add ecs_run.rb

Author: leonid-shevtsov

Gemfile

@@ -1,3 +1,5 @@
 source 'https://rubygems.org'
 
 gem 'aws-sdk-ssm'
+gem 'aws-sdk-ecs'
+gem 'aws-sdk-cloudwatchlogs'

Gemfile.lock

@@ -3,11 +3,17 @@ GEM
   specs:
     aws-eventstream (1.1.0)
     aws-partitions (1.344.0)
+    aws-sdk-cloudwatchlogs (1.34.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
     aws-sdk-core (3.104.2)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
+    aws-sdk-ecs (1.67.0)
+      aws-sdk-core (~> 3, >= 3.99.0)
+      aws-sigv4 (~> 1.1)
     aws-sdk-ssm (1.84.0)
       aws-sdk-core (~> 3, >= 3.99.0)
       aws-sigv4 (~> 1.1)
@@ -19,6 +25,8 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  aws-sdk-cloudwatchlogs
+  aws-sdk-ecs
   aws-sdk-ssm
 
 BUNDLED WITH

README.md

@@ -1,4 +1,8 @@
-# ssm-param-tool
+# aws-ecs-tools
+
+A collection of Ruby scripts that make it easier to work with ECS from the command line.
+
+## param_tool.rb
 
 A tool to sync up AWS Systems Manager Parameter Store with a local YAML file.
 
@@ -11,19 +15,19 @@ Usage: param_tool.rb [options] (down|up)
     -d, --dry-run                    Do not apply changes
 ```
 
-## Download params
+### Download params
 
-```
+```sh
 param_tool.rb --prefix /staging/myapp down >params.yml
 ```
 
 - secure (encrypted) param values are replaced with `SECURE` - NOT decrypted.
 - secure param keys are suffixed with '!'
 - param tree is unwrapped into a hash
 
-## Upload params
+### Upload params
 
-```
+```sh
 param_tool.rb --prefix /staging/myapp up <params.yml
 
 # specify a key to do the encryption:
@@ -40,15 +44,15 @@ param_tool.rb --dry-run --prefix /staging/myapp up <params.yml
 - to make a param secure, add a `!` suffix to the key name - note that the '!' character itself will be stripped from the key name in Parameter Store
 - params with a value of `DELETE` are deleted from parameter store
 
-## Workflow concept
+### Workflow concept
 
 - create a YAML file with the params you need; you can reuse the same file for a file-based Global backend.
 - upload it to staging
 - upload it to prod
 - download params from staging, update, and send to prod
 - commit param set as reference (make sure that sensitive params are secured, and thus not committed)
 
-## Sample params.yml
+### Sample params.yml
 
 ```yaml
 ---
@@ -66,3 +70,62 @@ heroku:
      "useful": "for SSH keys"
     }
 ```
+
+## ecs_run.rb
+
+Run a script on an ECS service
+
+```sh
+Usage: ecs_run.rb [options] [command or STDIN]
+    -c, --cluster=CLUSTER            Cluster name
+    -s, --service=SERVICE            Service name
+    -w, --watch                      Watch output
+    -r, --ruby                       Run input as Ruby code with Rails runner (instead of shell command)
+```
+
+### Specify target
+
+Cluster and service are required params. Besides them, you'll need to set the region through environment variables.
+
+### Providing input
+
+There are three ways to provide input:
+
+- as a final argument to the command - make sure to quote it properly
+
+  ```sh
+  ecs_run.rb -c app -s app 'rake -T'
+  ```
+
+- from a file
+
+  ```sh
+  ecs_run.rb -c app -s app <script.sh
+  ```
+
+- type it in
+
+  ```sh
+  ecs_run.rb -c app -s app
+  Type your command then press Ctrl+D
+  rake -T
+  [Ctrl+D]
+  ```
+
+Note that in all cases you're providing literal code to be evaluated on the ECS service; you can't send files; the rest of the environment is defined by the service.
+
+### Watching output
+
+Normally after you start the task you get an AWS Console link to monitor the task online, and that's it.
+
+But if you specify the `--watch` option, you will see the task status changes and the output logged to the terminal. You will also know when the task has finished.
+
+### Running Ruby code
+
+Besides running shell code, you can also run Ruby code with the Rails runner (only available if `bundle` and a Rails app are present in your service's docker image.)
+
+```sh
+ecs_run.rb -c app -s app --ruby 'p User.first'
+```
+
+This way you get Rails log output, but note that, unlike a Rails console, you don't see command evaluation results by default - you need to print it explicitly.

