62 changes: 62 additions & 0 deletions check-ecs-exec.sh
Original file line number Diff line number Diff line change
Expand Up @@ -711,6 +711,68 @@ for containerName in $containerNameList; do
*AWS_SECRET_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac
# find AWS_EXECUTION_ENV
printf " ${COLOR_DEFAULT}- AWS_EXECUTION_ENV"
AWS_EXECUTION_ENV_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_EXECUTION_ENV\") | .name")
case "${AWS_EXECUTION_ENV_FOUND}" in
*AWS_EXECUTION_ENV* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac
# find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
printf " ${COLOR_DEFAULT}- AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI_FOUND=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[${idx}].environment[] | select(.name==\"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\") | .name")
case "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI_FOUND}" in
*AWS_CONTAINER_CREDENTIALS_RELATIVE_URI* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac

idx=$((idx+1))
done

# 12. Check task definition containers for secrets variables AWS_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_EXECUTION_ENV, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and AWS_SECRET_ACCESS_KEY
# if AWS_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_EXECUTION_ENV, AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, and AWS_SECRET_ACCESS_KEY are defined in a container, they will be used by the SSM service
# if the key defined does not have requirement permissions, the execute-command will not work.
containerNameList=$(echo "${taskDefJson}" | jq -r ".taskDefinition.containerDefinitions[].name")
idx=0
printf "${COLOR_DEFAULT} Secrets Variables | (${taskDefFamily}:${taskDefRevision})\n"
for containerName in $containerNameList; do
printf " ${COLOR_DEFAULT}$((idx+1)). container \"${containerName}\"\n"
# find AWS_ACCESS_KEY
printf " ${COLOR_DEFAULT}- AWS_ACCESS_KEY"
AWS_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r "try .taskDefinition.containerDefinitions[${idx}].secrets[] | select(.name==\"AWS_ACCESS_KEY\") | .name")
case "${AWS_ACCESS_KEY_FOUND}" in
*AWS_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac
# find AWS_ACCESS_KEY_ID
printf " ${COLOR_DEFAULT}- AWS_ACCESS_KEY_ID"
AWS_ACCESS_KEY_ID_FOUND=$(echo "${taskDefJson}" | jq -r "try .taskDefinition.containerDefinitions[${idx}].secrets[] | select(.name==\"AWS_ACCESS_KEY_ID\") | .name")
case "${AWS_ACCESS_KEY_ID_FOUND}" in
*AWS_ACCESS_KEY_ID* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac
# find AWS_SECRET_ACCESS_KEY
printf " ${COLOR_DEFAULT}- AWS_SECRET_ACCESS_KEY"
AWS_SECRET_ACCESS_KEY_FOUND=$(echo "${taskDefJson}" | jq -r "try .taskDefinition.containerDefinitions[${idx}].secrets[] | select(.name==\"AWS_SECRET_ACCESS_KEY\") | .name")
case "${AWS_SECRET_ACCESS_KEY_FOUND}" in
*AWS_SECRET_ACCESS_KEY* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac
# find AWS_EXECUTION_ENV
printf " ${COLOR_DEFAULT}- AWS_EXECUTION_ENV"
AWS_EXECUTION_ENV_FOUND=$(echo "${taskDefJson}" | jq -r "try .taskDefinition.containerDefinitions[${idx}].secrets[] | select(.name==\"AWS_EXECUTION_ENV\") | .name")
case "${AWS_EXECUTION_ENV_FOUND}" in
*AWS_EXECUTION_ENV* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac
# find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
printf " ${COLOR_DEFAULT}- AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI_FOUND=$(echo "${taskDefJson}" | jq -r "try .taskDefinition.containerDefinitions[${idx}].secrets[] | select(.name==\"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\") | .name")
case "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI_FOUND}" in
*AWS_CONTAINER_CREDENTIALS_RELATIVE_URI* ) printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n";;
* ) printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n";;
esac

idx=$((idx+1))
done
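Review bot: The ten near-identical lookup-plus-`case` blocks added here (the `environment` checks on L28–L39 and the `secrets` checks on L54–L86) differ only in the list key and the variable name, and they would be far easier to audit as one helper driven by a name list; the `*NAME*` glob in each `case` is also redundant once jq has already selected on the exact `.name`. The two `environment` lookups on L28 and L35 run without jq's `try`, while every `secrets` lookup uses it — if `.environment` can be absent for a container (I cannot confirm that from this page), those two will print a jq error to stderr where the secrets checks stay silent, so a shared helper should apply `try` to both. Whatever shape it takes, the helper should keep emitting only `.name` — never `.value` or `.valueFrom` — so the checker does not echo access keys or secret ARNs onto the console, and passing the index, key and name via `--argjson`/`--arg` keeps shell values out of the jq program text. The `for containerName` loop that the first additions sit in starts outside the hunk.
```shell
# Print whether variable $2 is declared under list key $1 ("environment" or
# "secrets") of container index $3 in ${taskDefJson}. Only the name is
# reported — never .value / .valueFrom — so no credential material is echoed.
report_var_defined() {
  local list_key="$1" var_name="$2" container_idx="$3"
  local found
  found=$(echo "${taskDefJson}" | jq -r --argjson i "${container_idx}" --arg k "${list_key}" --arg n "${var_name}" \
    'try .taskDefinition.containerDefinitions[$i][$k][] | select(.name==$n) | .name')
  printf " ${COLOR_DEFAULT}- %s" "${var_name}"
  if [ -n "${found}" ]; then
    printf ": ${COLOR_YELLOW}defined${COLOR_DEFAULT}\n"
  else
    printf ": ${COLOR_GREEN}not defined${COLOR_DEFAULT}\n"
  fi
}

# … unchanged: section 12 header, containerNameList / idx setup …
for containerName in $containerNameList; do
  printf " ${COLOR_DEFAULT}$((idx+1)). container \"${containerName}\"\n"
  for varName in AWS_ACCESS_KEY AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_EXECUTION_ENV AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; do
    report_var_defined secrets "${varName}" "${idx}"
  done
  idx=$((idx+1))
done
```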
