This goes over the maintenance needs and strategies for this subproject.
The following is an overview of all the areas that may need patches and updates:
- Devcontainer
- (Ubuntu base image is covered by the honeypot subproject)
- cfn-lint version
- cfn-guard version
- Github Workflows
- (Ubuntu runner versions is covered by the honeypot subproject)
- 3rd party action versions
- cfn-lint version
- cfn-guard version
- Version of binaries (e.g. cosign, curl, jq)
- Testing Tools
- Bastion EC2 AMI
- Vendored guard-rules-registry-all-rules.guard file
- This Package's Contents
- PlatformVersion in the ECS Service
- Honeypot container image version (from the other subproject)
By default, the target for each area is
- Be on the latest major version that has been out for a while
with the exceptions being
- cfn-lint (this is continuously updated based on changes to the AWS API, so needs to be at or near the latest version always to be most useful)
- Vendored guard-rules-registry-all-rules.guard file (this receives new security rules with minor releases that are helpful to pick up)
- Bastion EC2 AMI (this will always pull in the latest version of the image)
- Honeypot container image (immediately after a new image is published, the Cloudformation template should always be updated to the new version and a new Github release created with it)
- Well-known binaries (e.g. curl, jq, that don't strictly need their versions pinned as much)
The goals here are twofold
- To stay away from end-of-life and lack of security support situations
- To always be able to easily uptake security patches without needing to worry about breaking changes at the same time
On a monthly basis, I will check to see if any area is not hitting its target and attempt to rectify that
The first step is to check if there is a new release available. This can be done as follows
- Run
apt-cache policy python3-pip- If the version is the same, nothing more needs to be done
- If there are, continue
- Update the version in
.devcontainer/Dockerfile
From there, update the changelog, and (potentially) bump the version and run the release workflow to publish the changes.
The first step is to check if there is a new release available. This can be done as follows
- Navigate to https://github.com/aws-cloudformation/cfn-lint/releases
- Check for any releases newer than the one used in the repo
- If there are none, nothing more needs to be done
- If there are, continue
- Take the version of the latest release and update it in
- .devcontainer/Dockerfile
- ci.yaml
- Run
make lint - Work through any breaking changes in functionality
From there, update the changelog, and (potentially) bump the version and run the release workflow to publish the changes.
The first step is to check if there is a new release available. This can be done as follows
- Navigate to https://github.com/aws-cloudformation/cloudformation-guard/releases
- Check for any releases newer than the one used in the repo (by a major version or more)
- If there are none, nothing more needs to be done
- If there are, continue
- Take the version of the latest release and update it in
- .devcontainer/Dockerfile
- ci.yaml
- Run
make static-analysis-guard - Work through any breaking changes in functionality
From there, update the changelog, and (potentially) bump the version and run the release workflow to publish the changes.
The first step is to check if there is a new file available upstream. This can be done as follows
- Navigate to https://github.com/aws-cloudformation/aws-guard-rules-registry/releases
- Check for any new releases since last time
- If there are none, nothing more needs to be done
- If there are, continue
- Download the
ruleset-buildfile from the latest release - Unzip the zip archive and look for the
guard-rules-registry-all-rules.guardfile - Overwrite copy it into the repo
- If there are no changes, nothing more needs to be done
- If there are, continue
- Run
make static-analysis-guard - Resolve any new violations that come up
- Commit the changes
From there, update the changelog, and (potentially) bump the version and run the release workflow to publish the changes.
The first step is to check if there is a new PlatformVersion available. This can be done as follows
- Navigate to https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform-linux-fargate.html
- Check the page for any versions newer that the PlatformVersion in
honeypot.yaml - If there is a newer version (not very recently released), update
honeypot.yamland smoke test the changes
From there, update the changelog, bump the version, and run the release workflow to publish the changes.
Dependabot should be configured to create monthly PRs for any outdated actions, so just need to review and merge those in.
It should be ignoring all (non-security) patch and minor updates, but in case it isn't this should be controllable on each PR that comes in (there should be an option to make it that way for each particular dependency).
Picking up security patches requires first learning about them in the first place. These are the strategies for doing that with the dependencies.
A watch for releases and security alerts was turned on for https://github.com/aws-cloudformation/cfn-lint
A watch for releases and security alerts was turned on for https://github.com/aws-cloudformation/cloudformation-guard
A watch for releases and security alerts was turned on for https://github.com/aws-cloudformation/aws-guard-rules-registry
The check-for-updated-dependencies.yaml tries to detect any newly released platform versions for Fargate.
Dependabot should be creating notices for these.