AWS Deployment Skill
This skill helps with AWS ECS deployment and infrastructure management for the ActivityTracking application.
When to Use
- Deploying to AWS ECS for the first time
- Updating existing ECS deployment
- Troubleshooting AWS infrastructure issues
- Configuring AWS services (RDS, S3, SES)
Architecture Overview
┌─────────────────────────────────────────────┐
│ Internet Gateway │
└─────────────────┬───────────────────────────┘
│
┌─────────────────▼───────────────────────────┐
│ Application Load Balancer (ALB) │
│ - Health checks on /actuator/health │
└─────────────────┬───────────────────────────┘
│
┌─────────────────▼───────────────────────────┐
│ ECS Fargate Service │
│ - Task Definition: 512 CPU / 1024 MB │
│ - Auto-scaling: 1-3 tasks │
└─────────────────┬───────────────────────────┘
│
┌─────────┴─────────┐
│ │
┌───────▼─────┐ ┌────────▼────────┐
│ RDS │ │ S3 Bucket │
│ PostgreSQL │ │ (Receipts) │
│ Multi-AZ │ │ + Lifecycle │
└─────────────┘ └─────────────────┘
Deployment Steps
1. Pre-Deployment Checklist
- Docker image built and tested locally
- Environment variables defined (JWT_SECRET, DB_PASSWORD, etc.)
- CloudFormation templates reviewed
- AWS CLI configured with appropriate credentials
- ECR repository created for Docker images
2. Initial Infrastructure Deployment
# Using CloudFormation
cd cloudformation
.\scripts\deploy-stack.sh infrastructure-stack templates/infrastructure.yaml parameters/production.json
# Or using PowerShell script
.\aws\deploy-aws.ps1 -Environment production -StackName taskactivity-prod
3. Database Configuration
# Configure RDS endpoint in environment variables
$env:DATABASE_URL = "jdbc:postgresql://rds-endpoint:5432/taskactivity"
# Run schema initialization (first time only)
psql -h rds-endpoint -U dbuser -d taskactivity -f src/main/resources/schema.sql
4. S3 Receipt Storage Setup
# Create S3 bucket with lifecycle policy
aws s3 mb s3://taskactivity-receipts-prod
# Apply lifecycle policy
aws s3api put-bucket-lifecycle-configuration `
--bucket taskactivity-receipts-prod `
--lifecycle-configuration file://aws/s3-receipts-lifecycle-policy.json
# Enable encryption
aws s3api put-bucket-encryption `
--bucket taskactivity-receipts-prod `
--server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}]
}'
5. SES Email Configuration
# Configure SES
.\aws\configure-ses.ps1 -Region us-east-1 -FromEmail noreply@yourdomain.com
# Verify email addresses (if in sandbox)
.\aws\enable-ses-email.ps1 -EmailAddress user@example.com
6. Deploy Application
# Build and push Docker image to ECR
docker build -t taskactivity:latest .
aws ecr get-login-password | docker login --username AWS --password-stdin <account-id>.dkr.ecr.us-east-1.amazonaws.com
docker tag taskactivity:latest <account-id>.dkr.ecr.us-east-1.amazonaws.com/taskactivity:latest
docker push <account-id>.dkr.ecr.us-east-1.amazonaws.com/taskactivity:latest
# Update ECS service
aws ecs update-service `
--cluster taskactivity-cluster `
--service taskactivity-service `
--force-new-deployment
Environment Variables for AWS
# Application
JWT_SECRET=<from-secrets-manager>
JWT_EXPIRATION=86400000
JWT_REFRESH_EXPIRATION=604800000
# Database
DATABASE_URL=jdbc:postgresql://<rds-endpoint>:5432/taskactivity
DB_USERNAME=<from-secrets-manager>
DB_PASSWORD=<from-secrets-manager>
# Storage
storage.type=s3
storage.s3.bucket-name=taskactivity-receipts-prod
storage.s3.region=us-east-1
# Email
email.provider=ses
email.ses.region=us-east-1
email.from=noreply@yourdomain.com
# Admin
APP_ADMIN_INITIAL_PASSWORD=<from-secrets-manager>
# Profile
SPRING_PROFILES_ACTIVE=aws
Common AWS Issues
Issue: Task keeps restarting
Causes:
- Health check failing
- Missing environment variables
- Database connection issues
Solutions:
- Check CloudWatch logs:
/ecs/taskactivity-service - Verify security group rules allow outbound to RDS
- Test database connection from task
- Verify all required env vars are set
Issue: 502 Bad Gateway from ALB
Causes:
- Application not responding on correct port
- Health check endpoint failing
- Security group blocking ALB to ECS
Solutions:
- Verify
server.port=8080in application properties - Test
/actuator/healthendpoint - Check target group health in ALB console
- Verify security group rules
Issue: S3 upload fails
Causes:
- Incorrect IAM permissions
- Bucket doesn't exist
- Incorrect region configuration
Solutions:
- Verify ECS task role has S3 permissions
- Check bucket name in environment variables
- Verify S3 region matches configuration
Cost Management
# Check current costs
.\aws\check-billing.ps1 -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
Cost Optimization Tips:
- Use Fargate Spot for non-production
- Right-size RDS instance based on CloudWatch metrics
- Enable S3 lifecycle policies (IA, Glacier)
- Use Reserved Instances for steady-state workloads
Monitoring
Key CloudWatch Metrics:
- ECS: CPUUtilization, MemoryUtilization
- ALB: TargetResponseTime, HealthyHostCount
- RDS: DatabaseConnections, CPUUtilization
- Application: Custom metrics from Actuator
Alarms to Set:
- ECS tasks < 1 healthy instance
- RDS CPU > 80%
- ALB 5xx errors > threshold
- Database connections > 80% of max
Memory Bank References
- Check
ai/devops-practices.mdfor AWS infrastructure details - Check
ai/project-overview.mdfor deployment models - Check
aws/AWS_Deployment.mdfor comprehensive deployment guide
Rollback Procedure
# Rollback to previous task definition
aws ecs update-service `
--cluster taskactivity-cluster `
--service taskactivity-service `
--task-definition taskactivity-service:<previous-revision>
# Or use CloudFormation rollback
aws cloudformation rollback-stack --stack-name taskactivity-prod