Support ECS Exec at ADC Regions (#368)

* Add support for specifying DNS suffixes in AMI builds * Remove air-gapped region check and early exit --------- Co-authored-by: Prateek Chaudhry <prateek.chaudhry@gmail.com> Co-authored-by: Thean Lim <theanlim@amazon.com>
aws · Jan 15, 2025 · 588d5d9 · 588d5d9
1 parent cb9e8f9
commit 588d5d9
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 15 deletions.
diff --git a/al2.pkr.hcl b/al2.pkr.hcl
@@ -178,7 +178,8 @@ build {
     environment_vars = [
       "REGION=${var.region}",
       "EXEC_SSM_VERSION=${var.exec_ssm_version}",
-      "AIR_GAPPED=${var.air_gapped}"
+      "AIR_GAPPED=${var.air_gapped}",
+      "REGION_DNS_SUFFIX=${var.region_dns_suffix}"
     ]
   }
 

diff --git a/al2023.pkr.hcl b/al2023.pkr.hcl
@@ -148,7 +148,8 @@ build {
     environment_vars = [
       "REGION=${var.region}",
       "EXEC_SSM_VERSION=${var.exec_ssm_version}",
-      "AIR_GAPPED=${var.air_gapped}"
+      "AIR_GAPPED=${var.air_gapped}",
+      "REGION_DNS_SUFFIX=${var.region_dns_suffix}"
     ]
   }
 

diff --git a/scripts/install-exec-dependencies.sh b/scripts/install-exec-dependencies.sh
@@ -1,20 +1,34 @@
 #!/usr/bin/env bash
 set -ex
 
-if [ -n "$AIR_GAPPED" ]; then
-    echo "Air-gapped region, exec feature is not supported"
-    exit 0
-fi
+# Returns AWS DNS suffix from $REGION_DNS_SUFFIX if set, errors if no dns suffix set for air-gapped regions.
+# Defaults to amazonaws.com[.cn]
+get_dns_suffix() {
+    # If $REGION_DNS_SUFFIX is assigned and non-empty, use that
+    if [ -n "$REGION_DNS_SUFFIX" ]; then
+        echo >&2 "Using configured DNS suffix: $REGION_DNS_SUFFIX"
+        echo "$REGION_DNS_SUFFIX"
+        return
+    fi
+
+    if [ -n "$AIR_GAPPED" ]; then
+        echo "Air-gapped region, need to set DNS suffix explicitly"
+        exit 1
+    fi
+
+    local host_suffix=""
+    if grep -q "^cn-" <<<"$REGION"; then
+        host_suffix=".cn"
+    fi
+    echo "amazonaws.com${host_suffix}"
+}
+
+DNS_SUFFIX=$(get_dns_suffix)
 
 BINARY_PATH="/var/lib/ecs/deps/execute-command/bin/${EXEC_SSM_VERSION}"
 CERTS_PATH="/var/lib/ecs/deps/execute-command/certs"
 ARCHITECTURE="$(uname -m)"
 
-host_suffix=""
-if grep -q "^cn-" <<<"$REGION"; then
-    host_suffix=".cn"
-fi
-
 # Download ssm agent static binaries in BINARY_PATH
 mkdir -p /tmp/ssm-binaries && cd /tmp/ssm-binaries
 
@@ -23,12 +37,12 @@ gpg --import /tmp/amazon-ssm-agent.gpg
 
 case $ARCHITECTURE in
 'x86_64')
-    curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz
-    curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig" -o amazon-ssm-agent.tar.gz.sig
+    curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.${DNS_SUFFIX}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz
+    curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.${DNS_SUFFIX}/${EXEC_SSM_VERSION}/linux_amd64/amazon-ssm-agent-binaries.tar.gz.sig" -o amazon-ssm-agent.tar.gz.sig
     ;;
 'aarch64')
-    curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_arm64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz
-    curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.amazonaws.com${host_suffix}/${EXEC_SSM_VERSION}/linux_arm64/amazon-ssm-agent-binaries.tar.gz.sig" -o amazon-ssm-agent.tar.gz.sig
+    curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.${DNS_SUFFIX}/${EXEC_SSM_VERSION}/linux_arm64/amazon-ssm-agent-binaries.tar.gz" -o amazon-ssm-agent.tar.gz
+    curl -fLSs "https://amazon-ssm-${REGION}.s3.${REGION}.${DNS_SUFFIX}/${EXEC_SSM_VERSION}/linux_arm64/amazon-ssm-agent-binaries.tar.gz.sig" -o amazon-ssm-agent.tar.gz.sig
     ;;
 esac
 gpg --verify amazon-ssm-agent.tar.gz.sig amazon-ssm-agent.tar.gz

diff --git a/variables.pkr.hcl b/variables.pkr.hcl
@@ -268,3 +268,9 @@ variable "run_tags" {
   description = "Tags to apply to resources (key-pair, SG, IAM, snapshot, interfaces and instance) used when building the AMI."
   default     = {}
 }
+
+variable "region_dns_suffix" {
+  type        = string
+  description = "DNS Suffix to use for in region URLs"
+  default     = ""
+}