<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>michaelheap.com</title>
  <subtitle>Thoughts on leadership, code and how to fix odd edge cases in tools (not necessarily in that order)</subtitle>
  <link href="https://michaelheap.com/rss" rel="self"/>
  <link href="https://michaelheap.com"/>
  <updated>2025-12-27T17:11:26Z</updated>
  <id>https://michaelheap.com</id>
  <author>
    <name>Michael Heap</name>
    <email>[email protected]</email>
  </author>
  
  <entry>
    <title>Electron Node Module Version</title>
    <link href="https://michaelheap.com/electron-node-module-version/"/>
    <updated>2025-12-27T17:11:26Z</updated>
    <id>https://michaelheap.com/electron-node-module-version/</id>
    <content type="html">&lt;p&gt;I&#39;ve been building an Electron app for the first time. It was all going well until I tried to use a dependency that involved native components. When I tried to run the app, I got an error that &lt;code&gt;[...] was compiled against a different Node.js version&lt;/code&gt;:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;Error occurred &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;in&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; handler &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;for&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;tasks:fetch&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;: Error: The module &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;/private/tmp/electron-demo/node_modules/better-sqlite3/build/Release/better_sqlite3.node&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;was compiled against a different Node.js version using&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;NODE_MODULE_VERSION 137. This version of Node.js requires&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;NODE_MODULE_VERSION 140. Please try re-compiling or re-installing&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;the module &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;(&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;for instance, using &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;`&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;npm rebuild&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;`&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; or &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;`&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;npm install&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;`&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;)&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;.&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;It turns out that the node.js and Electron ABIs are not compatible (see the &lt;a href=&quot;https://github.com/nodejs/node/blob/main/doc/abi_version_registry.json&quot;&gt;compatibility matrix&lt;/a&gt;), and any native code needs to be compiled specifically for Electron.&lt;/p&gt;
&lt;p&gt;To solve the issue above, you have to rebuild native modules for Electron using &lt;code&gt;@electron/rebuild&lt;/code&gt;:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;npm install --save-dev @electron/rebuild&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;./node_modules/.bin/electron-rebuild&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;Then &lt;code&gt;npm start&lt;/code&gt; and everything works.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;⚠️ You&#39;ll need to re-run &lt;code&gt;electron-rebuild&lt;/code&gt; after every &lt;code&gt;npm install&lt;/code&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2 id=&quot;reproduction-case&quot; tabindex=&quot;-1&quot;&gt;Reproduction case&lt;/h2&gt;
&lt;p&gt;If you&#39;re looking for a simple reproduction case:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;git clone https://github.com/mheap/electron-build-sample&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #88C0D0&quot;&gt;cd&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; electron-build-sample&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;npm install&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;npm start &lt;/span&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# You&#39;ll get an error here&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;Rebuild the native modules and try again:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;./node_modules/.bin/electron-rebuild&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;npm start&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;You&#39;ll see a task that says &amp;quot;Do the thing&amp;quot;.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Toolsmiths melt snowflakes</title>
    <link href="https://michaelheap.com/toolsmiths-melt-snowflakes/"/>
    <updated>2025-12-17T09:30:00Z</updated>
    <id>https://michaelheap.com/toolsmiths-melt-snowflakes/</id>
    <content type="html">&lt;p&gt;Every company has snowflakes. Each one unique, delicate, and guaranteed to melt under pressure.&lt;/p&gt;
&lt;p&gt;They accumulate quietly: the one-off script someone runs before every deploy, the spreadsheet with its own arcane formula logic, the onboarding flow that requires five Slack DMs to complete. Over time, those snowflake processes pile up into a blizzard of operational friction.&lt;/p&gt;
&lt;p&gt;Toolsmiths are the ones who melt them.&lt;/p&gt;
&lt;p&gt;They’re not the loudest people in the room. You won’t see them pitching product roadmaps or leading all-hands. But they build the quiet infrastructure that keeps a company from freezing in place. A toolsmith sees repetition and decides it shouldn’t exist. They build a small script, an automation, a workflow, and suddenly something that was fragile becomes reusable. That’s the kind of leverage that scales an organization, yet it’s often invisible.&lt;/p&gt;
&lt;h2 id=&quot;from-infrastructure-to-everywhere&quot; tabindex=&quot;-1&quot;&gt;From Infrastructure to Everywhere&lt;/h2&gt;
&lt;p&gt;The idea of codifying process isn’t new. The DevOps movement was built on it. Chef, Ansible, and later Terraform turned one-off, bespoke configurations into repeatable, version-controlled artifacts. Infrastructure stopped being artisanal; it became declarative.&lt;/p&gt;
