Description
Describe the bug
Hi!
We configured a workload on AWS EC2s and configured AWS SSM to run a baseline check of the EC2 AMIs using this repo. SSM failed to run the command due to its inability to download the baseline.
Expected behavior
Successful run of baseline which returns results.
Actual behavior
* Trying 169.254.169.254:80...
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> GET /latest/meta-data/placement/availability-zone HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/7.79.1
> Accept: */*
> X-aws-ec2-metadata-token: xxx
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Accept-Ranges: bytes
< Content-Length: 10
< Content-Type: text/plain
< Date: Tue, 12 Apr 2022 06:48:42 GMT
< Last-Modified: Tue, 12 Apr 2022 05:41:15 GMT
< X-Aws-Ec2-Metadata-Token-Ttl-Seconds: 21600
< Connection: close
< Server: EC2ws
<
{ [10 bytes data]
* Closing connection 0
/opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.130.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': Compliance item can have up to 800 KB in total. (Aws::SSM::Errors::ItemSizeLimitExceededException)
from /opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.130.0/lib/aws-sdk-core/plugins/checksum_algorithm.rb:111:in `call'
from /opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.130.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call'
from /opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.130.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'
from /opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.130.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'
from /opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.130.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call'
from /opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.130.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'
from /opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.130.0/lib/seahorse/client/plugins/response_target.rb:24:in `call'
from /opt/chef-workstation/embedded/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.130.0/lib/seahorse/client/request.rb:72:in `send_request'
from /root/.chefdk/gem/ruby/3.0.0/gems/aws-sdk-ssm-1.134.0/lib/aws-sdk-ssm/client.rb:8065:in `put_compliance_items'
from ./Report-Compliance-20200225:122:in `<main>'
failed to run commands: exit status 1
Example code
Follow the example provided by AWS. It was a manual setup, so no code to paste 😞
OS / Environment
Not relevant for this issue (see below).
Inspec Version
Not sure how to get this, but not relevant for this issue (see below).
Baseline Version
18fd9203d64e67f04d64fff9c5b60cd2b4065953
Additional context
AWS throws a "Compliance item can have up to 800 KB in total." error, which is outlined in their documentation as a service quota.
Per AWS Service Quota documentation, adjustments can be made. However, this particular item is not yet available in their automated service quota requests (through console) nor in the aws request-service-quota-increase (through the cli) and there is no guarantee that there is software in place to handle a request if one is made to customer service.
This issue was not hit by the linux-baseline because the total repo size is less than the 800KB requirement.
There is an option to set a path in the configuration of the AWS RunCommand:
{
  "owner": "dev-sec",
  "repository": "linux-baseline",
  "path": "",
  "getOptions": "branch:master",
  "tokenInfo": "{{ssm-secure:github-personal-token}}"
}
However, it seems like there are a few directories and files that are relevant. Can consolidating the code into a single directory and then specifying that work for AWS SSM?
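An added example, not code from this issue or the dev-sec project, showing the check a reporter script like Report-Compliance could run before calling put_compliance_items: measure the serialized size of the compliance items and split them into batches that each stay under the 800 KB figure from the error above. It assumes the quota applies to the serialized Items array of a single call and uses constructed sample items; sending each batch (for example with a PARTIAL upload type) is left to the caller.

```ruby
require 'json'

# Quota quoted by the error on this page: "Compliance item can have up to 800 KB in total."
# Assumption: the limit is measured against the serialized Items array of one call.
SSM_COMPLIANCE_LIMIT_BYTES = 800 * 1024

# Size of the Items array exactly as the JSON protocol would serialize it.
def compliance_payload_bytes(items)
  JSON.generate(items).bytesize
end

# Split items into batches whose serialized size stays within the limit.
# Raises when one item on its own cannot fit, since batching cannot help there.
def batch_compliance_items(items, limit = SSM_COMPLIANCE_LIMIT_BYTES)
  batches = [[]]
  size = 2 # surrounding "[" and "]"
  items.each do |item|
    bytes = JSON.generate(item).bytesize + 1 # item plus its "," separator
    raise ArgumentError, "item of #{bytes - 1} bytes exceeds #{limit}" if bytes + 1 > limit

    if !batches.last.empty? && size + bytes > limit
      batches << []
      size = 2
    end
    batches.last << item
    size += bytes
  end
  batches
end

# Constructed sample items shaped like PutComplianceItems entries (Id, Title,
# Severity, Status, Details), one per InSpec control, with a Details map of
# `detail_bytes` characters to simulate verbose control descriptions.
def sample_items(count, detail_bytes)
  (1..count).map do |i|
    {
      'Id' => format('os-%02d', i),
      'Title' => "control #{i}",
      'Severity' => 'MEDIUM',
      'Status' => i.even? ? 'COMPLIANT' : 'NON_COMPLIANT',
      'Details' => { 'desc' => 'x' * detail_bytes }
    }
  end
end
```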