From 172f4b2681e3d5aad5cfc416f47c6f7d52ea8c86 Mon Sep 17 00:00:00 2001
From: Alex Gray
Date: Wed, 15 Apr 2020 15:19:44 -0400
Subject: [PATCH] Only check latest version of task definition

---
 checks/check_extra768                         |  7 ++++--
 .../get_latest_ecs_task_definition_version.py | 23 +++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 checks/get_latest_ecs_task_definition_version.py

diff --git a/checks/check_extra768 b/checks/check_extra768
index b357c72e..94089008 100644
--- a/checks/check_extra768
+++ b/checks/check_extra768
@@ -23,10 +23,13 @@ extra768(){
       # this folder is deleted once this check is finished
       mkdir $SECRETS_TEMP_FOLDER
     fi
-
+  DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
   textInfo "Looking for secrets in ECS task definitions' environment variables across all regions... "
   for regx in $REGIONS; do
-    LIST_OF_TASK_DEFINITIONS=$($AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx --query taskDefinitionArns[*] --output text)
+    # Get a list of ALL Task Definitions:
+    $AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx | jq -r .taskDefinitionArns[] > ALL_TASK_DEFINITIONS.txt
+    # Filter it down to ONLY the latest version of that task definition:
+    LIST_OF_TASK_DEFINITIONS=$(python ${DIR}/get_latest_ecs_task_definition_version.py -f ALL_TASK_DEFINITIONS.txt)
     if [[ $LIST_OF_TASK_DEFINITIONS ]]; then
       for taskDefinition in $LIST_OF_TASK_DEFINITIONS;do
         IFS='/' read -r -a splitArn <<< "$taskDefinition"
diff --git a/checks/get_latest_ecs_task_definition_version.py b/checks/get_latest_ecs_task_definition_version.py
new file mode 100644
index 00000000..d096d6fb
--- /dev/null
+++ b/checks/get_latest_ecs_task_definition_version.py
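Review bot: `ALL_TASK_DEFINITIONS.txt` is written with a relative path on the `jq` line, so it lands in whatever directory prowler was launched from rather than in `$SECRETS_TEMP_FOLDER`, which the context lines just above this hunk create and which, per their comment, is deleted when the check finishes; the file is therefore left behind after the run, is overwritten on every region iteration, and would collide between two runs started from the same directory. Either place it under the temp folder, `... | jq -r .taskDefinitionArns[] > "$SECRETS_TEMP_FOLDER/ALL_TASK_DEFINITIONS_${regx}.txt"`, and pass that path to the script with `-f`, or avoid the intermediate file altogether by piping the `jq` output straight into the script with `-f /dev/stdin`. Separately, `jq` and an interpreter reachable as `python` become hard dependencies of this check; if `python` is not on PATH (several distributions ship only `python3`), the `LIST_OF_TASK_DEFINITIONS` assignment presumably ends up empty and the region is skipped without any error being reported, so a guard or a `python3` fallback before the loop would make the failure visible. The `extra768` function begins and ends outside this hunk.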
@@ -0,0 +1,23 @@
+import argparse
+
+def parseArgs():
+    parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+    parser.add_argument('-f', help='file containing list of ecs task definitions', required=True)
+    args = parser.parse_args()
+    return args
+
+
+if __name__ == '__main__':
+    args = parseArgs()
+    family = {}
+    with open(args.f, 'r') as fd:
+        for line in fd:
+            l = line.strip()
+            family_name = l[:l.rfind(':')]
+            version_int = int(l[l.rfind(':') + 1:])
+            if family_name not in family:
+                family[family_name] = version_int
+            if family[family_name] < version_int:
+                family[family_name] = version_int
+    for family, version in family.items():
+        print('{}:{}'.format(family, version))
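Review bot: The `for line in fd` loop assumes every line has the shape `<arn>:<integer>`; on a blank line (a trailing newline, or an input that is not an ARN list because the AWS call failed) `l.rfind(':')` is -1, so `family_name` becomes `l[:-1]` and `int('')` raises ValueError, aborting the script and leaving `LIST_OF_TASK_DEFINITIONS` empty in the calling shell so the whole region is silently skipped. Parse with `str.rpartition`, skip lines that do not end in a numeric revision, and collapse the two `if` statements into one `max()` update, as below. Two points of style: the final `for family, version in family.items()` rebinds the loop variable over the very dict it iterates (it works, but reads like a bug — rename the dict to `latest`), and `parseArgs`/`l` do not follow PEP 8 (`parse_args`; `l` is the ambiguous single-letter name flagged as E741).

```python
    latest = {}
    with open(args.f, 'r') as fd:
        for line in fd:
            arn, sep, revision = line.strip().rpartition(':')
            # skip blank lines and anything that does not end in a numeric revision
            if not sep or not revision.isdigit():
                continue
            latest[arn] = max(latest.get(arn, 0), int(revision))
    for family, version in latest.items():
        print('{}:{}'.format(family, version))
```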