From 9c65c3b6051061f07a30716324969aca7bbb3970 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Fri, 19 Apr 2024 15:04:30 +0100 Subject: [PATCH 01/13] make singleton readonly (this will probably break) --- packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap | 1 + packages/cdk/lib/cloudquery/task.ts | 1 + 2 files changed, 2 insertions(+) diff --git a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap index dfa0d30b3..59ce50c33 100644 --- a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap +++ b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap @@ -10931,6 +10931,7 @@ spec: }, }, "Name": "CloudquerySource-OrgWideEc2AwsCli", + "ReadonlyRootFilesystem": true, }, { "Command": [ diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index cf0fe1267..e4474c68f 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts @@ -320,6 +320,7 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { `[[ $\{RUNNING} > 1 ]] && exit ${operationInProgress} || exit ${success}`, ].join(';'), ], + readonlyRootFilesystem: true, logging: fireLensLogDriver, /* From f02619f9e1e4b2c020509a78fdfc3616af115a53 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Fri, 19 Apr 2024 15:25:35 +0100 Subject: [PATCH 02/13] make volumes variables for easier referencing --- packages/cdk/lib/cloudquery/task.ts | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index e4474c68f..a59ef20cf 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts 
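Review bot: The singleton guard fails open, and the `task.ts` hunk's context line `[[ ${RUNNING} > 1 ]] && exit ${operationInProgress} || exit ${success}` is where it shows: the commands are `.join(';')`-ed with no `set -e`, so if the metadata `curl` or `aws ecs list-tasks` fails (AccessDenied, a network blip, `curl -s` returning an HTTP error page with status 0) `RUNNING` is empty, the test is false and the container exits 0, which satisfies the `SUCCESS` dependency and lets the cloudquery container run anyway. Inside `[[ ]]` the `>` operator is also a lexicographic string comparison rather than a numeric one; it happens to agree for single digits but not in general. I would prefix the joined script with `'set -eu -o pipefail'`, use `curl -sf` for the metadata calls, and compare numerically: `[[ ${RUNNING:-0} -gt 1 ]]`. Adding `readonlyRootFilesystem: true` to a container whose first command is `yum install` will also need a writable location for yum's cache and rpm database, as the commit message anticipates.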
@@ -11,7 +11,7 @@ import { PropagatedTagSource, Secret, } from 'aws-cdk-lib/aws-ecs'; -import type { Cluster, RepositoryImage } from 'aws-cdk-lib/aws-ecs'; +import type { Cluster, RepositoryImage, Volume } from 'aws-cdk-lib/aws-ecs'; import type { ScheduledFargateTaskProps } from 'aws-cdk-lib/aws-ecs-patterns'; import { ScheduledFargateTask } from 'aws-cdk-lib/aws-ecs-patterns'; import type { IManagedPolicy, PolicyStatement } from 'aws-cdk-lib/aws-iam'; @@ -227,33 +227,38 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { logging: fireLensLogDriver, }); - task.addVolume({ + const configVolume: Volume = { name: 'config-volume', - }); - task.addVolume({ + }; + task.addVolume(configVolume); + + const cqVolume: Volume = { name: 'cloudquery-volume', - }); - task.addVolume({ + }; + task.addVolume(cqVolume); + + const tmpVolume: Volume = { name: 'tmp-volume', - }); + }; + task.addVolume(tmpVolume); cloudqueryTask.addMountPoints( { // So that we can write task config to this directory containerPath: serviceCatalogueConfigDirectory, - sourceVolume: 'config-volume', + sourceVolume: configVolume.name, readOnly: false, }, { // So that Cloudquery can write to this directory containerPath: '/app/.cq', - sourceVolume: 'cloudquery-volume', + sourceVolume: cqVolume.name, readOnly: false, }, { // So that Cloudquery can write temporary data containerPath: '/tmp', - sourceVolume: 'tmp-volume', + sourceVolume: tmpVolume.name, readOnly: false, }, ); From 585955168d4ac6452b47c82d6492a6b751b1f044 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Fri, 19 Apr 2024 15:30:21 +0100 Subject: [PATCH 03/13] add singleton volume for yum packages --- .../lib/__snapshots__/service-catalogue.test.ts.snap | 9 +++++++++ packages/cdk/lib/cloudquery/config.ts | 3 ++- packages/cdk/lib/cloudquery/task.ts | 12 ++++++++++++ 3 files changed, 23 insertions(+), 1 deletion(-) 
diff --git a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap index 59ce50c33..8416e3e5a 100644 --- a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap +++ b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap @@ -10930,6 +10930,12 @@ spec: }, }, }, + "MountPoints": [ + { + "ReadOnly": false, + "SourceVolume": "cache-volume", + }, + ], "Name": "CloudquerySource-OrgWideEc2AwsCli", "ReadonlyRootFilesystem": true, }, @@ -11099,6 +11105,9 @@ spec: { "Name": "tmp-volume", }, + { + "Name": "cache-volume", + }, ], }, "Type": "AWS::ECS::TaskDefinition", diff --git a/packages/cdk/lib/cloudquery/config.ts b/packages/cdk/lib/cloudquery/config.ts index 6d541ed36..8dd56a7a5 100644 --- a/packages/cdk/lib/cloudquery/config.ts +++ b/packages/cdk/lib/cloudquery/config.ts @@ -344,4 +344,5 @@ export const skipTables = [ 'aws_stepfunctions_executions', ]; -export const serviceCatalogueConfigDirectory = '/usr/share/cloudquery'; +export const yumCache = '/usr/share'; +export const serviceCatalogueConfigDirectory = `${yumCache}/cloudquery`; diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index a59ef20cf..586e09bdc 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts @@ -21,6 +21,7 @@ import type { DatabaseInstance } from 'aws-cdk-lib/aws-rds'; import { dump } from 'js-yaml'; import type { CloudqueryConfig } from './config'; import { + localCache, postgresDestinationConfig, serviceCatalogueConfigDirectory, } from './config'; 
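Review bot: The `task.ts` import hunk adds `localCache` to the `from './config'` import, but the `config.ts` hunk in the same patch exports `yumCache`, not `localCache`, so this commit does not type-check on its own (patches 05 and 06 later remove both again). If the constant is kept, the two names need to agree, e.g. `export const localCache = '/usr/share';`. The name is also misleading: `/usr/share` is where the cloudquery config directory lives, whereas yum's own cache and the rpm database live under `/var` (confirm on the image), so a writable mount at `/usr/share` would not make `yum install` succeed on a read-only root filesystem.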
@@ -335,6 +336,17 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { essential: false, }); + const cacheVolume: Volume = { + name: 'cache-volume', + }; + task.addVolume(cacheVolume); + + singletonTask.addMountPoints({ + containerPath: localCache, + sourceVolume: cacheVolume.name, + readOnly: false, + }); + cloudqueryTask.addContainerDependencies({ container: singletonTask, condition: ContainerDependencyCondition.SUCCESS, From 67c3de15a421759791e77c426ed5d7c459cf014e Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Fri, 19 Apr 2024 17:05:01 +0100 Subject: [PATCH 04/13] update singleton path --- packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap | 1 + packages/cdk/lib/cloudquery/task.ts | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap index 8416e3e5a..7d078ec52 100644 --- a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap +++ b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap @@ -10932,6 +10932,7 @@ spec: }, "MountPoints": [ { + "ContainerPath": "/usr", "ReadOnly": false, "SourceVolume": "cache-volume", }, diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index 586e09bdc..8d19e486e 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts @@ -337,12 +337,13 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { }); const cacheVolume: Volume = { + // So that yum can install jq and awscli name: 'cache-volume', }; task.addVolume(cacheVolume); singletonTask.addMountPoints({ - containerPath: localCache, + containerPath: '/usr', //I think jq lives in /usr/bin and awscli in /usr/local/bin sourceVolume: cacheVolume.name, readOnly: false, }); From e9be8dc0a0e9d670c8c5a01c455cf847c163c4e7 Mon Sep 17 00:00:00 2001 
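Review bot: Mounting the empty `cache-volume` at `containerPath: '/usr'` (the `readOnly: false` mount point in the patch 04 hunk) shadows the image's own `/usr`, so `yum`, `curl`, `bash` and everything else installed there is no longer visible to the command, and the comment on that line admits the target paths are a guess. A writable volume on the binary search path also gives back what `readonlyRootFilesystem: true` was meant to take away: anything that can write into the task can replace the `jq` or `aws` binary that the guard then executes with the task's IAM credentials. I would keep the tools in the image rather than install them at run time, and if a writable scratch area is unavoidable, mount it on a dedicated path such as `/var/cache/yum` rather than over a system directory. The `singletonTask` container definition this mount refers to begins outside the hunk.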
From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Fri, 19 Apr 2024 17:11:58 +0100 Subject: [PATCH 05/13] linting --- packages/cdk/lib/cloudquery/config.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packages/cdk/lib/cloudquery/config.ts b/packages/cdk/lib/cloudquery/config.ts index 8dd56a7a5..6d541ed36 100644 --- a/packages/cdk/lib/cloudquery/config.ts +++ b/packages/cdk/lib/cloudquery/config.ts @@ -344,5 +344,4 @@ export const skipTables = [ 'aws_stepfunctions_executions', ]; -export const yumCache = '/usr/share'; -export const serviceCatalogueConfigDirectory = `${yumCache}/cloudquery`; +export const serviceCatalogueConfigDirectory = '/usr/share/cloudquery'; From 99836619236a39611dafc567e400ec8b27cfaa00 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Fri, 19 Apr 2024 17:14:22 +0100 Subject: [PATCH 06/13] more linting --- packages/cdk/lib/cloudquery/task.ts | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index 8d19e486e..f9d1fb268 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts @@ -21,7 +21,6 @@ import type { DatabaseInstance } from 'aws-cdk-lib/aws-rds'; import { dump } from 'js-yaml'; import type { CloudqueryConfig } from './config'; import { - localCache, postgresDestinationConfig, serviceCatalogueConfigDirectory, } from './config'; From bb44e2b07e8fb01034c4562695b2f286e8181efc Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Fri, 19 Apr 2024 17:28:38 +0100 Subject: [PATCH 07/13] use sh as bash lives in usr/bin/bash, which is mounted --- packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap | 2 +- packages/cdk/lib/cloudquery/task.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap index 7d078ec52..3dbb6eb41 100644 --- a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap +++ b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap @@ -10908,7 +10908,7 @@ spec: }, { "Command": [ - "/bin/bash", + "/bin/sh", "-c", "yum install -y -q jq awscli;ECS_CLUSTER=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Cluster');ECS_FAMILY=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Family');ECS_TASK_ARN=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.TaskARN');RUNNING=$(aws ecs list-tasks --cluster $ECS_CLUSTER --family $ECS_FAMILY | jq '.taskArns | length');[[ \${RUNNING} > 1 ]] && exit 114 || exit 0", ], diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index f9d1fb268..c85a2cf03 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts @@ -307,7 +307,7 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { image: Images.amazonLinux, entryPoint: [''], command: [ - '/bin/bash', + '/bin/sh', '-c', [ // Install jq to handle JSON, and awscli to query ECS From 5e5a52c90aeb83e9a3c74dd520a5f91658f0634c Mon Sep 17 00:00:00 2001 From: Ashleigh Carr Date: Mon, 22 Apr 2024 10:13:25 +0100 Subject: [PATCH 08/13] Install jq to `/usr/local/bin` Co-authored-by: Natasha <67543397+NovemberTang@users.noreply.github.com> --- .../lib/__snapshots__/service-catalogue.test.ts.snap | 4 ++-- packages/cdk/lib/cloudquery/task.ts | 11 ++++++++--- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap index 3dbb6eb41..1acba9492 100644 --- a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap +++ b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap 
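Review bot: Switching the interpreter to `'/bin/sh'` while the joined script still uses `[[ ${RUNNING} > 1 ]]` relies on a bash-ism; it only keeps working where `/bin/sh` is bash in POSIX mode, as on Amazon Linux, and it inherits the string rather than numeric comparison. If the motivation is a shell that survives the `/usr` mount, note that on images where `/bin` is a symlink to `/usr/bin`, `/bin/sh` disappears along with `/usr/bin/bash` (check the image). A portable form that also fixes the comparison is `[ "${RUNNING:-0}" -gt 1 ] && exit ${operationInProgress} || exit ${success}`; the rest of the `command` array is outside this hunk.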
@@ -10910,7 +10910,7 @@ spec: "Command": [ "/bin/sh", "-c", - "yum install -y -q jq awscli;ECS_CLUSTER=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Cluster');ECS_FAMILY=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Family');ECS_TASK_ARN=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.TaskARN');RUNNING=$(aws ecs list-tasks --cluster $ECS_CLUSTER --family $ECS_FAMILY | jq '.taskArns | length');[[ \${RUNNING} > 1 ]] && exit 114 || exit 0", + "yum install -y -q awscli;echo "Installed AWS";echo $(aws --help);curl -L -v -o /usr/local/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-arm64;chmod +x /usr/local/bin/jq;ECS_CLUSTER=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Cluster');ECS_FAMILY=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Family');ECS_TASK_ARN=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.TaskARN');RUNNING=$(aws ecs list-tasks --cluster $ECS_CLUSTER --family $ECS_FAMILY | jq '.taskArns | length');[[ \${RUNNING} > 1 ]] && exit 114 || exit 0", ], "EntryPoint": [ "", @@ -10932,7 +10932,7 @@ spec: }, "MountPoints": [ { - "ContainerPath": "/usr", + "ContainerPath": "/usr/local/bin", "ReadOnly": false, "SourceVolume": "cache-volume", }, diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index c85a2cf03..026f1e808 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts 
@@ -311,8 +311,13 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { '-c', [ // Install jq to handle JSON, and awscli to query ECS - 'yum install -y -q jq awscli', - + 'yum install -y -q awscli', + 'echo "Installed AWS"', + 'echo $(aws --help)', + // TODO: Make 1.7.1 configurable + // TODO: Verify hash matches + 'curl -L -v -o /usr/local/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-arm64', + 'chmod +x /usr/local/bin/jq', // Who am I? `ECS_CLUSTER=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Cluster')`, `ECS_FAMILY=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Family')`, @@ -342,7 +347,7 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { task.addVolume(cacheVolume); singletonTask.addMountPoints({ - containerPath: '/usr', //I think jq lives in /usr/bin and awscli in /usr/local/bin + containerPath: '/usr/local/bin', //I think jq lives in /usr/bin and awscli in /usr/local/bin sourceVolume: cacheVolume.name, readOnly: false, }); From 9699edb13ee663815b292703cef80047d63f3cfe Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 22 Apr 2024 11:49:10 +0100 Subject: [PATCH 09/13] temporarily make filesystem writeable again --- packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap | 2 +- packages/cdk/lib/cloudquery/task.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap index 1acba9492..ad9fa6008 100644 --- a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap +++ b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap @@ -10938,7 +10938,7 @@ spec: }, ], "Name": "CloudquerySource-OrgWideEc2AwsCli", - "ReadonlyRootFilesystem": true, + "ReadonlyRootFilesystem": false, }, { "Command": [ 
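Review bot: The new `curl -L -v -o /usr/local/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-arm64` line downloads an executable over the network on every task start and runs it with the task's IAM credentials without any integrity check; the `// TODO: Verify hash matches` above it is the security-relevant gap in this hunk, not a nicety. Without `-f` a 404 or rate-limit page is written to the file and then `chmod +x`'d, `-v` dumps request and response headers into the FireLens logs, and the architecture is hard-coded to `arm64`, which silently breaks on an x86 task (confirm the task's CPU architecture). At minimum fail on HTTP errors and pin the checksum: `curl -fsSL -o /usr/local/bin/jq <url>`, `echo "<expected-sha256>  /usr/local/bin/jq" | sha256sum -c -`, `chmod +x /usr/local/bin/jq`; better, build the tool into the image so nothing is fetched at run time. `echo $(aws --help)` also prints the full CLI help into the logs on each run and can be dropped.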
diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index 026f1e808..16169bfbe 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts @@ -330,7 +330,7 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { `[[ $\{RUNNING} > 1 ]] && exit ${operationInProgress} || exit ${success}`, ].join(';'), ], - readonlyRootFilesystem: true, + readonlyRootFilesystem: false, logging: fireLensLogDriver, /* From a28fd22110996e29068d75b6c7238ad21295afd1 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 22 Apr 2024 11:58:45 +0100 Subject: [PATCH 10/13] we give up. use a custom docker image instead --- .github/workflows/singleton.yml | 66 +++++++++++++++++++ containers/singleton/Dockerfile | 3 + .../service-catalogue.test.ts.snap | 4 +- packages/cdk/lib/cloudquery/images.ts | 4 +- packages/cdk/lib/cloudquery/task.ts | 10 +-- 5 files changed, 74 insertions(+), 13 deletions(-) create mode 100644 .github/workflows/singleton.yml create mode 100644 containers/singleton/Dockerfile diff --git a/.github/workflows/singleton.yml b/.github/workflows/singleton.yml new file mode 100644 index 000000000..eb4d38c08 --- /dev/null +++ b/.github/workflows/singleton.yml 
@@ -0,0 +1,66 @@ +# Find full documentation here https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions +name: Singleton image + +on: + pull_request: + paths: + - 'containers/singleton/**' + push: + branches: + - main + - nt/more-readonly + paths: + - 'containers/singleton/**' + + # Manual invocation. + workflow_dispatch: + +env: + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }}/singleton + +# Ensure we only ever have one build running at a time. +# If we push twice in quick succession, the first build will be stopped once the second starts. +# This avoids any race conditions. +concurrency: + group: ${{ github.ref }}/singleton + cancel-in-progress: true + +jobs: + build-and-push: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + + - name: Log in to the Container registry + uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=sha,format=long + + - name: Build and push Docker image + uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + with: + context: ./ + file: containers/singleton/Dockerfile + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/containers/singleton/Dockerfile b/containers/singleton/Dockerfile new file mode 100644 index 000000000..d6ba3a7cd --- /dev/null 
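Review bot: The `build-and-push` job runs on `pull_request` with `push: true` and `packages: write`, so any same-repository PR touching `containers/singleton/**` publishes an image into the registry path the production task definition pulls from before it has been reviewed or merged (fork PRs would fail at login, since their token is read-only). Build on PRs but only publish from `main`: `push: ${{ github.event_name != 'pull_request' }}`. Note also that `type=sha,format=long` yields a mutable tag named after the source commit, and a `workflow_dispatch` re-run repeats `yum install` and overwrites that same tag with whatever packages resolve that day, so consumers needing reproducibility should pin by digest (the build step exposes a `digest` output that could be surfaced in the job summary). Pinning the actions to commit SHAs is good.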
+++ b/containers/singleton/Dockerfile @@ -0,0 +1,3 @@ +FROM amazonlinux:latest + +RUN yum install -y -q aws-cli jq diff --git a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap index ad9fa6008..62dbe4d98 100644 --- a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap +++ b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap @@ -10910,13 +10910,13 @@ spec: "Command": [ "/bin/sh", "-c", - "yum install -y -q awscli;echo "Installed AWS";echo $(aws --help);curl -L -v -o /usr/local/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-arm64;chmod +x /usr/local/bin/jq;ECS_CLUSTER=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Cluster');ECS_FAMILY=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Family');ECS_TASK_ARN=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.TaskARN');RUNNING=$(aws ecs list-tasks --cluster $ECS_CLUSTER --family $ECS_FAMILY | jq '.taskArns | length');[[ \${RUNNING} > 1 ]] && exit 114 || exit 0", + "ECS_CLUSTER=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Cluster');ECS_FAMILY=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Family');ECS_TASK_ARN=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.TaskARN');RUNNING=$(aws ecs list-tasks --cluster $ECS_CLUSTER --family $ECS_FAMILY | jq '.taskArns | length');[[ \${RUNNING} > 1 ]] && exit 114 || exit 0", ], "EntryPoint": [ "", ], "Essential": false, - "Image": "public.ecr.aws/amazonlinux/amazonlinux:latest", + "Image": "ghcr.io/guardian/service-catalogue/singleton:latest", "LogConfiguration": { "LogDriver": "awsfirelens", "Options": { diff --git a/packages/cdk/lib/cloudquery/images.ts b/packages/cdk/lib/cloudquery/images.ts index 043adb86a..4ec0ef9ab 100644 --- a/packages/cdk/lib/cloudquery/images.ts +++ b/packages/cdk/lib/cloudquery/images.ts 
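Review bot: The new `containers/singleton/Dockerfile` installs `aws-cli jq` without version pins, leaves the yum cache in the layer, and sets no `USER`, so the singleton container, which runs with the task's IAM role and a network path to the ECS API, runs as root. I would at least clean up and drop privileges: `RUN yum install -y -q aws-cli jq && yum clean all` followed by a numeric `USER 1000:1000`; the guard script only calls `curl`, `jq` and `aws`, none of which need root, though confirm the AWS CLI has a writable `HOME` (or `AWS_CONFIG_FILE`) when the root filesystem is read-only. `FROM amazonlinux:latest` is pinned later in the series.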
@@ -6,8 +6,8 @@ export const Images = { `ghcr.io/guardian/service-catalogue/cloudquery:sha-0f2713edae5157260cfbf4eaa1f2d682e980fe7e`, ), devxLogs: ContainerImage.fromRegistry('ghcr.io/guardian/devx-logs:2'), - amazonLinux: ContainerImage.fromRegistry( - 'public.ecr.aws/amazonlinux/amazonlinux:latest', + singletonImage: ContainerImage.fromRegistry( + 'ghcr.io/guardian/service-catalogue/singleton:latest', //TODO pin this ), // https://github.com/guardian/cq-source-ns1 ns1Source: ContainerImage.fromRegistry( diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index 16169bfbe..0070685e2 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts @@ -304,20 +304,12 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { const success = 0; const singletonTask = task.addContainer(`${id}AwsCli`, { - image: Images.amazonLinux, + image: Images.singletonImage, entryPoint: [''], command: [ '/bin/sh', '-c', [ - // Install jq to handle JSON, and awscli to query ECS - 'yum install -y -q awscli', - 'echo "Installed AWS"', - 'echo $(aws --help)', - // TODO: Make 1.7.1 configurable - // TODO: Verify hash matches - 'curl -L -v -o /usr/local/bin/jq https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-arm64', - 'chmod +x /usr/local/bin/jq', // Who am I? `ECS_CLUSTER=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Cluster')`, `ECS_FAMILY=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Family')`, From cede3b21f3e3d256c38ea9e61e4711bc95535af6 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 22 Apr 2024 12:21:58 +0100 Subject: [PATCH 11/13] pin singleton image to a hash, misc cleanup --- .../__snapshots__/service-catalogue.test.ts.snap | 16 +++------------- packages/cdk/lib/cloudquery/images.ts | 2 +- packages/cdk/lib/cloudquery/task.ts | 16 ++-------------- 3 files changed, 6 insertions(+), 28 deletions(-) 
diff --git a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap index 62dbe4d98..ac225eaa5 100644 --- a/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap +++ b/packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap @@ -10908,7 +10908,7 @@ spec: }, { "Command": [ - "/bin/sh", + "/bin/bash", "-c", "ECS_CLUSTER=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Cluster');ECS_FAMILY=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.Family');ECS_TASK_ARN=$(curl -s $ECS_CONTAINER_METADATA_URI/task | jq -r '.TaskARN');RUNNING=$(aws ecs list-tasks --cluster $ECS_CLUSTER --family $ECS_FAMILY | jq '.taskArns | length');[[ \${RUNNING} > 1 ]] && exit 114 || exit 0", ], @@ -10916,7 +10916,7 @@ spec: "", ], "Essential": false, - "Image": "ghcr.io/guardian/service-catalogue/singleton:latest", + "Image": "ghcr.io/guardian/service-catalogue/singleton:sha-855e948a9669e1edb9b72a37118f7372bb3282fb", "LogConfiguration": { "LogDriver": "awsfirelens", "Options": { @@ -10930,15 +10930,8 @@ spec: }, }, }, - "MountPoints": [ - { - "ContainerPath": "/usr/local/bin", - "ReadOnly": false, - "SourceVolume": "cache-volume", - }, - ], "Name": "CloudquerySource-OrgWideEc2AwsCli", - "ReadonlyRootFilesystem": false, + "ReadonlyRootFilesystem": true, }, { "Command": [ @@ -11106,9 +11099,6 @@ spec: { "Name": "tmp-volume", }, - { - "Name": "cache-volume", - }, ], }, "Type": "AWS::ECS::TaskDefinition", diff --git a/packages/cdk/lib/cloudquery/images.ts b/packages/cdk/lib/cloudquery/images.ts index 4ec0ef9ab..34bd8814b 100644 --- a/packages/cdk/lib/cloudquery/images.ts +++ b/packages/cdk/lib/cloudquery/images.ts 
@@ -7,7 +7,7 @@ export const Images = { ), devxLogs: ContainerImage.fromRegistry('ghcr.io/guardian/devx-logs:2'), singletonImage: ContainerImage.fromRegistry( - 'ghcr.io/guardian/service-catalogue/singleton:latest', //TODO pin this + 'ghcr.io/guardian/service-catalogue/singleton:sha-855e948a9669e1edb9b72a37118f7372bb3282fb', ), // https://github.com/guardian/cq-source-ns1 ns1Source: ContainerImage.fromRegistry( diff --git a/packages/cdk/lib/cloudquery/task.ts b/packages/cdk/lib/cloudquery/task.ts index 0070685e2..593cced55 100644 --- a/packages/cdk/lib/cloudquery/task.ts +++ b/packages/cdk/lib/cloudquery/task.ts @@ -307,7 +307,7 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { image: Images.singletonImage, entryPoint: [''], command: [ - '/bin/sh', + '/bin/bash', '-c', [ // Who am I? @@ -322,7 +322,7 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { `[[ $\{RUNNING} > 1 ]] && exit ${operationInProgress} || exit ${success}`, ].join(';'), ], - readonlyRootFilesystem: false, + readonlyRootFilesystem: true, logging: fireLensLogDriver, /* @@ -332,18 +332,6 @@ export class ScheduledCloudqueryTask extends ScheduledFargateTask { essential: false, }); - const cacheVolume: Volume = { - // So that yum can install jq and awscli - name: 'cache-volume', - }; - task.addVolume(cacheVolume); - - singletonTask.addMountPoints({ - containerPath: '/usr/local/bin', //I think jq lives in /usr/bin and awscli in /usr/local/bin - sourceVolume: cacheVolume.name, - readOnly: false, - }); - cloudqueryTask.addContainerDependencies({ container: singletonTask, condition: ContainerDependencyCondition.SUCCESS, From c8e9b5b7743eec4839e46581295b5d30c365ca23 Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Mon, 22 Apr 2024 13:03:12 +0100 Subject: [PATCH 12/13] delete branch trigger --- .github/workflows/singleton.yml | 1 - 1 file changed, 1 deletion(-) 
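Review bot: `singleton:sha-855e948a9669e1edb9b72a37118f7372bb3282fb` is a tag, not a digest, so the pin identifies the commit that produced the Dockerfile rather than the bytes that will run: the workflow's `workflow_dispatch` trigger can rebuild that same tag with whatever `yum` resolves on that day, and anyone holding a write token for the package could overwrite it. For a container that runs with the task's IAM credentials I would pin the content, `'ghcr.io/guardian/service-catalogue/singleton@sha256:<digest from the build log>'`, or keep the tag and append `@sha256:…` to it. This matches how the `cloudquery` image a few lines above is pinned, so it is a repo-wide follow-up rather than a blocker for this hunk.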
diff --git a/.github/workflows/singleton.yml b/.github/workflows/singleton.yml index eb4d38c08..bb1fdab52 100644 --- a/.github/workflows/singleton.yml +++ b/.github/workflows/singleton.yml @@ -8,7 +8,6 @@ on: push: branches: - main - - nt/more-readonly paths: - 'containers/singleton/**' From df4860f1b086b5e1402b7864afd6505bb286667e Mon Sep 17 00:00:00 2001 From: Natasha <67543397+NovemberTang@users.noreply.github.com> Date: Tue, 23 Apr 2024 12:22:35 +0100 Subject: [PATCH 13/13] Pin to amazonlinux version --- containers/singleton/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/containers/singleton/Dockerfile b/containers/singleton/Dockerfile index d6ba3a7cd..8d7a95285 100644 --- a/containers/singleton/Dockerfile +++ b/containers/singleton/Dockerfile @@ -1,3 +1,3 @@ -FROM amazonlinux:latest +FROM amazonlinux:2.0.20240412.0 RUN yum install -y -q aws-cli jq
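Review bot: `FROM amazonlinux:2.0.20240412.0` narrows the tag but it is still a mutable tag rather than content; for reproducible rebuilds pin the digest as well, `FROM amazonlinux:2.0.20240412.0@sha256:<digest>`, and bump both together (Dependabot or Renovate can manage that). The unchanged `RUN yum install -y -q aws-cli jq` line still takes whatever `aws-cli` and `jq` versions the repository serves at build time, so if the guard depends on particular CLI behaviour, pin them (`yum install -y -q aws-cli-<ver> jq-<ver>`) or at least print the resolved versions in the build log. Note that `2.0.*` tags are Amazon Linux 2, which may differ from whatever `latest` resolved to before; worth confirming that base still receives security updates for the intended lifetime of this image.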