
feat(aws-tools)!: Update AWS CLI to v2 #1562

Merged
merged 7 commits into from
Nov 19, 2024

Conversation

akash1810 (Member) commented Oct 7, 2024

What does this change?

Install the latest version of the AWS CLI (v2) using an AWS maintained mechanism.

It looks like installing the AWS CLI via pip3 isn't maintained by AWS as:

Install the AWS CLI via an AWS provided zip file instead.

The package gets installed to /usr/local/bin/aws, replicating existing behaviour. This should make this change backwards compatible for places where we're using the CLI via its full path.

Why not snap?

I originally intended to install the CLI via the official snap package. However this'll install to /snap/bin/aws, and we'd have to symlink this to /usr/local/bin/aws for backwards compatibility. This was slightly less readable than installing from the zip file.

How to test

  • Deploy to CODE (done)
  • Bake a recipe that uses the aws-tools role, it should succeed (done)

What is the value of this?

  • Using the latest version of the AWS CLI.
  • This installation mechanism should allow AMIgo to provide better support for Ubuntu 24.04 as when installing via pip3 we're greeted with an error introduced in Python 3.12:

This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.

If you wish to install a non-Debian-packaged Python package,
create a virtual environment using python3 -m venv path/to/venv.
Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
sure you have python3-full installed.

If you wish to install a non-Debian packaged Python application,
it may be easiest to use pipx install xyz, which will manage a
virtual environment for you. Make sure you have pipx installed.

See /usr/share/doc/python3.12/README.venv for more information.

note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
hint: See PEP 668 for the detailed specification.

Have we considered potential risks?

Version 2 brings some breaking changes - https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration-changes.html#cliv2-migration-changes-breaking. I can't see any immediate issues this would bring, however I could very well be wrong! If the breaking changes do impact us, I'd expect it to manifest in a failed deployment as the user-data script of an EC2 service would fail to run. That is, there wouldn't be any service disruption.

@akash1810 akash1810 force-pushed the aa/aws-cli-v2 branch 3 times, most recently from c701477 to c0ba959 October 7, 2024 20:07
Base automatically changed from aa/simplify-aws-tools to main October 7, 2024 20:17
@akash1810 akash1810 marked this pull request as ready for review October 7, 2024 20:40
@akash1810 akash1810 requested a review from a team as a code owner October 7, 2024 20:40
@akash1810 akash1810 force-pushed the aa/aws-cli-v2 branch 2 times, most recently from 66165ec to a5da2ba October 8, 2024 18:48
adamnfish (Contributor) left a comment

The "image bakery" model means we do this work once, properly. With that in mind, should we be verifying the signature as well? The verification mechanism uses pgp, so we'd need gpg installed on the box as well is the only real downside.

The instructions are fairly simple once gpg is installed

  • include the AWS public key in this role
  • make sure that the public key is imported into the public key ring
  • also download the signature file for the AWS CLI
  • verify the signature of the downloaded zip file with gpg: gpg --verify awscliv2.sig awscliv2.zip

I think generally in these image builds if we're downloading stuff off the internet we should be taking the extra step of verifying it, where possible.

Very happy to think about adding this separately though, we don't have those checks now and should focus on unblocking the 24.04 image creation!

@akash1810 akash1810 marked this pull request as draft October 10, 2024 10:41
github-actions bot (Contributor) commented:

This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the “stale” label removed, this will be closed in 3 days.

@github-actions github-actions bot added the Stale label Nov 11, 2024
@akash1810 akash1810 removed the Stale label Nov 13, 2024
@akash1810 akash1810 force-pushed the aa/aws-cli-v2 branch 4 times, most recently from ccbc544 to 41088b5 November 13, 2024 18:06

akash1810 (Member, Author) commented Nov 13, 2024

With that in mind, should we be verifying the signature as well?

Turns out this was simpler than anticipated. I've added this now.

Any advice on how to resolve the following warning welcomed:

image

@akash1810 akash1810 marked this pull request as ready for review November 13, 2024 19:26
akash1810 (Member, Author) commented Nov 14, 2024

With that in mind, should we be verifying the signature as well?

Turns out this was simpler than anticipated. I've added this now.

Any advice on how to resolve the following warning welcomed:

Resolved in ffbb78f.

There's still more stdout detail than possibly desired, but we never really read the AMIgo build log so 🤷🏽:

image

@akash1810 akash1810 force-pushed the aa/aws-cli-v2 branch 2 times, most recently from 65aa5d3 to d5c7d6e November 14, 2024 21:20

Comment on lines +12 to +15 of roles/aws-tools/tasks/main.yml:

# It is not uncommon for this role to be run once in a base image, and again in a recipe.
# There's no point installing the AWS CLI twice, so check if it's already installed.
- shell: which aws 2>/dev/null || echo aws_cli_not_installed
  register: aws_cli_installed

akash1810 (Member, Author) commented:

In this role, we're creating a gpg key for user AMIgo. This means on first run, it succeeds but on second it fails as the key we're trying to create already exists.

This register syntax was the only way I could see to create a variable in ansible. Ultimately, aws_cli_installed is used to detect if this role has already been executed or not.
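As an added example (not the project's own role), one way to wire the signature-verification steps from adamnfish's comment into an idempotent task list: an ansible.builtin.stat check on /usr/local/bin/aws replaces the `which aws` register trick discussed above, and the whole download/verify/install sequence is skipped on the second run. It assumes the role ships the AWS CLI team public key as files/aws-cli-team.pub (placeholder name) and an x86_64 build host; the bundle and .sig URLs are the documented AWS ones.

```yaml
# Hypothetical roles/aws-tools/tasks/main.yml; not the project's own file.
- name: Check whether the AWS CLI is already installed (base image vs. recipe run)
  ansible.builtin.stat:
    path: /usr/local/bin/aws
  register: aws_cli

- name: Download, verify and install the AWS CLI v2 only when it is absent
  when: not aws_cli.stat.exists
  block:
    - name: Ensure gpg and unzip are present for verification and unpacking
      ansible.builtin.apt:
        name:
          - gnupg
          - unzip
        state: present
    - name: Fetch the AWS CLI bundle and its detached signature
      ansible.builtin.get_url:
        url: "https://awscli.amazonaws.com/{{ item }}"
        dest: "/tmp/{{ item }}"
      loop:
        - awscli-exe-linux-x86_64.zip
        - awscli-exe-linux-x86_64.zip.sig
    - name: Copy the AWS CLI team public key shipped in this role's files/ directory
      # files/aws-cli-team.pub is assumed to hold the key published in the AWS
      # CLI docs; compare its fingerprint with the docs before committing it.
      ansible.builtin.copy:
        src: aws-cli-team.pub
        dest: /tmp/aws-cli-team.pub
    - name: Import the key into the build user's keyring (re-importing is harmless)
      ansible.builtin.command: gpg --import /tmp/aws-cli-team.pub
      changed_when: false
    - name: Verify the signature before anything is unpacked
      # gpg exits non-zero on a bad signature or an unknown key, so the bake
      # fails here. A good signature from an imported-but-untrusted key exits 0
      # and only prints a trust warning on stderr.
      ansible.builtin.command: >
        gpg --verify /tmp/awscli-exe-linux-x86_64.zip.sig
        /tmp/awscli-exe-linux-x86_64.zip
      changed_when: false
    - name: Unpack the verified bundle
      ansible.builtin.unarchive:
        src: /tmp/awscli-exe-linux-x86_64.zip
        dest: /tmp
        remote_src: true
    - name: Install to /usr/local/bin/aws, the same path pip3 used
      ansible.builtin.command: >
        /tmp/aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli
      args:
        creates: /usr/local/bin/aws
```

The `creates:` argument on the final task is a second guard: even if the block runs, the installer is not re-executed when the binary already exists.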

Install the latest version of the AWS CLI (v2) using an AWS maintained mechanism.

It looks like installing the AWS CLI via `pip3` isn't maintained by AWS as:
- It (still) installs v1
- It is not listed on https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Install the AWS CLI via an AWS provided zip file instead.
Looks like `[]` is not valid YAML.
Maybe it would be if enclosed in quotes, but use parens for ease.
@akash1810 akash1810 merged commit 6282028 into main Nov 19, 2024
4 checks passed
@akash1810 akash1810 deleted the aa/aws-cli-v2 branch November 19, 2024 12:33