Github secret values are exposed as environment variables in AWS App Runner console, everyone can access them. Am I missing something?

https://aws.amazon.com/jp/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/

Currently the action creates or updates the service accordingly. If support is added for a flag that jsut calls a StartDeployment for the use-cases where a user may not want to update any configuration and jiust trigger a new version of their code/image.

My pipeline is this:

` name: Deploy to App Runner
on:
push:
branches: [main]

jobs:
deploy:
name: Deploy
runs-on: ubuntu-latest

steps:
- name: Checkout
  uses: actions/checkout@v3

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ secrets.AWS_REGION }}
      
- name: Deploy to App Runner
  id: deploy-apprunner
  uses: awslabs/amazon-app-runner-deploy@main
  env:
    SERVER_PORT: 80
    SECRET_ENV: secret_env
  with:
    service: DEVOPS-NA-INFRA
    source-connection-arn: ${{ secrets.AWS_CONNECTION_SOURCE_ARN }}
    repo: https://github.com/${{ github.repository }}
    branch: ${{ github.ref }}
    runtime: NODEJS_16
    build-command: npm install
    start-command: npm start
    port: 80
    region: ${{ secrets.AWS_REGION }}
    cpu : 1
    memory : 2
    copy-env-vars: |
      SERVER_PORT
    copy-secret-env-vars: |
      SECRET_ENV
  
- name: App Runner URL
  run: echo "App runner URL ${{ steps.deploy-apprunner.outputs.service-url }}" `

I used this blog post as an example: https://aws.amazon.com/pt/blogs/containers/deploy-applications-in-aws-app-runner-with-github-actions/ and it's not working.
My service user has maximum permission to deploy to App Runner

Reviewing the .yml file in the README.md of this repo:

name: Deploy to App Runner
on:
  push:
    branches: [main] # Trigger workflow on git push to main branch
  workflow_dispatch: # Allow manual invocation of the workflow

jobs:  
  deploy:
    runs-on: ubuntu-latest
    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
    permissions:
      id-token: write
      contents: read
    
    steps:      
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false
          
      - name: Configure AWS credentials
        id: aws-credentials
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          # Use GitHub OIDC provider
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          aws-region: ${{ secrets.AWS_REGION }}

        ....
          
      - name: Deploy to App Runner Image
        id: deploy-apprunner
        uses: awslabs/amazon-app-runner-deploy@main
        with:
          service: app-runner-git-deploy-service
          image: ${{ steps.build-image.outputs.image }}
          access-role-arn: ${{ secrets.ROLE_ARN }}

      - name: App Runner URL
        run: echo "App runner URL ${{ steps.deploy-apprunner.outputs.service-url }}" 

Is there a discrepancy between the ${{ secrets.AWS_ASSUME_ROLE_ARN }} in configure-aws-credentials and access-role-arn: ${{ secrets.ROLE_ARN }}?

Thanks for clarifying.

Description:
Current behavior does not catch when deployment fail but successfully recover to previous version.

Current behavior:
Action uses build from repository or ECR, updates service and waits for status !== operation_in_progress.

Suggested behavior:
Action should store OperationID on updateServiceCommand() and then poll that operation until status !== operation_in_progress. Then return success on status == succeded or else fail

We have to pass some environment variables to image based services.
Is it planned to support this?

After completing deployment, there might a situation when the deployment isn't successful and App Runner is performing rollback. In this case, we don't see any error in the action performed on Github side. Is there a flag to configure this behavior?
If not, I was hoping to get the operation id from the outputs to be able to access aws cli listOperations with it?
Would be glad to hear how to deal with this case

To manage resources with tags

Setting cpu or memory with value less than 1 (floating point) yield validation error.

e.g.:

cpu: 0.25
memory: 0.5

output:

2 validation errors detected: Value '0 GB' at 'instanceConfiguration.memory' failed to satisfy constraint: Member must satisfy regular expression pattern: 512|1024|2048|3072|4096|6144|8192|10240|12288|(0.5|1|2|3|4|6|8|10|12) GB; Value '0 vCPU' at 'instanceConfiguration.cpu' failed to satisfy constraint: Member must satisfy regular expression pattern: 256|512|1024|2048|4096|(0.25|0.5|1|2|4) vCPU

Probably because the input field is parsed as int.

