Change health check port #117

Closed
wants to merge 1 commit into from

dylanratcliffe
Member

No description provided.

Expected Changes

replaced ecs-task-definition › facial-recognition
--- current
+++ planned
@@ -1,26 +1,16 @@
-arn: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition:48
-arn_without_revision: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition
-container_definitions: '[{"cpu":1024,"environment":[],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:1234"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234,"hostPort":1234,"protocol":"tcp"}],"volumesFrom":[]}]'
+container_definitions: '[{"cpu":1024,"environment":[],"essential":true,"healthCheck":{"command":["CMD-SHELL","wget -q --spider localhost:8080"],"interval":30,"retries":3,"timeout":5},"image":"harshmanvar/face-detection-tensorjs:slim-amd","memory":2048,"mountPoints":[],"name":"facial-recognition","portMappings":[{"appProtocol":"http","containerPort":1234}],"volumesFrom":[]}]'
 cpu: "1024"
 ephemeral_storage: []
-execution_role_arn: ""
 family: facial-recognition
-id: facial-recognition
 inference_accelerator: []
-ipc_mode: ""
 memory: "2048"
 network_mode: awsvpc
-pid_mode: ""
 placement_constraints: []
 proxy_configuration: []
 requires_compatibilities:
     - FARGATE
-revision: 48
 runtime_platform: []
 skip_destroy: false
-tags: {}
-tags_all: {}
-task_role_arn: ""
 terraform_address: module.loom[0].aws_ecs_task_definition.face
 terraform_name: module.loom[0].aws_ecs_task_definition.face
 track_latest: false
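Review bot: In the `+container_definitions` line the health check now probes `localhost:8080`, but `portMappings` in the same line still declares `containerPort` 1234, so nothing in this definition indicates the container listens on 8080. If the application was not moved as well, every task will fail its health check after 3 retries and, because the container is `essential`, be replaced in a loop. Either change `containerPort` together with the health check or keep the probe on 1234; if 8080 is a separate health endpoint, say so in the PR description, which is currently empty. The same line also drops `hostPort` and `protocol` from the mapping, which deserves a word on whether that is intentional.
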
replaced ec2-instance › i-0e9b4893e76c7b0aa
--- current
+++ planned
@@ -1,87 +1,13 @@
-ami: ami-0f199c73e611e6068
-arn: arn:aws:ec2:eu-west-2:540044833068:instance/i-0e9b4893e76c7b0aa
-associate_public_ip_address: true
-availability_zone: eu-west-2a
-capacity_reservation_specification:
-    - capacity_reservation_preference: open
-      capacity_reservation_target: []
-cpu_core_count: 1
-cpu_options:
-    - amd_sev_snp: ""
-      core_count: 1
-      threads_per_core: 2
-cpu_threads_per_core: 2
-credit_specification:
-    - cpu_credits: unlimited
-disable_api_stop: false
-disable_api_termination: false
-ebs_block_device: []
-ebs_optimized: false
-enclave_options:
-    - enabled: false
-ephemeral_block_device: []
+ami: ami-026d5ef1c0e90fd80
+credit_specification: []
 get_password_data: false
-hibernation: false
-host_id: ""
-iam_instance_profile: ""
-id: i-0e9b4893e76c7b0aa
-instance_initiated_shutdown_behavior: stop
-instance_lifecycle: ""
-instance_market_options: []
-instance_state: running
 instance_type: t3.micro
-ipv6_address_count: 0
-ipv6_addresses: []
-key_name: ""
 launch_template: []
-maintenance_options:
-    - auto_recovery: default
-metadata_options:
-    - http_endpoint: enabled
-      http_protocol_ipv6: disabled
-      http_put_response_hop_limit: 1
-      http_tokens: optional
-      instance_metadata_tags: disabled
-monitoring: false
-network_interface: []
-outpost_arn: ""
-password_data: ""
-placement_group: ""
-placement_partition_number: 0
-primary_network_interface_id: eni-0a13c9101d2f83f47
-private_dns: ip-172-31-25-125.eu-west-2.compute.internal
-private_dns_name_options:
-    - enable_resource_name_dns_a_record: false
-      enable_resource_name_dns_aaaa_record: false
-      hostname_type: ip-name
-private_ip: 172.31.25.125
-public_dns: ec2-35-178-131-180.eu-west-2.compute.amazonaws.com
-public_ip: 35.178.131.180
-root_block_device:
-    - delete_on_termination: true
-      device_name: /dev/xvda
-      encrypted: false
-      iops: 0
-      kms_key_id: ""
-      tags: {}
-      tags_all: {}
-      throughput: 0
-      volume_id: vol-0c13c385799b4a655
-      volume_size: 8
-      volume_type: standard
-secondary_private_ips: []
-security_groups:
-    - default
 source_dest_check: true
-spot_instance_request_id: ""
-subnet_id: subnet-0435f45b197666342
 tags:
     Name: SG Removal Example Instance 1
 tags_all:
     Name: SG Removal Example Instance 1
-tenancy: default
 terraform_address: module.scenarios[0].aws_instance.example_1
 terraform_name: module.scenarios[0].aws_instance.example_1
 user_data_replace_on_change: false
-vpc_security_group_ids:
-    - sg-0948cdc916d1efffd
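Review bot: The `+ami: ami-026d5ef1c0e90fd80` line changes the AMI on an instance that a health check port change should not touch, and it forces the whole instance to be replaced: the current `id`, `private_ip`, `public_ip` and root volume all appear as removed. If the AMI comes from a lookup that resolves to the latest image, pin the ID or add `lifecycle { ignore_changes = [ami] }` so unrelated PRs do not recycle instances; otherwise split this into its own change.
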
replaced ec2-instance › i-0ccab1235ae0f4467
--- current
+++ planned
@@ -1,87 +1,13 @@
-ami: ami-0f199c73e611e6068
-arn: arn:aws:ec2:eu-west-2:540044833068:instance/i-0ccab1235ae0f4467
-associate_public_ip_address: true
-availability_zone: eu-west-2a
-capacity_reservation_specification:
-    - capacity_reservation_preference: open
-      capacity_reservation_target: []
-cpu_core_count: 1
-cpu_options:
-    - amd_sev_snp: ""
-      core_count: 1
-      threads_per_core: 2
-cpu_threads_per_core: 2
-credit_specification:
-    - cpu_credits: unlimited
-disable_api_stop: false
-disable_api_termination: false
-ebs_block_device: []
-ebs_optimized: false
-enclave_options:
-    - enabled: false
-ephemeral_block_device: []
+ami: ami-026d5ef1c0e90fd80
+credit_specification: []
 get_password_data: false
-hibernation: false
-host_id: ""
-iam_instance_profile: ""
-id: i-0ccab1235ae0f4467
-instance_initiated_shutdown_behavior: stop
-instance_lifecycle: ""
-instance_market_options: []
-instance_state: running
 instance_type: t3.micro
-ipv6_address_count: 0
-ipv6_addresses: []
-key_name: ""
 launch_template: []
-maintenance_options:
-    - auto_recovery: default
-metadata_options:
-    - http_endpoint: enabled
-      http_protocol_ipv6: disabled
-      http_put_response_hop_limit: 1
-      http_tokens: optional
-      instance_metadata_tags: disabled
-monitoring: false
-network_interface: []
-outpost_arn: ""
-password_data: ""
-placement_group: ""
-placement_partition_number: 0
-primary_network_interface_id: eni-074e5724e0c7ec97c
-private_dns: ip-172-31-19-139.eu-west-2.compute.internal
-private_dns_name_options:
-    - enable_resource_name_dns_a_record: false
-      enable_resource_name_dns_aaaa_record: false
-      hostname_type: ip-name
-private_ip: 172.31.19.139
-public_dns: ec2-35-177-105-12.eu-west-2.compute.amazonaws.com
-public_ip: 35.177.105.12
-root_block_device:
-    - delete_on_termination: true
-      device_name: /dev/xvda
-      encrypted: false
-      iops: 0
-      kms_key_id: ""
-      tags: {}
-      tags_all: {}
-      throughput: 0
-      volume_id: vol-0ee2a48040c0c9698
-      volume_size: 8
-      volume_type: standard
-secondary_private_ips: []
-security_groups:
-    - default
 source_dest_check: true
-spot_instance_request_id: ""
-subnet_id: subnet-0435f45b197666342
 tags:
     Name: SG Removal Example Instance 1
 tags_all:
     Name: SG Removal Example Instance 1
-tenancy: default
 terraform_address: module.scenarios[0].aws_instance.example_2
 terraform_name: module.scenarios[0].aws_instance.example_2
 user_data_replace_on_change: false
-vpc_security_group_ids:
-    - sg-0948cdc916d1efffd
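Review bot: The planned side of this replacement declares no `metadata_options` and no `root_block_device`, while the instance being destroyed has `http_tokens: optional` and `encrypted: false`. Since the instance is recreated anyway, set `http_tokens = "required"` and `encrypted = true` explicitly so the replacement does not come back with IMDSv1 allowed and an unencrypted root volume. Separately, `tags.Name` is `SG Removal Example Instance 1` although the address is `aws_instance.example_2`, the same name as on `example_1`; that looks like a copy-paste slip.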

Unmapped Changes

Note

These changes couldn't be mapped to a discoverable cloud resource and therefore won't be included in the blast radius calculation.

updated aws_ecs_service › module.loom[0].aws_ecs_service.face
--- current
+++ planned
@@ -41,7 +41,6 @@
 service_registries: []
 tags: {}
 tags_all: {}
-task_definition: arn:aws:ecs:eu-west-2:540044833068:task-definition/facial-recognition:48
 terraform_address: module.loom[0].aws_ecs_service.face
 terraform_name: module.loom[0].aws_ecs_service.face
 triggers: {}
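Review bot: The removed `task_definition` line means the service is repointed at the new task definition revision in the same apply that changes the health check, so there is no point at which the 8080 probe is validated before the running service rolls onto it. Confirm the container answers on 8080 before applying, and check that the service sets `deployment_circuit_breaker` with `rollback = true` (not visible in this hunk) so a failing health check reverts instead of cycling tasks. This change is listed as unmapped, so it is not counted in the blast radius figure.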

Blast Radius

Items: 62, Edges: 75

Risks

Health Check Failure on Port Change [High]

The task definition for facial-recognition is being updated to perform health checks on port 8080 instead of the previously configured port 1234. This change implies that the facial-recognition application must listen on the new port for health checks to pass. If the application is not configured to listen on port 8080, ECS services will continuously restart the task, leading to potential application downtime. The current ECS task definition and related Elastic Load Balancer (ELB) settings indicate that health checks and traffic are currently configured for port 1234. This discrepancy between the current configuration and the proposed change introduces a high risk of service disruption.

Load Balancer Misconfiguration Post Change [Medium]

The proposed change does not indicate an update to the ELB target group that routes traffic to the facial-recognition service. The current state information reveals that the ELB target group facial-recognition is configured to forward traffic to port 1234. If the service starts listening on the new health check port 8080 but the ELB is still forwarding traffic to port 1234, this could result in failed requests to the service, leading to an outage or degraded performance. Ensuring the ELB's target group configuration matches the health check port is critical to avoid service disruption.

Incomplete Monitoring Configuration Adjustment [Low]

Modifying the application to listen on a new port without updating monitoring tools and alerts may lead to inaccurate health reporting and delayed incident response. The existing monitoring setup, if any, configured to observe traffic and responses on the original port 1234 might miss crucial metrics or errors occurring on the new port 8080, thus impacting the operational visibility and the ability to quickly respond to issues.

@dylanratcliffe dylanratcliffe deleted the dylanratcliffe-patch-3 branch June 13, 2024 13:41