ECS and just want to get started:
```bash
# 1. Clone the repository
git clone https://github.com/aws-samples/sample-amazon-ecs-express-github-actions.git
cd sample-amazon-ecs-express-github-actions
# 2. Create ECR repository
REGION="us-east-1"        # region for the repository; use the same value as the AWS_REGION variable
ECR_REPOSITORY="my-app"
echo "🏗️ Creating ECR repository: $ECR_REPOSITORY"
aws ecr create-repository \
  --repository-name "$ECR_REPOSITORY" \
  --region "$REGION" \
  --image-scanning-configuration scanOnPush=true \
  --encryption-configuration encryptionType=AES256 \
  2>/dev/null || echo "Repository already exists"
# 3. Fork the repository on GitHub
# 4. Configure GitHub repository variables (see table above)
# 5. Push changes to your main branch to trigger deployment
git add .
git commit -m "Initial deployment"
git push origin main
```
The GitHub Actions workflow will automatically:
- Build the Docker image
- Push to ECR
- Deploy to ECS Express Mode
- Provide the service URL in the deployment logs
- Amazon ECS Documentation
- Amazon ECS "Deploy Express Service" Action for GitHub Actions
- Best practices for Amazon ECS Express Mode services
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.
This project contains suppressed security findings from Checkov and Semgrep static analysis tools. All suppressions have been reviewed and documented with technical justifications.
| Finding | Tool | Justification | Risk |
|---|---|---|---|
| CKV_DOCKER_3: User creation | Checkov | Base image already implements non-root user (source) | ✅ Low |
| CKV_DOCKER_2: HEALTHCHECK | Checkov | Health checks handled by ECS/ALB at infrastructure layer | ✅ Low |
| CKV2_GHA_1: GHA Permissions | Checkov | Write permissions required for deployment with branch protection | ✅ Low |
| third-party-action-not-pinned | Semgrep | Official AWS actions pinned to semantic versions for maintainability | ✅ Low |
| dockerfile-source-not-pinned | Semgrep | Base image pinned to version 1.3.0 from official AWS ECR Public | ✅ Low |
📄 Full Details: See SECURITY-SCAN-SUPPRESSIONS.md for complete technical justifications and risk assessments.