According to the documentation it is possible to configure a HTTP based health check via CLI.
Is it planned to support this?

The version of the aws-sdk/client-apprunner did not include the python 3.11 runtime, as it was launched on december 2023.

Using this github action to deploy on a PR I can almost get PR Previews setup (like heroku, netlify, render, etc).

The only roadblock that I'm running into is I need to know the URL ahead of time-- I need a predictable URL.

If we could set the URL through the apprunner step, I have access to the PR number inside the github action so it would be easy to formulate a url to pass in pretty easily.

It seems like maybe I can create my own action/step in the mean time using the API?

https://docs.aws.amazon.com/apprunner/latest/api/API_AssociateCustomDomain.html

Otherwise, only other missing thing to match heroku etc would be shutting down a service when a PR get's closed

I have a valid instance-role-arn with the necessary SSM and KMS permission. I have created 2 ssm parameters pointing to each app runner environment variable AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY respectively.

while running the git hub action pipeline it fails with UnrecognizedClientException: The security token included in the request is invalid.

But if I edit App Runner Environment values directly with the same parameter value (SSM) and update the service manually through the console - it is working.

Is there any additional setting needed?

I followed the README and https://aws.amazon.com/blogs/containers/deploy-applications-in-aws-app-runner-with-github-actions/ documentation to implement GitHub action flow for image-based service. I am also successfully able to implement copy-env-vars. While implementing copy-secret-env-vars first it errored about not including instance-role-arn. I tried to follow a similar approach to create a role with SSM Read Only access and used that ARN as instance-role-arn. But it failed with error Failed to assume instance-role-arn.

Trusted Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

Permission: (AmazonSSMReadOnlyAccess)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:Describe*",
"ssm:Get*",
"ssm:List*"
],
"Resource": "*"
}
]
}

How to resolve this issue or what is the correct role should be used with instance-role-arn?

Summary

I have a pipeline that was working fine until yesterday. Without making any changes, it started failing today with this error:

Error: The auto scaling configuration ARN you specified isn't valid. ARN: ''

Relevant

I highly suspect #33 and this change are relevant.

Reproduction

Step configuration that fails:

      - name: Deploy to App Runner Image
        id: deploy-apprunner
        uses: awslabs/amazon-app-runner-deploy@main
        with:
          service: my-app-staging-app-runner-service
          image: ${{ steps.login-ecr.outputs.registry }}/my-app-staging-dotnet-backend:${{ github.sha }}
          access-role-arn: ${{ secrets.ROLE_ARN }}
          region: eu-west-1
          cpu: 1
          memory: 2
          wait-for-service-stability: true

Error screenshot:

Contributing Guidelines checklist:

• A reproducible test case or series of steps -> Done, to some extent.
• The version of our code being used -> awslabs/amazon-app-runner-deploy@main
• Any modifications you've made relevant to the bug -> Nope. But there are 2.20 changes that might be relevant.
• Anything unusual about your environment or deployment -> Nope.

Update: A workaround

You can lock the version of awslabs/amazon-app-runner-deploy to 54d9f229e41b80f7cace6480c45ab6dcb1d1af0f, a version that seems to work.

In your yaml, change:

uses: awslabs/amazon-app-runner-deploy@main

to:

uses: awslabs/amazon-app-runner-deploy@54d9f229e41b80f7cace6480c45ab6dcb1d1af0f

It may be a good idea to lock the version even regardless of this issue.

It is useful to have serviceUrl in the output to comment or notify url.
If that's not a problem, I'll be happy to throw pr

Hi!

I have a backend app that needs to access other AWS resources during its work. It would be nice to have options to set a "InstanceRoleArn" in configuration params, to pass this inside the service.

Thanks in advance!

