From 1124a3d95f6b33c1734bf5712e462469e4d077fb Mon Sep 17 00:00:00 2001
From: Shoan Motwani
Date: Tue, 12 May 2020 13:17:16 +0530
Subject: [PATCH 1/2] Added explicit environment to role This will ensure clarity when looking for the roles in AWS. While cloudformation would prefix the environment, it would get truncated, if the service name were too long. Also bumped the boto3 version to ensure that some of the new capabilities such as ECR image scanning work on all deployments.
---
 .../deployment/service_template_generator.py | 2 +-
 cloudlift/version/__init__.py | 2 +-
 requirements.txt | 2 +-
 .../expected_fargate_service_template.yml | 52 +++++++++---------
 test/templates/expected_service_template.yml | 54 +++++++++----------
 test/test_cloudlift.py | 2 +-
 6 files changed, 57 insertions(+), 57 deletions(-)
diff --git a/cloudlift/deployment/service_template_generator.py b/cloudlift/deployment/service_template_generator.py
index ac31d725..8b5c52ff 100644
--- a/cloudlift/deployment/service_template_generator.py
+++ b/cloudlift/deployment/service_template_generator.py
@@ -184,7 +184,7 @@ def _add_service(self, service_name, config):
 cd = ContainerDefinition(**container_definition_arguments)
 task_role = self.template.add_resource(Role(
- service_name + "Role",
+ self.env + service_name + "Role",
 AssumeRolePolicyDocument=PolicyDocument(
 Statement=[
 Statement(
diff --git a/cloudlift/version/__init__.py b/cloudlift/version/__init__.py
index 7bd82a81..b98a2e97 100644
--- a/cloudlift/version/__init__.py
+++ b/cloudlift/version/__init__.py
@@ -1 +1 @@
-VERSION = '1.4.3'
\ No newline at end of file
+VERSION = '1.4.4'
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index d0fb49cf..3f92f4d6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-boto3>=1.9.89
+boto3>=1.13.1
 awscli
 certifi==2017.7.27.1
 cfn-flip==1.0.3
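Review bot: Renaming the logical ID at the `Role(` call means that, on an already-deployed stack, CloudFormation will treat the task role as a new resource: it creates the `<env><service>Role` resource and deletes the old `<service>Role`, so the role ARN changes. Anything granted to the old role outside this template (a bucket or KMS key policy that names the role ARN, a policy attached by hand) will presumably stop applying after the next deploy, and nothing in the hunk or the commit message warns about that. The concatenation also has to remain a valid logical ID (alphanumeric only), so an environment name containing `-` or `_` would be rejected unless it is normalised first. I would add a comment such as `# NOTE: changing this logical ID replaces the IAM task role (new ARN) on existing stacks` and call the replacement out in the release notes. `_add_service` starts and ends outside the hunk.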
diff --git a/test/templates/expected_fargate_service_template.yml b/test/templates/expected_fargate_service_template.yml index 535ac4d6..ebf9ebc4 100644 --- a/test/templates/expected_fargate_service_template.yml +++ b/test/templates/expected_fargate_service_template.yml @@ -1,7 +1,7 @@ Outputs: CloudliftOptions: Description: Options used with cloudlift when building this service - Value: '{"cloudlift_version": "1.4.3", "services": {"DummyFargateRunSidekiqsh": {"command": null, "fargate": {"cpu": 256, "memory": 512}, "memory_reservation": 512}, "DummyFargateService": {"command": null, "fargate": {"cpu": 256, "memory": 512}, "http_interface": {"container_port": 80, "internal": false, "restrict_access_to": ["0.0.0.0/0"], "health_check_path": "/elb-check"}, "memory_reservation": 512}}}' + Value: '{"cloudlift_version": "1.4.4", "services": {"DummyFargateRunSidekiqsh": {"command": null, "fargate": {"cpu": 256, "memory": 512}, "memory_reservation": 512}, "DummyFargateService": {"command": null, "fargate": {"cpu": 256, "memory": 512}, "http_interface": {"container_port": 80, "internal": false, "restrict_access_to": ["0.0.0.0/0"], "health_check_path": "/elb-check"}, "memory_reservation": 512}}}' DummyFargateRunSidekiqshEcsServiceName: Description: The ECS name which needs to be entered Value: !GetAtt 'DummyFargateRunSidekiqsh.Name' @@ -78,17 +78,6 @@ Resources: - !Ref 'PrivateSubnet2' TaskDefinition: !Ref 'DummyFargateRunSidekiqshTaskDefinition' Type: AWS::ECS::Service - DummyFargateRunSidekiqshRole: - Properties: - AssumeRolePolicyDocument: - Statement: - - Action: - - sts:AssumeRole - Effect: Allow - Principal: - Service: - - ecs-tasks.amazonaws.com - Type: AWS::IAM::Role DummyFargateRunSidekiqshTaskDefinition: Properties: ContainerDefinitions: 
@@ -113,7 +102,7 @@ Resources: NetworkMode: awsvpc RequiresCompatibilities: - FARGATE - TaskRoleArn: !Ref 'DummyFargateRunSidekiqshRole' + TaskRoleArn: !Ref 'stagingDummyFargateRunSidekiqshRole' Type: AWS::ECS::TaskDefinition DummyFargateService: DependsOn: SslLoadBalancerListenerDummyFargateService @@ -134,17 +123,6 @@ Resources: - !Ref 'PrivateSubnet2' TaskDefinition: !Ref 'DummyFargateServiceTaskDefinition' Type: AWS::ECS::Service - DummyFargateServiceRole: - Properties: - AssumeRolePolicyDocument: - Statement: - - Action: - - sts:AssumeRole - Effect: Allow - Principal: - Service: - - ecs-tasks.amazonaws.com - Type: AWS::IAM::Role DummyFargateServiceTaskDefinition: Properties: ContainerDefinitions: @@ -171,7 +149,7 @@ Resources: NetworkMode: awsvpc RequiresCompatibilities: - FARGATE - TaskRoleArn: !Ref 'DummyFargateServiceRole' + TaskRoleArn: !Ref 'stagingDummyFargateServiceRole' Type: AWS::ECS::TaskDefinition ECSServiceRole: Properties: @@ -447,4 +425,26 @@ Resources: TargetType: ip UnhealthyThresholdCount: 3 VpcId: !Ref 'VPC' - Type: AWS::ElasticLoadBalancingV2::TargetGroup \ No newline at end of file + Type: AWS::ElasticLoadBalancingV2::TargetGroup + stagingDummyFargateRunSidekiqshRole: + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - sts:AssumeRole + Effect: Allow + Principal: + Service: + - ecs-tasks.amazonaws.com + Type: AWS::IAM::Role + stagingDummyFargateServiceRole: + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - sts:AssumeRole + Effect: Allow + Principal: + Service: + - ecs-tasks.amazonaws.com + Type: AWS::IAM::Role \ No newline at end of file diff --git a/test/templates/expected_service_template.yml b/test/templates/expected_service_template.yml index 78634b9a..438b2317 100644 --- a/test/templates/expected_service_template.yml +++ b/test/templates/expected_service_template.yml 
@@ -1,7 +1,7 @@ Outputs: CloudliftOptions: Description: Options used with cloudlift when building this service - Value: '{"cloudlift_version": "1.4.3", "services": {"Dummy": {"memory_reservation": 1000, "command": null, "http_interface": {"internal": false, "container_port": 7003, "restrict_access_to": ["0.0.0.0/0"], "health_check_path": "/elb-check"}}, "DummyRunSidekiqsh": {"memory_reservation": 1000, "command": "./run-sidekiq.sh"}}}' + Value: '{"cloudlift_version": "1.4.4", "services": {"Dummy": {"memory_reservation": 1000, "command": null, "http_interface": {"internal": false, "container_port": 7003, "restrict_access_to": ["0.0.0.0/0"], "health_check_path": "/elb-check"}}, "DummyRunSidekiqsh": {"memory_reservation": 1000, "command": "./run-sidekiq.sh"}}}' DummyEcsServiceName: Description: 'The ECS name which needs to be entered' Value: !GetAtt 'Dummy.Name' @@ -65,7 +65,7 @@ Resources: DependsOn: SslLoadBalancerListenerDummy Properties: Cluster: cluster-staging - DesiredCount: 1 + DesiredCount: 0 LaunchType: 'EC2' LoadBalancers: - ContainerName: DummyContainer @@ -79,17 +79,6 @@ Resources: Role: !Ref 'ECSServiceRole' TaskDefinition: !Ref 'DummyTaskDefinition' Type: AWS::ECS::Service - DummyRole: - Properties: - AssumeRolePolicyDocument: - Statement: - - Action: - - sts:AssumeRole - Effect: Allow - Principal: - Service: - - ecs-tasks.amazonaws.com - Type: AWS::IAM::Role DummyRunSidekiqsh: Properties: Cluster: cluster-staging @@ -105,17 +94,6 @@ Resources: Type: spread TaskDefinition: !Ref 'DummyRunSidekiqshTaskDefinition' Type: AWS::ECS::Service - DummyRunSidekiqshRole: - Properties: - AssumeRolePolicyDocument: - Statement: - - Action: - - sts:AssumeRole - Effect: Allow - Principal: - Service: - - ecs-tasks.amazonaws.com - Type: AWS::IAM::Role DummyRunSidekiqshTaskDefinition: Properties: ContainerDefinitions: 
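Review bot: The `DesiredCount: 1` to `DesiredCount: 0` change in the `Dummy` service expectation (hunk `@@ -65,7 +65,7 @@`) is unrelated to the role rename, is not mentioned in the commit message, and is not explained by the one-line generator change in this patch. If the generator really emits 0 here, the reason belongs in the commit message; if the fixture was regenerated from a local run that picked up live state, pinning 0 may hide a regression in how the desired count is derived. Unless there is a reason visible outside this patch, I would keep `DesiredCount: 1` in the fixture or split this change into its own commit with an explanation.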
@@ -136,7 +114,7 @@ Resources: MemoryReservation: 1000 Name: DummyRunSidekiqshContainer Family: DummyRunSidekiqshFamily - TaskRoleArn: !Ref 'DummyRunSidekiqshRole' + TaskRoleArn: !Ref 'stagingDummyRunSidekiqshRole' Type: AWS::ECS::TaskDefinition DummyTaskDefinition: Properties: @@ -158,7 +136,7 @@ Resources: PortMappings: - ContainerPort: 7003 Family: DummyFamily - TaskRoleArn: !Ref 'DummyRole' + TaskRoleArn: !Ref 'stagingDummyRole' Type: AWS::ECS::TaskDefinition ECSServiceRole: Properties: @@ -415,4 +393,26 @@ Resources: Value: '30' UnhealthyThresholdCount: 3 VpcId: !Ref 'VPC' - Type: AWS::ElasticLoadBalancingV2::TargetGroup \ No newline at end of file + Type: AWS::ElasticLoadBalancingV2::TargetGroup + stagingDummyRole: + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - sts:AssumeRole + Effect: Allow + Principal: + Service: + - ecs-tasks.amazonaws.com + Type: AWS::IAM::Role + stagingDummyRunSidekiqshRole: + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - sts:AssumeRole + Effect: Allow + Principal: + Service: + - ecs-tasks.amazonaws.com + Type: AWS::IAM::Role \ No newline at end of file diff --git a/test/test_cloudlift.py b/test/test_cloudlift.py index a49926e0..83c466bc 100644 --- a/test/test_cloudlift.py +++ b/test/test_cloudlift.py @@ -45,7 +45,7 @@ def mocked_fargate_service_config(cls, *args, **kwargs): environment_name = 'staging' service_name = 'dummy' -fargate_service_name = 'dummy-fargate' +fargate_service_name = f'{service_name}-fargate' def test_cloudlift_can_deploy_to_ec2(keep_resources): cfn_client = boto3.client('cloudformation') From 50b7de6bcfdf7f86cf86cf7823d3361548dd3f33 Mon Sep 17 00:00:00 2001 From: Shoan Motwani Date: Sat, 16 May 2020 14:23:52 +0530 Subject: [PATCH 2/2] Changed formatting of the Role name --- cloudlift/deployment/service_template_generator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/cloudlift/deployment/service_template_generator.py b/cloudlift/deployment/service_template_generator.py
index 8b5c52ff..e3e6e6e0 100644
--- a/cloudlift/deployment/service_template_generator.py
+++ b/cloudlift/deployment/service_template_generator.py
@@ -184,7 +184,7 @@ def _add_service(self, service_name, config):
 cd = ContainerDefinition(**container_definition_arguments)
 task_role = self.template.add_resource(Role(
- self.env + service_name + "Role",
+ pascalcase(self.env + service_name + "Role"),
 AssumeRolePolicyDocument=PolicyDocument(
 Statement=[
 Statement(
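Review bot: `pascalcase(...)` is introduced on the `Role(` argument line without an import in this patch (the diffstat shows a single changed line), so it only works if the module already imports it; worth confirming, since otherwise `_add_service` fails with a NameError when the role is built. Assuming it upper-cases the first character, the logical ID becomes something like `StagingDummyRole`, while the expected templates added in PATCH 1/2 still reference `stagingDummyRole`, `stagingDummyRunSidekiqshRole` and the two Fargate equivalents, and those fixtures are not updated here. This is also the second logical-ID change in a row, so a stack deployed between the two patches would have its IAM task role replaced again. `_add_service` starts and ends outside the hunk.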