From 0dc6e5f2d410e5e0099a0259ad14e267be70d508 Mon Sep 17 00:00:00 2001 From: fujiwara Date: Tue, 19 Nov 2024 10:27:15 +0900 Subject: [PATCH 1/7] update sdk to latest service/ecs@v1.50.0 --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index 4225af19..256a8696 100644 --- a/go.mod +++ b/go.mod @@ -5,14 +5,14 @@ go 1.21 require ( github.com/Songmu/prompter v0.5.1 github.com/alecthomas/kong v0.8.1 - github.com/aws/aws-sdk-go-v2 v1.32.2 + github.com/aws/aws-sdk-go-v2 v1.32.5 github.com/aws/aws-sdk-go-v2/config v1.27.27 github.com/aws/aws-sdk-go-v2/credentials v1.17.27 github.com/aws/aws-sdk-go-v2/service/applicationautoscaling v1.31.0 github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.37.3 github.com/aws/aws-sdk-go-v2/service/codedeploy v1.27.3 github.com/aws/aws-sdk-go-v2/service/ecr v1.31.0 - github.com/aws/aws-sdk-go-v2/service/ecs v1.47.4 + github.com/aws/aws-sdk-go-v2/service/ecs v1.50.0 github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.34.0 github.com/aws/aws-sdk-go-v2/service/iam v1.34.3 github.com/aws/aws-sdk-go-v2/service/s3 v1.58.3 @@ -20,7 +20,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/servicediscovery v1.31.3 github.com/aws/aws-sdk-go-v2/service/ssm v1.52.3 github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 - github.com/aws/smithy-go v1.22.0 + github.com/aws/smithy-go v1.22.1 github.com/fatih/color v1.16.0 github.com/fujiwara/cfn-lookup v1.1.0 github.com/fujiwara/ecsta v0.4.5 
@@ -70,8 +70,8 @@ require ( github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.24 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.15 // indirect github.com/aws/aws-sdk-go-v2/service/cloudformation v1.42.3 // indirect diff --git a/go.sum b/go.sum index 2b756b81..5b723d6f 100644 --- a/go.sum +++ b/go.sum @@ -55,8 +55,8 @@ github.com/alecthomas/kong v0.8.1/go.mod h1:n1iCIO2xS46oE8ZfYCNDqdR0b0wZNrXAIAqr github.com/alecthomas/repr v0.1.0 h1:ENn2e1+J3k09gyj2shc0dHr/yjaWSHRlrJ4DPMevDqE= github.com/alecthomas/repr v0.1.0/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8= github.com/aws/aws-sdk-go-v2 v1.16.15/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= -github.com/aws/aws-sdk-go-v2 v1.32.2 h1:AkNLZEyYMLnx/Q/mSKkcMqwNFXMAvFto9bNsHqcTduI= -github.com/aws/aws-sdk-go-v2 v1.32.2/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo= +github.com/aws/aws-sdk-go-v2 v1.32.5 h1:U8vdWJuY7ruAkzaOdD7guwJjD06YSKmnKCJs7s3IkIo= +github.com/aws/aws-sdk-go-v2 v1.32.5/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 h1:tW1/Rkad38LA15X4UQtjXZXNKsCgkshC3EbmcUmghTg= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3/go.mod h1:UbnqO+zjqk3uIt9yCACHJ9IVNhyhOCnYk8yA19SAWrM= github.com/aws/aws-sdk-go-v2/config v1.17.6/go.mod h1:CrxsoI/AcKUoWyL9Zo0YaDxRlBfSnDZKBYKDdkNYDQ0= 
@@ -71,11 +71,11 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11/go.mod h1:SeSUYBLsMYFoRvH github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.24 h1:FzNwpVTZDCvm597Ty6mGYvxTolyC1oup0waaKntZI4E= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.24/go.mod h1:wM9NElT/Wn6n3CT1eyVcXtfCy8lSVjjQXfdawQbSShc= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.22/go.mod h1:/vNv5Al0bpiF8YdX2Ov6Xy05VTiXsql94yUqJMYaj0w= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 h1:UAsR3xA31QGf79WzpG/ixT9FZvQlh5HY1NRqSHBNOCk= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21/go.mod h1:JNr43NFf5L9YaG3eKTm7HQzls9J+A9YYcGI5Quh1r2Y= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 h1:4usbeaes3yJnCFC7kfeyhkdkPtoRYPa/hTmCqMpKpLI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24/go.mod h1:5CI1JemjVwde8m2WG3cz23qHKPOxbpkq0HaoreEgLIY= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.16/go.mod h1:62dsXI0BqTIGomDl8Hpm33dv0OntGaVblri3ZRParVQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 h1:6jZVETqmYCadGFvrYEQfC5fAQmlo80CeL5psbno6r0s= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21/go.mod h1:1SR0GbLlnN3QUmYaflZNiH1ql+1qrSiB2vwcJ+4UM60= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 h1:N1zsICrQglfzaBnrfM0Ys00860C+QFwu6u/5+LomP+o= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24/go.mod h1:dCn9HbJ8+K31i8IQ8EWmWj0EiIk0+vKiHNMxTTYveAg= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.23/go.mod h1:XtEkQMmxls+Tb5dZLmpa1QAk0OzSIFDAXanC9Jkf81E= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= 
@@ -92,8 +92,8 @@ github.com/aws/aws-sdk-go-v2/service/codedeploy v1.27.3 h1:MSA1lrc/3I1rDQtLKmCe0 github.com/aws/aws-sdk-go-v2/service/codedeploy v1.27.3/go.mod h1:Zqk3aokH+BfnsAfJl10gz9zWU3TC28e5rR5N/U7yYDk= github.com/aws/aws-sdk-go-v2/service/ecr v1.31.0 h1:vi/MwojjLGATEEUFn2GEdLiom7CFlB+qCIx4tDWqKfQ= github.com/aws/aws-sdk-go-v2/service/ecr v1.31.0/go.mod h1:RhaP7Wil0+uuuhiE4FzOOEFZwkmFAk1ZflXzK+O3ptU= -github.com/aws/aws-sdk-go-v2/service/ecs v1.47.4 h1:CTkPGE8fiElvLtYWl/U+Eu5+1fVXiZbJUjyVCRSRgxk= -github.com/aws/aws-sdk-go-v2/service/ecs v1.47.4/go.mod h1:sMFLFhL27cKYa/eQYZp4asvIwHsnJWrAzTUpy9AQdnU= +github.com/aws/aws-sdk-go-v2/service/ecs v1.50.0 h1:NW+6/MPclDxOWcuZZxIJSMt6cVPWVojmJ4R3HsICCsI= +github.com/aws/aws-sdk-go-v2/service/ecs v1.50.0/go.mod h1:dPTOvmjJQ1T7Q+2+Xs2KSPrMvx+p0rpyV+HsQVnUK4o= github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.34.0 h1:8rDRtPOu3ax8jEctw7G926JQlnFdhZZA4KJzQ+4ks3Q= github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.34.0/go.mod h1:L5bVuO4PeXuDuMYZfL3IW69E6mz6PDCYpp6IKDlcLMA= github.com/aws/aws-sdk-go-v2/service/iam v1.34.3 h1:p4L/tixJ3JUIxCteMGT6oMlqCbEv/EzSZoVwdiib8sU= 
@@ -127,8 +127,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.16.18/go.mod h1:AE4zMc8qCw1JnDvy0ZrD github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 h1:ZsDKRLXGWHk8WdtyYMoGNO7bTudrvuKpDKgMVRlepGE= github.com/aws/aws-sdk-go-v2/service/sts v1.30.3/go.mod h1:zwySh8fpFyXp9yOr/KVzxOl8SRqgf/IDw5aUt9UKFcQ= github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM= -github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= +github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= From cbbe81b2203c4553f95ee0bee580e677459b1608 Mon Sep 17 00:00:00 2001 From: fujiwara Date: Tue, 19 Nov 2024 12:08:31 +0900 Subject: [PATCH 2/7] supports VpcLatticeConfigurations --- create.go | 1 + deploy.go | 1 + ecspresso.go | 7 +++++++ 3 files changed, 9 insertions(+) diff --git a/create.go b/create.go index cc7a3f5f..a40bc955 100644 --- a/create.go +++ b/create.go @@ -76,6 +76,7 @@ func (d *App) createService(ctx context.Context, opt DeployOption) error { Tags: svd.Tags, TaskDefinition: aws.String(tdArn), VolumeConfigurations: svd.VolumeConfigurations, + VpcLatticeConfigurations: svd.VpcLatticeConfigurations, } if _, err := d.ecs.CreateService(ctx, createServiceInput); err != nil { return fmt.Errorf("failed to create service: %w", err) diff --git a/deploy.go b/deploy.go index ebc47bee..d2a50b26 100644 --- a/deploy.go +++ b/deploy.go 
@@ -212,6 +212,7 @@ func svToUpdateServiceInput(sv *Service) *ecs.UpdateServiceInput { ServiceConnectConfiguration: sv.ServiceConnectConfiguration, ServiceRegistries: sv.ServiceRegistries, VolumeConfigurations: sv.VolumeConfigurations, + VpcLatticeConfigurations: sv.VpcLatticeConfigurations, } if sv.SchedulingStrategy == types.SchedulingStrategyDaemon { in.PlacementStrategy = nil diff --git a/ecspresso.go b/ecspresso.go index 13ae923c..6bcadff1 100644 --- a/ecspresso.go +++ b/ecspresso.go @@ -57,6 +57,7 @@ type Service struct { types.Service ServiceConnectConfiguration *types.ServiceConnectConfiguration VolumeConfigurations []types.ServiceVolumeConfiguration + VpcLatticeConfigurations []types.VpcLatticeConfiguration DesiredCount *int32 } @@ -105,6 +106,12 @@ func (d *App) newServiceFromTypes(ctx context.Context, in types.Service) (*Servi sv.VolumeConfigurations = dp.VolumeConfigurations } + // VPC Lattice + if dp.VpcLatticeConfigurations != nil { + d.Log("[DEBUG] VpcLatticeConfigurations: %#v", dp.VpcLatticeConfigurations) + sv.VpcLatticeConfigurations = dp.VpcLatticeConfigurations + } + return &sv, nil } From c89cf42b316846ace9278e961175f0736768edc2 Mon Sep 17 00:00:00 2001 From: fujiwara Date: Tue, 19 Nov 2024 16:49:21 +0900 Subject: [PATCH 3/7] fix test configurations --- tests/ci/ecs-service-def.jsonnet | 7 +++++++ tests/ci/ecs-task-def.jsonnet | 10 +++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/tests/ci/ecs-service-def.jsonnet b/tests/ci/ecs-service-def.jsonnet index a952920a..e4b2be00 100644 --- a/tests/ci/ecs-service-def.jsonnet +++ b/tests/ci/ecs-service-def.jsonnet 
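Review bot: The debug line added in newServiceFromTypes, `d.Log("[DEBUG] VpcLatticeConfigurations: %#v", dp.VpcLatticeConfigurations)`, will print pointer addresses rather than the port name, role and target group, because the SDK's VpcLatticeConfiguration members are presumably pointer-typed like the rest of aws-sdk-go-v2; that makes the log useless for checking what was picked up from the running service. Logging the count, `d.Log("[DEBUG] %d VpcLatticeConfigurations found", len(dp.VpcLatticeConfigurations))`, or a JSON encoding of the slice would show something actionable. newServiceFromTypes starts outside the hunk, and what dp refers to is not visible here.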
@@ -95,4 +95,11 @@ local isCodeDeploy = env('DEPLOYMENT_CONTROLLER', 'ECS') == 'CODE_DEPLOY'; name: 'ebs', }, ], + vpcLatticeConfigurations: [ + { + portName: 'nginx-http', + roleArn: 'arn:aws:iam::%s:role/ecsInfrastructureRole' % must_env('AWS_ACCOUNT_ID'), + targetGroupArn: 'arn:aws:vpc-lattice:ap-northeast-1:%s:targetgroup/tg-009147df264a0bacb' % must_env('AWS_ACCOUNT_ID'), + }, + ], } diff --git a/tests/ci/ecs-task-def.jsonnet b/tests/ci/ecs-task-def.jsonnet index d31cc87e..4de5c505 100644 --- a/tests/ci/ecs-task-def.jsonnet +++ b/tests/ci/ecs-task-def.jsonnet @@ -45,6 +45,7 @@ local isCodeDeploy = env('DEPLOYMENT_CONTROLLER', 'ECS') == 'CODE_DEPLOY'; name: 'nginx', portMappings: [ { + name: 'nginx-http', containerPort: 80, hostPort: 80, protocol: 'tcp', @@ -78,6 +79,13 @@ local isCodeDeploy = env('DEPLOYMENT_CONTROLLER', 'ECS') == 'CODE_DEPLOY'; }, }, name: 'bash', + portMappings: [ + { + name: 'bash-http-proxy', + containerPort: 8080, + protocol: 'tcp', + }, + ], secrets: [ { name: 'FOO', @@ -120,7 +128,7 @@ local isCodeDeploy = env('DEPLOYMENT_CONTROLLER', 'ECS') == 'CODE_DEPLOY'; ephemeralStorage: { sizeInGiB: 50, }, - executionRoleArn: 'arn:aws:iam::{{must_env `AWS_ACCOUNT_ID`}}:role/ecsTaskRole', + executionRoleArn: 'arn:aws:iam::{{must_env `AWS_ACCOUNT_ID`}}:role/ecsTaskExecutionRole', family: 'ecspresso-test', memory: '512', networkMode: 'awsvpc', From 68632d3af40f480aa09b47ba0dfde6b398da18b5 Mon Sep 17 00:00:00 2001 From: fujiwara Date: Tue, 19 Nov 2024 16:55:31 +0900 Subject: [PATCH 4/7] verify vpc lattice configurations. --- deploy.go | 8 +++++++ diff.go | 7 ++++++ ecspresso.go | 3 +++ verify.go | 64 ++++++++++++++++++++++++++++++++++++++++++++++++---- 4 files changed, 77 insertions(+), 5 deletions(-) diff --git a/deploy.go b/deploy.go index d2a50b26..19d5f94d 100644 --- a/deploy.go +++ b/deploy.go 
@@ -217,6 +217,14 @@ func svToUpdateServiceInput(sv *Service) *ecs.UpdateServiceInput { if sv.SchedulingStrategy == types.SchedulingStrategyDaemon { in.PlacementStrategy = nil } + + // explicitly set empty slice (to remove the attribute) + if len(sv.VolumeConfigurations) == 0 { + in.VolumeConfigurations = []types.ServiceVolumeConfiguration{} + } + if len(sv.VpcLatticeConfigurations) == 0 { + in.VpcLatticeConfigurations = []types.VpcLatticeConfiguration{} + } return in } diff --git a/diff.go b/diff.go index 56de4ba8..6b60bdb2 100644 --- a/diff.go +++ b/diff.go @@ -282,6 +282,13 @@ func ServiceDefinitionForDiff(sv *Service) *ServiceForDiff { sort.SliceStable(sv.Tags, func(i, j int) bool { return aws.ToString(sv.Tags[i].Key) < aws.ToString(sv.Tags[j].Key) }) + sort.SliceStable(sv.VolumeConfigurations, func(i, j int) bool { + return aws.ToString(sv.VolumeConfigurations[i].Name) < aws.ToString(sv.VolumeConfigurations[j].Name) + }) + sort.SliceStable(sv.VpcLatticeConfigurations, func(i, j int) bool { + return aws.ToString(sv.VpcLatticeConfigurations[i].PortName) < aws.ToString(sv.VpcLatticeConfigurations[j].PortName) + }) + if sv.LaunchType == types.LaunchTypeFargate && sv.PlatformVersion == nil { sv.PlatformVersion = aws.String("LATEST") } diff --git a/ecspresso.go b/ecspresso.go index 6bcadff1..d9a20a45 100644 --- a/ecspresso.go +++ b/ecspresso.go @@ -23,6 +23,7 @@ import ( "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2" "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/servicediscovery" + "github.com/aws/aws-sdk-go-v2/service/vpclattice" "github.com/aws/smithy-go" "github.com/goccy/go-yaml" "github.com/samber/lo" @@ -130,6 +131,7 @@ type App struct { iam *iam.Client elbv2 *elasticloadbalancingv2.Client sd *servicediscovery.Client + lattice *vpclattice.Client verifier *verifier config *Config 
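Review bot: The new block at the end of svToUpdateServiceInput turns an absent `vpcLatticeConfigurations` (and, newly, `volumeConfigurations`) into an explicit empty slice, so every deploy from a definition that never mentions the field will strip whatever the running service currently has; the comment only says the attribute is removed, not that this also applies to definitions that never declared it. If that declarative behaviour is intended, say so in the comment, e.g. `// A missing or empty list is sent as an empty slice so UpdateService clears any existing configuration; nil would leave the service's current value untouched.` The VolumeConfigurations part is a behaviour change for existing EBS users unrelated to the commit subject and deserves a line in the commit message or changelog. svToUpdateServiceInput starts outside the hunk.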
@@ -206,6 +208,7 @@ func New(ctx context.Context, opt *CLIOptions, newAppOptions ...AppOption) (*App iam: iam.NewFromConfig(conf.awsv2Config), elbv2: elasticloadbalancingv2.NewFromConfig(conf.awsv2Config), sd: servicediscovery.NewFromConfig(conf.awsv2Config), + lattice: vpclattice.NewFromConfig(conf.awsv2Config), loader: appOpts.loader, config: appOpts.config, logger: appOpts.logger, diff --git a/verify.go b/verify.go index 00e91786..9d6dc60d 100644 --- a/verify.go +++ b/verify.go @@ -25,8 +25,10 @@ import ( "github.com/aws/aws-sdk-go-v2/service/secretsmanager" "github.com/aws/aws-sdk-go-v2/service/ssm" "github.com/aws/aws-sdk-go-v2/service/sts" + "github.com/aws/aws-sdk-go-v2/service/vpclattice" "github.com/fatih/color" "github.com/kayac/ecspresso/v2/registry" + "github.com/samber/lo" ) type verifier struct { 
@@ -362,6 +364,58 @@ func (d *App) verifyServiceDefinition(ctx context.Context) error {
 if len(ebs.TagSpecifications) > 1 {
 d.Log("[WARNING] %s has more than one tag specifications. Only the first tag specification is used.", name)
 }
+ roleArn := aws.ToString(ebs.RoleArn)
+ if err := verifyResource(ctx, fmt.Sprintf("RoleArn[%s]", roleArn), func(ctx context.Context) error {
+ return d.verifyRole(ctx, roleArn, "ecs.amazonaws.com")
+ }); err != nil {
+ return err
+ }
+ }
+ return nil
+ })
+ if err != nil {
+ return err
+ }
+ }
+
+ // VPC Lattice
+ for i, lc := range sv.VpcLatticeConfigurations {
+ name := fmt.Sprintf("VpcLatticeConfiguration[%d]", i)
+ err := verifyResource(ctx, name, func(context.Context) error {
+ roleArn := aws.ToString(lc.RoleArn)
+ if err := verifyResource(ctx, fmt.Sprintf("RoleArn[%s]", roleArn), func(ctx context.Context) error {
+ return d.verifyRole(ctx, roleArn, "ecs.amazonaws.com")
+ }); err != nil {
+ return err
+ }
+
+ tgArn := aws.ToString(lc.TargetGroupArn)
+ if err := verifyResource(ctx, fmt.Sprintf("TargetGroup[%s]", tgArn), func(ctx context.Context) error {
+ _, err := d.lattice.GetTargetGroup(ctx, &vpclattice.GetTargetGroupInput{
+ TargetGroupIdentifier: lc.TargetGroupArn,
+ })
+ return err
+ }); err != nil {
+ return err
+ }
+
+ portName := aws.ToString(lc.PortName)
+ if err := verifyResource(ctx, fmt.Sprintf("PortName[%s]", portName), func(ctx context.Context) error {
+ if portName == "" {
+ return fmt.Errorf("portName is required for vpcLatticeConfiguration")
+ }
+ var portMappings []types.PortMapping
+ for _, cd := range td.ContainerDefinitions {
+ portMappings = append(portMappings, cd.PortMappings...)
+ }
+ if _, found := lo.Find(portMappings, func(pm types.PortMapping) bool {
+ return portName == aws.ToString(pm.Name)
+ }); !found {
+ return fmt.Errorf("portName %s is not found in any containerDefinitions", portName)
+ }
+ return nil
+ }); err != nil {
+ return err
 }
 return nil
 })
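Review bot: The VpcLatticeConfiguration checks make two remote calls (the role lookup inside verifyRole and GetTargetGroup) before the purely local `portName` validation, so a definition with a missing or mistyped port name only fails after the API round trips; moving the `portName` block to the top of the closure fails fast and needs no network access. The outer closure is declared `func(context.Context) error` and closes over the enclosing ctx while the three inner closures shadow it as `ctx`; declaring it `func(ctx context.Context) error` keeps the pattern uniform and makes the inner calls use the context verifyResource hands in. The GetTargetGroup check only proves the target group exists; if the verifier is meant to also catch a target group unsuitable for the service, the returned description would have to be inspected, which I cannot confirm is wanted from here. verifyServiceDefinition, and the `td` and `sv` values the new code reads, begin outside the hunk.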
@@ -382,7 +436,7 @@ func (d *App) verifyTaskDefinition(ctx context.Context) error { if execRole := td.ExecutionRoleArn; execRole != nil { name := fmt.Sprintf("ExecutionRole[%s]", *execRole) err := verifyResource(ctx, name, func(ctx context.Context) error { - return d.verifyRole(ctx, *execRole) + return d.verifyRole(ctx, *execRole, "ecs-tasks.amazonaws.com") }) if err != nil { return err @@ -391,7 +445,7 @@ func (d *App) verifyTaskDefinition(ctx context.Context) error { if taskRole := td.TaskRoleArn; taskRole != nil { name := fmt.Sprintf("TaskRole[%s]", *taskRole) err := verifyResource(ctx, name, func(ctx context.Context) error { - return d.verifyRole(ctx, *taskRole) + return d.verifyRole(ctx, *taskRole, "ecs-tasks.amazonaws.com") }) if err != nil { return err @@ -666,7 +720,7 @@ func extractRoleName(roleArn string) (string, error) { } } -func (d *App) verifyRole(ctx context.Context, roleArn string) error { +func (d *App) verifyRole(ctx context.Context, roleArn, principalService string) error { roleName, err := extractRoleName(roleArn) if err != nil { return err @@ -682,11 +736,11 @@ func (d *App) verifyRole(ctx context.Context, roleArn string) error { return fmt.Errorf("failed to parse IAM policy document: %w", err) } for _, st := range doc.Statement { - if st.Principal.Service == "ecs-tasks.amazonaws.com" && st.Action == "sts:AssumeRole" { + if st.Principal.Service == principalService && st.Action == "sts:AssumeRole" { return nil } } - return fmt.Errorf("executionRole %s has not a valid policy document: %w", roleName, err) + return fmt.Errorf("role %s has not a valid policy document", roleName) } type iamPolicyDocument struct { From 8dc1c29efc52ebeaf33b559cf361a0a81db8fcca Mon Sep 17 00:00:00 2001 From: fujiwara Date: Tue, 19 Nov 2024 17:41:03 +0900 Subject: [PATCH 5/7] add go.mod --- go.mod | 1 + go.sum | 2 ++ 2 files changed, 3 insertions(+) diff --git a/go.mod b/go.mod index 256a8696..ca2d4fb6 100644 --- a/go.mod +++ b/go.mod 
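Review bot: In the last hunk, verifyRole accepts a role as soon as one statement names `principalService` with `sts:AssumeRole`, but nothing visible checks the statement's effect, so a statement with `"Effect": "Deny"` for that principal would pass; if iamPolicyDocument (whose definition starts at the end of this hunk) carries an Effect field, add `st.Effect == "Allow"` to the condition, and if it does not, that is worth a TODO. The check also reads Principal.Service and Action as single strings, so a trust policy that lists them as JSON arrays would presumably fail to parse rather than verify; that is pre-existing, but the new principalService parameter makes this the one place all three callers now rely on. The replacement error message could name what was expected, e.g. `return fmt.Errorf("role %s has no trust policy statement allowing %s to perform sts:AssumeRole", roleName, principalService)`. verifyRole's signature is in the preceding hunk and its middle lies between the two hunks.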
@@ -82,6 +82,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/sns v1.26.7 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect + github.com/aws/aws-sdk-go-v2/service/vpclattice v1.12.7 // indirect github.com/creack/pty v1.1.20 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect diff --git a/go.sum b/go.sum index 5b723d6f..58b859b1 100644 --- a/go.sum +++ b/go.sum @@ -126,6 +126,8 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4/go.mod h1:0oxfLkpz3rQ/CHlx5 github.com/aws/aws-sdk-go-v2/service/sts v1.16.18/go.mod h1:AE4zMc8qCw1JnDvy0ZrDVb/OXRuuweG3BcT2Nv7Qh3E= github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 h1:ZsDKRLXGWHk8WdtyYMoGNO7bTudrvuKpDKgMVRlepGE= github.com/aws/aws-sdk-go-v2/service/sts v1.30.3/go.mod h1:zwySh8fpFyXp9yOr/KVzxOl8SRqgf/IDw5aUt9UKFcQ= +github.com/aws/aws-sdk-go-v2/service/vpclattice v1.12.7 h1:UnKWGVI1ZeCaUZDOE/UhLLy8i9ggmT2WcZ9AFhssDA8= +github.com/aws/aws-sdk-go-v2/service/vpclattice v1.12.7/go.mod h1:X0X0qZ4S3qpAm8NfTdW4lacTf2VusIV3sbwF+CN3d4k= github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= From c8528b1ba2537fc0d8042d505a5970e09ada461c Mon Sep 17 00:00:00 2001 From: fujiwara Date: Tue, 19 Nov 2024 17:55:22 +0900 Subject: [PATCH 6/7] update readme for vpc lattice. --- README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/README.md b/README.md index 7858b804..42836580 100644 --- a/README.md +++ b/README.md 
@@ -676,6 +676,53 @@ $ ecspresso run --no-ebs-delete-on-termination For tasks run by ECS services, EBS volumes are always deleted when the task stops. This is an ECS specification that ecspresso cannot override. + +### VPC Lattice support + +ecspresso supports [VPC Lattice](https://aws.amazon.com/vpc/lattice/) integration. + +1. Define `portMappings` in the task definition. The `name` field is required. +```json +{ + "containerDefinitions": [ + { + "name": "webserver", + "portMappings": [ + { + "name": "web-80-tcp", + "containerPort": 80, + "hostPort": 80, + "protocol": "tcp", + "appProtocol": "http" + } + ], + // ... +``` + +2. Define `vpcLatticeConfigurations` in the service definition. The `portName`, `roleArn`, and `targetGroupArn` fields are required.` + +- The `portName` must match the `name` field of the `portMappings` in the task definition. +- The `roleArn` is the IAM role that the ECS service assumes to call the VPC Lattice API. + - The role must have the `ecs.amazonaws.com` service principal. + - The role should have the `AmazonECSInfrastructureRolePolicyForVpcLattice` policy or equivalent permissions. +- The `targetGroupArn` is the ARN of the VPC Lattice target group. + +```json +{ + "vpcLatticeConfigurations": [ + { + "portName": "web-80-tcp", + "roleArn": "arn:aws:iam::123456789012:role/ecsInfrastructureRole", + "targetGroupArn": "arn:aws:vpc-lattice:ap-northeast-1:123456789012:targetgroup/tg-009147df264a0bacb" + } + ], + // ... +``` + +ecspresso doesn't create or modify any VPC Lattice resources. You must create and associate a VPC Lattice target group with the ECS service. + +See also [Use Amazon VPC Lattice to connect, observe, and secure your Amazon ECS services](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-vpc-lattice.html). + ### How to check diff and verify service/task definitions before deploy. ecspresso supports `diff` and `verify` commands. From 6a60f2a38e225b2878e4ca72686371a7dfc30969 Mon Sep 17 00:00:00 2001 
From: fujiwara Date: Tue, 19 Nov 2024 17:56:52 +0900 Subject: [PATCH 7/7] fix // --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 42836580..fee7cee9 100644 --- a/README.md +++ b/README.md @@ -696,7 +696,6 @@ ecspresso supports [VPC Lattice](https://aws.amazon.com/vpc/lattice/) integratio "appProtocol": "http" } ], - // ... ``` 2. Define `vpcLatticeConfigurations` in the service definition. The `portName`, `roleArn`, and `targetGroupArn` fields are required.` @@ -716,7 +715,6 @@ ecspresso supports [VPC Lattice](https://aws.amazon.com/vpc/lattice/) integratio "targetGroupArn": "arn:aws:vpc-lattice:ap-northeast-1:123456789012:targetgroup/tg-009147df264a0bacb" } ], - // ... ``` ecspresso doesn't create or modify any VPC Lattice resources. You must create and associate a VPC Lattice target group with the ECS service.