chore: Add configurable execution mode for ECS container tasks (ecs | ssm) (#476)

* chore: Add execution mode for ECS container tasks

* fix: typo

* fix execution validation

---------

Co-authored-by: Xing Yahao <48758247+keidarcy@users.noreply.github.com>

Author: Ppito

README.md

@@ -90,21 +90,24 @@ Usage:
   e1s [flags]
 
 Flags:
-      --cluster string       specify the default cluster
-  -c, --config-file string   config file (default "$HOME/.config/e1s/config.yml")
-  -d, --debug                sets debug mode
-  -h, --help                 help for e1s
-  -j, --json                 log output json format
-  -l, --log-file string      specify the log file path (default "${TMPDIR}e1s.log")
-      --profile string       specify the AWS profile
-      --read-only            sets read only mode
-  -r, --refresh int          specify the default refresh rate as an integer, sets -1 to stop auto refresh (sec) (default 30)
-      --region string        specify the AWS region
-      --service string       specify the default service (requires --cluster)
-  -s, --shell string         specify interactive ecs exec shell (default "/bin/sh")
-      --splash               display startup splash screen (AWS load runs before the UI) (default true)
-      --theme string         specify color theme
-  -v, --version              version for e1s
+      --cluster string         specify the default cluster
+  -c, --config-file string     config file (default "$HOME/.config/e1s/config.yml")
+  -d, --debug                  sets debug mode
+      --exec-mode string       execution mode for ECS containers: ecs or ssm (default "ecs")
+  -h, --help                   help for e1s
+  -j, --json                   log output json format
+  -l, --log-file string        specify the log file path (default "${TMPDIR}e1s.log")
+      --profile string         specify the AWS profile
+      --read-only              sets read only mode
+  -r, --refresh int            specify the default refresh rate as an integer, sets -1 to stop auto refresh (sec) (default 30)
+      --region string          specify the AWS region
+      --service string         specify the default service (requires --cluster)
+  -s, --shell string           specify interactive ecs exec shell (default "/bin/sh")
+      --ssm-custom-command string
+                                custom command template for SSM container execution mode
+      --splash                 display startup splash screen (AWS load runs before the UI) (default true)
+      --theme string           specify color theme
+  -v, --version                version for e1s
 
 ```
 
@@ -285,7 +288,7 @@ tail -f /tmp/e1s.log
 - Configure themes from the built-in theme set.
 - Override individual colors in config.
 - Adjust logging, refresh interval, splash behavior, shell, and default navigation targets.
-
+- Change execution mode for ECS container tasks.
 
 ### Table filtering
 
@@ -408,6 +411,28 @@ Implemented by a S3 bucket. Since file transfer though a S3 bucket and aws-cli i
   ![file-transfer-demo](./assets/e1s-file-transfer-demo.gif)
 </details>
 
+
+### Execution mode for ECS container tasks
+
+Due to certain security restrictions, the `ecs execute-command` may not be operational; this setting allows you to use `ssm start-session` instead.
+
+- `ecs` - use ECS Exec to execute commands in the container.
+- `ssm` - use AWS Systems Manager to execute commands in the container.
+
+#### Config file:
+```yaml
+# Default execution mode for ECS containers
+exec-mode: ssm
+```
+
