From e45e658c9ce1f78e8ee07782f626aa4562f634ba Mon Sep 17 00:00:00 2001
From: hozkaya2000 <63765239+hozkaya2000@users.noreply.github.com>
Date: Wed, 6 Dec 2023 13:12:31 -0800
Subject: [PATCH] Add generateConfig action, updates to check-update-security and generate-release-vars.sh (#174)

* Modify generate-release-vars.sh to include ecs init, docker, and containerd versions similar to previously existing release vars
* Add generateConfig action, small updates to check-update-security
---
 .github/workflows/generateconfig.yml | 37 ++++++++++++++++
 generate-release-vars.sh | 2 +-
 release-al1.auto.pkrvars.hcl | 7 ++-
 .../check-update-security.sh | 6 +-
 scripts/check-update.sh | 43 +++++++++++++++++++
 5 files changed, 89 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/generateconfig.yml
 rename check-update-security.sh => scripts/check-update-security.sh (99%)
 create mode 100755 scripts/check-update.sh
diff --git a/.github/workflows/generateconfig.yml b/.github/workflows/generateconfig.yml
new file mode 100644
index 0000000..21b3ae2
--- /dev/null
+++ b/.github/workflows/generateconfig.yml
@@ -0,0 +1,37 @@
+name: GenerateConfig
+
+on: workflow_dispatch
+
+jobs:
+ GenerateConfig:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+ env:
+ IAM_INSTANCE_PROFILE_ARN: ${{secrets.IAM_INSTANCE_PROFILE_ARN}}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Install xmllint
+ run: sudo apt-get update && sudo apt-get install libxml2-utils
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{secrets.AMI_GENERATE_CONFIG_ROLE}}
+ aws-region: us-west-2
+ - name: Configure prereqs
+ run: |
+ git config --global user.name "GenerateConfig Action"
+ git config --global user.email "gcaction@github.com"
+ - name: Check AL1 Updates
+ run: ./scripts/check-update.sh al1
+ - name: Check AL2 Base AMI Update
+ run: ./scripts/check-update.sh al2
+ - name: Check AL2023 Base AMI Update
+ run: ./scripts/check-update.sh al2023
+ - name: Commit and Push Changes if Update Is Required
+ run: |
+ git commit -m "Release Kickoff"
+ git status
+ git push
\ No newline at end of file
diff --git a/generate-release-vars.sh b/generate-release-vars.sh
index 176ae13..c5dfe38 100755
--- a/generate-release-vars.sh
+++ b/generate-release-vars.sh
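Review bot: The final step's `git commit` exits non-zero when the preceding check-update.sh steps staged nothing (no update for any AMI type), and because a `run:` block executes under `bash -e` by default the job then fails instead of finishing as a no-op; guard it with `git diff --cached --quiet || (git commit -m "Release Kickoff" && git push)`. The `Install xmllint` step calls `apt-get install` without `-y`, which aborts at the confirmation prompt whenever the package is not already present: `run: sudo apt-get update && sudo apt-get install -y libxml2-utils`. Given that this job holds `contents: write` plus an OIDC-assumed AWS role, the two third-party actions are worth pinning to a full commit SHA (with the version tag in a trailing comment) rather than the floating `@v3`/`@v4` tags, so that a retagged or compromised release cannot run with those permissions.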
@@ -99,7 +99,7 @@ EOF
 readonly ecs_agent_version=$(sed -n '/variable "ecs_agent_version" {/,/}/p' variables.pkr.hcl | grep "default" | awk -F '"' '{ print $2 }')
 readonly ecs_init_rev=$(sed -n '/variable "ecs_init_rev" {/,/}/p' variables.pkr.hcl | grep "default" | awk -F '"' '{ print $2 }')
- readonly docker_version_2023=$(sed -n '/variable "docker_version_al2023" {/,/}/p' variables.pkr.hcl | grep "default" | awk -F '"' '{ print $2 }')
+ readonly docker_version_al2023=$(sed -n '/variable "docker_version_al2023" {/,/}/p' variables.pkr.hcl | grep "default" | awk -F '"' '{ print $2 }')
 readonly containerd_version_al2023=$(sed -n '/variable "containerd_version_al2023" {/,/}/p' variables.pkr.hcl | grep "default" | awk -F '"' '{ print $2 }')
 readonly exec_ssm_version=$(sed -n '/variable "exec_ssm_version" {/,/}/p' variables.pkr.hcl | grep "default" | awk -F '"' '{ print $2 }')
diff --git a/release-al1.auto.pkrvars.hcl b/release-al1.auto.pkrvars.hcl
index fb4028a..accc8e1 100644
--- a/release-al1.auto.pkrvars.hcl
+++ b/release-al1.auto.pkrvars.hcl
@@ -1,2 +1,5 @@
-ami_version = "20231024"
-source_ami_al1 = "amzn-ami-minimal-hvm-2018.03.0.20231002.0-x86_64-ebs"
+ami_version = "20231205"
+ecs_version_al1 = "1.51.0"
+docker_version_al1 = "20.10.13"
+exec_ssm_version = "3.2.1630.0"
+source_ami_al1 = "amzn-ami-minimal-hvm-2018.03.0.20231106.0-x86_64-ebs"
diff --git a/check-update-security.sh b/scripts/check-update-security.sh
similarity index 99%
rename from check-update-security.sh
rename to scripts/check-update-security.sh
index 44b7550..a902b93 100755
--- a/check-update-security.sh
+++ b/scripts/check-update-security.sh
@@ -89,7 +89,7 @@ esac
 # Query ssm to get latest ecs optimized ami
 ami_id=$(aws ssm get-parameters --names $ami_path --region us-west-2 | jq -r '.Parameters[0].Value' | jq -r '.image_id')
-user_data=$(mktemp user_data.txt)
+user_data=$(touch user_data.txt)
 if [ "$install_and_start_ssm_agent" -eq 1 ]; then
 cat <>user_data.txt
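Review bot: The new `user_data=$(touch user_data.txt)` assigns the empty string, because `touch` writes nothing to stdout, so `$user_data` is now dead and the file name is hard-coded separately here, on the `cat ... user_data.txt` line below, and in `rm user_data.txt` in the `@@ -153,7 +153,7` hunk. More importantly, `touch` does not truncate an existing file: the redirect on the line below appears to be an append, so a stale `user_data.txt` left in the working directory by an earlier aborted run (the `rm` only runs after the instance has been launched) would be sent as the instance's user data together with the new content. Keep the variable and start from a fresh, empty file instead, `user_data=user_data.txt` followed by `: > "$user_data"`, and reference `"$user_data"` in the redirect and in the `rm`. The `if` that follows this hunk, and the code surrounding the `rm` in the later hunk, continue outside the hunks.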
@@ -153,7 +153,7 @@ check_wait_response $(echo $?)
 # Instance has been launched, terminate in case of an error
 trap 'failure_cleanup' ERR
-rm "$user_data"
+rm user_data.txt
 # Assert that ssm agent is running before moving forward
 ssm_agent_status() {
@@ -195,12 +195,12 @@ command_status() {
 max_retries=20
 success=0
 for ((r = 0; r < max_retries; r++)); do
+ sleep 5
 cmd_status=$(command_status)
 if [ "$cmd_status" = "Failed" ] || [ "$cmd_status" = "Success" ]; then
 success=1
 break
 fi
- sleep 5
 done
 if [ $success -ne 1 ]; then
 echo "Command execution timed out"
diff --git a/scripts/check-update.sh b/scripts/check-update.sh
new file mode 100755
index 0000000..b11f958
--- /dev/null
+++ b/scripts/check-update.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -io pipefail
+
+usage() {
+ echo "Usage:"
+ echo " $0 AMI_TYPE"
+ echo "Example:"
+ echo " $0 al2"
+ echo "AMI_TYPE Must be one of: al1, al2, al2023"
+}
+
+error() {
+ local msg="$1"
+ echo "ERROR: $msg"
+ usage
+ exit 1
+}
+
+readonly ami_type="$1"
+if [ -z "$ami_type" ]; then
+ error "AMI_TYPE must be provided"
+fi
+
+cp release-$ami_type.auto.pkrvars.hcl release-$ami_type.old.hcl
+./generate-release-vars.sh $ami_type
+diff_val=$(diff <(grep -v ami_version release-$ami_type.old.hcl) <(grep -v ami_version release-$ami_type.auto.pkrvars.hcl))
+if [ -z "$diff_val" ]; then
+ Update=$(./scripts/check-update-security.sh $ami_type)
+ if [ "$Update" != "true" ] && [ "$ami_type" != "al1" ]; then
+ Update=$(./scripts/check-update-security.sh "$ami_type"_arm)
+ fi
+else
+ Update="true"
+fi
+
+rm "release-$ami_type.old.hcl"
+
+if [ "$Update" = "true" ]; then
+ echo "Update exists for $ami_type"
+ git add release-$ami_type.auto.pkrvars.hcl
+else
+ echo "Update does not exist for $ami_type"
+fi
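Review bot: `set -io pipefail` at the top of scripts/check-update.sh is not a valid `set` invocation in bash (`-i` is an invocation-only flag, not a `set` option), so the line is rejected with "invalid option" and neither `-e` nor `pipefail` takes effect; presumably `set -eo pipefail` was intended. As written, a failing `./generate-release-vars.sh` or `./scripts/check-update-security.sh` is ignored, `$Update` ends up empty and the run reports "Update does not exist", so a failed security check is indistinguishable from "nothing to do". The script also never validates `AMI_TYPE` against the set that `usage` promises, so add `case "$ami_type" in al1|al2|al2023) ;; *) error "AMI_TYPE must be one of: al1, al2, al2023" ;; esac` after the empty check, before the value is interpolated into file names and passed to the other scripts. Once `-e` is in effect the `rm "release-$ami_type.old.hcl"` cleanup is skipped whenever an earlier command fails; a `trap 'rm -f "release-$ami_type.old.hcl"' EXIT` set right after the `cp` covers both paths.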