Add generateConfig action, small updates to check-update-security

aws · Dec 6, 2023 · 7e6ba2e · 7e6ba2e
1 parent 8b1dcde
commit 7e6ba2e
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 3 deletions.
diff --git a/.github/workflows/generateconfig.yml b/.github/workflows/generateconfig.yml
@@ -0,0 +1,37 @@
+name: GenerateConfig
+
+on: workflow_dispatch
+
+jobs:
+  GenerateConfig:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    env: 
+      IAM_INSTANCE_PROFILE_ARN: ${{secrets.IAM_INSTANCE_PROFILE_ARN}} 
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Install xmllint
+      run: sudo apt-get update && sudo apt-get install libxml2-utils
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with: 
+        role-to-assume: ${{secrets.AMI_GENERATE_CONFIG_ROLE}}
+        aws-region: us-west-2
+    - name: Configure prereqs
+      run: |
+        git config --global user.name "GenerateConfig Action"
+        git config --global user.email "[email protected]"
+    - name: Check AL1 Updates
+      run: ./scripts/check-update.sh al1
+    - name: Check AL2 Base AMI Update
+      run: ./scripts/check-update.sh al2
+    - name: Check AL2023 Base AMI Update
+      run: ./scripts/check-update.sh al2023
+    - name: Commit and Push Changes if Update Is Required
+      run: |
+        git commit -m "Release Kickoff"
+        git status
+        git push
diff --git a/check-update-security.sh b/check-update-security.sh
@@ -89,7 +89,7 @@ esac
 # Query ssm to get latest ecs optimized ami
 ami_id=$(aws ssm get-parameters --names $ami_path --region us-west-2 | jq -r '.Parameters[0].Value' | jq -r '.image_id')
 
-user_data=$(mktemp user_data.txt)
+user_data=$(touch user_data.txt)
 if [ "$install_and_start_ssm_agent" -eq 1 ]; then
 
     cat <<EOT >>user_data.txt
@@ -153,7 +153,7 @@ check_wait_response $(echo $?)
 # Instance has been launched, terminate in case of an error
 trap 'failure_cleanup' ERR
 
-rm "$user_data"
+rm user_data.txt
 
 # Assert that ssm agent is running before moving forward
 ssm_agent_status() {
@@ -195,12 +195,12 @@ command_status() {
 max_retries=20
 success=0
 for ((r = 0; r < max_retries; r++)); do
+    sleep 5
     cmd_status=$(command_status)
     if [ "$cmd_status" = "Failed" ] || [ "$cmd_status" = "Success" ]; then
         success=1
         break
     fi
-    sleep 5
 done
 if [ $success -ne 1 ]; then
     echo "Command execution timed out"

diff --git a/scripts/check-update.sh b/scripts/check-update.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -io pipefail
+
+usage() {
+    echo "Usage:"
+    echo "  $0 AMI_TYPE"
+    echo "Example:"
+    echo "  $0 al2"
+    echo "AMI_TYPE Must be one of: al1, al2, al2023"
+}
+
+error() {
+    local msg="$1"
+    echo "ERROR: $msg"
+    usage
+    exit 1
+}
+
+readonly ami_type="$1"
+if [ -z "$ami_type" ]; then
+    error "AMI_TYPE must be provided"
+fi
+
+cp release-$ami_type.auto.pkrvars.hcl release-$ami_type.old.hcl
+./generate-release-vars.sh $ami_type
+diff_val=$(diff <(grep -v ami_version release-$ami_type.old.hcl) <(grep -v ami_version release-$ami_type.auto.pkrvars.hcl))
+if [ -z "$diff_val" ]; then
+    Update=$(./check-update-security.sh $ami_type)
+    if [ "$Update" != "true" ] && [ "$ami_type" != "al1" ]; then
+        Update=$(./check-update-security.sh "$ami_type"_arm)
+    fi
+else
+    Update="true"
+fi
+
+rm "release-$ami_type.old.hcl"
+
+if [ "$Update" = "true" ]; then
+    echo "Update exists for $ami_type"
+    git add release-$ami_type.auto.pkrvars.hcl
+else
+    echo "Update does not exist for $ami_type"
+fi