Use SSM targets instead of doing our own lookups#26
Merged
sendqueery merged 12 commits intov1from Aug 4, 2020
Merged
Conversation
Collaborator
|
Is there no way to do a dry-run with this new method? Dry run was originally supported in mco via --noop and was a blocker for some users to adopt If you can't get a list of instances that would execute a command (based on account and region) maybe it's possible to execute a noop command (e.g. |
Collaborator
Author
|
Yeah, the only way to do a dry run would be via running a noop of some sort. Since we can't guarantee what noop commands will be available on a target instance, I'd rather just document this approach instead of hard-coding it in. |
Collaborator
|
So long as |
JordanFaust
reviewed
Jul 21, 2020
JordanFaust
reviewed
Jul 23, 2020
JordanFaust
reviewed
Jul 23, 2020
JordanFaust
reviewed
Jul 23, 2020
JordanFaust
reviewed
Jul 23, 2020
sendqueery
force-pushed
the
use-ssm-targets
branch
from
d02cf34 to
f51e92d
Compare
jschell12
approved these changes
Aug 4, 2020
sendqueery
added a commit
that referenced
this pull request
Sep 3, 2020
* Update ssm-run to rely on SSM for targeting * Update gomod * Update RunInvocations() to use mockable SSM client * Clean up logging * Clean up flag validation * Change instances of "ctx" to "client" * Fix profile validity check * Temporary change: remove --dry-run flag from run command * Temporary change: update session command to make things build
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The original design of ssm-run involved starting an invocation per instance targeted, allowing for what I'd call a "shotgun" approach. Unfortunately, at scale, you start to run into API rate limit issues due to the sheer volume of calls. For any given instance, we had to make an API call each time we:
This might not sound like a ton, but the relevant SSM APIs have relatively low rate limits, resulting in our invocations behaving inconsistently at best. After talking with the AWS SSM team, we were able to validate the expected behavior for things like instances running OSes incompatible with a given document and concurrency settings.
Going forward, we're offloading much of the work to the SSM side of things. We're letting SSM validate targets on its own, which means lots of conditionals that we don't have to check. We're also going to check the status of the top-level invocation itself instead of querying on a per invocation ID + instance ID basis.
The downside of this approach is primarily that visibility into the status of an invocation is reduced. SSM doesn't return information on how many instances an invocation targets unless you specify their instance IDs. Because of the new method, we instead look at the status of the parent invocation, and only fetch the status/output of individual invocations when it's complete.
EDIT: Yes, this is missing tests. I'm workin' on it.