🚀 AWS App Runner Demo with Spring Boot and GitHub Actions CI/CD

Welcome to a complete deployment pipeline for your Spring Boot app using:

• 🐳 Docker
• ☁️ Amazon ECR
• ⚙️ AWS App Runner
• 🤖 GitHub Actions

This project shows how to go from code ➡️ container ➡️ deployed app automatically using CI/CD. This README.md will guide you through every step including screenshots, IAM setup, Dockerization, and deployment.

---

🧰 Tech Stack

• ☕ Spring Boot (Java 21)
• 🐳 Docker (multi-stage)
• 🛢️ Amazon ECR
• 🚀 AWS App Runner
• 🔐 IAM for secure access
• 🤖 GitHub Actions (CI/CD)

---

You're welcome! Here's a simple yet clear flow diagram that shows the end-to-end process — from code to cloud — using your Spring Boot, Docker, GitHub Actions, ECR, and AWS App Runner stack.

---

🔁 Code to Cloud Flow Diagram

graph TD
  A[💻 Developer Writes Code] --> B[🐙 Push to GitHub Repo]
  B --> C[🤖 GitHub Actions Triggered]
  C --> D[🐳 Build Docker Image]
  D --> E[☁️ Push to Amazon ECR]
  E --> F[🚀 AWS App Runner Pulls Image]
  F --> G[🌐 App Deployed to Public URL]

Loading

---

📦 Components Explained:

Symbol	Description
💻	Developer writes Spring Boot code
🐙	Code pushed to GitHub triggers workflow
🤖	GitHub Actions builds app, pushes to ECR
🐳	Docker image created and uploaded to AWS ECR
🚀	App Runner pulls from ECR and deploys the app
🌐	App is now live on a public URL

---

📦 Dockerfile Explained

🔍 What is a Multi-Stage Build?

In Docker, a multi-stage build allows you to:

• Compile and build your application in one stage
• Copy only the final .jar to a clean runtime image in another stage

👉 This reduces image size and keeps the production image clean and secure.

🐳 Dockerfile Breakdown

# 🏗️ Stage 1: Builder
FROM eclipse-temurin:21-jdk AS builder
WORKDIR /app
COPY . .
RUN ./mvnw clean package -DskipTests

• Uses JDK to build the Spring Boot JAR
• Skips tests for faster CI builds
• Packages everything into target/app.jar

# 🚀 Stage 2: Runtime
FROM eclipse-temurin:21-jre
WORKDIR /app
COPY --from=builder /app/target/*.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]

• Uses a smaller JRE image (Java Runtime only)
• Only the JAR is copied from the builder stage
• Exposes port 8080 and starts your Spring Boot app

✅ Benefits:

• Smaller image size
• Faster startup
• No Maven or source code in the final container

---

📁 .dockerignore

Keeps your Docker image clean by ignoring unnecessary files:

target/
.git
.gitignore
README.md
Dockerfile

---

🔐 IAM Setup (Security First)

🧑‍💻 IAM User for GitHub Actions

Create an IAM user (e.g., springboot-app-runner) with:

• AmazonEC2ContainerRegistryFullAccess ✅
• AWSAppRunnerFullAccess ✅
• Custom inline policy:

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/AppRunnerECRAccessRole"
}

This allows GitHub Actions to pass a role to App Runner.

---

🎟️ IAM Role for App Runner (access-role-arn)

Create a new IAM Role with:

Trust Policy (custom):

{
	"Version": "2012-10-17",
	"Statement": [
		{
          "Effect": "Allow",
          "Principal": {
            "Service": "build.apprunner.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
	]
}

Permissions:

• Attach: AmazonEC2ContainerRegistryReadOnly

---

🏗️ GitHub Actions Workflow: Step-by-Step

✅ 1. Checkout Code

- uses: actions/checkout@v3

➡️ Pulls your latest source code from GitHub.

---

🔐 2. Authenticate to AWS

- uses: aws-actions/configure-aws-credentials@v4

➡️ Uses AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to allow access to AWS services.

Below Shows a Step by Step Guide for the Key creation

---

📦 3. Log in to Amazon ECR

- uses: aws-actions/amazon-ecr-login@v2

➡️ Logs Docker into your ECR registry so it can push the image.

---

🐳 4. Build and Push Docker Image

docker build -t $IMAGE_URI .
docker push $IMAGE_URI

➡️ Builds your app into a Docker image and pushes it to ECR.

---

🚀 5. Deploy to App Runner

- uses: awslabs/amazon-app-runner-deploy@main
  with:
    service: springboot-apprunner
    image: 66656744752.dkr.ecr.us-east-1.amazonaws.com/my-springboot-app:latest
    region: us-east-1
    access-role-arn: ${{ secrets.APP_RUNNER_ACCESS_ROLE_ARN }}

➡️ Deploys the latest image from ECR to AWS App Runner ➡️ Uses the IAM role to pull the image securely

---

📬 GitHub Secrets Required

In your GitHub repo → Settings > Secrets and variables > Actions:

Key	Description
AWS_ACCESS_KEY_ID	From IAM user
AWS_SECRET_ACCESS_KEY	From IAM user
APP_RUNNER_ACCESS_ROLE_ARN	IAM role used by App Runner

---

📸 Screenshots

• ✅ Spring Initializr setup
  
  

• 📦 ECR repository screen
  
  

• 🚀 App Runner deployment success
  
  
  

• 📬 Github Action Execution
  
  

---

🌐 Final Result

Once deployed, App Runner will give you a public URL like:

https://pnxwcd9w25.ap-southeast-1.awsapprunner.com

You can test it by visiting:

GET /
Response:
{
  "status": "success",
  "data": {
    "message": "Server is online",
    "code": 200
  }
}

---

🚧 Future Improvements

• 🔜 Add custom domain to App Runner
• 🔜 Add health checks and alerting
• 🔜 Switch to Terraform IaC
• 🔜 Add staging environment

---

🙌 Acknowledgements

• AWS App Runner Docs
• GitHub Actions Marketplace
• You — for deploying Java apps the cloud-native way ☁️

---

✨ Done!

You now have:

✅ Dockerized Spring Boot app
✅ Pushed to Amazon ECR
✅ Deployed to AWS App Runner
✅ Automated with GitHub Actions

Enjoy shipping with confidence! 🛳️💻🌐