+With SSM mode you can also customize the command to run with `--ssm-custom-command` or the config file.<br>
+The command takes the containerId and the config shell as arguments.
+#### Config file:
+```yaml
+# Customize command for ssm execution mode
+ssm-custom-command: "sudo docker exec -it %s %s"
+```
+
 ### Full features list
 
 <details>
@@ -452,6 +477,7 @@ Implemented by a S3 bucket. Since file transfer though a S3 bucket and aws-cli i
   - [x] Transfer files to and from your local machine and a remote host like `aws s3 cp`
   - [x] Customize theme
   - [x] Customize colors
+  - [x] Customize execution mode for ECS container tasks (ecs or ssm)
 </details>
 
 ## Feature requests & bug reports
@@ -476,4 +502,3 @@ Xing Yahao(https://github.com/keidarcy)
 ## Stargazers over time
 
 [![Stargazers over time](https://starchart.cc/keidarcy/e1s.svg?variant=adaptive)](https://starchart.cc/keidarcy/e1s)
-

cmd/e1s/main.go

@@ -59,6 +59,8 @@ func init() {
 	rootCmd.Flags().String("cluster", "", "specify the default cluster")
 	rootCmd.Flags().String("service", "", "specify the default service (requires --cluster)")
 	rootCmd.Flags().Bool("splash", true, "display startup splash screen (AWS load runs before the UI)")
+	rootCmd.Flags().String("exec-mode", "ecs", "execution mode for ECS containers: ecs or ssm")
+	rootCmd.Flags().String("ssm-custom-command", "", "custom command template for SSM container execution mode")
 
 	err := viper.BindPFlags(rootCmd.Flags())
 	if err != nil {
@@ -79,6 +81,9 @@ Check https://github.com/keidarcy/e1s for more details.`,
 		if service != "" && cluster == "" {
 			return fmt.Errorf("when specifying a service with --service, you must also specify a cluster with --cluster")
 		}
+		if err := validateExecMode(viper.GetString("exec-mode")); err != nil {
+			return err
+		}
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
@@ -107,19 +112,23 @@ Check https://github.com/keidarcy/e1s for more details.`,
 		cluster := viper.GetString("cluster")
 		service := viper.GetString("service")
 		splash := viper.GetBool("splash")
+		execMode := viper.GetString("exec-mode")
+		ssmCustomCommand := viper.GetString("ssm-custom-command")
 
 		option := e1s.Option{
-			ConfigFile: configFile,
-			LogFile:    logFile,
-			Debug:      debug,
-			JSON:       json,
-			ReadOnly:   readOnly,
-			Refresh:    refresh,
-			Shell:      shell,
-			Theme:      theme,
-			Cluster:    cluster,
-			Service:    service,
-			Splash:     splash,
+			ConfigFile:       configFile,
+			LogFile:          logFile,
+			Debug:            debug,
+			JSON:             json,
+			ReadOnly:         readOnly,
+			Refresh:          refresh,
+			Shell:            shell,
+			Theme:            theme,
+			Cluster:          cluster,
+			Service:          service,
+			Splash:           splash,
+			ExecMode:         execMode,
+			SsmCustomCommand: ssmCustomCommand,
 		}
 
 		if err := e1s.Start(option); err != nil {
@@ -131,6 +140,15 @@ Check https://github.com/keidarcy/e1s for more details.`,
 	Version: utils.ShowVersion(),
 }
 
+func validateExecMode(execMode string) error {
+	switch execMode {
+	case "ecs", "ssm":
+		return nil
+	default:
+		return fmt.Errorf("invalid exec-mode %q: must be ecs or ssm", execMode)
+	}
+}
+
 func main() {
 	if err := rootCmd.Execute(); err != nil {
 		fmt.Fprintln(os.Stderr, err)

internal/view/app.go

@@ -65,6 +65,10 @@ type Option struct {
 	Service string
 	// Splash screen on startup (load AWS config and first resource list in background).
 	Splash bool
+	// Execution mode for ECS containers: "ecs" or "ssm".
+	ExecMode string