&lt;p&gt;But somewhere along the way, the rest of the business got left behind. Marketing teams still handcraft campaigns in silos. Support teams dig through logs by memory. BI teams spend days reconciling slightly different versions of the truth in spreadsheets. Every team has its own snowflakes, and very few have the tools (or the permission) to melt them.&lt;/p&gt;
&lt;p&gt;If your business isn’t like this, congratulations! You’ve invested in systems and they’re paying off. Sadly though, many businesses haven’t (engineering teams included) and they’re just one typo away from a meltdown.&lt;/p&gt;
&lt;h2 id=&quot;the-small-tools-that-matter&quot; tabindex=&quot;-1&quot;&gt;The Small Tools That Matter&lt;/h2&gt;
&lt;p&gt;A few years ago, I built a simple CLI tool for GitHub. Its only job was to &lt;a href=&quot;https://github.com/mheap/pin-github-action&quot;&gt;pin every GitHub Action to a specific SHA&lt;/a&gt;. That’s it. It took an afternoon to write.&lt;/p&gt;
&lt;p&gt;Before that, every repository had workflows that pulled the latest version of an action. This was fine, until one day an upstream change broke half our builds. The “fix” was manual: open each repo, edit the workflow to pin to a specific commit hash, commit, push. Tedious, error-prone, and repeated by multiple teams.&lt;/p&gt;
&lt;p&gt;So I wrote a CLI that scanned all repos in our org and pinned each action automatically. One run. Hundreds of snowflakes gone.&lt;/p&gt;
&lt;p&gt;No one outside engineering noticed. But internally, it saved dozens of hours and reduced risk every time someone added a new workflow.&lt;/p&gt;
&lt;h2 id=&quot;toolsmiths-aren%E2%80%99t-just-developers&quot; tabindex=&quot;-1&quot;&gt;Toolsmiths Aren’t Just Developers&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Toolsmithing is a mindset, not a job title.&lt;/strong&gt; It’s what happens when someone sees a messy process and refuses to accept it as normal.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;In BI, it’s the analyst who turns scattered spreadsheets into a shared dashboard that updates automatically.&lt;/li&gt;
&lt;li&gt;In Support, it’s the agent who builds a small search interface over logs so others don’t need to memorize file paths or grep commands.&lt;/li&gt;
&lt;li&gt;In Partnerships, it’s the manager who realises that every customer onboarding ends up being unique, and builds a form or workflow that standardizes it.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These people often work in isolation because organizations don’t recognize what they’re doing as engineering. But it &lt;em&gt;is&lt;/em&gt; engineering - just applied to people, processes, and information ins tead of servers and code.&lt;/p&gt;
&lt;h2 id=&quot;start-small%2C-then-scale&quot; tabindex=&quot;-1&quot;&gt;Start Small, Then Scale&lt;/h2&gt;
&lt;p&gt;There’s a myth that internal tools need to be fully featured products. That mindset kills most automation before it starts. A wiki page of useful commands is a great first tool. A small script that one team uses can later become an API or a workflow in Slack.&lt;/p&gt;
&lt;p&gt;The question isn’t “Can we build this perfectly?” It’s “Is this pain common enough to solve once and share?”&lt;/p&gt;
&lt;p&gt;Too many companies overengineer the idea of tooling. They spin up projects, assign teams, and stall under the weight of process. But the best tools start informally. They’re acts of curiosity, not mandates. And once proven useful, they can be hardened, shared, and maintained.&lt;/p&gt;
&lt;h2 id=&quot;build-without-overbuilding&quot; tabindex=&quot;-1&quot;&gt;Build Without Overbuilding&lt;/h2&gt;
&lt;p&gt;Code is a liability, and not every solution needs it. Some of the best internal tools aren’t codebases at all. They’re Zapier automations, Airtable forms, or Slack workflows. Platforms like Retool and Node-RED exist precisely to help non-developers build lightweight, domain-specific tools.&lt;/p&gt;
&lt;p&gt;But even there, restraint matters. Internal tools don’t need to impress anyone; they need to save time. David Tuite calls this out in his essay on “&lt;a href=&quot;https://www.davidtuite.com/hidden-const-mediocre-internal-tools/&quot;&gt;the hidden cost of mediocre internal tools&lt;/a&gt;”: if a tool is 80% right and saves hours a week, that’s success. Perfection is the enemy of progress.&lt;/p&gt;
&lt;h2 id=&quot;the-cultural-blind-spot&quot; tabindex=&quot;-1&quot;&gt;The Cultural Blind Spot&lt;/h2&gt;
&lt;p&gt;Here’s the uncomfortable part: most companies don’t reward toolsmiths. They celebrate heroics instead. Everyone hears about the engineer who pulls an all-nighter, the support rep who clears a backlog manually. But &lt;a href=&quot;https://sre.google/resources/practices-and-processes/no-heroes/&quot;&gt;we don’t need any more superheroes&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;A toolsmith’s work is quieter. It’s the absence of pain, not the spectacle of solving it. But that quiet efficiency compounds. Each script, dashboard, and workflow removes another point of friction - another snowflake. Over time, it transforms the company’s metabolism.&lt;/p&gt;
&lt;p&gt;The irony is that the companies best at building products for others are often the worst at building tools for themselves.&lt;/p&gt;
&lt;h2 id=&quot;melting-snowflakes-at-scale&quot; tabindex=&quot;-1&quot;&gt;Melting Snowflakes at Scale&lt;/h2&gt;
&lt;p&gt;Empowering toolsmiths doesn’t mean spinning up a new “internal tools” department. It means creating permission structures that let anyone automate what hurts. It means treating those efforts as strategic, not peripheral. Give them time to do the work, and access to the systems they need.&lt;/p&gt;
&lt;p&gt;Imagine if every engineer, analyst, and operations specialist had an hour a week to improve their own workflow. Imagine if they had access to shared infrastructure. A data warehouse, a Retool instance, a place to share scripts safely. The compound effect would dwarf most process initiatives.&lt;/p&gt;
&lt;p&gt;That’s how you grow fast without breaking things: you melt snowflakes before they become avalanches.&lt;/p&gt;
&lt;h2 id=&quot;build-systems%2C-not-empires&quot; tabindex=&quot;-1&quot;&gt;Build Systems, not Empires&lt;/h2&gt;
