fix(ecs/host_group): automatic security updates breaking ECS tasks (#164

)
codequest-eu · Sep 23, 2024 · af3635a · af3635a
1 parent 72d0dcc
commit af3635a
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 7 deletions.
diff --git a/ecs/host_group/README.md b/ecs/host_group/README.md
@@ -64,6 +64,7 @@ Creates an auto-scaling group of EC2 instances which will join the given ECS clu
 | <a name="input_cpu_credits"></a> [cpu\_credits](#input\_cpu\_credits) | The credit option for CPU usage. Can be 'standard' or 'unlimited'. | `string` | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Should resources be created | `bool` | `true` | no |
 | <a name="input_detailed_monitoring"></a> [detailed\_monitoring](#input\_detailed\_monitoring) | Whether to enable detailed monitoring on EC2 instances | `bool` | `true` | no |
+| <a name="input_docker_config"></a> [docker\_config](#input\_docker\_config) | Docker daemon config, see https://docs.docker.com/reference/cli/dockerd/#daemon-configuration-file | `map(any)` | `{}` | no |
 | <a name="input_ecs_agent_config"></a> [ecs\_agent\_config](#input\_ecs\_agent\_config) | ECS agent configuration to append to the default one | `string` | `""` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Kebab-cased environment name, eg. development, staging, production. | `string` | n/a | yes |
 | <a name="input_instance_attributes"></a> [instance\_attributes](#input\_instance\_attributes) | ECS instance attributes to be applied to EC2 instance | `map(string)` | `{}` | no |

diff --git a/ecs/host_group/main.tf b/ecs/host_group/main.tf
@@ -44,6 +44,7 @@ locals {
     cluster_name        = var.cluster_name
     detailed_monitoring = var.detailed_monitoring
     user_data           = var.user_data
+    docker_config       = var.docker_config
     ecs_agent_config    = var.ecs_agent_config
     instance_attributes = jsonencode(var.instance_attributes)
   })

diff --git a/ecs/host_group/templates/user_data.sh b/ecs/host_group/templates/user_data.sh
@@ -23,6 +23,13 @@ ECS_INSTANCE_ATTRIBUTES=${instance_attributes}
 ${ecs_agent_config}
 EOF
 
+# Make sure ECS agent is restarted when docker restarts
+cat >/etc/systemd/system/ecs.service.d/override.conf <<EOF
+[Unit]
+Requires=docker.service
+EOF
+systemctl daemon-reload
+
 # Update ECS agent
 yum update -y ecs-init
 docker pull amazon/amazon-ecs-agent:latest
@@ -55,7 +62,7 @@ update_cmd = security
 update_messages = yes
 download_updates = yes
 apply_updates = yes
-random_sleep = 0
+random_sleep = 60
 
 [base]
 exclude = kernel*
@@ -73,13 +80,9 @@ EOF
 
 systemctl enable yum-cron
 
-# Enable docker daemon live restore, so we can update docker without
-# restarting containers
-# https://docs.docker.com/config/containers/live-restore/
+# https://docs.docker.com/reference/cli/dockerd/#daemon-configuration-file
 cat >/etc/docker/daemon.json <<EOF
-{
-  "live-restore": true
-}
+${jsonencode(docker_config)}
 EOF
 
 # Setup memory and disk usage monitoring

diff --git a/ecs/host_group/variables.tf b/ecs/host_group/variables.tf
@@ -103,3 +103,9 @@ variable "instance_attributes" {
   type        = map(string)
   default     = {}
 }
+
+variable "docker_config" {
+  description = "Docker daemon config, see https://docs.docker.com/reference/cli/dockerd/#daemon-configuration-file"
+  type        = map(any)
+  default     = {}
+}