Repro steps:

1. Push two different images/tags to the ECR private registry (e.g. main and develop)
2. Configure App Runner manual to deploy one of those, e.g. main
3. Configure and run App Runner to deploy/refresh that service but with image set to the second image, e.g. develop
4. After the job is finished check whether the develop image is deployed

Current result:
Service was refreshed but with the first image (main)

Expected result:
Image from the image field should be used for the new service instance.

My setup:

1. demo:main and demo:develop are uploaded to ECR
2. demo-env App Runner service is configured with main image
3. I'm triggering the workflow with imageTag set to develop

name: Deploy to demo env

on:
  workflow_dispatch:
    inputs:
      imageTag:
        description: "Image tag to deploy"
        required: true
        default: "develop"

jobs:
  deploy-demo:
    # avoid running the job when build for the branch is running
    concurrency:
      group: refs/heads/${{ github.event.inputs.imageTag }}
      cancel-in-progress: false
    runs-on: ubuntu-latest
    env:
      AWS_REGION: <<redacted>>
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Deploy to App Runner Image
        id: deploy-apprunner
        uses: awslabs/amazon-app-runner-deploy@main
        with:
          service: demo-env
          image: ${{ secrets.AWS_ECR_REPOSITORY }}/<<redacted>>/demo:${{ github.event.inputs.imageTag }}
          access-role-arn: ${{ secrets.AWS_ECR_ACCESS_ROLE_ARN }}
          region: ${{ env.AWS_REGION }}
          cpu: 1
          memory: 2
          wait-for-service-stability: true

      - name: Demo output
        run: |
          echo "App runner service-id ${{ steps.deploy-apprunner.outputs.service-id }}"
          echo "Visit <<redacted>>"

Job log:

Run awslabs/amazon-app-runner-deploy@main
  with:
    service: demo-env
    image: ***/<<redacted>>/demo:develop
    access-role-arn: ***
    region: <<redacted>>
    cpu: 1
    memory: 2
    wait-for-service-stability: true
  env:
    AWS_REGION: <<redacted>>
    AWS_DEFAULT_REGION: <<redacted>>
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
Updating existing service demo-env
Service update initiated with operation ID - <<redacted>>
Waiting for the service <<redacted>> to reach stable state
Service <<redacted>> has reached the stable state RUNNING
App Runner step - DONE!

Any plans to support other image services like dockerhub and github registry? Or is it already supported?

Hey all,

We started making use of this action to deploy an App Runner Private Service, after making use of this action many times for standard "public" app runner deployments.

The issue is that the AWS CLI/API does not report back a serviceUrl when describing an app runner private service, which causes this action to wrongfully fail (the service is deployed correctly, but the action fails because it didn't report a URL back).

I looked inside the code a bit and it seems that a PR that doesn't fail in case a serviceUrl is not returned can be easy to make, so I'd be happy to help if that solution works for everyone.

If not, please let me know if you have plans to fix this issue.

Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: awslabs/amazon-app-runner-deploy@main. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.

Currently the only supported runtime for Node.js is Node.js 12. With Node.js 12 in maintenance mode, are there plans to support active versions including Node.js 16?

I have the following in my package.json file:

"scripts": {
    "migrate": "knex migrate:latest"
},

Running npm run migrate works fine on my local machine. When I try to add this command onto my existing build command:

App Runner always gives an error and rolls back my change:

Does App Runner not support multiple build commands?

I have been following this guide to integrate a custom apprunner.yaml file into my Node 18 application. I added apprunner.yaml to the root folder of my ExpressJS repo. The file looks like:

version: 1.0
runtime: nodejs18
build:
  commands:
    build:
      - npm install
    post-build:
      - knex migrate:latest
      - knex seed:run

After adding this to my repo and triggering a build, the App Runner instance deploys without any errors. But when I look at the Postgres instance that's connected to my app, I notice that the migration and seed commands under the post-build section of my apprunner.yaml file did not run.

Looking through the deployment logs, I also don't see any mention of the post-build commands of knex migrate:latest or knex seed:run. There are also no errors reported in the logs.

It seems like App Runner is ignoring the apprunner.yaml file in my repo. Is there another step that needs to be taken into account to get it to use the apprunner.yaml file?