feat(aws-tools)!: Update AWS CLI to v2 #1562
(branch force-pushed: c701477 to c0ba959)
(branch force-pushed: c0ba959 to 948851b)
(branch force-pushed: 66165ec to a5da2ba)
The "image bakery" model means we do this work once, properly. With that in mind, should we be verifying the signature as well? The verification mechanism uses pgp; the only real downside is that we'd need gpg installed on the box as well.
The instructions are fairly simple once gpg is installed:
- include the AWS public key in this role
- make sure that the public key is imported into the public key ring
- also download the signature file for the AWS CLI
- verify the signature of the downloaded zip file with gpg:
```shell
gpg --verify awscliv2.sig awscliv2.zip
```
I think generally in these image builds if we're downloading stuff off the internet we should be taking the extra step of verifying it, where possible.
Very happy to think about adding this separately though, we don't have those checks now and should focus on unblocking the 24.04 image creation!
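The steps in the comment above, carried through as an added example (this is not the repository's role code and not AWS's own instructions): a POSIX shell function that imports the public key into a throwaway keyring, runs `gpg --verify` on the detached signature, and then does the check the steps leave out, pinning the signer to an expected fingerprint. That last step matters because `gpg --verify` alone reports success for a good signature from any key that happens to be in the keyring. The block assumes gpg 2.1 or newer. The fixture it runs against is constructed inline (a throwaway key standing in for AWS's published key, a text file standing in for awscliv2.zip); in the real role you would pass the aws.pub, awscliv2.sig and awscliv2.zip files from the AWS CLI install page, and the key fingerprint published on that page with the spaces removed. `verify_detached`, `demo` and the `fixture@example.invalid` user ID are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the repository or from AWS's install page.
# Verifies a downloaded file against its detached PGP signature and pins the
# signer to an expected key fingerprint: "gpg --verify" on its own reports
# success for a signature from ANY key in the keyring, so the fingerprint
# check is what actually ties the zip to AWS. Assumes gpg 2.1 or newer.

# verify_detached PUBKEY SIGFILE DATAFILE EXPECTED_FPR
#   EXPECTED_FPR: 40 uppercase hex digits, no spaces (as gpg prints it).
#   Returns 0 only when SIGFILE is a good signature over DATAFILE made by
#   that key (or by one of its subkeys).
verify_detached() {
    vd_key=$1; vd_sig=$2; vd_data=$3; vd_fpr=$4
    # Throwaway keyring: nothing already on the box is trusted, and a re-run
    # of the role never collides with a key imported by an earlier run.
    vd_home=$(mktemp -d) || return 1
    chmod 700 "$vd_home"
    if ! gpg --homedir "$vd_home" --batch --import "$vd_key" >/dev/null 2>&1; then
        rm -rf "$vd_home"
        return 1
    fi
    # --status-fd 1 puts machine-readable lines on stdout. A VALIDSIG line has
    # the signing (sub)key's fingerprint in field 3 and the primary key's in
    # the last field; accept either so a signing subkey still pins to AWS's key.
    vd_status=$(gpg --homedir "$vd_home" --batch --status-fd 1 \
                    --verify "$vd_sig" "$vd_data" 2>/dev/null)
    vd_rc=$?
    gpgconf --homedir "$vd_home" --kill gpg-agent >/dev/null 2>&1
    rm -rf "$vd_home"
    [ "$vd_rc" -eq 0 ] || return 1
    printf '%s\n' "$vd_status" | awk -v want="$vd_fpr" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed fixture so the block runs offline: a throwaway key stands in for
# AWS's published key and a text file stands in for awscliv2.zip. In the real
# role, aws.pub, awscliv2.sig and awscliv2.zip come from the AWS CLI install
# page, and the expected fingerprint is the one published there, spaces removed.
demo() {
    d_work=$(mktemp -d) || return 1
    d_signer="$d_work/signer"
    mkdir -p "$d_signer" && chmod 700 "$d_signer"
    d_uid="fixture@example.invalid"
    gpg --homedir "$d_signer" --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$d_uid" default default never >/dev/null 2>&1 || return 1
    gpg --homedir "$d_signer" --batch --armor --export "$d_uid" >"$d_work/aws.pub" 2>/dev/null
    d_fpr=$(gpg --homedir "$d_signer" --batch --with-colons --with-fingerprint \
                --list-keys "$d_uid" 2>/dev/null | awk -F: '/^fpr:/ { print $10; exit }')
    printf 'stand-in for awscliv2.zip\n' >"$d_work/awscliv2.zip"
    gpg --homedir "$d_signer" --batch --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$d_work/awscliv2.sig" "$d_work/awscliv2.zip" >/dev/null 2>&1 || return 1

    d_fail=0
    # 1. Untouched file, expected signer: must pass.
    verify_detached "$d_work/aws.pub" "$d_work/awscliv2.sig" "$d_work/awscliv2.zip" "$d_fpr" || d_fail=1
    # 2. One extra byte appended to the zip: must fail.
    printf 'x\n' >>"$d_work/awscliv2.zip"
    verify_detached "$d_work/aws.pub" "$d_work/awscliv2.sig" "$d_work/awscliv2.zip" "$d_fpr" && d_fail=1
    # 3. Genuine signature, but not the key we pinned: must fail even though
    #    gpg itself reports the signature as good.
    printf 'stand-in for awscliv2.zip\n' >"$d_work/awscliv2.zip"
    verify_detached "$d_work/aws.pub" "$d_work/awscliv2.sig" "$d_work/awscliv2.zip" \
        "0000000000000000000000000000000000000000" && d_fail=1

    gpgconf --homedir "$d_signer" --kill gpg-agent >/dev/null 2>&1
    rm -rf "$d_work"
    return "$d_fail"
}

# Only run the demo when gpg is present; verify_detached is what a role task would call.
if command -v gpg >/dev/null 2>&1; then
    demo && echo "signature and fingerprint checks behaved as expected"
fi
```

Because the keyring is created fresh under a temporary `--homedir` and deleted afterwards, the function behaves the same on a second run of the role as on the first, which sidesteps the "key already exists" failure discussed later in this thread; it also means no key on the build box other than the one you pass in can make the check succeed.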
This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the "stale" label removed, this will be closed in 3 days.
(branch force-pushed: ccbc544 to 41088b5)
(branch force-pushed: ec72c8a to bd9414b)
Review comment on roles/aws-tools/files/aws.pub (outdated):
The contents of this file are from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html.
Resolved in ffbb78f. There's still more stdout detail than possibly desired, but we never really read the AMIgo build log so 🤷🏽
(branch force-pushed: 65aa5d3 to d5c7d6e)
```yaml
# It is not uncommon for this role to be run once in a base image, and again in a recipe.
# There's no point installing the AWS CLI twice, so check if it's already installed.
- shell: which aws 2>/dev/null || echo aws_cli_not_installed
  register: aws_cli_installed
```
In this role, we're creating a gpg key for user AMIgo. This means on first run it succeeds, but on second it fails as the key we're trying to create already exists. This `register` syntax was the only way I could see to create a variable in ansible. Ultimately, `aws_cli_installed` is used to detect if this role has already been executed or not.
Install the latest version of the AWS CLI (v2) using an AWS maintained mechanism. It looks like installing the AWS CLI via `pip3` isn't maintained by AWS as:
- It (still) installs v1
- It is not listed on https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
Install the AWS CLI via an AWS provided zip file instead.
Follows the instructions on https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html to verify the ZIP file.
Looks like `[]` is not valid YAML. Maybe it would be if enclosed in quotes, but use parens for ease.
(branch force-pushed: d5c7d6e to e31f338)
What does this change?
Install the latest version of the AWS CLI (v2) using an AWS maintained mechanism.
It looks like installing the AWS CLI via `pip3` isn't maintained by AWS as:
Install the AWS CLI via an AWS provided zip file instead.
The package gets installed to `/usr/local/bin/aws`, replicating existing behaviour. This should make this change backwards compatible for places where we're using the CLI via its full path.
Why not snap?
I originally intended to install the CLI via the official `snap` package. However this'll install to `/snap/bin/aws`, and we'd have to symlink this to `/usr/local/bin/aws` for backwards compatibility. This was slightly less readable than installing from the zip file.
How to test
`aws-tools` role, it should succeed (done)
What is the value of this?
`pip3` we're greeted with an error introduced in Python 3.12:
Have we considered potential risks?
Version 2 brings some breaking changes - https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration-changes.html#cliv2-migration-changes-breaking. I can't see any immediate issues this would bring, however I could very well be wrong! If the breaking changes do impact us, I'd expect it to manifest in a failed deployment as the user-data script of an EC2 service would fail to run. That is, there wouldn't be any service disruption.