&lt;p&gt;Organizations love to talk about scale, but scale doesn’t come from adding headcount. It comes from eliminating friction. Toolsmiths are the people who make that possible.&lt;/p&gt;
&lt;p&gt;If you want to grow, don’t just hire more hands. Empower the ones you have to build better tools. Give them permission to tinker. Recognise their work.&lt;/p&gt;
&lt;p&gt;Because every snowflake you melt makes your company a little stronger.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Parse Codex `jsonl` with `jq`</title>
    <link href="https://michaelheap.com/extract-codex-conversation/"/>
    <updated>2025-12-12T16:27:46Z</updated>
    <id>https://michaelheap.com/extract-codex-conversation/</id>
    <content type="html">&lt;p&gt;I recently &lt;a href=&quot;https://michaelheap.com/gh-saved-issues/&quot;&gt;built a GitHub extension&lt;/a&gt; using ChatGPT Codex, and I wanted to share the prompts that I gave to Codex to build the tool.&lt;/p&gt;
&lt;p&gt;I thought about copy/pasting it out of the VSCode UI, but figured that the data must be available somewhere. It turns out that Codex stores sessions as &lt;code&gt;.jsonl&lt;/code&gt; files in &lt;code&gt;.codex/sessions&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Looking through the session files, there&#39;s a ton of data in there around what the LLM does, but I was only interested in messages that I sent. Fortunately each user message has &lt;code&gt;type: user_message&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Here&#39;s a one liner that uses &lt;code&gt;jq&lt;/code&gt; to output all of the user messages for a given session:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;cat .codex/sessions/2025/12/04/rollout-2025-12-04T22-06-28-019aeb67-0620-71c1-8cbb-756bc8845c6e.jsonl &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;|&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; \&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  jq -r &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;. |&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;  select(.payload.type == &quot;user_message&quot;) |&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;  .payload.message |&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;  split(&quot;\n## My request for Codex:\n&quot;)[1] + &quot;\n\n--- NEW COMMAND ---\n\n&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
</content>
  </entry>
  
  <entry>
    <title>Building `gh-saved-issues` using ChatGPT Codex</title>
    <link href="https://michaelheap.com/gh-saved-issues/"/>
    <updated>2025-12-12T07:59:44Z</updated>
    <id>https://michaelheap.com/gh-saved-issues/</id>
    <content type="html">&lt;p&gt;I spend a &lt;em&gt;lot&lt;/em&gt; of time on the &lt;code&gt;/issues&lt;/code&gt; page on GitHub. Working across multiple repos in multiple orgs, it can be difficult to keep up to date on what&#39;s happening. &lt;code&gt;/issues&lt;/code&gt; allows me to see everything on a single page.&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;/issues&lt;/code&gt; page allows you to create saved searches and view them when needed. Here are a couple of examples that I use every day:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# My PRs that are awaiting review&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;is:pr author:@me state:open org:Kong -draft:true&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Issues open on my personal projects (excluding dependency updates + my blog)&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;state:open archived:false sort:updated-desc user:mheap -author:app/dependabot -repo:mheap/michaelheap.com is:issue&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;I also started out with a &amp;quot;all PRs awaiting review from me filter&amp;quot;:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Awaiting review from me within the Kong org&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;is:pr state:open org:Kong review-requested:@me&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;However, I found that I wasn&#39;t looking at it as there were regularly too many items to review in a single session. So instead, I started segmenting my reviews by context:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# All Terraform PRs&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;is:pr state:open -author:app/renovate &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;(&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;repo:Kong/terraform-provider-konnect OR repo:Kong/terraform-provider-konnect-beta OR repo:Kong/terraform-provider-kong-gateway&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;)&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;This worked much better, but then I realised that I&#39;d need to keep 90% of the search consistent, but change the repos being shown for various different contexts.&lt;/p&gt;
&lt;p&gt;So I did what anyone would - I started reverse engineering the GraphQL queries needed to configure saved searches and building a configuration file with template support.&lt;/p&gt;
&lt;p&gt;If you&#39;re just looking for the tool, you can find it at &lt;a href=&quot;https://github.com/mheap/gh-saved-issues&quot;&gt;mheap/gh-saved-issues&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This tool is my first attempt at building something with an agent. Keep reading to see my experience.&lt;/p&gt;
&lt;h3 id=&quot;building-with-codex&quot; tabindex=&quot;-1&quot;&gt;Building with Codex&lt;/h3&gt;
&lt;p&gt;I did some research before prompting Codex, including extracting &lt;code&gt;curl&lt;/code&gt; commands from developer tools. I pasted these commands into my initial prompt&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;You are an expert Go developer. You have been tasked to build a GitHub CLI extension to configure saved searches on GitHub. The CLI layer should be very thin, and all of the logic for working with the API must be included in library files.&lt;/p&gt;
