setup ecs local endpoints for debugging & integration testing

.devcontainer/Dockerfile

@@ -24,10 +24,6 @@ RUN unzip awscli-exe-linux-x86_64.zip \
     && ./aws/install --update \
     && rm -rf ./aws
 
-RUN curl -OJ https://amazon-ecs-cli.s3.amazonaws.com/ecs-cli-linux-amd64-latest \
-    && chmod +x ecs-cli-linux-amd64-latest \
-    && mv ecs-cli-linux-amd64-latest /usr/local/bin/ecs-cli
-
 COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
 RUN docker buildx install
 

.devcontainer/devcontainer.json

@@ -30,5 +30,9 @@
 		"source=${env:HOME}${env:USERPROFILE}/.ssh,target=/root/.ssh,type=bind"
 	],
 
+	"runArgs": [
+    	"--network=host"
+	],
+
 	"postCreateCommand": "chmod +x ./bin/setup-cred-helper.sh ; ./bin/setup-cred-helper.sh ; dotnet restore"
 }

README.md

@@ -247,5 +247,4 @@ Input:
 4. run `task deploy`
 
 **To Do**
-- [ ] ecs-cli for testing & debugging
 - [ ] terraform discord server

Taskfile.yml

@@ -2,27 +2,18 @@ version: '3'
 
 tasks:
   test:
-    deps: [test-core, test-exec, test-proc]
+    deps: [test-unit, test-int]
 
-  test-core:
+  test-unit:
     cmds:
       - dotnet test --filter "FullyQualifiedName~test.unit"
 
-  test-proc:
-    deps: [build-proc-image]
+  test-int:
     cmds:
       - |
-        rm -rf test/pwnctl.proc.test.int/bin
-        export UNTESTED_IMAGE=$(aws ecr describe-repositories | jq -r '.repositories[] | select( .repositoryName == "pwnctl-proc") | .repositoryUri'):untested_$(git rev-parse --short HEAD)
-        dotnet test --filter "FullyQualifiedName~pwnctl.proc"
-
-  test-exec:
-    deps: [build-exec-long-image]
-    cmds:
-    - |
-      rm -rf test/pwnctl.exec.test.int/bin
-      export UNTESTED_IMAGE=$(aws ecr describe-repositories | jq -r '.repositories[] | select( .repositoryName == "pwnctl-exec-long") | .repositoryUri'):untested_$(git rev-parse --short HEAD)
-      dotnet test --filter "FullyQualifiedName~pwnctl.exec"
+        . ./bin/setenv.sh
+        dotnet test --filter "FullyQualifiedName~test.int"
+        docker-compose -f test/pwnctl.core.test.int/docker-compose.ecs-local.yml down
 
   build-api:
     cmds:
@@ -94,8 +85,11 @@ tasks:
 
   setup-ci:
     cmds:
-      - gh variable set AWS_REGION --body "$(aws configure get region)"
-      - gh variable set AWS_CALLER_IDENTITY --body "$(aws sts get-caller-identity | jq -r .Account)"
+      # - gh auth login
+      # - gh secret set AWS_REGION --body "$(aws configure get region)"
+      # - gh secret set AWS_CALLER_IDENTITY --body "$(aws sts get-caller-identity | jq -r .Account)"
+      # - gh secret set AWS_ACCESS_KEY_ID --body ""
+      # - gh secret set AWS_SECRET_ACCESS_KEY --body ""
       - terraform -chdir=infra/modules/ci apply -auto-approve
 
   deploy:
@@ -112,35 +106,11 @@ tasks:
     cmds:
       - terraform -chdir=infra/modules/ci destroy
 
-  debug-exec-long:
-    cmds:
-      - |
-        ecrUri=$(aws ecr describe-repositories | jq -r '.repositories[] | select( .repositoryName == "pwnctl-exec-long") | .repositoryUri')
-        latestTag=$(docker images | grep $ecrUri | head -n 1 | awk '{print $2}')
-        docker run -v ~/.aws/:/root/.aws/ -e PWNCTL_USE_LOCAL_INTEGRATIONS=true \
-                   -e PWNCTL_Logging__FilePath=/mnt/efs -e PWNCTL_Logging__MinLevel=Information \
-                   -e PWNCTL_TaskQueue__VisibilityTimeout=1200 -e PWNCTL_OutputQueue__VisibilityTimeout=1200 \
-                   -v "$(pwd)"/deployment:/mnt/efs -t ${ecrUri}:$latestTag
-
-  debug-exec-short:
+  debug:
     cmds:
-      - |
-        ecrUri=$(aws ecr describe-repositories | jq -r '.repositories[] | select( .repositoryName == "pwnctl-exec-short") | .repositoryUri')
-        latestTag=$(docker images | grep $ecrUri | head -n 1 | awk '{print $2}')
-        docker run -e PWNCTL_USE_LOCAL_INTEGRATIONS=true \
-                   -e PWNCTL_Logging__FilePath=/mnt/efs -e PWNCTL_Logging__MinLevel=Information \
-                   -e PWNCTL_TaskQueue__VisibilityTimeout=1200 -e PWNCTL_OutputQueue__VisibilityTimeout=1200 \
-                   -v "$(pwd)"/deployment:/mnt/efs -t ${ecrUri}:$latestTag
-
-  debug-proc:
-    cmds:
-      - |
-        ecrUri=$(aws ecr describe-repositories | jq -r '.repositories[] | select( .repositoryName == "pwnctl-proc") | .repositoryUri')
-        latestTag=$(docker images | grep $ecrUri | head -n 1 | awk '{print $2}')
-        docker run -v ~/.aws/:/root/.aws/ -e PWNCTL_USE_LOCAL_INTEGRATIONS=true \
-                   -e PWNCTL_Logging__FilePath=/mnt/efs -e PWNCTL_Logging__MinLevel=Information \
-                   -e PWNCTL_TaskQueue__VisibilityTimeout=1200 -e PWNCTL_OutputQueue__VisibilityTimeout=1200 \
-                   -v "$(pwd)"/deployment:/mnt/efs -t ${ecrUri}:$latestTag
+      - | 
+        . ./bin/setenv.sh
+        docker-compose -f test/pwnctl.core.test.int/docker-compose.ecs-local.yml up
 
