A collection of Ruby scripts that make it easier to work with ECS from the command line.
A tool to sync up AWS Systems Manager Parameter Store with a local YAML file.
WIP; TODO a prettier name.
Usage: AWS_REGION=<your_region> param_tool.rb [options] (down|up)
-f, --file=FILE File with params
-p, --prefix=PREFIX Param prefix
-k, --key=KEY Encryption key for writing secure params (no effect on reading)
-d, --decrypt Output decrypted params
-y, --yes Apply changes without asking for confirmation (DANGER)
-D, --description=STRING Add description to params
AWS_REGION=eu-central-1 param_tool.rb --prefix /staging/myapp down >params.yml
- Secure (encrypted) param values are replaced with
SECURE
- NOT decrypted. - To decrypt, use
-d
key. - Secure param keys are suffixed with '!'
- Params are converted into a tree, using slashes as nesting separators.
# see planned changes, confirm, apply:
AWS_REGION=eu-central-1 param_tool.rb --prefix /staging/myapp --file params.yml up
Planned changes:
create /staging/myapp/host = "app.com"
delete /staging/myapp/deprecated
update /staging/myapp/port = "80"
Apply? (anything but "yes" will abort): yes
writing parameter /staging/myapp/host...done
deleting parameter /staging/myapp/deprecated...done
writing parameter /staging/myapp/port...done
All done!
# non-interactive mode (and you can pass params to standard input)
my_param_generating_script.sh | param_tool.rb --prefix /staging/myapp --yes up
# specify a key to do the encryption:
AWS_REGION=eu-central-1 param_tool.rb --key alias/mailtrap-parameter-store --prefix /staging/myapp --file params.yml up
- params that are not changed will not be updated
- secure params that have a value of
SECURE
are NOT updated - secure params that have any other value ARE updated - then make sure to provide the proper key
- to make a param secure, add a
!
suffix to the key name - note that the '!' character itself will be stripped from the key name in Parameter Store - params with a value of
DELETE
are deleted from parameter store
- create a YAML file with the params you need; you can reuse the same file for a file-based Global backend.
- upload it to staging
- upload it to prod
- download params from staging, update, and send to prod
- commit param set as reference (make sure that sensitive params are secured, and thus not committed)
---
aws:
bucket: my-bucket
braintree:
environment: sandbox
merchant_id!: SECURE
private_key!: SECURE
public_key!: SECURE
heroku:
addon_manifest: |-
{
"hey!": "you can do multiline values too",
"useful": "for SSH keys"
}
Run shell script or Ruby code on an ECS service
Usage: ecs_run.rb [options] [command or STDIN]
-c, --cluster=CLUSTER Cluster name
-s, --service=SERVICE Service name
-w, --watch Watch output
-r, --ruby Run input as Ruby code with Rails runner (instead of shell command)
-R, --region AWS region to use
Note that the command is non-interactive - you provide the code and you watch it execute.
Cluster and service are required params. Besides them, you'll need to set the region through environment variables.
The command retrieves the task definition, subnet, and security group from the service automatically.
There are three ways to provide input:
-
as a final argument to the command - make sure to quote it properly
ecs_run.rb -c app -s app 'rake -T'
-
from a file
ecs_run.rb -c app -s app <script.sh
-
type it in
ecs_run.rb -c app -s app Type your command then press Ctrl+D rake -T [Ctrl+D]
Note that in all cases you're providing literal code to be evaluated on the ECS service; you can't send files; the rest of the environment is defined by the service.
Normally after you start the task you get an AWS Console link to monitor the task online, and that's it.
But if you specify the --watch
option, you will see the task status changes and the output logged to the terminal. You will also know when the task has finished.
Besides running shell code, you can also run Ruby code with the Rails runner (only available if bundle
and a Rails app are present in your service's docker image.)
ecs_run.rb -c app -s app --ruby 'p User.first'
This way you get Rails log output, but note that, unlike a Rails console, you don't see command evaluation results by default - you need to print it explicitly.
Include credential_process
in the config file:
# ~/.aws/config
[profile dev]
credential_process = sh -c "op item get 'AWS Access Key' --fields label='Access Key ID',label='Secret Access Key' --format json | jq 'map(.value) | {Version:1, AccessKeyId:.[0], SecretAccessKey: .[1]}'"
Now run the command with --process-profile
option:
ecs_run.rb --process-profile dev -c app -s app -R us-east-1
$ ruby ecs_run.rb --cluster myapp --service myapp --watch --ruby
Type your command then press Ctrl+D
Note - Ruby evaluation result is NOT automatically printed, use `p`
User.where("email LIKE '%@myapp.com'").update_all(role: 'admin')
^D
Task started. See it online at https://eu-central-1.console.aws.amazon.com/ecs/home?region=eu-central-1#/clusters/mailtrap/tasks/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/details
Watching task output. Note - Ctrl+C will stop watching, but will NOT stop the task!
[2020-07-25 08:42:01 +0300] Task status changed to PROVISIONING
[2020-07-25 08:42:23 +0300] Task status changed to PENDING
[2020-07-25 08:43:18 +0300] Task status changed to RUNNING
[2020-07-25 08:43:42 +0300] I, [2020-07-25T05:43:37.853603 #7] INFO -- : Raven 3.0.0 ready to catch errors
[2020-07-25 08:44:01 +0300] Task status changed to DEPROVISIONING
[2020-07-25 08:44:14 +0300] Task status changed to STOPPED