
QA Task: LogGuardian ECS/Fargate Deployment Validation #134

@Sarlynoel020


📋 Overview

Validate the LogGuardian ECS/Fargate deployment in the dev account (769392325486) to ensure all functionality works as expected before promoting to staging/production.


🎯 Scope

What was deployed:

  • ECS/Fargate infrastructure (9 AWS resources)
  • LogGuardian container image in ECR
  • IAM roles with Config/Logs permissions
  • CloudWatch logging integration
  • AWS Config rule integration

Repository: zsoftly/logguardian
Issue: Closes #91 (ECS/Fargate Task Definition and Integration)
Environment: Dev (769392325486, ca-central-1)
Deployment Date: 2024-10-24
Deployed By: @[your-github-username]


✅ Test Scenarios

1. Infrastructure Validation

  • ECS cluster logguardian-dev exists and is active
  • Task definition logguardian-dev:2 is registered
  • IAM roles exist: logguardian-dev-task and logguardian-dev-execution
  • Security group sg-015c44092a321da76 allows outbound traffic
  • CloudWatch log group /ecs/logguardian exists with 30-day retention
  • ECR repository contains logguardian:latest image
  • Fargate Spot capacity provider is configured (80/20 split)

Verification Command:

aws ecs describe-clusters --cluster logguardian-dev --region ca-central-1
aws ecs describe-task-definition --task-definition logguardian-dev --region ca-central-1
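To make the infrastructure checklist repeatable rather than eyeballed, here is an added validation script (not code from the LogGuardian repository). It reads the JSON that the two verification commands above print, plus `aws logs describe-log-groups --log-group-name-prefix /ecs/logguardian`, and asserts each checklist item: cluster ACTIVE, task definition `logguardian-dev:2` with the 256/512 size and both IAM roles, `logguardian:latest` image wired to `/ecs/logguardian`, and 30-day retention. The sample responses are constructed in the shape of the AWS CLI output; it assumes the 80/20 split is expressed as the cluster's default capacity provider strategy weights (4:1 FARGATE_SPOT:FARGATE).

```python
import json
import sys

# Constructed sample responses in the shape of the AWS CLI JSON output. For a
# real run, save the commands' output instead, e.g.
#   aws ecs describe-clusters --cluster logguardian-dev --region ca-central-1 > cluster.json
#   aws ecs describe-task-definition --task-definition logguardian-dev --region ca-central-1 > taskdef.json
#   aws logs describe-log-groups --log-group-name-prefix /ecs/logguardian --region ca-central-1 > loggroups.json
SAMPLE_CLUSTER = {
    "clusters": [{
        "clusterName": "logguardian-dev",
        "status": "ACTIVE",
        "capacityProviders": ["FARGATE", "FARGATE_SPOT"],
        # Assumption: the "80/20 split" is expressed as strategy weights (4:1).
        "defaultCapacityProviderStrategy": [
            {"capacityProvider": "FARGATE_SPOT", "weight": 4, "base": 0},
            {"capacityProvider": "FARGATE", "weight": 1, "base": 0},
        ],
    }],
    "failures": [],
}
SAMPLE_TASKDEF = {
    "taskDefinition": {
        "family": "logguardian-dev", "revision": 2, "status": "ACTIVE",
        "cpu": "256", "memory": "512",
        "taskRoleArn": "arn:aws:iam::769392325486:role/logguardian-dev-task",
        "executionRoleArn": "arn:aws:iam::769392325486:role/logguardian-dev-execution",
        "containerDefinitions": [{
            "name": "logguardian",
            "image": "769392325486.dkr.ecr.ca-central-1.amazonaws.com/logguardian:latest",
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {"awslogs-group": "/ecs/logguardian", "awslogs-region": "ca-central-1"},
            },
        }],
    }
}
SAMPLE_LOG_GROUPS = {"logGroups": [{"logGroupName": "/ecs/logguardian", "retentionInDays": 30}]}


def check_cluster(doc, name="logguardian-dev", spot_share=0.8):
    """Cluster exists, is ACTIVE, and defaults to the expected Spot share."""
    cluster = next((c for c in doc.get("clusters", []) if c.get("clusterName") == name), None)
    if cluster is None:
        return [f"cluster {name} not found"]
    failures = []
    if cluster.get("status") != "ACTIVE":
        failures.append(f"cluster status is {cluster.get('status')}, expected ACTIVE")
    weights = {s["capacityProvider"]: s.get("weight", 0)
               for s in cluster.get("defaultCapacityProviderStrategy", [])}
    total = sum(weights.values())
    share = weights.get("FARGATE_SPOT", 0) / total if total else 0.0
    if abs(share - spot_share) > 0.01:
        failures.append(f"FARGATE_SPOT share is {share:.0%}, expected {spot_share:.0%}")
    return failures


def check_task_definition(doc, family="logguardian-dev", revision=2, account="769392325486"):
    """Revision, task size, both roles, image tag and log group match the checklist."""
    td = doc.get("taskDefinition", {})
    failures = []
    if (td.get("family"), td.get("revision")) != (family, revision):
        failures.append(f"expected {family}:{revision}, got {td.get('family')}:{td.get('revision')}")
    if td.get("status") != "ACTIVE":
        failures.append(f"task definition status is {td.get('status')}, expected ACTIVE")
    if (td.get("cpu"), td.get("memory")) != ("256", "512"):
        failures.append(f"task size is {td.get('cpu')} CPU / {td.get('memory')} MB, expected 256 / 512")
    for key, role in (("taskRoleArn", f"{family}-task"), ("executionRoleArn", f"{family}-execution")):
        expected = f"arn:aws:iam::{account}:role/{role}"
        if td.get(key) != expected:
            failures.append(f"{key} is {td.get(key)}, expected {expected}")
    ctr = next((c for c in td.get("containerDefinitions", []) if c.get("name") == "logguardian"), None)
    if ctr is None:
        failures.append("no container named logguardian in the task definition")
    else:
        if not ctr.get("image", "").endswith("/logguardian:latest"):
            failures.append(f"container image is {ctr.get('image')}, expected .../logguardian:latest")
        opts = ctr.get("logConfiguration", {}).get("options", {})
        if opts.get("awslogs-group") != "/ecs/logguardian":
            failures.append(f"awslogs-group is {opts.get('awslogs-group')}, expected /ecs/logguardian")
    return failures


def check_log_group(doc, name="/ecs/logguardian", retention=30):
    """Log group exists with the required retention."""
    group = next((g for g in doc.get("logGroups", []) if g.get("logGroupName") == name), None)
    if group is None:
        return [f"log group {name} not found"]
    got = group.get("retentionInDays")
    return [] if got == retention else [f"{name} retention is {got}, expected {retention}"]


def validate(cluster_doc, taskdef_doc, loggroups_doc):
    """All checklist failures across the three responses; an empty list means PASS."""
    return check_cluster(cluster_doc) + check_task_definition(taskdef_doc) + check_log_group(loggroups_doc)


if __name__ == "__main__":
    # Usage: python validate_infra.py cluster.json taskdef.json loggroups.json
    # (falls back to the constructed samples when no files are given)
    if len(sys.argv) == 4:
        docs = [json.load(open(p)) for p in sys.argv[1:]]
    else:
        docs = [SAMPLE_CLUSTER, SAMPLE_TASKDEF, SAMPLE_LOG_GROUPS]
    problems = validate(*docs)
    print("PASS" if not problems else "\n".join("FAIL: " + p for p in problems))
    sys.exit(1 if problems else 0)
```

A non-zero exit from the script gives you a one-line Pass/Fail for the test evidence table, and each failure message names the field that drifted, which is what you want when a later revision of the task definition silently changes a role ARN or the log group.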

2. Manual Task Execution (Dry-Run)

  • Task launches successfully
  • Container starts without errors
  • Authentication via ECS task role works
  • Connects to AWS Config API
  • Retrieves non-compliant resources
  • Generates compliance report
  • Exit code = 0
  • Logs appear in CloudWatch

Test Command:

CLUSTER=logguardian-dev
TASK=logguardian-dev
SG=sg-015c44092a321da76

aws ecs run-task \
  --cluster $CLUSTER \
  --launch-type FARGATE \
  --task-definition $TASK \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-0cb3a166fffa03698,subnet-0026232dabc7d880d],securityGroups=[$SG],assignPublicIp=ENABLED}" \
  --overrides '{
    "containerOverrides":[{
      "name":"logguardian",
      "command":["--dry-run","--config-rule","cloudwatch-log-group-encrypted","--verbose"],
      "environment":[{"name":"AWS_REGION","value":"ca-central-1"}]
    }]
  }' \
  --region ca-central-1

Check logs:

aws logs tail /ecs/logguardian --since 10m --region ca-central-1

3. Production Mode Execution

  • Task executes without --dry-run flag
  • Actually applies encryption to log groups
  • Verifies changes were applied
  • Reports success count correctly
  • Handles errors gracefully
  • Exit code = 0 on success

Test Command:

aws ecs run-task \
  --cluster logguardian-dev \
  --launch-type FARGATE \
  --task-definition logguardian-dev \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-0cb3a166fffa03698,subnet-0026232dabc7d880d],securityGroups=[sg-015c44092a321da76],assignPublicIp=ENABLED}" \
  --overrides '{
    "containerOverrides":[{
      "name":"logguardian",
      "command":["--config-rule","cloudwatch-log-group-encrypted","--verbose"],
      "environment":[{"name":"AWS_REGION","value":"ca-central-1"}]
    }]
  }' \
  --region ca-central-1

4. Error Handling

  • Missing Config rule name returns proper error (exit code 2)
  • Invalid Config rule name returns proper error (exit code 1)
  • IAM permission issues are logged clearly
  • Network failures are handled gracefully
  • All errors appear in CloudWatch logs

Test Invalid Rule:

aws ecs run-task \
  --cluster logguardian-dev \
  --launch-type FARGATE \
  --task-definition logguardian-dev \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-0cb3a166fffa03698,subnet-0026232dabc7d880d],securityGroups=[sg-015c44092a321da76],assignPublicIp=ENABLED}" \
  --overrides '{
    "containerOverrides":[{
      "name":"logguardian",
      "command":["--dry-run","--config-rule","nonexistent-rule"]
    }]
  }' \
  --region ca-central-1

5. Performance & Resource Utilization

  • Task completes within expected time (<2 minutes for typical workload)
  • CPU usage stays under 50% (256 CPU units allocated)
  • Memory usage stays under 300 MB (512 MB allocated)
  • No container restarts or crashes
  • Fargate Spot instances are being used (check task details)

Check Task Metrics:

# View in CloudWatch Container Insights or ECS console
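Scenarios 2 through 5 all end the same way: wait for the task to stop, then read the container exit code, the run duration and (for scenario 5) the capacity provider out of `aws ecs describe-tasks`. Here is an added helper for that step (not code from the LogGuardian repository). It takes the `describe-tasks` JSON for a task that `aws ecs wait tasks-stopped --cluster logguardian-dev --tasks <taskArn>` has reported as stopped and checks it against the expected exit code (0 for the dry-run and production runs, 1 for the invalid-rule run) and the two-minute budget. The two task records are constructed samples. One caveat the checklist does not spell out: `run-task --launch-type FARGATE`, as used in the commands above, bypasses the cluster's default capacity provider strategy, so those runs will never land on Fargate Spot; to exercise the 80/20 split, omit `--launch-type` (the cluster default then applies) or pass `--capacity-provider-strategy` explicitly.

```python
from datetime import datetime

# Constructed samples in the shape of
#   aws ecs describe-tasks --cluster logguardian-dev --tasks <taskArn> --region ca-central-1
# once the task has reached STOPPED.
SAMPLE_DRY_RUN_OK = {
    "tasks": [{
        "lastStatus": "STOPPED",
        "stopCode": "EssentialContainerExited",
        "stoppedReason": "Essential container in task exited",
        "capacityProviderName": "FARGATE_SPOT",
        "cpu": "256", "memory": "512",
        "startedAt": "2024-10-24T16:00:05.000000+00:00",
        "stoppedAt": "2024-10-24T16:00:48.000000+00:00",
        "containers": [{"name": "logguardian", "exitCode": 0}],
    }],
    "failures": [],
}
# The --config-rule nonexistent-rule run, launched with --launch-type FARGATE,
# so no capacityProviderName is reported and the container exits 1.
SAMPLE_INVALID_RULE = {
    "tasks": [{
        "lastStatus": "STOPPED",
        "stopCode": "EssentialContainerExited",
        "stoppedReason": "Essential container in task exited",
        "startedAt": "2024-10-24T16:05:02.000000+00:00",
        "stoppedAt": "2024-10-24T16:05:09.000000+00:00",
        "containers": [{"name": "logguardian", "exitCode": 1}],
    }],
    "failures": [],
}


def _seconds_between(start, stop):
    """Duration between two ISO-8601 timestamps as the CLI prints them."""
    return (datetime.fromisoformat(stop) - datetime.fromisoformat(start)).total_seconds()


def assess_task(doc, container="logguardian", expected_exit=0, max_seconds=120, expect_spot=False):
    """Findings for one stopped task; an empty list means the scenario passed."""
    tasks = doc.get("tasks", [])
    if doc.get("failures") or not tasks:
        return [f"describe-tasks returned no task: {doc.get('failures')}"]
    task = tasks[0]
    if task.get("lastStatus") != "STOPPED":
        return [f"task is {task.get('lastStatus')}; poll until STOPPED before assessing"]
    ctr = next((c for c in task.get("containers", []) if c.get("name") == container), None)
    if ctr is None:
        return [f"no container named {container} in task"]
    findings = []
    code = ctr.get("exitCode")  # None when the container never started
    if code != expected_exit:
        findings.append(f"exit code {code}, expected {expected_exit} "
                        f"({task.get('stopCode')}: {task.get('stoppedReason')})")
    if task.get("startedAt") and task.get("stoppedAt"):
        secs = _seconds_between(task["startedAt"], task["stoppedAt"])
        if secs > max_seconds:
            findings.append(f"task ran {secs:.0f}s, expected under {max_seconds}s")
    else:
        findings.append("task has no startedAt/stoppedAt; it likely failed to start (see stoppedReason)")
    if expect_spot and task.get("capacityProviderName") != "FARGATE_SPOT":
        findings.append(f"capacityProviderName is {task.get('capacityProviderName')}, expected FARGATE_SPOT")
    return findings


if __name__ == "__main__":
    for label, doc, kwargs in (
        ("dry-run", SAMPLE_DRY_RUN_OK, {"expect_spot": True}),
        ("invalid rule", SAMPLE_INVALID_RULE, {"expected_exit": 1}),
    ):
        problems = assess_task(doc, **kwargs)
        print(f"{label}: {'PASS' if not problems else '; '.join(problems)}")
```

Pass `expected_exit=2` for the missing-rule-name scenario and `expected_exit=1` for the invalid-rule scenario, so the error-handling checks in scenario 4 run through the same function as the success cases.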

6. CloudWatch Logging

  • All log events appear in /ecs/logguardian
  • Logs are structured JSON
  • Execution ID is unique for each run
  • Timestamps are accurate
  • Log retention is 30 days
  • No sensitive data (credentials) in logs
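The logging checks are the ones most likely to be skipped when done by hand, so here is an added audit script (not code from the LogGuardian repository) that runs them over the events returned by `aws logs filter-log-events --log-group-name /ecs/logguardian --start-time <epoch ms> --region ca-central-1`. It verifies that every message is a JSON object, that each task run (one log stream) carries exactly one execution ID and no ID is reused across runs, that event timestamps fall inside the test window, and that no access key IDs, secret keys or bearer tokens appear in any message. The events are constructed samples, and the `execution_id` field name is an assumption about LogGuardian's log schema; change the parameter if the real field is named differently.

```python
import json
import re
from collections import defaultdict

# Patterns that should never appear in application logs. Defensive and not
# exhaustive: AWS access key IDs, a secret-key assignment, and bearer tokens.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "AWS secret access key": re.compile(r"(?i)secret[_-]?access[_-]?key\W{0,3}[A-Za-z0-9/+=]{40}"),
    "bearer token": re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]{20,}"),
}

# Constructed events in the shape of `aws logs filter-log-events` output
# (the `events` array); two task runs, hence two log streams. The
# `execution_id` field name is an assumption about LogGuardian's log schema.
GOOD_EVENTS = [
    {"logStreamName": "ecs/logguardian/run-a", "timestamp": 1729785605000,
     "message": '{"level":"info","execution_id":"8f1c2d3e","msg":"starting",'
                '"config_rule":"cloudwatch-log-group-encrypted","dry_run":true}'},
    {"logStreamName": "ecs/logguardian/run-a", "timestamp": 1729785606000,
     "message": '{"level":"info","execution_id":"8f1c2d3e","msg":"found 2 non-compliant log groups"}'},
    {"logStreamName": "ecs/logguardian/run-b", "timestamp": 1729785902000,
     "message": '{"level":"info","execution_id":"0a9b8c7d","msg":"starting",'
                '"config_rule":"cloudwatch-log-group-encrypted","dry_run":false}'},
]
# A run that should fail the audit: AWS's documented example key ID in a debug
# line, followed by an unstructured message.
BAD_EVENTS = [
    {"logStreamName": "ecs/logguardian/run-c", "timestamp": 1729786100000,
     "message": '{"level":"debug","execution_id":"8f1c2d3e","msg":"credentials loaded: AKIAIOSFODNN7EXAMPLE"}'},
    {"logStreamName": "ecs/logguardian/run-c", "timestamp": 1729786101000,
     "message": "plain text line, not structured"},
]


def audit_events(events, execution_id_field="execution_id", window_ms=None):
    """Findings over a set of CloudWatch events; an empty list means the logs passed."""
    findings = []
    ids_per_stream = defaultdict(set)
    for i, ev in enumerate(events):
        msg = ev.get("message", "")
        stream = ev.get("logStreamName", "?")
        # Scan the raw text first so secrets are caught even in unstructured lines.
        for label, pat in SECRET_PATTERNS.items():
            if pat.search(msg):
                findings.append(f"event {i} ({stream}): possible {label} in log message")
        if window_ms and not (window_ms[0] <= ev.get("timestamp", -1) <= window_ms[1]):
            findings.append(f"event {i} ({stream}): timestamp outside the test window")
        try:
            body = json.loads(msg)
        except ValueError:
            body = None
        if not isinstance(body, dict):
            findings.append(f"event {i} ({stream}): message is not a JSON object")
            continue
        exec_id = body.get(execution_id_field)
        if not exec_id:
            findings.append(f"event {i} ({stream}): missing {execution_id_field}")
        else:
            ids_per_stream[stream].add(exec_id)
    # One execution ID per task run (one log stream), and never reused across runs.
    seen = {}
    for stream, ids in ids_per_stream.items():
        if len(ids) != 1:
            findings.append(f"stream {stream}: {len(ids)} execution IDs, expected exactly 1")
        for eid in ids:
            if eid in seen and seen[eid] != stream:
                findings.append(f"execution ID {eid} reused across streams {seen[eid]} and {stream}")
            seen.setdefault(eid, stream)
    return findings


if __name__ == "__main__":
    # Usage: aws logs filter-log-events ... | python audit_logs.py
    import sys
    events = json.load(sys.stdin)["events"] if not sys.stdin.isatty() else GOOD_EVENTS + BAD_EVENTS
    for finding in audit_events(events) or ["PASS"]:
        print(finding)
```

The secret patterns are intentionally narrow so the audit does not drown in false positives; treat any hit as a hard failure of the "no sensitive data" criterion and inspect the producing code path rather than just deleting the line.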

7. IAM Permissions

  • Task role can read AWS Config rules
  • Task role can modify CloudWatch log groups
  • Task role can write CloudWatch metrics
  • Execution role can pull ECR images
  • Execution role can write CloudWatch logs
  • No unnecessary/overly broad permissions

Verify Permissions:

aws iam get-role-policy --role-name logguardian-dev-task --policy-name logguardian-dev-task-policy
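Reading the policy by eye answers "can it do X" but rarely "does it do more than X". Here is an added linter (not code from the LogGuardian repository) for the `get-role-policy` output above: it confirms the actions implied by the checklist are granted and flags `Action: "*"`, service-wide `service:*` grants, actions outside the services LogGuardian needs, and mutating actions on `Resource: "*"`. The required-action list and the allowed-service set are assumptions derived from the checklist bullets (read Config rules, modify log groups, write metrics), not the project's documented policy; adjust them to what the binary actually calls. Both policy documents are constructed samples.

```python
import fnmatch
import json

# Assumed minimum task-role actions, derived from the checklist bullets.
# This is an assumption for the example, not LogGuardian's documented policy.
REQUIRED_ACTIONS = [
    "config:DescribeConfigRules",
    "config:DescribeComplianceByConfigRule",
    "config:GetComplianceDetailsByConfigRule",
    "logs:DescribeLogGroups",
    "logs:AssociateKmsKey",
    "cloudwatch:PutMetricData",
]
ALLOWED_SERVICES = {"config", "logs", "cloudwatch", "kms"}   # assumption
READ_PREFIXES = ("describe", "get", "list")
# Actions that only accept Resource "*" (no resource-level permissions).
RESOURCE_STAR_REQUIRED = {"cloudwatch:putmetricdata"}

# Constructed sample in the shape of `aws iam get-role-policy` output; the CLI
# returns PolicyDocument already decoded.
SAMPLE_GOOD = {
    "RoleName": "logguardian-dev-task",
    "PolicyName": "logguardian-dev-task-policy",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["config:DescribeConfigRules", "config:DescribeComplianceByConfigRule",
                        "config:GetComplianceDetailsByConfigRule"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["logs:DescribeLogGroups", "logs:AssociateKmsKey"],
             "Resource": "arn:aws:logs:ca-central-1:769392325486:log-group:*"},
            {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"},
        ],
    },
}
# The kind of policy that gets written in a hurry and fails the least-privilege bullet.
SAMPLE_BAD = {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["config:*", "logs:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_policy(doc):
    """Return (missing_required_actions, findings) for a get-role-policy response or a bare policy."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    policy = doc.get("PolicyDocument", doc)
    if isinstance(policy, str):          # older CLIs may leave it URL-decoded but serialized
        policy = json.loads(policy)
    findings, granted = [], []
    for n, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {n}: NotAction/NotResource grants are hard to bound; rewrite as explicit Allow")
        resources = _as_list(st.get("Resource", []))
        for a in (x.lower() for x in _as_list(st.get("Action", []))):
            if a == "*":
                findings.append(f"statement {n}: Action '*' is overly broad")
                continue
            service, _, verb = a.partition(":")
            if service not in ALLOWED_SERVICES:
                findings.append(f"statement {n}: action {a} is outside the expected services")
            if verb == "*":
                findings.append(f"statement {n}: {a} grants every {service} action")
            elif (not verb.startswith(READ_PREFIXES) and a not in RESOURCE_STAR_REQUIRED
                  and "*" in resources):
                findings.append(f"statement {n}: mutating action {a} on Resource '*'; scope it to an ARN")
            granted.append(a)
    missing = [r for r in REQUIRED_ACTIONS
               if not any(fnmatch.fnmatchcase(r.lower(), pat) for pat in granted)]
    return missing, findings


if __name__ == "__main__":
    # Usage: aws iam get-role-policy --role-name logguardian-dev-task \
    #            --policy-name logguardian-dev-task-policy | python lint_policy.py
    import sys
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_GOOD
    missing, findings = lint_policy(doc)
    for line in [f"missing: {m}" for m in missing] + findings:
        print(line)
    print("PASS" if not (missing or findings) else "FAIL")
```

Run it against the execution role too (`logguardian-dev-execution`) with `REQUIRED_ACTIONS` swapped for the ECR pull and `logs:CreateLogStream`/`logs:PutLogEvents` set; the wildcard and service checks apply unchanged.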

8. Multiple Config Rules

  • Works with AWS managed rules (e.g., cloudwatch-log-group-encrypted)
  • Works with custom Config rules
  • Handles rules with no non-compliant resources
  • Handles rules with many non-compliant resources (>10)

🎯 Acceptance Criteria

Must Pass:

  • ✅ All infrastructure resources deployed correctly
  • ✅ Manual dry-run execution succeeds (exit code 0)
  • ✅ Production mode successfully remediates resources
  • ✅ CloudWatch logs capture all execution details
  • ✅ IAM roles have appropriate permissions
  • ✅ Error handling works for invalid inputs
  • ✅ No sensitive data leaked in logs

Should Pass:

  • ✅ Task completes in <2 minutes
  • ✅ Fargate Spot is being utilized
  • ✅ Resource utilization is within limits
  • ✅ Works with multiple Config rules

🔧 Prerequisites for Testing

Access Required:

  • AWS Account: 769392325486 (zsoftly dev logguardian)
  • Region: ca-central-1
  • IAM Permissions: AdministratorAccess or equivalent

Tools Required:

  • AWS CLI configured
  • ztictl for authentication
  • Access to CloudWatch Logs console

Authentication:

ztictl auth login zsoftly
# Select: zsoftly dev logguardian (769392325486)
# Select: AdministratorAccess

export AWS_PROFILE=zsoftly
export AWS_REGION=ca-central-1
export AWS_PAGER=""

📊 Test Evidence

For each test scenario, document:

  1. Command executed
  2. Screenshot or output snippet
  3. Pass/Fail status
  4. Any issues found

Example:

Test: Manual Task Execution (Dry-Run)
Command: aws ecs run-task --cluster logguardian-dev...
Result: ✅ PASS
Exit Code: 0
Duration: 245ms
Resources Found: 2 non-compliant log groups
Screenshot: [link to CloudWatch logs]

🐛 Known Issues

None currently - this is the first QA pass


🔍 Areas of Concern

  1. Public Subnets: Using public subnets for dev. Confirm this is acceptable or needs NAT Gateway for production.
  2. ECR Image: Image is built from source. Verify GitHub Container Registry alternative if needed.
  3. Config Rule Creation: AWS Config must be enabled and rules created before LogGuardian can run.

📝 Additional Testing (Optional)

  • Test with disabled AWS Config
  • Test with no network connectivity
  • Test with revoked IAM permissions
  • Test concurrent task executions
  • Test with large number of resources (100+)
  • Load testing for batch processing

🚀 Next Steps After QA Pass

  1. Document deployment
  2. Create runbook
  3. Deploy to another environment
  4. Set up EventBridge triggers for automation
  5. Add Lambda orchestrator for batch processing
  6. Configure SNS notifications for failures
