migrator addon vuln service compatibility (#17430)

initial pass after pairing session -- not yet tested but wanted to get
early feedback

Author: edwardsb

terraform/addons/external-vuln-scans/outputs.tf

@@ -3,3 +3,7 @@ output "extra_environment_variables" {
     FLEET_VULNERABILITIES_DISABLE_SCHEDULE  = "true"
   }
 }
+
+output "vuln_service_arn" {
+  value = aws_ecs_service.fleet.id
+}

terraform/addons/migrations/main.tf

@@ -5,6 +5,6 @@ resource "null_resource" "main" {
     task_definition_revision = var.task_definition_revision
   }
   provisioner "local-exec" {
-    command = "/bin/bash ${path.module}/migrate.sh REGION=${data.aws_region.current.name} ECS_CLUSTER=${var.ecs_cluster} TASK_DEFINITION=${var.task_definition} TASK_DEFINITION_REVISION=${var.task_definition_revision} SUBNETS=${jsonencode(var.subnets)} SECURITY_GROUPS=${jsonencode(var.security_groups)} ECS_SERVICE=${var.ecs_service} MIN_CAPACITY=${var.min_capacity} DESIRED_COUNT=${var.desired_count}"
+    command = "/bin/bash ${path.module}/migrate.sh REGION=${data.aws_region.current.name} VULN_SERVICE=${var.vuln_service} ECS_CLUSTER=${var.ecs_cluster} TASK_DEFINITION=${var.task_definition} TASK_DEFINITION_REVISION=${var.task_definition_revision} SUBNETS=${jsonencode(var.subnets)} SECURITY_GROUPS=${jsonencode(var.security_groups)} ECS_SERVICE=${var.ecs_service} MIN_CAPACITY=${var.min_capacity} DESIRED_COUNT=${var.desired_count}"
   }
 }

terraform/addons/migrations/migrate.sh

@@ -3,47 +3,60 @@ set -e
 
 function scale_services(){
 	UP_DOWN="${1:?}"
+	SERVICE_NAME="${2:?}" # Take service name as an argument
+	ADJUST_AUTOSCALING="${3:-}"
+	COUNT="${4:-1}"
+
 	# Set the minimum capacity and desired count in the cluster to 0 to scale down or to the original size to scale back to normal.
 
 	# This is a bit hacky, but the update-service has to happen first when scaling up and second when scaling down.
 	# Assume scaling down unless "up".
 	CAPACITY=0
 	if [ "${UP_DOWN:?}" = "up" ]; then
-		aws ecs update-service --region "${REGION:?}" --cluster "${ECS_CLUSTER:?}" --service "${ECS_SERVICE:?}" --desired-count "${DESIRED_COUNT:?}"
+		aws ecs update-service --region "${REGION:?}" --cluster "${ECS_CLUSTER:?}" --service "${SERVICE_NAME:?}" --desired-count "${COUNT:?}"
 		CAPACITY="${MIN_CAPACITY:?}"
 	fi
-	aws application-autoscaling register-scalable-target --region "${REGION:?}" --service-namespace ecs --resource-id "service/${ECS_CLUSTER:?}/${ECS_SERVICE:?}" --scalable-dimension "ecs:service:DesiredCount" --min-capacity "${CAPACITY:?}"
+
+  if [ -n "${ADJUST_AUTOSCALING}" ]; then
+    aws application-autoscaling register-scalable-target --region "${REGION:?}" --service-namespace ecs --resource-id "service/${ECS_CLUSTER:?}/${SERVICE_NAME:?}" --scalable-dimension "ecs:service:DesiredCount" --min-capacity "${CAPACITY:?}"
+  fi
 	# We are scaling down, make it 0
 	if [ "${UP_DOWN:?}" != "up" ]; then
-		aws ecs update-service --region "${REGION:?}" --cluster "${ECS_CLUSTER:?}" --service "${ECS_SERVICE:?}" --desired-count 0
+		aws ecs update-service --region "${REGION:?}" --cluster "${ECS_CLUSTER:?}" --service "${SERVICE_NAME:?}" --desired-count 0
 	fi
-	# The first task defintion might never get stable because it never had initial migrations so don't wait before continuing
+	# The first task definition might never get stable because it never had initial migrations so don't wait before continuing
 	if [ "${TASK_DEFINITION_REVISION}" != "1" ]; then
 		# Wait for scale-down to succeed
-		aws ecs wait services-stable --region "${REGION:?}" --cluster "${ECS_CLUSTER:?}" --service "${ECS_SERVICE:?}"
+		aws ecs wait services-stable --region "${REGION:?}" --cluster "${ECS_CLUSTER:?}" --services "${SERVICE_NAME:?}"
 	fi
 }
 
 for ARGUMENT in "$@"
 do
    KEY=$(echo $ARGUMENT | cut -f1 -d=)
-
    KEY_LENGTH=${#KEY}
    VALUE="${ARGUMENT:$KEY_LENGTH+1}"
-
    export "$KEY"="$VALUE"
 done
 
-scale_services down
+scale_services down "${ECS_SERVICE:?}" true "${DESIRED_COUNT}"
+
+if [ -n "${VULN_SERVICE}" ]; then
+  scale_services down "${VULN_SERVICE:?}"
+fi
 
 # Call aws ecs run-task
 TASK_ARN="$(aws ecs run-task --region "${REGION:?}" --cluster "${ECS_CLUSTER:?}" --task-definition "${TASK_DEFINITION:?}":"${TASK_DEFINITION_REVISION:?}" --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets="${SUBNETS:?}",securityGroups="${SECURITY_GROUPS:?}"}" --query 'tasks[].taskArn' --overrides '{"containerOverrides": [{"name": "fleet", "command": ["fleet", "prepare", "db"]}]}' --output text | rev | cut -d'/' -f1 | rev)"
 
 # Wait for completion
 aws ecs wait tasks-stopped --region "${REGION:?}" --cluster="${ECS_CLUSTER:?}" --tasks="${TASK_ARN:?}"
 
-scale_services up
+scale_services up "${ECS_SERVICE:?}" true "${DESIRED_COUNT}"
+
+if [ -n "${VULN_SERVICE}" ]; then
+  scale_services up "${VULN_SERVICE:?}"
+fi
 
 # Exit with task's exit code
-TASK_EXIT_CODE=$(aws ecs describe-tasks --region "${REGION:?}" --cluster ${ECS_CLUSTER:?} --tasks ${TASK_ARN:?} --query "tasks[0].containers[?name=='fleet'].exitCode" --output text)
+TASK_EXIT_CODE=$(aws ecs describe-tasks --region "${REGION:?}" --cluster "${ECS_CLUSTER:?}" --tasks "${TASK_ARN:?}" --query "tasks[0].containers[?name=='fleet'].exitCode" --output text)
 exit "${TASK_EXIT_CODE}"

terraform/addons/migrations/variables.tf

@@ -37,3 +37,8 @@ variable "security_groups" {
   type     = list(string)
   nullable = false
 }
+
+variable "vuln_service" {
+  default = ""
+}
+