Get the list of families and then get latest task definition

checks/check_extra768

@@ -23,22 +23,22 @@ extra768(){
     # this folder is deleted once this check is finished
     mkdir $SECRETS_TEMP_FOLDER
   fi
-  DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
   textInfo "Looking for secrets in ECS task definitions' environment variables across all regions... "
   for regx in $REGIONS; do
-    # Get a list of ALL Task Definitions:
+    # Get a list of all families first:
-    $AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx | jq -r .taskDefinitionArns[] > ALL_TASK_DEFINITIONS.txt
+    FAMILIES=$($AWSCLI ecs list-task-definition-families $PROFILE_OPT --region $regx --status ACTIVE | jq -r .families[])
-    # Filter it down to ONLY the latest version of that task definition:
+    if [[ $FAMILIES ]]; then
-    LIST_OF_TASK_DEFINITIONS=$(python ${DIR}/get_latest_ecs_task_definition_version.py -f ALL_TASK_DEFINITIONS.txt)
+      for FAMILY in $FAMILIES;do
-    if [[ $LIST_OF_TASK_DEFINITIONS ]]; then
+        # Get the full task definition arn:
-      for taskDefinition in $LIST_OF_TASK_DEFINITIONS;do
+        TASK_DEFINITION_TEMP=$($AWSCLI ecs list-task-definitions $PROFILE_OPT --region $regx --family-prefix $FAMILY --sort DESC --max-items 1 | jq -r .taskDefinitionArns[0])
-        IFS='/' read -r -a splitArn <<< "$taskDefinition"
+        # We only care about the task definition name:
+        IFS='/' read -r -a splitArn <<< "$TASK_DEFINITION_TEMP"
         TASK_DEFINITION=${splitArn[1]}
         TASK_DEFINITION_ENV_VARIABLES_FILE="$SECRETS_TEMP_FOLDER/extra768-$TASK_DEFINITION-$regx-variables.txt"
-        TASK_DEFINITION_ENV_VARIABLES=$($AWSCLI ecs $PROFILE_OPT --region $regx describe-task-definition --task-definition $taskDefinition --query 'taskDefinition.containerDefinitions[*].environment' --output text > $TASK_DEFINITION_ENV_VARIABLES_FILE)
+        TASK_DEFINITION_ENV_VARIABLES=$($AWSCLI ecs $PROFILE_OPT --region $regx describe-task-definition --task-definition $TASK_DEFINITION --query 'taskDefinition.containerDefinitions[*].environment' --output text > $TASK_DEFINITION_ENV_VARIABLES_FILE)
         if [ -s $TASK_DEFINITION_ENV_VARIABLES_FILE ];then
-        # Implementation using https://github.com/Yelp/detect-secrets
+          # Implementation using https://github.com/Yelp/detect-secrets
-        FINDINGS=$(secretsDetector file $TASK_DEFINITION_ENV_VARIABLES_FILE)
+          FINDINGS=$(secretsDetector file $TASK_DEFINITION_ENV_VARIABLES_FILE)
           if [[ $FINDINGS -eq 0 ]]; then
             textPass "$regx: No secrets found in ECS task definition $TASK_DEFINITION variables" "$regx"
             # delete file if nothing interesting is there

checks/get_latest_ecs_task_definition_version.py

@@ -1,23 +0,0 @@
-import argparse
-
-def parseArgs():
-    parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter)
-    parser.add_argument('-f', help='file containing list of ecs task definitions', required=True)
-    args = parser.parse_args()
-    return args
-
-
-if __name__ == '__main__':
-    args = parseArgs()
-    family = {}
-    with open(args.f, 'r') as fd:
-        for line in fd:
-            l = line.strip()
-            family_name = l[:l.rfind(':')]
-            version_int = int(l[l.rfind(':') + 1:])
-            if family_name not in family:
-                family[family_name] = version_int
-            if family[family_name] < version_int:
-                family[family_name] = version_int
-    for family, version in family.items():
-        print('{}:{}'.format(family, version))