&lt;p&gt;The tool should accept a configuration file (located at $XDG_CONFIG_HOME/.github-searches.yaml) in the following format:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;yaml&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;searches&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Assigned to me (Kong)&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;state:open archived:false assignee:@me sort:updated-desc org:Kong&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Assigned to Steve (All Orgs)&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;state:open archived:false assignee:steve.doe sort:updated-desc&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Work from Alice&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;template&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;recent-work&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;vars&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;user&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;alice.jones&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;time&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;7d&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Work from Bob&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;template&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;recent-work&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;vars&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;user&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;bob.smith&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;templates&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;	&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;recent-work&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;	  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;org:Kong ((assignee:{{ user }} AND is:issue) OR (is:pr AND author:{{ user }})) (is:open OR updated:&amp;gt;@today-{{ default(time, &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;30d&quot;) }}) sort:updated-desc&quot;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;If the search has an &lt;code&gt;id&lt;/code&gt; associated with it, update the existing rule. Otherwise create a new one then update the configuration file to set the &lt;code&gt;id&lt;/code&gt; value.&lt;/p&gt;
&lt;p&gt;To create a new saved issue search, make the following request (but use Go, don&#39;t shell out to curl):&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;curl &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;https://github.com/_graphql&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; \&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  --data-raw &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;{&quot;query&quot;:&quot;c06c5627e09922bd28c6d34ff91d0530&quot;,&quot;variables&quot;:{&quot;input&quot;:{&quot;color&quot;:&quot;GRAY&quot;,&quot;icon&quot;:&quot;BOOKMARK&quot;,&quot;name&quot;:&quot;Untitled view&quot;,&quot;query&quot;:&quot;&quot;,&quot;searchType&quot;:&quot;ISSUES&quot;}}}&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;To update a search, use this request (shortcutId is the &lt;code&gt;id&lt;/code&gt; from the config):&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;curl &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;https://github.com/_graphql&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; \&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  --data-raw &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;{&quot;query&quot;:&quot;379dbe4cf68c3485e48df2f699f5ae75&quot;,&quot;variables&quot;:{&quot;input&quot;:{&quot;color&quot;:&quot;GRAY&quot;,&quot;description&quot;:&quot;Test&quot;,&quot;icon&quot;:&quot;BOOKMARK&quot;,&quot;name&quot;:&quot;Demo123&quot;,&quot;query&quot;:&quot;user:mheap&quot;,&quot;scopingRepository&quot;:null,&quot;shortcutId&quot;:&quot;SSC_kgDOAB3rrw&quot;}}}&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;If a user sets &lt;code&gt;remove: true&lt;/code&gt; on a query, you can delete the search using the following request:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;curl &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;https://github.com/_graphql&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; \&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  --data-raw &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;{&quot;query&quot;:&quot;2939ea7192de2c6284da481de6737322&quot;,&quot;variables&quot;:{&quot;input&quot;:{&quot;shortcutId&quot;:&quot;SSC_kgDOAB3rsg&quot;}}}&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;Build the CLI, and also bootstrap test cases for all library code.&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;At this point most of the work was done, except it didn&#39;t work. This graphql endpoint is not accessible using a GitHub token, it needs a cookie session to be specified&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;In addition to &lt;code&gt;req.Header.Set(&amp;quot;Authorization&amp;quot;, &amp;quot;Bearer &amp;quot;+c.token)&lt;/code&gt;, allow me to specify a cookie like:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  -b &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;_device_id=ID_HERE; user_session=SESSION_HERE&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&#39;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; \&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;This made the API requests work, but I realised that updating an existing config wasn&#39;t working due to a bug in findShortcutId.&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Fix findShortcutId&lt;/p&gt;
&lt;p&gt;The response looks like the following:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;json&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;{&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;data&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:{&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;createDashboardSearchShortcut&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:{&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;dashboard&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:{&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;shortcuts&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:{&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;totalCount&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;4&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;nodes&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:[{&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;id&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;SSC_kgDOAA2otQ&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;mheap: Open Issues&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;state:open archived:false sort:updated-desc user:mheap -author:app/dependabot -repo:mheap/michaelheap.com is:issue &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;icon&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;BOOKMARK&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;color&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;GRAY&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;description&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;scopingRepository&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;null&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;},{&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;id&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;SSC_kgDOABdOWA&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Kong: My Open PRs&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;is:pr author:@me state:open org:Kong -draft:true&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;icon&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;BOOKMARK&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;color&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;GRAY&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;description&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;scopingRepository&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;null&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;},{&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;id&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;SSC_kgDOABdOZw&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Kong: Awaiting Review from Me&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;is:pr state:open org:Kong review-requested:@me -repo:Kong/platform-api &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;icon&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;BOOKMARK&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;color&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;GRAY&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;description&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;scopingRepository&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;null&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;},{&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;id&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;SSC_kgDOABdOaA&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;mheap: Awaiting Review from Me&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;state:open archived:false sort:updated-desc user:mheap -author:app/dependabot -repo:mheap/michaelheap.com is:pr &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;icon&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;BOOKMARK&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;color&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;GRAY&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;description&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;scopingRepository&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;null&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;}&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;Search for &amp;quot;name: Kong: My Open PRs&amp;quot; and extact the &lt;code&gt;id&lt;/code&gt; field from that value&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;This worked, but was inefficient. Codex walked every node in the tree looking for IDs.&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;You don&#39;t have to walk the tree. The data is always in data.createDashboardSearchShortcut.dashboard.shortcuts.nodes&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Success! Now let&#39;s add some new capabilities&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Now group the searches by &lt;code&gt;section&lt;/code&gt;. For each section, create an empty query with the title &amp;quot;== $SECTION ==&amp;quot; above the list of items&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;This worked, but didn&#39;t feel right to me.&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Actually, I changed my mind. Don&#39;t use &lt;code&gt;section&lt;/code&gt; in a config. Instead, sections will be defined explicitly e.g.&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;yaml&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;searches&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;section&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Demo&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;id&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;SSC_kgDOAB5MiA&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Test 1&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;state:open archived:false assignee:@me sort:updated-desc org:Kong&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;template&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;vars&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;{}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;remove&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;false&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;id&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;SSC_kgDOAB5MiQ&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Work from Alice&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;template&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;recent-work&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;vars&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;time&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;30d&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;user&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;alice.jones&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;remove&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;false&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;templates&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;recent-work&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;org:Kong ((assignee:{{ user }} AND is:issue) OR (is:pr AND author:{{ user }})) (is:open OR updated:&amp;gt;@today-{{ default(time, &quot;30d&quot;) }}) sort:updated-desc&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Much better! But my section configs were being given a &lt;code&gt;query&lt;/code&gt; entry unexpectedly in the updated config like this:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;yaml&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;id&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;SSC_kgDOAB5MiA&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;section&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Demo&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;template&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;vars&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;{}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;remove&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;false&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;I wanted it to look like this:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;yaml&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;id&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;SSC_kgDOAB5MiA&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;section&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Demo&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Do not replace section configs with a full query object. It should contain only &lt;code&gt;id&lt;/code&gt; and &lt;code&gt;section&lt;/code&gt;&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Everything looked good at this point. I wanted to try recreating everything so that the order in my config file is respected (right now, the section is the last item as it&#39;s the most recently created)&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Add a --force flag to the CLI that deletes all existing configs and recreates them, even if an ID is set&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;It worked, but I realised that the flag name should really be &lt;code&gt;--recreate&lt;/code&gt;.&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Rename the force flag to --recreate&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;How about use cases where I want to remove all saved searches without recreating them?&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Also add a --reset flag that removes all entries without creating anything&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;At this point, the CLI was finished. It can create saved searches, with section markers and recreate all saved searches to enforce ordering.&lt;/p&gt;
&lt;p&gt;But I wasn&#39;t done. I had an idea for another template, but needed a way to provide multiple repos as a list:&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Add support for the join function in templates. Example usage:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;yaml&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Terraform PRs&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;template&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;repo-prs&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;vars&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;repos&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;repo:Kong/terraform-provider-konnect&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;repo:Kong/terraform-provider-konnect-beta&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;repo:Kong/terraform-provider-kong-gateway&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;yaml&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;repo-prs&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;query&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;is:pr state:open ({{ join(repos, &quot;OR&quot;) }}) -author:app/renovate draft:false {{ additional }}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Uh oh! There&#39;s a bug. I used &lt;code&gt;{{ additional }}&lt;/code&gt; in the template to add additional filters using a free-form string. If there are no additional parameters, I expected it to resolve to an empty string (meaning &amp;quot;no additional filters&amp;quot;).&lt;/p&gt;
&lt;p&gt;However, if a config didn&#39;t specify an empty string we got an error. I pasted the error message into Codex to try and fix it:&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;template: query:1: function &amp;quot;additional&amp;quot; not defined - can the template code treat missing values as null?&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;All working as expected, but how do people know how to use it?&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Produce a &lt;a href=&quot;http://readme.md/&quot;&gt;README.md&lt;/a&gt; teaching people how to use this tool&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The README mentions a &lt;code&gt;--config&lt;/code&gt; flag, but it doesn&#39;t exist. Sounds like a good idea to me&lt;/p&gt;
&lt;div class=&quot;ai-input&quot;&gt;
&lt;div class=&quot;ai-header&quot;&gt;
📝 Prompt
&lt;/div&gt;
&lt;div class=&quot;ai-body&quot;&gt;
&lt;p&gt;Implement the --config flag like the README indicates&lt;/p&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;At this point, I had something I wanted to ship 🎉&lt;/p&gt;
&lt;h3 id=&quot;reflection&quot; tabindex=&quot;-1&quot;&gt;Reflection&lt;/h3&gt;
&lt;p&gt;Honestly, I had a great time building this tool. I&#39;m not sure it was faster than writing it by hand, but I did it in the background while doing something else and it ended up saving me a ton of time. If I had to write it by hand, I probably wouldn&#39;t have finished this project.&lt;/p&gt;
&lt;p&gt;I &lt;em&gt;did&lt;/em&gt; do a little bit extra by hand after the session above. I added a GitHub Action to build and release the extension, which means you can run it with &lt;code&gt;gh extension install https://github.com/mheap/gh-saved-issues&lt;/code&gt;.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Display mirroring with Hammerspoon</title>
    <link href="https://michaelheap.com/toggle-mirroring-hammerspoon/"/>
    <updated>2025-12-08T13:59:48Z</updated>
    <id>https://michaelheap.com/toggle-mirroring-hammerspoon/</id>
    <content type="html">&lt;p&gt;I need to mirror my screens periodically - enough that it&#39;s painful to go in to system settings each time and configure mirroring.&lt;/p&gt;
