Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add option to pin service to task def revision #331

Merged
merged 5 commits into from
Nov 22, 2024

Conversation

georgepstaylor
Copy link
Contributor

@georgepstaylor georgepstaylor commented Nov 22, 2024

This pull request includes updates to the ECS service configuration to add a new variable for pinning task definition revisions, and to removes the now unused ignore_changes variable.

If you pin the revision, the ECS service won't be redeployed by terraform unless you manually update it. Task definitions will continue to be recreated, they just won't take effect.

ECS Service Configuration Updates:

  • service/README.md: Added a new input variable pin_task_definition_revision to specify the revision of the task definition to use. Removed the ignore_changes input variable.
  • service/service.tf: Updated the task_definition attribute to use the pin_task_definition_revision variable if it is set. Adjusted the triggers attribute to use an empty map instead of null when force_new_deployment is true. [1] [2]
  • service/variables.tf: Added a new variable pin_task_definition_revision to specify the revision of the task definition. Removed the ignore_changes variable. [1] [2]

@georgepstaylor georgepstaylor requested a review from a team as a code owner November 22, 2024 14:11
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
service


Running Trivy in service
2024-11-22T14:14:00Z INFO [vulndb] Need to update DB
2024-11-22T14:14:00Z INFO [vulndb] Downloading vulnerability DB...
2024-11-22T14:14:00Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T14:14:03Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T14:14:03Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T14:14:03Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T14:14:03Z INFO [misconfig] Need to update the built-in checks
2024-11-22T14:14:03Z INFO [misconfig] Downloading the built-in checks...
2024-11-22T14:14:04Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 553.965µs, allowed: 44000/minute"
2024-11-22T14:14:04Z INFO [secret] Secret scanning is enabled
2024-11-22T14:14:04Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T14:14:04Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T14:14:04Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T14:14:04Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="cluster_arn, container_definitions, name, security_groups, service_load_balancers, service_role_arn, subnets, task_exec_role_arn, task_role_arn"
2024-11-22T14:14:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T14:14:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T14:14:04Z INFO Number of language-specific files num=0
2024-11-22T14:14:04Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
service

*****************************

Running Checkov in service
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 4, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
service

*****************************

Running tflint in service
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on service/task_def.tf line 1:
   1: resource "aws_ecs_task_definition" "default" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on service/terraform.tf line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_version.md

tflint_exitcode=2

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
service

*****************************

Running Trivy in service
2024-11-22T14:14:00Z	INFO	[vulndb] Need to update DB
2024-11-22T14:14:00Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-22T14:14:00Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T14:14:03Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T14:14:03Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T14:14:03Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T14:14:03Z	INFO	[misconfig] Need to update the built-in checks
2024-11-22T14:14:03Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-22T14:14:04Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 553.965µs, allowed: 44000/minute"
2024-11-22T14:14:04Z	INFO	[secret] Secret scanning is enabled
2024-11-22T14:14:04Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T14:14:04Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T14:14:04Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T14:14:04Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="cluster_arn, container_definitions, name, security_groups, service_load_balancers, service_role_arn, subnets, task_exec_role_arn, task_role_arn"
2024-11-22T14:14:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T14:14:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T14:14:04Z	INFO	Number of language-specific files	num=0
2024-11-22T14:14:04Z	INFO	Detected config files	num=1
trivy_exitcode=0

Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
service


Running Trivy in service
2024-11-22T14:18:09Z INFO [vulndb] Need to update DB
2024-11-22T14:18:09Z INFO [vulndb] Downloading vulnerability DB...
2024-11-22T14:18:09Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T14:18:12Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T14:18:12Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T14:18:12Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T14:18:12Z INFO [misconfig] Need to update the built-in checks
2024-11-22T14:18:12Z INFO [misconfig] Downloading the built-in checks...
2024-11-22T14:18:12Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 249.803µs, allowed: 44000/minute\n\n"
2024-11-22T14:18:12Z INFO [secret] Secret scanning is enabled
2024-11-22T14:18:12Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T14:18:12Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T14:18:13Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T14:18:13Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="cluster_arn, container_definitions, name, security_groups, service_load_balancers, service_role_arn, subnets, task_exec_role_arn, task_role_arn"
2024-11-22T14:18:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T14:18:13Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T14:18:13Z INFO Number of language-specific files num=0
2024-11-22T14:18:13Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
service