   get-exec-logs:
     cmds:

bin/setenv.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+export AWS_REGION=$(aws configure get region)
+export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
+export PWNCTL_PROC_TAG=$(docker images | grep pwnctl-proc | head -n 1 | awk '{print $2}')
+export PWNCTL_EXEC_SHORT_TAG=$(docker images | grep pwnctl-exec-short | head -n 1 | awk '{print $2}')
+export PWNCTL_EXEC_LONG_TAG=$(docker images | grep pwnctl-exec-long | head -n 1 | awk '{print $2}')

infra/iam.tf

@@ -1,109 +1,3 @@
-# ECS Execution role
-resource "aws_iam_role" "ecs_service" {
-  name = "pwnctl-ecs-service"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Principal = {
-          Service = "ecs-tasks.amazonaws.com"
-        }
-      }
-    ]
-  })
-}
-
-data "aws_iam_policy_document" "scalein_protection" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "ecs:UpdateTaskProtection"
-    ]
-
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_policy" "scalein_protection" {
-  name        = "scalein-protection"
-  path        = "/"
-  description = "IAM policy for ECS Scale in Protection"
-  policy      = data.aws_iam_policy_document.scalein_protection.json
-}
-
-resource "aws_iam_role_policy_attachment" "grant_ecs_scalein_protection_access" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = aws_iam_policy.scalein_protection.arn
-}
-
-data "aws_iam_policy_document" "sqs_readwrite" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "sqs:ChangeMessageVisibility",
-      "sqs:DeleteMessage",
-      "sqs:GetQueueAttributes",
-      "sqs:GetQueueUrl",
-      "sqs:ReceiveMessage",
-      "sqs:SendMessage"
-    ]
-
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_policy" "sqs_readwrite" {
-  name        = "sqs-readwrite"
-  path        = "/"
-  description = "IAM policy for sqs Read/Write access"
-  policy      = data.aws_iam_policy_document.sqs_readwrite.json
-}
-
-resource "aws_iam_role_policy_attachment" "grant_ecs_sqs_readwrite_access" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = aws_iam_policy.sqs_readwrite.arn
-}
-
-resource "aws_iam_role_policy_attachment" "grant_ecs_task_execution" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = data.aws_iam_policy.ecs_task_execution.arn
-}
-resource "aws_iam_role_policy_attachment" "grant_ecs_efs_client_full_access" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = data.aws_iam_policy.efs_client_full_access.arn
-}
-resource "aws_iam_role_policy_attachment" "grant_ecs_ec2_container_registry_readonly_access" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = data.aws_iam_policy.ec2_container_registry_readonly.arn
-}
-resource "aws_iam_role_policy_attachment" "grant_ecs_cloud_watch_logs_full_access" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = data.aws_iam_policy.cloud_watch_logs_full_access.arn
-}
-resource "aws_iam_role_policy_attachment" "grant_ecs_rds_full_access" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = data.aws_iam_policy.rds_full_access.arn
-}
-
-resource "aws_iam_role_policy_attachment" "grant_ecs_ssm_readonly_access" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = data.aws_iam_policy.ssm_readonly_access.arn
-}
-
-resource "aws_iam_role_policy_attachment" "grant_ecs_sm_readwrite_access" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = data.aws_iam_policy.sm_readwrite_access.arn
-}
-
-resource "aws_iam_role_policy_attachment" "grant_eventbridge_scheduler_access" {
-  role       = aws_iam_role.ecs_service.name
-  policy_arn = aws_iam_policy.eventbridge_scheduler.arn
-}
 
 # EventBridge Role
 data "aws_iam_policy_document" "event_publisher" {
@@ -150,35 +44,6 @@ resource "aws_iam_role_policy_attachment" "grant_lambda_eventbridge_scheduler_ac
 }
 
 
-data "aws_iam_policy_document" "eventbridge_scheduler" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "ecs:ListClusters",
-      "ecs:ListTaskDefinitions",
-      "iam:ListRoles",
-      "iam:PassRole",
-      "events:PutRule",
-      "events:PutTargets",
-      "events:DeleteRule",
-      "events:DeleteTargets",
-      "events:RemoveTargets",
-      "events:ListTargetsByRule"
-    ]
-
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_policy" "eventbridge_scheduler" {
-  name        = "eventbridge_scheduler"
-  path        = "/"
-  description = "IAM policy to create & delete event bridge schedules"
-  policy      = data.aws_iam_policy_document.eventbridge_scheduler.json
-}
-
-
 # Lambda Execution role
 data "aws_iam_policy" "lambda_basic_execution" {
   name = "AWSLambdaBasicExecutionRole"