Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ecs): outdated linux commands for canContainersAccessInstanceRole=false and also deprecate property #32763

Merged
merged 4 commits into from
Jan 7, 2025
Merged

fix(ecs): outdated linux commands for canContainersAccessInstanceRole=false and also deprecate property #32763

merged 4 commits into from
Jan 7, 2025

Conversation

samson-keung
Copy link
Contributor

Issue # (if applicable)

Closes #28518.

Reason for this change

When canContainersAccessInstanceRole=false, wrong commands are added to the ASG UserData, as described in the issue linked above.

Reason for deprecating the canContainersAccessInstanceRole option is detailed in #32609.

Description of changes

  • Added deprecation tag to all canContainersAccessInstanceRole options.
  • Created two feature flags to control the canContainersAccessInstanceRole behaviour
  • Added new commands if customer opted to use them via setting the right feature flags

Describe any new or updated permissions being added

None

Description of how you validated changes

A new integ test is added to ensure the commands in UserData executes without throwing errors.

The existing integ tests are updated to have the default feature flag values and they are passing. This should prove that there will not be any change to existing CDK apps.

Unit tests are added for each platform, combination of possible values for canContainersAccessInstanceRole + possible values for the feature flags (3 platforms * 3 possible values for canContainersAccessInstanceRole * 2 possible values for @aws-cdk/aws-ecs:disableEcsImdsBlocking * 2 possible values for @aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature = 36 unit tests).

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p1 labels Jan 6, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team January 6, 2025 23:12
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jan 6, 2025
@godwingrs22 godwingrs22 changed the title fix(ecs): canContainersAccessInstanceRole=false adds wrong commands for AL2023 fix(ecs): Outdated Linux commands for canContainersAccessInstanceRole=false and also deprecate property Jan 6, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes Jan 6, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@godwingrs22 godwingrs22 self-requested a review January 6, 2025 23:26
@godwingrs22 godwingrs22 changed the title fix(ecs): Outdated Linux commands for canContainersAccessInstanceRole=false and also deprecate property fix(ecs): uutdated linux commands for canContainersAccessInstanceRole=false and also deprecate property Jan 6, 2025
@godwingrs22 godwingrs22 changed the title fix(ecs): uutdated linux commands for canContainersAccessInstanceRole=false and also deprecate property fix(ecs): outdated linux commands for canContainersAccessInstanceRole=false and also deprecate property Jan 6, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review January 6, 2025 23:29

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@codecov Codecov
Copy link

codecov bot commented Jan 6, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.52%. Comparing base (3d56efa) to head (6690e25).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #32763   +/-   ##
=======================================
  Coverage   81.52%   81.52%           
=======================================
  Files         222      222           
  Lines       13715    13715           
  Branches     2417     2417           
=======================================
  Hits        11181    11181           
  Misses       2254     2254           
  Partials      280      280
Flag Coverage Δ
suite.unit 81.52% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 80.97% <ø> (ø)
packages/aws-cdk-lib/core 82.09% <ø> (ø)

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 6, 2025
godwingrs22
godwingrs22 reviewed Jan 7, 2025
View reviewed changes
Copy link
Member

@godwingrs22 godwingrs22 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @samson-keung for the contribution. LGTM. Just left a nit comment.

packages/aws-cdk-lib/aws-ecs/lib/cluster.ts Outdated
Comment on lines 705 to 707
// new commands
autoScalingGroup.addUserData('sudo yum install -y iptables-services; sudo iptables --insert DOCKER-USER 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP');
autoScalingGroup.addUserData('sudo iptables-save | sudo tee /etc/sysconfig/iptables && sudo systemctl enable --now iptables');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: May be it would be nice to add the official AWS link doc as a comment above this line from where these commands were taken.

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html#task-iam-role-considerations

@mergify Mergify
Copy link
Contributor

mergify bot commented Jan 7, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 7, 2025
@mergify Mergify
Copy link
Contributor

mergify bot commented Jan 7, 2025

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

@mergify Mergify
Copy link
Contributor

mergify bot commented Jan 7, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify Mergify
Copy link
Contributor

mergify bot commented Jan 7, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 6690e25
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify Mergify
Copy link
Contributor

mergify bot commented Jan 7, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit bbdd42c into aws:main Jan 7, 2025
19 checks passed
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 7, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 7, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@godwingrs22 godwingrs22 godwingrs22 approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees
No one assigned
Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

aws-ecs: Cloud-init script for EC2 fails when using AWS Linux 2023
3 participants
@samson-keung @aws-cdk-automation @godwingrs22