From 172f4b2681e3d5aad5cfc416f47c6f7d52ea8c86 Mon Sep 17 00:00:00 2001
From: Alex Gray
Date: Wed, 15 Apr 2020 15:19:44 -0400
Subject: [PATCH 1/2] Only check latest version of task definition
---
checks/check_extra768 | 7 ++++--
.../get_latest_ecs_task_definition_version.py | 23 +++++++++++++++++++
2 files changed, 28 insertions(+), 2 deletions(-)
create mode 100644 checks/get_latest_ecs_task_definition_version.py
diff --git a/checks/check_extra768 b/checks/check_extra768
index b357c72e..94089008 100644
--- a/checks/check_extra768
+++ b/checks/check_extra768
@@ -23,10 +23,13 @@ extra768(){
 # this folder is deleted once this check is finished
 mkdir $SECRETS_TEMP_FOLDER
 fi
-
+ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 textInfo "Looking for secrets in ECS task definitions' environment variables across all regions... "
 for regx in $REGIONS; do
- LIST_OF_TASK_DEFINITIONS=$($AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx --query taskDefinitionArns[*] --output text)
+ # Get a list of ALL Task Definitions:
+ $AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx | jq -r .taskDefinitionArns[] > ALL_TASK_DEFINITIONS.txt
+ # Filter it down to ONLY the latest version of that task definition:
+ LIST_OF_TASK_DEFINITIONS=$(python ${DIR}/get_latest_ecs_task_definition_version.py -f ALL_TASK_DEFINITIONS.txt)
 if [[ $LIST_OF_TASK_DEFINITIONS ]]; then
 for taskDefinition in $LIST_OF_TASK_DEFINITIONS;do
 IFS='/' read -r -a splitArn <<< "$taskDefinition"
diff --git a/checks/get_latest_ecs_task_definition_version.py b/checks/get_latest_ecs_task_definition_version.py
new file mode 100644
index 00000000..d096d6fb
--- /dev/null
+++ b/checks/get_latest_ecs_task_definition_version.py
@@ -0,0 +1,23 @@
+import argparse
+
+def parseArgs():
+ parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+ parser.add_argument('-f', help='file containing list of ecs task definitions', required=True)
+ args = parser.parse_args()
+ return args
+
+
+if __name__ == '__main__':
+ args = parseArgs()
+ family = {}
+ with open(args.f, 'r') as fd:
+ for line in fd:
+ l = line.strip()
+ family_name = l[:l.rfind(':')]
+ version_int = int(l[l.rfind(':') + 1:])
+ if family_name not in family:
+ family[family_name] = version_int
+ if family[family_name] < version_int:
+ family[family_name] = version_int
+ for family, version in family.items():
+ print('{}:{}'.format(family, version))
From 5b8370179a136c8a44a905e5f2916e9daf599b69 Mon Sep 17 00:00:00 2001
From: Alex Gray
Date: Mon, 20 Apr 2020 09:15:15 -0400
Subject: [PATCH 2/2] Get the list of families and then get latest task definition
---
checks/check_extra768 | 22 +++++++++++-----------
.../get_latest_ecs_task_definition_version.py | 23 -------------------
2 files changed, 11 insertions(+), 34 deletions(-)
delete mode 100644 checks/get_latest_ecs_task_definition_version.py
diff --git a/checks/check_extra768 b/checks/check_extra768
index 94089008..591983af 100644
--- a/checks/check_extra768
+++ b/checks/check_extra768
@@ -23,22 +23,22 @@ extra768(){
 # this folder is deleted once this check is finished
 mkdir $SECRETS_TEMP_FOLDER
 fi
- DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 textInfo "Looking for secrets in ECS task definitions' environment variables across all regions... "
 for regx in $REGIONS; do
- # Get a list of ALL Task Definitions:
- $AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx | jq -r .taskDefinitionArns[] > ALL_TASK_DEFINITIONS.txt
- # Filter it down to ONLY the latest version of that task definition:
- LIST_OF_TASK_DEFINITIONS=$(python ${DIR}/get_latest_ecs_task_definition_version.py -f ALL_TASK_DEFINITIONS.txt)
- if [[ $LIST_OF_TASK_DEFINITIONS ]]; then
- for taskDefinition in $LIST_OF_TASK_DEFINITIONS;do
- IFS='/' read -r -a splitArn <<< "$taskDefinition"
+ # Get a list of all families first:
+ FAMILIES=$($AWSCLI ecs list-task-definition-families $PROFILE_OPT --region $regx --status ACTIVE | jq -r .families[])
+ if [[ $FAMILIES ]]; then
+ for FAMILY in $FAMILIES;do
+ # Get the full task definition arn:
+ TASK_DEFINITION_TEMP=$($AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx --family-prefix $FAMILY --sort DESC --max-items 1 | jq -r .taskDefinitionArns[0])
+ # We only care about the task definition name:
+ IFS='/' read -r -a splitArn <<< "$TASK_DEFINITION_TEMP"
 TASK_DEFINITION=${splitArn[1]}
 TASK_DEFINITION_ENV_VARIABLES_FILE="$SECRETS_TEMP_FOLDER/extra768-$TASK_DEFINITION-$regx-variables.txt"
- TASK_DEFINITION_ENV_VARIABLES=$($AWSCLI ecs $PROFILE_OPT --region $regx describe-task-definition --task-definition $taskDefinition --query 'taskDefinition.containerDefinitions[*].environment' --output text > $TASK_DEFINITION_ENV_VARIABLES_FILE)
+ TASK_DEFINITION_ENV_VARIABLES=$($AWSCLI ecs $PROFILE_OPT --region $regx describe-task-definition --task-definition $TASK_DEFINITION --query 'taskDefinition.containerDefinitions[*].environment' --output text > $TASK_DEFINITION_ENV_VARIABLES_FILE)
 if [ -s $TASK_DEFINITION_ENV_VARIABLES_FILE ];then
- # Implementation using https://github.com/Yelp/detect-secrets
- FINDINGS=$(secretsDetector file $TASK_DEFINITION_ENV_VARIABLES_FILE)
+ # Implementation using https://github.com/Yelp/detect-secrets
+ FINDINGS=$(secretsDetector file $TASK_DEFINITION_ENV_VARIABLES_FILE)
 if [[ $FINDINGS -eq 0 ]]; then
 textPass "$regx: No secrets found in ECS task definition $TASK_DEFINITION variables" "$regx"
 # delete file if nothing interesting is there
diff --git a/checks/get_latest_ecs_task_definition_version.py b/checks/get_latest_ecs_task_definition_version.py
deleted file mode 100644
index d096d6fb..00000000
--- a/checks/get_latest_ecs_task_definition_version.py
+++ /dev/null
@@ -1,23 +0,0 @@
-import argparse
-
-def parseArgs():
- parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter)
- parser.add_argument('-f', help='file containing list of ecs task definitions', required=True)
- args = parser.parse_args()
- return args
-
-
-if __name__ == '__main__':
- args = parseArgs()
- family = {}
- with open(args.f, 'r') as fd:
- for line in fd:
- l = line.strip()
- family_name = l[:l.rfind(':')]
- version_int = int(l[l.rfind(':') + 1:])
- if family_name not in family:
- family[family_name] = version_int
- if family[family_name] < version_int:
- family[family_name] = version_int
- for family, version in family.items():
- print('{}:{}'.format(family, version))
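Review bot: The new `list-task-definitions --family-prefix $FAMILY --sort DESC --max-items 1` line can select a revision from the wrong family: the parameter is named as a prefix, and if `$FAMILY` is `web` and a family `web-canary` also exists, the DESC sort puts `web-canary`'s newest ARN first, so `web`'s latest revision is never scanned and `web-canary` is scanned twice (the CLI docs are ambiguous on whether this is a prefix or an exact match, so this is worth confirming against a real account). A form that does not depend on that behaviour is `TASK_DEFINITION_TEMP=$($AWSCLI ecs describe-task-definition $PROFILE_OPT --region $regx --task-definition "$FAMILY" --query taskDefinition.taskDefinitionArn --output text)`, since describing by bare family name returns the latest ACTIVE revision directly. The `FAMILIES=` line introduces a new API call that needs `ecs:ListTaskDefinitionFamilies` in the scanning role (I can't see the policy from here), and as far as this hunk shows a denied or failed call leaves `$FAMILIES` empty so the whole region is skipped with no textFail or textInfo, which turns a permission error into a clean-looking result for a secrets check. The narrowed scope also deserves a comment next to `FAMILIES=`, e.g. `# NOTE: only the newest ACTIVE revision of each family is scanned; older revisions still referenced by running services are not covered.` The extra768 function starts and ends outside this hunk.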