From 7e6ba2e4a7c7a768c35dc9a4dfb37c88085c3b5a Mon Sep 17 00:00:00 2001
From: hozkaya2000
Date: Fri, 1 Dec 2023 16:10:35 -0800
Subject: [PATCH] Add generateConfig action, small updates to check-update-security

---
 .github/workflows/generateconfig.yml | 37 ++++++++++++++++++++++++
 check-update-security.sh | 6 ++--
 scripts/check-update.sh | 43 ++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/generateconfig.yml
 create mode 100755 scripts/check-update.sh

diff --git a/.github/workflows/generateconfig.yml b/.github/workflows/generateconfig.yml
new file mode 100644
index 00000000..21b3ae26
--- /dev/null
+++ b/.github/workflows/generateconfig.yml
@@ -0,0 +1,37 @@
+name: GenerateConfig
+
+on: workflow_dispatch
+
+jobs:
+  GenerateConfig:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    env:
+      IAM_INSTANCE_PROFILE_ARN: ${{secrets.IAM_INSTANCE_PROFILE_ARN}}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install xmllint
+        run: sudo apt-get update && sudo apt-get install libxml2-utils
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{secrets.AMI_GENERATE_CONFIG_ROLE}}
+          aws-region: us-west-2
+      - name: Configure prereqs
+        run: |
+          git config --global user.name "GenerateConfig Action"
+          git config --global user.email "gcaction@github.com"
+      - name: Check AL1 Updates
+        run: ./scripts/check-update.sh al1
+      - name: Check AL2 Base AMI Update
+        run: ./scripts/check-update.sh al2
+      - name: Check AL2023 Base AMI Update
+        run: ./scripts/check-update.sh al2023
+      - name: Commit and Push Changes if Update Is Required
+        run: |
+          git commit -m "Release Kickoff"
+          git status
+          git push
\ No newline at end of file
diff --git a/check-update-security.sh b/check-update-security.sh
index 44b75507..a902b93a 100755
--- a/check-update-security.sh
+++ b/check-update-security.sh
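Review bot: The final step commits unconditionally, so on a run where none of the three check-update.sh invocations staged a file, `git commit -m "Release Kickoff"` exits non-zero and fails the job even though the step name says the push is conditional; guard it, e.g. `git diff --cached --quiet || { git commit -m "Release Kickoff" && git push; }`. Both third-party actions are referenced by mutable tags (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v4`) in a job that holds `contents: write` plus an OIDC-assumed AWS role, so pin them to full commit SHAs to limit the blast radius of a moved tag. `sudo apt-get install libxml2-utils` lacks `-y`; it presumably only works on the runner while no additional dependencies are pulled in, so add `-y` before that changes. Note also that a push made with the default GITHUB_TOKEN does not trigger other workflows, which may or may not be what a "Release Kickoff" commit is meant to do.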
@@ -89,7 +89,7 @@ esac
 # Query ssm to get latest ecs optimized ami
 ami_id=$(aws ssm get-parameters --names $ami_path --region us-west-2 | jq -r '.Parameters[0].Value' | jq -r '.image_id')
-user_data=$(mktemp user_data.txt)
+user_data=$(touch user_data.txt)
 if [ "$install_and_start_ssm_agent" -eq 1 ]; then
   cat <>user_data.txt
@@ -153,7 +153,7 @@ check_wait_response $(echo $?)
 # Instance has been launched, terminate in case of an error
 trap 'failure_cleanup' ERR
-rm "$user_data"
+rm user_data.txt
 # Assert that ssm agent is running before moving forward
 ssm_agent_status() {
@@ -195,12 +195,12 @@ command_status() {
 max_retries=20
 success=0
 for ((r = 0; r < max_retries; r++)); do
+  sleep 5
   cmd_status=$(command_status)
   if [ "$cmd_status" = "Failed" ] || [ "$cmd_status" = "Success" ]; then
     success=1
     break
   fi
-  sleep 5
 done
 if [ $success -ne 1 ]; then
   echo "Command execution timed out"
diff --git a/scripts/check-update.sh b/scripts/check-update.sh
new file mode 100755
index 00000000..03348885
--- /dev/null
+++ b/scripts/check-update.sh
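Review bot: `touch user_data.txt` creates the file but never truncates it, and the heredoc on the hunk's last line appears to append (the line is garbled in this extraction, but `>>user_data.txt` survives), so a `user_data.txt` left behind by an earlier aborted run has its stale contents fed into the new instance's user-data; truncate instead with `: > user_data.txt`. The assignment `user_data=$(touch user_data.txt)` also leaves `$user_data` empty because touch prints nothing, which is presumably why the later `rm "$user_data"` had to be rewritten; `user_data=user_data.txt` followed by `: > "$user_data"` keeps the variable meaningful. The replaced `mktemp user_data.txt` was itself rejected by GNU mktemp (the template has no trailing X's), so if a private, unpredictable temp file was the original intent, `user_data=$(mktemp)` with the heredoc redirected to `>>"$user_data"` restores that property rather than a fixed name in the working directory.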
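Review bot: `rm user_data.txt` only executes on the success path after the instance launch; the `trap 'failure_cleanup' ERR` installed directly above it is not shown to remove the file, so any exit through that trap, or any failure before this line, leaves `user_data.txt` in the working directory for the next run to pick up. Register the removal on exit instead, e.g. `trap 'rm -f user_data.txt' EXIT` next to the ERR trap, and keep this line if you want the early cleanup as well. Whether `failure_cleanup`, defined outside this hunk, already deletes the file is not visible here.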
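Review bot: Moving `sleep 5` ahead of the poll does not change that the loop exits only on `Failed` or `Success`; if `command_status` can surface SSM's other terminal states (for example `Cancelled`, `TimedOut`, `DeliveryTimedOut`), the loop spins for the full 20 × 5 s and then reports a misleading "Command execution timed out". Consider breaking on any status other than `Pending`/`InProgress`/`Delayed`, or at least listing the other terminal values in the condition. The timeout message is written to stdout, which matters because the new scripts/check-update.sh captures this script's stdout into `$Update` and compares it with the string `true`; send diagnostics to stderr, `echo "Command execution timed out" >&2`, so an error cannot be silently read as "no update". The `if [ $success -ne 1 ]` block and the `command_status` function both continue outside the hunk.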
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -io pipefail
+
+usage() {
+  echo "Usage:"
+  echo " $0 AMI_TYPE"
+  echo "Example:"
+  echo " $0 al2"
+  echo "AMI_TYPE Must be one of: al1, al2, al2023"
+}
+
+error() {
+  local msg="$1"
+  echo "ERROR: $msg"
+  usage
+  exit 1
+}
+
+readonly ami_type="$1"
+if [ -z "$ami_type" ]; then
+  error "AMI_TYPE must be provided"
+fi
+
+cp release-$ami_type.auto.pkrvars.hcl release-$ami_type.old.hcl
+./generate-release-vars.sh $ami_type
+diff_val=$(diff <(grep -v ami_version release-$ami_type.old.hcl) <(grep -v ami_version release-$ami_type.auto.pkrvars.hcl))
+if [ -z "$diff_val" ]; then
+  Update=$(./check-update-security.sh $ami_type)
+  if [ "$Update" != "true" ] && [ "$ami_type" != "al1" ]; then
+    Update=$(./check-update-security.sh "$ami_type"_arm)
+  fi
+else
+  Update="true"
+fi
+
+rm "release-$ami_type.old.hcl"
+
+if [ "$Update" = "true" ]; then
+  echo "Update exists for $ami_type"
+  git add release-$ami_type.auto.pkrvars.hcl
+else
+  echo "Update does not exist for $ami_type"
+fi
\ No newline at end of file
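Review bot: `set -io pipefail` on the second line is not a valid invocation: bash's `set` builtin rejects `-i` as an invalid option, and because the whole command fails `pipefail` is never enabled either, so the script runs with no error handling at all; `set -o pipefail` is the minimal fix. The usage text promises `AMI_TYPE` is one of al1, al2, al2023, but nothing enforces that before `$ami_type` is spliced unquoted into file names and handed to `./generate-release-vars.sh` and `./check-update-security.sh`, so a `case` guard after the empty check closes the gap. If `-e` was the intent as well, note that `diff` exits 1 whenever the two files differ, which would abort the script at the `diff_val=$(...)` line unless that substitution is suffixed with `|| true`. Finally, `[ "$Update" != "true" ]` treats any unexpected stdout from check-update-security.sh, including its own error messages, as "no update", so failures of that script are silently swallowed; check its exit status too, or have it send diagnostics to stderr.
```shell
set -o pipefail

# … unchanged: usage(), error() …

readonly ami_type="$1"
if [ -z "$ami_type" ]; then
  error "AMI_TYPE must be provided"
fi
case "$ami_type" in
  al1|al2|al2023) ;;
  *) error "AMI_TYPE must be one of: al1, al2, al2023" ;;
esac

# … unchanged: copy, regenerate, diff and update checks …
```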