ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Contact MP members with hardcoded ECS/EKS AMIs to suggest alternative ways to stay up to date #7188

Closed richgreen-moj closed 2 months ago

richgreen-moj commented 3 months ago

User Story

As an MP Engineer, I want to contact members who are using outdated/hardcoded ECS/EKS AMIs to suggest alternative ways of keeping their infrastructure patched with the latest updates, so that security best practices are followed on the platform.

Value / Purpose

Follow on from https://github.com/ministryofjustice/modernisation-platform/issues/2413

This issue would involve contacting the applications that were highlighted in the SPIKE as having hardcoded AMI values to suggest one of the options to keep their infrastructure up to date with the latest versions.

The applications identified were:

Options they could consider:

  1. Use the Fargate (serverless) approach so that instance patch management is managed by AWS. (Use the MP module for this.)
  2. Use a Terraform data call to retrieve the latest ECS/EKS-optimised AMI image by querying the Systems Manager Parameter Store API.
  3. Reconsider whether workloads would be appropriate for Cloud Platform.

Useful Contacts

@richgreen-moj @davidkelliott

Additional Information

No response

Proposal / Unknowns

Hypothesis If we... [do a thing] Then... [this will happ]

Proposal A proposal that is something testable, don't worry whether it works or not, it's a place for ideas.

Unknowns Potential pitfalls that could cause the story to expand beyond its original scope. Ideally this section will remain blank.

Definition of Done

Khatraf commented 2 months ago

I've created a spreadsheet to document the outcomes of the discussions with members regarding their applications: https://docs.google.com/spreadsheets/d/1aKL6CstYGka1ZPUE74RTjYZIGejWyNL4MhrK-mt8Jwc/edit?gid=0#gid=0

Khatraf commented 2 months ago

Tickets have been raised to test and implement a solution to avoid hardcoding ECS AMIs for 3 applications (apex, mlra and maat) over the next couple of months. I have added a comment in ticket #7189 to confirm successful implementation.
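
Option 2 from the issue, sketched in Terraform as an added example (not code from this repository or from the member applications). The resource names, `var.private_subnet_ids`, the instance type and the `eks_version` default are assumptions; the SSM parameter paths are the public ones AWS publishes for the Amazon Linux 2 ECS- and EKS-optimised AMIs.

```hcl
# Hypothetical inputs for this example.
variable "private_subnet_ids" { type = list(string) }
variable "eks_version" {
  type    = string
  default = "1.29" # assumption: set to the cluster's Kubernetes version
}

# Before: a pinned AMI never picks up AWS's patched images.
#   image_id = "ami-0123456789abcdef0" # constructed placeholder, not a real AMI

# After: resolve the recommended AMI ID at plan time from AWS's public parameters.
data "aws_ssm_parameter" "ecs_optimized_ami" {
  name = "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id"
}

data "aws_ssm_parameter" "eks_optimized_ami" {
  name = "/aws/service/eks/optimized-ami/${var.eks_version}/amazon-linux-2/recommended/image_id"
}

resource "aws_launch_template" "ecs_example" {
  name_prefix   = "ecs-example-"
  image_id      = data.aws_ssm_parameter.ecs_optimized_ami.value
  instance_type = "t3.medium"

  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }
}

resource "aws_autoscaling_group" "ecs_example" {
  name_prefix         = "ecs-example-"
  min_size            = 1
  max_size            = 2
  vpc_zone_identifier = var.private_subnet_ids

  launch_template {
    id      = aws_launch_template.ecs_example.id
    version = aws_launch_template.ecs_example.latest_version
  }

  # A new AMI ID alone only affects instances launched later; the rolling
  # refresh replaces running instances when the launch template changes.
  instance_refresh {
    strategy = "Rolling"
    preferences { min_healthy_percentage = 50 }
  }
}
```

The AMI ID is only re-read when Terraform runs, so a scheduled plan/apply is still needed for new AWS releases to reach the environment.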