ecs_run.rb

@@ -0,0 +1,129 @@
+#!/bin/env ruby
+
+require 'aws-sdk-ecs'
+require 'aws-sdk-cloudwatchlogs'
+require 'optparse'
+require 'shellwords'
+
+config = {}
+OptionParser.new do |opts|
+  opts.banner = 'Usage: ecs_run.rb [options] [command or STDIN]'
+
+  opts.on('-c', '--cluster=CLUSTER', 'Cluster name') do |c|
+    config[:cluster] = c
+  end
+
+  opts.on('-s', '--service=SERVICE', 'Service name') do |s|
+    config[:service] = s
+  end
+
+  opts.on('-w', '--watch', 'Watch output') do |s|
+    config[:watch] = true
+  end
+
+  opts.on('-r', '--ruby', 'Run input as Ruby code with Rails runner (instead of shell command)') do |r|
+    config[:ruby] = true
+  end
+end.parse!
+raise OptionParser::MissingArgument, 'cluster' if config[:cluster].nil?
+raise OptionParser::MissingArgument, 'service' if config[:service].nil?
+
+command = ARGV[0]
+unless command
+  puts 'Type your command then press Ctrl+D' if STDIN.tty?
+  puts 'Note - Ruby evaluation result is NOT automatically printed, use `p`' if config[:ruby]
+  puts
+  command = STDIN.read
+  puts
+end
+command = "bundle exec rails runner #{command.shellescape}" if config[:ruby]
+
+client = Aws::ECS::Client.new
+
+resp = client.describe_services(
+  cluster: config[:cluster],
+  services: [
+    config[:service]
+  ]
+)
+service = resp.services[0]
+
+task_definition = client.describe_task_definition(task_definition: service.task_definition).task_definition
+
+if task_definition.container_definitions.length > 1
+  raise 'Running in tasks with more than one container is not yet supported'
+end
+
+container_name = task_definition.container_definitions.first.name
+
+vpc_config = service.deployments[0].network_configuration.awsvpc_configuration
+
+subnet = vpc_config.subnets[0]
+security_group = vpc_config.security_groups[0]
+
+task_response = client.run_task(
+  cluster: config[:cluster],
+  task_definition: service.task_definition,
+  launch_type: 'FARGATE',
+  overrides: {
+    container_overrides: [
+      {
+        name: container_name,
+        command: ['sh', '-c', command]
+      }
+    ]
+  },
+  network_configuration: {
+    awsvpc_configuration: {
+      subnets: [subnet],
+      security_groups: [security_group]
+    }
+  }
+)
+
+task_arn = task_response.tasks[0].task_arn
+task_arn_parts = task_arn.split(':')
+task_region = task_arn_parts[3]
+task_id = task_arn_parts[5].split('/').last
+
+puts "Task started. See it online at https://#{task_region}.console.aws.amazon.com/ecs/home?region=#{task_region}#/clusters/#{config[:cluster]}/tasks/#{task_id}/details"
+
+exit unless config[:watch]
+
+puts 'Watching task. Note - Ctrl+C will stop watching, but will NOT stop the task!'
+last_notified_status = ''
+
+log_configuration = task_definition.container_definitions.first.log_configuration
+log_client = nil
+log_stream_name = nil
+log_token = nil
+if log_configuration.log_driver == 'awslogs'
+  log_client = Aws::CloudWatchLogs::Client.new
+  log_stream_name = "#{log_configuration.options['awslogs-stream-prefix']}/#{container_name}/#{task_id}"
+  log_token = nil
+else
+  puts 'Use `awslogs` log adapter to see the task output.'
+end
+
+loop do
+  task_status = client.describe_tasks(cluster: config[:cluster], tasks: [task_id]).tasks[0].last_status
+  if task_status != last_notified_status
+    puts "[#{Time.now}] Task status changed to #{task_status}"
+    last_notified_status = task_status
+    break if task_status == 'STOPPED'
+  end
+
+  if log_client && %w[RUNNING DEPROVISIONING].include?(task_status)
+    events_resp = log_client.get_log_events(
+      log_group_name: log_configuration.options['awslogs-group'],
+      log_stream_name: log_stream_name,
+      start_from_head: true,
+      next_token: log_token
+    )
+    events_resp.events.each do |event|
+      puts "[#{Time.at(event.timestamp / 1000)}] #{event.message}"
+    end
+    log_token = events_resp.next_forward_token
+  end
+  sleep 1
+end

param_tool.rb

@@ -1,3 +1,5 @@
+#!/bin/env ruby
+
 require 'yaml'
 require 'aws-sdk-ssm'
 require 'optparse'