Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(aws-tools)!: Update AWS CLI to v2 #1562

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat(aws-tools)!: Update AWS CLI to v2 #1562

wants to merge 7 commits into from

Conversation

akash1810
Copy link
Member

@akash1810 akash1810 commented Oct 7, 2024
edited
Loading

What does this change?

Install the latest version of the AWS CLI (v2) using an AWS maintained mechanism.

It looks like installing the AWS CLI via pip3 isn't maintained by AWS as:

Install the AWS CLI via an AWS provided zip file instead.

The package gets installed to /usr/local/bin/aws, replicating existing behaviour. This should make this change backwards compatible for places where we're using the CLI via its full path.

Why not snap?

I originally intended to install the CLI via the official snap package. However this'll install to /snap/bin/aws, and we'd have to symlink this to /usr/local/bin/aws for backwards compatibility. This was slightly less readable than installing from the zip file.

How to test

  • Deploy to CODE (done)
  • Bake a recipe that uses the aws-tools role, it should succeed (done)

What is the value of this?

  • Using the latest version of the AWS CLI.
  • This installation mechanism should allow AMIgo to provide better support for Ubuntu 24.04 as when installing via pip3 we're greeted with an error introduced in Python 3.12:
This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.

If you wish to install a non-Debian-packaged Python package,
create a virtual environment using python3 -m venv path/to/venv.
Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
sure you have python3-full installed.

If you wish to install a non-Debian packaged Python application,
it may be easiest to use pipx install xyz, which will manage a
virtual environment for you. Make sure you have pipx installed.

See /usr/share/doc/python3.12/README.venv for more information.

note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
hint: See PEP 668 for the detailed specification.

Have we considered potential risks?

Version 2 brings some breaking changes - https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration-changes.html#cliv2-migration-changes-breaking. I can't see any immediate issues this would bring, however I could very well be wrong! If the breaking changes do impact us, I'd expect it to manifest in a failed deployment as the user-data script of an EC2 service would fail to run. That is, there wouldn't be any service disruption.

@akash1810 akash1810 force-pushed the aa/aws-cli-v2 branch 3 times, most recently from c701477 to c0ba959 Compare October 7, 2024 20:07
Base automatically changed from aa/simplify-aws-tools to main October 7, 2024 20:17
@akash1810 akash1810 marked this pull request as ready for review October 7, 2024 20:40
@akash1810 akash1810 requested a review from a team as a code owner October 7, 2024 20:40
@akash1810 akash1810 force-pushed the aa/aws-cli-v2 branch 2 times, most recently from 66165ec to a5da2ba Compare October 8, 2024 18:48
adamnfish
adamnfish reviewed Oct 9, 2024
View reviewed changes
Copy link
Contributor

@adamnfish adamnfish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "image bakery" model means we do this work once, properly. With that in mind, should we be verifying the signature as well? The verification mechanism uses pgp, so we'd need gpg installed on the box as well is the only real downside.

The instructions are fairly simple once gpg is installed

  • include the AWS public key in this role
  • make sure that the public key is imported into the poublic key ring
  • also download the signature file for the AWS CLI
  • Verify the signature of the downloaded zip file with gpg gpg --verify awscliv2.sig awscliv2.zip

I think generally in these image builds if we're downloading stuff off the internet we should be taking the extra step of verifying it, where possible.

Very happy to think about adding this separately though, we don't have those checks now and should focus on unblocking the 24.04 image creation!

roles/aws-tools/tasks/main.yml Outdated Show resolved Hide resolved
roles/aws-tools/tasks/main.yml Outdated Show resolved Hide resolved
@akash1810 akash1810 marked this pull request as draft October 10, 2024 10:41
@github-actions GitHub Actions
Copy link
Contributor

This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the “stale” label removed, this will be closed in 3 days

@github-actions github-actions bot added the Stale label Nov 11, 2024
@akash1810 akash1810 removed the Stale label Nov 13, 2024
@akash1810
feat(aws-tools)!: Update AWS CLI to v2
083991c 
Install the latest version of the AWS CLI (v2) using an AWS maintained mechanism.

It looks like installing the AWS CLI via `pip3` isn't maintained by AWS as:
- It (still) installs v1
- It is not listed on https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Install the AWS CLI via an AWS provided zip file instead.
@akash1810 akash1810 force-pushed the aa/aws-cli-v2 branch 3 times, most recently from cadfcba to ccbc544 Compare November 13, 2024 18:01
@akash1810
fix: Correct YAML syntax
59f3406 
Looks like `[]` is not valid YAML.
Maybe it would be if enclosed in quotes, but use parens for ease.
@akash1810
Copy link
Member Author

akash1810 commented Nov 13, 2024
edited
Loading

With that in mind, should we be verifying the signature as well?

Turns out this was simpler than anticipated. I've added this now.

Any advice on how to resolve the following warning welcomed:

image

@akash1810 akash1810 marked this pull request as ready for review November 13, 2024 19:26
akash1810
akash1810 commented Nov 13, 2024
View reviewed changes
roles/aws-tools/files/aws.pub Outdated
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The contents of this file are from https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html.

@akash1810
Copy link
Member Author

akash1810 commented Nov 14, 2024
edited
Loading

With that in mind, should we be verifying the signature as well?

Turns out this was simpler than anticipated. I've added this now.

Any advice on how to resolve the following warning welcomed:

Resolved in ffbb78f.

There's still more stdout detail than possibly desired, but we never really read the AMIgo build log so 🤷🏽:

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adamnfish adamnfish adamnfish left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@akash1810 @adamnfish