Fixed updater failing to run using CFN stack as a cron job #51
updater/aws.go
} | ||
if len(resp.Failures) != 0 { | ||
return fmt.Errorf("Container instance %s failed to activate: %#v", aws.StringValue(containerInstance), resp.Failures) | ||
return fmt.Errorf("api failures while activating: %#v", resp.Failures) |
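Review bot: the replacement message on the last line of the hunk drops the container instance identifier that the earlier message carried via `aws.StringValue(containerInstance)`; for a job run from a cron-triggered stack, that identifier is the key an operator needs to correlate a CloudWatch error with a specific host. Unless the caller wraps the error with the instance, suggest `fmt.Errorf("api failures while activating %s: %v", aws.StringValue(containerInstance), resp.Failures)` (with `%v`, matching the formatting change the nit above refers to).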
nit: it looks like in your previous changes to error messages you're dropping "#" from the formatting. Looks like this one got missed.
Thanks for pointing that out.
I will just add the reason why I removed "#": adding "#" was making the error split across multiple lines in CloudWatch and it was getting hard to read. By removing "#" we only lose the field name, which did not add much value anyway in my opinion.
By default, the awslogs driver will split log events on newlines. We can change this to split based on a regular expression with the awslogs-multiline-pattern log option or a strftime pattern with the awslogs-datetime-format log option.
What would you recommend, "%v" or "%#v", with awslogs-multiline-pattern? I have changed error wrapping to use "%w", but while printing I am still using "%v".
stacks/bottlerocket-ecs-updater.yaml
- Effect: Allow | ||
Action: | ||
- 'ecs:ListContainerInstances' | ||
Resource: | ||
- !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${ClusterName}' | ||
# Allows describe container instances to get ec2 instance ID |
nit: this also allows us to get attributes, which is how we determine that a given container instance is running Bottlerocket
Added more details.
stacks/bottlerocket-ecs-updater.yaml
Resource: | ||
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*" |
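Review bot: the Resource on the last line hardcodes the `arn:aws:` partition, while the ListContainerInstances statement earlier in this file uses `${AWS::Partition}`; in a non-standard partition (GovCloud is `aws-us-gov`) this ARN would never match and the statement would silently grant nothing. If a Resource is kept here, use `!Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*'` for consistency.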
Since the resource that DescribeContainerInstances operates on is the container instance, and since ECS does not enable cross-account actions, the only effect of this resource condition is constraining the permission to the stack region. It would be a better approach to leverage the ecs:cluster condition key and specify the cluster ARN so that the only instances that can be described are in the expected cluster.
Nice. Changed as suggested.
I'd recommend removing this Resource since it provides no additional value over the Condition.
Addressed Sam's comments.
stacks/bottlerocket-ecs-updater.yaml
Resource: | ||
- !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task/${ClusterName}/*" |
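Review bot: `task/${ClusterName}/*` on the last line only matches the long task ARN format that embeds the cluster name; any task still carrying the legacy `task/<task-id>` format would fall outside this Resource. Since the thread notes the ecs:cluster Condition already scopes the statement to the cluster, dropping the Resource removes that dependency on the ARN format as well (and the `arn:aws:` partition hardcoding noted on the container-instance statement applies here too).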
It looks to me like this Resource doesn't provide any additional constraint over the Condition, and that the Condition is the same one as used for the previous statement. I'd recommend combining this permission into that previous statement and removing the Resource.
Done.
* Previously, the complete HTTP body of AWS SDK API calls was logged; this change disables the AWS SDK logging.
* Existing logs were hard to interpret and were formatted incorrectly; this change fixes the logs that were found incorrect during the stack permission update.
Previously, when waiting on the instance to be OK failed after starting the update, an error was returned and the updater exited. However, the instance remained in the DRAINING state even if it would have become OK after some time. This change sets the instance state back to ACTIVE irrespective of the success or failure of the wait.
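The "always reactivate" behaviour described in that commit message, as an added example that is not the project's own code: `ECSClient` is a hypothetical minimal interface standing in for the real SDK client, `fakeECS` is a constructed stand-in, and the instance id is a placeholder. The deferred reactivation runs on every exit path after the drain, and the wait error is wrapped with `%w` so callers can still match it.

```go
package main

import (
	"errors"
	"fmt"
)

// ECSClient is a hypothetical minimal stand-in for the ECS calls the updater makes.
type ECSClient interface {
	Drain(containerInstance string) error
	WaitUntilOK(containerInstance string) error
	Activate(containerInstance string) error
}

// UpdateInstance drains an instance, waits for it to report OK, and always
// tries to return it to ACTIVE, whether or not the wait succeeded. The wait
// error is wrapped with %w so callers can still match it with errors.Is.
func UpdateInstance(c ECSClient, ci string) (err error) {
	if derr := c.Drain(ci); derr != nil {
		return fmt.Errorf("draining %s: %w", ci, derr) // nothing to undo yet
	}
	defer func() { // runs on every exit path below, including wait failure
		if aerr := c.Activate(ci); aerr != nil {
			if err != nil {
				err = fmt.Errorf("%w; also failed to activate %s: %v", err, ci, aerr)
			} else {
				err = fmt.Errorf("activating %s: %w", ci, aerr)
			}
		}
	}()
	if werr := c.WaitUntilOK(ci); werr != nil {
		return fmt.Errorf("waiting for %s to be ok: %w", ci, werr)
	}
	return nil
}

// fakeECS is a constructed stand-in that records the instance status.
type fakeECS struct {
	Status  string // "ACTIVE" or "DRAINING"
	WaitErr error  // injected wait failure, e.g. a waiter timeout
}
func (f *fakeECS) Drain(string) error       { f.Status = "DRAINING"; return nil }
func (f *fakeECS) WaitUntilOK(string) error { return f.WaitErr }
func (f *fakeECS) Activate(string) error    { f.Status = "ACTIVE"; return nil }
var ErrWaitTimeout = errors.New("waiter timed out")
func main() {
	c := &fakeECS{Status: "ACTIVE", WaitErr: ErrWaitTimeout}
	err := UpdateInstance(c, "ci-placeholder") // placeholder id, not a real ARN
	fmt.Printf("status=%s timeout=%t err=%v\n", c.Status, errors.Is(err, ErrWaitTimeout), err)
}
```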
@@ -47,11 +47,38 @@ Resources: | |||
PolicyDocument: | |||
Version: 2012-10-17 | |||
Statement: | |||
# Allows listing all container instances in a cluster | |||
- Effect: Allow | |||
Action: | |||
- 'ecs:ListContainerInstances' | |||
Resource: |
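Review bot: `Version: 2012-10-17` in this hunk is an unquoted YAML scalar, which YAML 1.1 parsers read as a timestamp rather than a string; CloudFormation accepts it either way, but quoting it (`Version: "2012-10-17"`) keeps the policy document stable under any tooling that loads the template before deployment.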
Just realized we can combine this as well with below action. Will try removing and test.
Based on the doc here, we cannot use the cluster condition key with ListContainerInstances. Therefore the existing changes look good.
Issue number:
partially #42
Description of changes:
To run the updater using the stack, 3 changes were made:
Testing done:
bottlerocket-ecs-updater.yaml and verified all the instances getting updated.
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.