AWS code-library documentation change
Summary
Added multiple code examples demonstrating AWS service integrations including ECS, Lambda, API Gateway, EKS, MSK, OpenSearch, SageMaker, Config, WAF, Secrets Manager, IoT Core, FIS, and Systems Manager. Each example includes setup, deployment, and cleanup steps with security configurations like IAM roles and security groups.
Security assessment
The changes add documentation for security best practices (IAM roles, security groups, encryption) and security services (WAF, Secrets Manager), but there's no evidence of addressing specific security vulnerabilities. The examples demonstrate standard security configurations rather than patching issues.
Diff
diff --git a/code-library/latest/ug/bash_2_sts_code_examples.md b/code-library/latest/ug/bash_2_sts_code_examples.md index fd66bec12..dbb3c2eeb 100644 --- a//code-library/latest/ug/bash_2_sts_code_examples.md +++ b//code-library/latest/ug/bash_2_sts_code_examples.md @@ -7 +7 @@ -Actions +ActionsScenarios @@ -16,0 +17,2 @@ _Actions_ are code excerpts from larger programs and must be run in context. Whi +_Scenarios_ are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. + @@ -22,0 +25,2 @@ Each example includes a link to the complete source code, where you can find ins + * Scenarios + @@ -129,0 +134,9294 @@ There's more on GitHub. Find the complete example and learn how to set up and ru +## Scenarios + +The following code example shows how to: + + * Create the VPC infrastructure + + * Set up logging + + * Create the ECS cluster + + * Configure IAM roles + + * Create the service with Service Connect + + * Verify the deployment + + * Clean up resources + + + + +**AWS CLI with Bash script** + + +###### Note + +There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/085-amazon-ecs-service-connect) repository. + + + #!/bin/bash + + # ECS Service Connect Tutorial Script v4 - Modified to use Default VPC + # This script creates an ECS cluster with Service Connect and deploys an nginx service + # Uses the default VPC to avoid VPC limits + + set -e # Exit on any error + + # Configuration + SCRIPT_NAME="ECS Service Connect Tutorial" + LOG_FILE="ecs-service-connect-tutorial-v4-default-vpc.log" + REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}} + if [ -z "$REGION" ]; then + echo "ERROR: No AWS region configured." + echo "Set one with: aws configure set region us-east-1" + exit 1 + fi + ENV_PREFIX="tutorial" + CLUSTER_NAME="${ENV_PREFIX}-cluster" + NAMESPACE_NAME="service-connect" + + # Generate random suffix for unique resource names + RANDOM_SUFFIX=$(openssl rand -hex 6) + + # Arrays to track created resources for cleanup + declare -a CREATED_RESOURCES=() + + # Logging function + log() { + echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" + } + + # Error handling function + handle_error() { + log "ERROR: Script failed at line $1" + log "Attempting to clean up resources..." + cleanup_resources + exit 1 + } + + # Set up error handling + trap 'handle_error $LINENO' ERR + + # Function to add resource to tracking array + track_resource() { + CREATED_RESOURCES+=("$1") + log "Tracking resource: $1" + } + + # Function to check if command output contains actual errors + check_for_errors() { + local output="$1" + local command_name="$2" + + # Check for specific AWS CLI error patterns, not just any occurrence of "error" + if echo "$output" | grep -qi "An error occurred\|InvalidParameterException\|AccessDenied\|ValidationException\|ResourceNotFoundException"; then + log "ERROR in $command_name: $output" + return 1 + fi + return 0 + } + + # Function to get AWS account ID + get_account_id() { + ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) + log "Using AWS Account ID: $ACCOUNT_ID" + } + + # Function to wait for resources to be ready + wait_for_resource() { + local resource_type="$1" + local resource_id="$2" + + case "$resource_type" in + "cluster") + log "Waiting for cluster $resource_id to be active..." + local attempt=1 + local max_attempts=30 + while [ $attempt -le $max_attempts ]; do + local status=$(aws ecs describe-clusters --clusters "$resource_id" --query 'clusters[0].status' --output text) + if [ "$status" = "ACTIVE" ]; then + log "Cluster is now active" + return 0 + fi + log "Cluster status: $status (attempt $attempt/$max_attempts)" + sleep 10 + ((attempt++)) + done + log "ERROR: Cluster did not become active within expected time" + return 1 + ;; + "service") + log "Waiting for service $resource_id to be stable..." + aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" + ;; + "nat-gateway") + log "Waiting for NAT Gateway $resource_id to be available..." + aws ec2 wait nat-gateway-available --nat-gateway-ids "$resource_id" + ;; + esac + } + + # Function to use default VPC infrastructure + setup_default_vpc_infrastructure() { + log "Using default VPC infrastructure..." + + # Get default VPC + VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[0].VpcId' --output text) + if [[ "$VPC_ID" == "None" || -z "$VPC_ID" ]]; then + log "ERROR: No default VPC found. Please create a default VPC first." + exit 1 + fi + log "Using default VPC: $VPC_ID" + + # Get default subnets + SUBNETS=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" "Name=default-for-az,Values=true" --query 'Subnets[].SubnetId' --output text) + SUBNET_ARRAY=($SUBNETS) + + if [ ${#SUBNET_ARRAY[@]} -lt 2 ]; then + log "ERROR: Need at least 2 subnets for ECS Service Connect. Found: ${#SUBNET_ARRAY[@]}" + exit 1 + fi + + PUBLIC_SUBNET1=${SUBNET_ARRAY[0]} + PUBLIC_SUBNET2=${SUBNET_ARRAY[1]} + + log "Using subnets: $PUBLIC_SUBNET1, $PUBLIC_SUBNET2" + + # Create security group for ECS tasks + SG_OUTPUT=$(aws ec2 create-security-group \ + --group-name "${ENV_PREFIX}-ecs-sg-${RANDOM_SUFFIX}" \ + --description "Security group for ECS Service Connect tutorial" \ + --vpc-id "$VPC_ID" 2>&1) + check_for_errors "$SG_OUTPUT" "create-security-group" + SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*"' | cut -d'"' -f4) + track_resource "SG:$SECURITY_GROUP_ID" + log "Created security group: $SECURITY_GROUP_ID" + + # Add inbound rules to security group + aws ec2 authorize-security-group-ingress \ + --group-id "$SECURITY_GROUP_ID" \ + --protocol tcp \ + --port 80 \ + --cidr 0.0.0.0/0 >/dev/null 2>&1 || true + + aws ec2 authorize-security-group-ingress \ + --group-id "$SECURITY_GROUP_ID" \ + --protocol tcp \ + --port 443 \ + --cidr 0.0.0.0/0 >/dev/null 2>&1 || true + + log "Default VPC infrastructure setup completed" + } + + # Function to create CloudWatch log groups + create_log_groups() { + log "Creating CloudWatch log groups..."