From e17983abd583d0878a1b2482bbf0ab7cd5bc02c5 Mon Sep 17 00:00:00 2001
From: Khai Do <3697686+zaro0508@users.noreply.github.com>
Date: Fri, 22 Nov 2024 08:19:59 -0800
Subject: [PATCH 1/6] Update role for github CI (#3)
---
 .github/workflows/deploy-dev.yaml | 2 +-
 .github/workflows/deploy-prod.yaml | 2 +-
 .github/workflows/deploy-stage.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/deploy-dev.yaml b/.github/workflows/deploy-dev.yaml
index 279d80b..f1edc35 100644
--- a/.github/workflows/deploy-dev.yaml
+++ b/.github/workflows/deploy-dev.yaml
@@ -13,6 +13,6 @@ jobs:
 aws-deploy:
 uses: "./.github/workflows/aws-deploy.yaml"
 with:
- role-to-assume: "arn:aws:iam::607346494281:role/sagebase-github-oidc-sage-bionetworks-it-agora-infra-v3"
+ role-to-assume: "arn:aws:iam::607346494281:role/sagebase-github-oidc-agora-infra-v3"
 role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
 environment: dev
diff --git a/.github/workflows/deploy-prod.yaml b/.github/workflows/deploy-prod.yaml
index 0e81ef2..5ef839a 100644
--- a/.github/workflows/deploy-prod.yaml
+++ b/.github/workflows/deploy-prod.yaml
@@ -13,6 +13,6 @@ jobs:
 aws-deploy:
 uses: "./.github/workflows/aws-deploy.yaml"
 with:
- role-to-assume: "arn:aws:iam::681175625864:role/sagebase-github-oidc-sage-bionetworks-it-agora-infra-v3"
+ role-to-assume: "arn:aws:iam::681175625864:role/sagebase-github-oidc-agora-infra-v3"
 role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
 environment: prod
diff --git a/.github/workflows/deploy-stage.yaml b/.github/workflows/deploy-stage.yaml
index 9250646..13a964d 100644
--- a/.github/workflows/deploy-stage.yaml
+++ b/.github/workflows/deploy-stage.yaml
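Review bot: The new `role-to-assume` lines in deploy-prod.yaml and deploy-stage.yaml (the stage hunk continues on the next line) point at the identical role in the same account, 681175625864, so a stage deployment run holds exactly the AWS permissions a prod run holds; if stage is meant to be a lower-trust environment, a separate role for it would bound what a compromised stage workflow run can reach. The same ARN literal is also now maintained by hand in three workflow files that differ only in account id and `environment`, so a per-environment GitHub variable (for example one named AWS_DEPLOY_ROLE_ARN, referenced as `role-to-assume: ${{ vars.AWS_DEPLOY_ROLE_ARN }}`) would remove the duplication. Whether `environment:` is applied to the job inside the reusable aws-deploy.yaml, which is what scopes such variables, is not visible here, nor is the role's trust policy.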
@@ -13,6 +13,6 @@ jobs:
 aws-deploy:
 uses: "./.github/workflows/aws-deploy.yaml"
 with:
- role-to-assume: "arn:aws:iam::681175625864:role/sagebase-github-oidc-sage-bionetworks-it-agora-infra-v3"
+ role-to-assume: "arn:aws:iam::681175625864:role/sagebase-github-oidc-agora-infra-v3"
 role-session-name: ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ github.run_id }}
 environment: stage
From 6f88b061853523beb65bd25b464904757b95592b Mon Sep 17 00:00:00 2001
From: Khai Do <3697686+zaro0508@users.noreply.github.com>
Date: Fri, 22 Nov 2024 14:40:54 -0800
Subject: [PATCH 2/6] Fix cloudformation load balancer ouput (#4)
We depend on the cloudformation's load balancer exported DNS endpoint to configure a DNS redirect in organizations-infra repo[1]. The export name needs to be unique in the account.
[1] https://github.com/Sage-Bionetworks-IT/organizations-infra/blob/master/org-formation/800-redirects/_tasks.yaml
---
 src/load_balancer_stack.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/load_balancer_stack.py b/src/load_balancer_stack.py
index b9061ad..32dd73f 100644
--- a/src/load_balancer_stack.py
+++ b/src/load_balancer_stack.py
@@ -21,4 +21,9 @@ def __init__(
 self.alb = elbv2.ApplicationLoadBalancer(
 self, "AppLoadBalancer", vpc=vpc, internet_facing=True
 )
- cdk.CfnOutput(self, "dns", value=self.alb.load_balancer_dns_name)
+ cdk.CfnOutput(
+ self,
+ "LoadBalancerDns",
+ value=self.alb.load_balancer_dns_name,
+ export_name=f"{construct_id}-dns",
+ )
From 549502b288276dbf18c94fceeb98c3d54b25b2b0 Mon Sep 17 00:00:00 2001
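Review bot: The new `cdk.CfnOutput` carries no comment recording that another stack imports it (the organizations-infra redirect named in the commit message), and CloudFormation refuses to delete or rename an export while it is imported, so a later change to the `{construct_id}-dns` pattern or removal of the output will fail this stack's deployment rather than just breaking the redirect. A comment above the call, `# Exported for the DNS redirect in organizations-infra; the export name cannot change while that stack imports it.`, would make the cross-stack coupling visible to the next maintainer. It is also worth confirming that `construct_id`, which comes from the caller, only ever holds characters CloudFormation accepts in an export name, since an invalid name surfaces only at deploy time. The `__init__` this sits in starts outside the hunk.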
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 2 Dec 2024 10:45:24 -0800
Subject: [PATCH 3/6] [pre-commit.ci] pre-commit autoupdate (#5)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
updates:
- [github.com/awslabs/cfn-python-lint: v1.19.0 → v1.20.0](https://github.com/awslabs/cfn-python-lint/compare/v1.19.0...v1.20.0)
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 32b7a9f..5bcc3c0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,7 +17,7 @@ repos:
 hooks:
 - id: yamllint
 - repo: https://github.com/awslabs/cfn-python-lint
- rev: v1.19.0
+ rev: v1.20.0
 hooks:
 - id: cfn-python-lint
 args:
From 2dc5f0ae55633d58448c50b2c712b4f4462becdc Mon Sep 17 00:00:00 2001
From: Khai Do <3697686+zaro0508@users.noreply.github.com>
Date: Tue, 3 Dec 2024 12:44:36 -0800
Subject: [PATCH 4/6] [IT-3951] Fix guardduty container (#8)
We enable guardduty security monitoring for ECS in every account. For that to work we need to give the Fragate task execution role access to do ECS stuff with the service-role/AmazonECSTaskExecutionRolePolicy[1].
[1] https://docs.aws.amazon.com/guardduty/latest/ug/prereq-runtime-monitoring-ecs-support.html#before-enable-runtime-monitoring-ecs
---
 src/service_stack.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/src/service_stack.py b/src/service_stack.py
index 26775a3..19319b7 100644
--- a/src/service_stack.py
+++ b/src/service_stack.py
@@ -58,6 +58,28 @@ def __init__(
 )
 )
+ # default ECS execution policy plus Guardduty access
+ execution_role = iam.Role(
+ self,
+ "ExecutionRole",
+ assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
+ managed_policies=[
+ iam.ManagedPolicy.from_aws_managed_policy_name(
+ "service-role/AmazonECSTaskExecutionRolePolicy"
+ ),
+ ],
+ )
+ execution_role.add_to_policy(
+ iam.PolicyStatement(
+ actions=[
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ],
+ resources=["*"],
+ effect=iam.Effect.ALLOW,
+ )
+ )
+
 # ECS task with fargate
 self.task_definition = ecs.FargateTaskDefinition(
 self,
@@ -65,6 +87,7 @@ def __init__(
 cpu=1024,
 memory_limit_mib=4096,
 task_role=task_role,
+ execution_role=execution_role,
 )
 image = ecs.ContainerImage.from_registry(props.container_location)
From a11a2b5f38f4a619893f21e86c38e5ccc722f37a Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 3 Dec 2024 13:03:40 -0800
Subject: [PATCH 5/6] [pre-commit.ci] pre-commit autoupdate (#6)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
updates:
- [github.com/awslabs/cfn-python-lint: v1.20.0 → v1.20.1](https://github.com/awslabs/cfn-python-lint/compare/v1.20.0...v1.20.1)
- [github.com/sirosen/check-jsonschema: 0.29.4 → 0.30.0](https://github.com/sirosen/check-jsonschema/compare/0.29.4...0.30.0)
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 5bcc3c0..655db99 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -17,7 +17,7 @@ repos:
 hooks:
 - id: yamllint
 - repo: https://github.com/awslabs/cfn-python-lint
- rev: v1.20.0
+ rev: v1.20.1
 hooks:
 - id: cfn-python-lint
 args:
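Review bot: The inline statement added through `execution_role.add_to_policy` grants `logs:CreateLogStream` and `logs:PutLogEvents` on `resources=["*"]`, but `AmazonECSTaskExecutionRolePolicy`, attached a few lines above, already allows those two actions on every resource (it is the standard ECS execution policy: ECR image pull plus those two log actions, resource `*`), so the statement adds nothing except a second wildcard grant to maintain; drop it, or if a narrower grant is the intent, scope it to the task's log group ARN instead of `*`. The comment `# default ECS execution policy plus Guardduty access` also misdescribes the block, since nothing GuardDuty-specific is granted; the managed policy is simply the prerequisite the linked doc names for ECS runtime monitoring, so `# ECS task execution role; the AWS managed policy is the prerequisite for GuardDuty ECS runtime monitoring` would be accurate. The second hunk only passes the role into `FargateTaskDefinition`, and `__init__` begins outside both hunks.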
@@ -36,7 +36,7 @@ repos:
 hooks:
 - id: black
 - repo: https://github.com/sirosen/check-jsonschema
- rev: 0.29.4
+ rev: 0.30.0
 hooks:
 - id: check-github-workflows
 - id: check-github-actions
From d43d71962c358d9817d61601aee379e27e90d3be Mon Sep 17 00:00:00 2001
From: Khai Do <3697686+zaro0508@users.noreply.github.com>
Date: Wed, 4 Dec 2024 07:52:08 -0800
Subject: [PATCH 6/6] [IT-4003] Auto-update pre-commit hook versions monthly (#9)
Change the frequency that PRs to update pre-commit hook versions are auto-generated from weekly (the default) to monthly.
---
 .pre-commit-config.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 655db99..d843665 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,3 +1,6 @@
+ci:
+ autoupdate_schedule: monthly
+
 default_language_version:
 python: python3