+	// Custom command template for ECS container SSM sessions.
+	SsmCustomCommand string
 }
 
 // viewState holds sort/filter state per page so it can be restored after a reload.

internal/view/shell.go

@@ -1,6 +1,7 @@
 package view
 
 import (
+	"encoding/json"
 	"fmt"
 	"log/slog"
 	"os"
@@ -150,59 +151,57 @@ func (v *view) preValidateExec() (*[]string, string, error) {
 	return &args, containerName, nil
 }
 
-// Start session for instance
-// aws ssm start-session --target ${instance_id}
-func (v *view) instanceStartSession() {
-	if v.app.kind != InstanceKind && v.app.kind != TaskKind {
-		v.app.Notice.Warn("Invalid kind type to start session")
-		return
+func (v *view) preValidateStartSession() (*[]string, string, error) {
+	if v.app.kind != ContainerKind && v.app.kind != InstanceKind && v.app.kind != TaskKind {
+		return nil, "", fmt.Errorf("invalid kind type to start session")
 	}
 
 	if v.app.ReadOnly {
-		v.app.Notice.Warn("No permission to start session in read only mode")
-		return
+		return nil, "", fmt.Errorf("no permission to start session in read only mode")
 	}
 
 	_, err := exec.LookPath(awsCli)
 	if err != nil {
-		v.app.Notice.Warnf("failed to find %s path, please check %s", awsCli, "https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html")
-		return
+		return nil, "", fmt.Errorf("failed to find %s path, please check %s", awsCli, "https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html")
 	}
 
 	selected, err := v.getCurrentSelection()
 	if err != nil {
-		v.app.Notice.Warnf("failed to handleSelected, err: %v", err)
-		return
+		return nil, "", fmt.Errorf("failed to handleSelected, err: %v", err)
 	}
 
 	instanceId := ""
 	if v.app.kind == InstanceKind {
 		if selected.instance == nil {
-			v.app.Notice.Warn("Not a valid instance")
-			return
+			return nil, "", fmt.Errorf("not a valid instance")
+		}
+		if selected.instance.Ec2InstanceId == nil || *selected.instance.Ec2InstanceId == "" {
+			return nil, "", fmt.Errorf("not a valid instance id")
 		}
 		instanceId = *selected.instance.Ec2InstanceId
-	} else if v.app.kind == TaskKind {
+	} else if v.app.kind == ContainerKind || v.app.kind == TaskKind {
 		if v.app.task.ContainerInstanceArn == nil {
-			v.app.Notice.Warn("Not a valid task with container instance")
-			return
+			return nil, "", fmt.Errorf("not a valid task with container instance")
+		}
+		if v.app.Store == nil {
+			return nil, "", fmt.Errorf("aws store is not initialized")
+		}
+		if v.app.cluster == nil || v.app.cluster.ClusterName == nil || *v.app.cluster.ClusterName == "" {
+			return nil, "", fmt.Errorf("not a valid cluster")
 		}
 		instanceId, err = v.app.Store.GetTaskInstanceId(v.app.cluster.ClusterName, v.app.task.ContainerInstanceArn)
 		if err != nil {
-			v.app.Notice.Warnf("failed to get task instance id, err: %v", err)
-			return
+			return nil, "", fmt.Errorf("failed to get task instance id, err: %v", err)
 		}
 	}
 
 	if instanceId == "" {
-		v.app.Notice.Warn("Not a valid instance")
-		return
+		return nil, "", fmt.Errorf("not a valid instance")
 	}
 
 	_, err = exec.LookPath(smpCi)
 	if err != nil {
-		v.app.Notice.Warnf("failed to find %s path, please check %s", smpCi, "https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html")
-		return
+		return nil, "", fmt.Errorf("failed to find %s path, please check %s", smpCi, "https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html")
 	}
 
 	args := []string{
@@ -212,16 +211,28 @@ func (v *view) instanceStartSession() {
 		instanceId,
 	}
 
+	return &args, instanceId, nil
+}
+
+// Start session for instance