*****************************

Running Checkov in service
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 4, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
service

*****************************

Running tflint in service
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on service/task_def.tf line 1:
   1: resource "aws_ecs_task_definition" "default" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on service/terraform.tf line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_version.md

tflint_exitcode=2

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
service

*****************************

Running Trivy in service
2024-11-22T14:18:09Z	INFO	[vulndb] Need to update DB
2024-11-22T14:18:09Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-22T14:18:09Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T14:18:12Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T14:18:12Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T14:18:12Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T14:18:12Z	INFO	[misconfig] Need to update the built-in checks
2024-11-22T14:18:12Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-22T14:18:12Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 249.803µs, allowed: 44000/minute\n\n"
2024-11-22T14:18:12Z	INFO	[secret] Secret scanning is enabled
2024-11-22T14:18:12Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T14:18:12Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T14:18:13Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T14:18:13Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="cluster_arn, container_definitions, name, security_groups, service_load_balancers, service_role_arn, subnets, task_exec_role_arn, task_role_arn"
2024-11-22T14:18:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T14:18:13Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T14:18:13Z	INFO	Number of language-specific files	num=0
2024-11-22T14:18:13Z	INFO	Detected config files	num=1
trivy_exitcode=0

Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
service


Running Trivy in service
2024-11-22T15:13:19Z INFO [vulndb] Need to update DB
2024-11-22T15:13:19Z INFO [vulndb] Downloading vulnerability DB...
2024-11-22T15:13:19Z INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T15:13:22Z INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T15:13:22Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T15:13:22Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T15:13:22Z INFO [misconfig] Need to update the built-in checks
2024-11-22T15:13:22Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-22T15:13:22Z INFO [secret] Secret scanning is enabled
2024-11-22T15:13:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T15:13:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T15:13:24Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T15:13:24Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="cluster_arn, container_definitions, name, security_groups, service_load_balancers, service_role_arn, subnets, task_exec_role_arn, task_role_arn"
2024-11-22T15:13:24Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T15:13:24Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T15:13:24Z INFO Number of language-specific files num=0
2024-11-22T15:13:24Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
service

*****************************

Running Checkov in service
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 4, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
service

*****************************

Running tflint in service
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on service/task_def.tf line 1:
   1: resource "aws_ecs_task_definition" "default" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on service/terraform.tf line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_version.md

tflint_exitcode=2

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
service

*****************************

Running Trivy in service
2024-11-22T15:13:19Z	INFO	[vulndb] Need to update DB
2024-11-22T15:13:19Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-22T15:13:19Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T15:13:22Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-22T15:13:22Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T15:13:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T15:13:22Z	INFO	[misconfig] Need to update the built-in checks
2024-11-22T15:13:22Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-22T15:13:22Z	INFO	[secret] Secret scanning is enabled
2024-11-22T15:13:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T15:13:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T15:13:24Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T15:13:24Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="cluster_arn, container_definitions, name, security_groups, service_load_balancers, service_role_arn, subnets, task_exec_role_arn, task_role_arn"
2024-11-22T15:13:24Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T15:13:24Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_ecs_service.default" err="1 error occurred:\n\t* invalid for-each in aws_ecs_service.default.dynamic.load_balancer block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T15:13:24Z	INFO	Number of language-specific files	num=0
2024-11-22T15:13:24Z	INFO	Detected config files	num=1
trivy_exitcode=0

Copy link
Contributor

@mikereiddigital mikereiddigital left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lg2m

@georgepstaylor georgepstaylor merged commit 46be04c into main Nov 22, 2024
6 of 7 checks passed
@georgepstaylor georgepstaylor deleted the add-task-def-pinning branch November 22, 2024 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants