Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/steadybit/extension-aws

A Steadybit discovery and action implementation to inject faults into various AWS services.
https://github.com/steadybit/extension-aws

attack aws chaos chaos-engineering cloud lambda rds resilience

Last synced: 5 days ago
JSON representation

A Steadybit discovery and action implementation to inject faults into various AWS services.

Host: GitHub
URL: https://github.com/steadybit/extension-aws
Owner: steadybit
License: mit
Created: 2022-07-20T14:49:21.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2025-01-27T01:59:05.000Z (16 days ago)
Last Synced: 2025-01-29T05:32:35.047Z (13 days ago)
Topics: attack, aws, chaos, chaos-engineering, cloud, lambda, rds, resilience
Language: Go
Homepage: https://hub.steadybit.com/extension/com.steadybit.extension_aws
Size: 13.2 MB
Stars: 9
Watchers: 4
Forks: 1
Open Issues: 2
Metadata Files:
- Readme: README-ecs-ssm-setup.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE

Awesome Lists containing this project

README

        # Setup for ECS Task attacks using the SSM

The SSM agent performs the stress CPU/memory/IO and Fill Disk attack on ECS.

You must add the SSM agent to your ECS Task Definitions and deploy it with your application in the same ECS Task.

This is not performed by the extension-aws to not trigger an unanticipated restart of your ECS Tasks.

This setup is the same as you would use for [AWS FIS on ECS Tasks](https://docs.aws.amazon.com/fis/latest/userguide/ecs-task-actions.html)

Please note that the SSM agent is not supported on Windows containers or Tasks with the ECS's `execute command` feature enabled.

Also make sure the extension is granted the [necessary permissions](./README.md#ecs-permissions)

## 1. IAM Role for the SSM Managed Instance

The SSM agent will register in the SSM as a managed instance and needs an IAM role to do so.

Create a role with the [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) managed policy attached and add the following policies:

```json

{

	"Version": "2012-10-17",

	"Statement": [

		{

			"Effect": "Allow",

			"Action": [

				"ssm:DeleteActivation"

			],

			"Resource": "*"

		},

		{

			"Effect": "Allow",

			"Action": [

				"ssm:DeregisterManagedInstance"

			],

			"Resource": "arn:aws:ssm:*:*:managed-instance/*"

		}

	]

}

```

## 2. SSM IAM Permissions for the ECS Task Role

Add the following policy to the ECS Task Role used to run the tasks (! this is not the same role used by the extension).

Specify the ARN of the role created in step 1 in the Resource section.

```json{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Effect": "Allow",

            "Action": [

                "ssm:AddTagsToResource",

                "ssm:CreateActivation"

            ],

            "Resource": "*"

        },

        {

            "Sid": "Statement2",

            "Effect": "Allow",

            "Action": [

                "iam:PassRole"

            ],

            "Resource": ""

        }

    ]

}

```

## 3. Add the SSM agent container to your ECS Task Definition

Add the ss-agent container to your ECS Task Definition.

Specify the ARN of the role created in step 1 for the `MANAGED_INSTANCE_ROLE_NAME` environment variable section.

[Readable version of the script executed by this container](https://docs.aws.amazon.com/fis/latest/userguide/ecs-task-actions.html#ecs-task-reference)

```json

{

    "name": "amazon-ssm-agent",

    "image": "public.ecr.aws/amazon-ssm-agent/amazon-ssm-agent:latest",

    "cpu": 0,

    "links": [],

    "portMappings": [],

    "essential": false,

    "entryPoint": [],

    "command": [

        "/bin/bash",

        "-c",

        "set -e; yum upgrade -y; yum install jq procps awscli -y; term_handler() { echo \"Deleting SSM activation $ACTIVATION_ID\"; if ! aws ssm delete-activation --activation-id $ACTIVATION_ID --region $ECS_TASK_REGION; then echo \"SSM activation $ACTIVATION_ID failed to be deleted\" 1>&2; fi; MANAGED_INSTANCE_ID=$(jq -e -r .ManagedInstanceID /var/lib/amazon/ssm/registration); echo \"Deregistering SSM Managed Instance $MANAGED_INSTANCE_ID\"; if ! aws ssm deregister-managed-instance --instance-id $MANAGED_INSTANCE_ID --region $ECS_TASK_REGION; then echo \"SSM Managed Instance $MANAGED_INSTANCE_ID failed to be deregistered\" 1>&2; fi; kill -SIGTERM $SSM_AGENT_PID; }; trap term_handler SIGTERM SIGINT; if [[ -z $MANAGED_INSTANCE_ROLE_NAME ]]; then echo \"Environment variable MANAGED_INSTANCE_ROLE_NAME not set, exiting\" 1>&2; exit 1; fi; if ! ps ax | grep amazon-ssm-agent | grep -v grep > /dev/null; then if [[ -n $ECS_CONTAINER_METADATA_URI_V4 ]] ; then echo \"Found ECS Container Metadata, running activation with metadata\"; TASK_METADATA=$(curl \"${ECS_CONTAINER_METADATA_URI_V4}/task\"); ECS_TASK_AVAILABILITY_ZONE=$(echo $TASK_METADATA | jq -e -r '.AvailabilityZone'); ECS_TASK_ARN=$(echo $TASK_METADATA | jq -e -r '.TaskARN'); ECS_TASK_REGION=$(echo $ECS_TASK_AVAILABILITY_ZONE | sed 's/.$//'); ECS_TASK_AVAILABILITY_ZONE_REGEX='^(af|ap|ca|cn|eu|me|sa|us|us-gov)-(central|north|(north(east|west))|south|south(east|west)|east|west)-[0-9]{1}[a-z]{1}$'; if ! [[ $ECS_TASK_AVAILABILITY_ZONE =~ $ECS_TASK_AVAILABILITY_ZONE_REGEX ]]; then echo \"Error extracting Availability Zone from ECS Container Metadata, exiting\" 1>&2; exit 1; fi; ECS_TASK_ARN_REGEX='^arn:(aws|aws-cn|aws-us-gov):ecs:[a-z0-9-]+:[0-9]{12}:task/[a-zA-Z0-9_-]+/[a-zA-Z0-9]+$'; if ! [[ $ECS_TASK_ARN =~ $ECS_TASK_ARN_REGEX ]]; then echo \"Error extracting Task ARN from ECS Container Metadata, exiting\" 1>&2; exit 1; fi; CREATE_ACTIVATION_OUTPUT=$(aws ssm create-activation --iam-role $MANAGED_INSTANCE_ROLE_NAME --tags Key=ECS_TASK_AVAILABILITY_ZONE,Value=$ECS_TASK_AVAILABILITY_ZONE Key=ECS_TASK_ARN,Value=$ECS_TASK_ARN Key=FAULT_INJECTION_SIDECAR,Value=true --region $ECS_TASK_REGION); ACTIVATION_CODE=$(echo $CREATE_ACTIVATION_OUTPUT | jq -e -r .ActivationCode); ACTIVATION_ID=$(echo $CREATE_ACTIVATION_OUTPUT | jq -e -r .ActivationId); if ! amazon-ssm-agent -register -code $ACTIVATION_CODE -id $ACTIVATION_ID -region $ECS_TASK_REGION; then echo \"Failed to register with AWS Systems Manager (SSM), exiting\" 1>&2; exit 1; fi; amazon-ssm-agent & SSM_AGENT_PID=$!; wait $SSM_AGENT_PID; else echo \"ECS Container Metadata not found, exiting\" 1>&2; exit 1; fi; else echo \"SSM agent is already running, exiting\" 1>&2; exit 1; fi"

    ],

    "environment": [

        {

            "name": "MANAGED_INSTANCE_ROLE_NAME",

            "value": ""

        }

    ],

    "environmentFiles": [],

    "mountPoints": [],

    "volumesFrom": [],

    "secrets": [],

    "dnsServers": [],

    "dnsSearchDomains": [],

    "extraHosts": [],

    "dockerSecurityOptions": [],

    "dockerLabels": {},

    "ulimits": [],

    "logConfiguration": {},

    "systemControls": []

}

```