+// aws ssm start-session --target ${instance_id}
+func (v *view) instanceStartSession() {
+	args, instanceId, err := v.preValidateStartSession()
+	if err != nil {
+		v.app.Notice.Warnf("Exec command validation failed: %v", err)
+		return
+	}
+
 	// catch ctrl+C & SIGTERM
 	interrupt := make(chan os.Signal, 1)
 	signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)
 
 	v.app.Suspend(func() {
 		v.app.isSuspended = true
 		bin, _ := exec.LookPath(awsCli)
-		slog.Info("exec", "command", bin+" "+strings.Join(args, " "))
+		slog.Info("exec", "command", bin+" "+strings.Join(*args, " "))
 
-		cmd := exec.Command(bin, args...)
+		cmd := exec.Command(bin, *args...)
 		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
 		_, err = cmd.Stdout.Write([]byte(fmt.Sprintf(instanceBannerFmt, *v.app.cluster.ClusterName, instanceId)))
 		err = cmd.Run()
@@ -232,3 +243,86 @@ func (v *view) instanceStartSession() {
 		v.app.isSuspended = false
 	})
 }
+
+// Start session for instance
+// Equivalent to
+// aws ssm start-session
+// --target ecs:${cluster_id}_${task_id}_${runtime_id}
+// --document-name AWS-StartInteractiveCommand
+// --parameters {"command":["${command}"]}
+func (v *view) instanceStartSessionDocument() {
+	args, instanceId, err := v.preValidateStartSession()
+	if err != nil {
+		v.app.Notice.Warnf("Exec command validation failed: %v", err)
+		return
+	}
+
+	selected, err := v.getCurrentSelection()
+	if err != nil {
+		v.app.Notice.Warnf("failed to handleSelected, err: %v", err)
+		return
+	}
+	runtimeId, containerName, err := validateContainerSessionTarget(selected)
+	if err != nil {
+		v.app.Notice.Warn(err.Error())
+		return
+	}
+	if v.app.task.TaskArn == nil || *v.app.task.TaskArn == "" {
+		v.app.Notice.Warn("Not a valid task")
+		return
+	}
+	if v.app.cluster.ClusterName == nil || *v.app.cluster.ClusterName == "" {
+		v.app.Notice.Warn("Not a valid cluster")
+		return
+	}
+
+	ssmCommand := "docker exec -it %s %s"
+	if v.app.Option.SsmCustomCommand != "" {
+		ssmCommand = v.app.Option.SsmCustomCommand
+	}
+	params := map[string][]string{
+		"command": {fmt.Sprintf(ssmCommand, runtimeId, v.app.Option.Shell)},
+	}
+	parameterJson, _ := json.Marshal(params)
+
+	extraArgs := []string{
+		"--document-name",
+		"AWS-StartInteractiveCommand",
+		"--parameters",
+		string(parameterJson),
+	}
+
+	cmdArgs := append(*args, extraArgs...)
+	// catch ctrl+C & SIGTERM
+	interrupt := make(chan os.Signal, 1)
+	signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)
+
+	v.app.Suspend(func() {
+		v.app.isSuspended = true
+		bin, _ := exec.LookPath(awsCli)
+		slog.Info("exec", "command", bin+" "+strings.Join(cmdArgs, " "))
+
+		cmd := exec.Command(bin, cmdArgs...)
+		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
+		_, err = cmd.Stdout.Write([]byte(fmt.Sprintf(execBannerFmt, *v.app.cluster.ClusterName, instanceId, utils.ArnToName(v.app.task.TaskArn), containerName)))
+		err = cmd.Run()
+
+		// return signal
+		signal.Stop(interrupt)
+		close(interrupt)
+		v.app.isSuspended = false
+	})
+}
+
+func validateContainerSessionTarget(selected Entity) (runtimeId string, containerName string, err error) {
+	if selected.container == nil {
+		return "", "", fmt.Errorf("not a valid container")
+	}
+	if selected.container.RuntimeId == nil || *selected.container.RuntimeId == "" {
+		return "", "", fmt.Errorf("not a valid runtime id")
+	}
+	if selected.container.Name == nil || *selected.container.Name == "" {
+		return "", "", fmt.Errorf("not a valid container name")
+	}
+	return *selected.container.RuntimeId, *selected.container.Name, nil
+}