&lt;p&gt;Here&#39;s a Hammerspoon snippet that will toggle mirroring. It works because &lt;code&gt;allScreens&lt;/code&gt; returns a single value if your second screen is mirroring the first.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;C34H89x&lt;/code&gt; and &lt;code&gt;LC49G95T&lt;/code&gt; are my screen names, which I looked up in system settings.&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;lua&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;hs.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;hotkey&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #88C0D0&quot;&gt;bind&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;({ &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;cmd&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;, &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;alt&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;, &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;ctrl&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;, &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;shift&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; }, &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;M&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;, &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;function&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;()&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;	&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;local&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; screens &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; hs.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;screen&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #88C0D0&quot;&gt;allScreens&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;()&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;	&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;if&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;#&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;screens &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;==&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;1&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;then&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;		screens[&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;1&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;]:&lt;/span&gt;&lt;span style=&quot;color: #88C0D0&quot;&gt;mirrorStop&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;()&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;	&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;else&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;		&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;local&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; screenToMirror &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; hs.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;screen&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #88C0D0&quot;&gt;find&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;(&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;C34H89x&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;)&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;		&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;local&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; screenToHide &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; hs.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;screen&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #88C0D0&quot;&gt;find&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;(&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;LC49G95T&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;)&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;		screenToHide:&lt;/span&gt;&lt;span style=&quot;color: #88C0D0&quot;&gt;mirrorOf&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;(screenToMirror)&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;	&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;end&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;end&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;)&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
</content>
  </entry>
  
  <entry>
    <title>Automated NPM secret rotation in GitHub Actions</title>
    <link href="https://michaelheap.com/rotate-all-npm-tokens-github-actions/"/>
    <updated>2025-11-16T19:49:03Z</updated>
    <id>https://michaelheap.com/rotate-all-npm-tokens-github-actions/</id>
    <content type="html">&lt;p&gt;NPM recently announced that all long-lived tokens are being revoked, and that going forwards any new tokens may be valid for a maximum of 90 days.&lt;/p&gt;
&lt;p&gt;This presents a challenge for me, as I&#39;ve built a system where when I tag a release on GitHub in my JavaScript projects, it builds and publishes to NPM using an access token. Rotating those tokens regularly would be a lot of toil.&lt;/p&gt;
&lt;h2 id=&quot;upgrading-to-oidc&quot; tabindex=&quot;-1&quot;&gt;Upgrading to OIDC&lt;/h2&gt;
&lt;p&gt;The correct way to solve this is to adopt &lt;a href=&quot;https://docs.npmjs.com/trusted-publishers#for-github-actions&quot;&gt;trusted publishing (OIDC)&lt;/a&gt;. However, I don&#39;t have time to update all of my projects right now. I&#39;d like to keep using an access token until I have time to update each project.&lt;/p&gt;
&lt;h2 id=&quot;rotating-github-actions-user-secrets-at-scale&quot; tabindex=&quot;-1&quot;&gt;Rotating GitHub Actions user secrets at scale&lt;/h2&gt;
&lt;p&gt;Fortunately, back in 2020 I was feeling the pain of rotating GitHub secrets for a user account as I couldn&#39;t use organization level secrets and built &lt;a href=&quot;https://github.com/mheap/github-update-secret&quot;&gt;github-update-secret&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;github-update-secret&lt;/code&gt; iterates over all of your repositories and checks if the provided secret name is set. If so, it updates the value to the new value provided.&lt;/p&gt;
&lt;h3 id=&quot;how-it-works&quot; tabindex=&quot;-1&quot;&gt;How it works&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Provide GitHub authentication by populating the &lt;code&gt;GITHUB_TOKEN&lt;/code&gt; environment variable, or passing the &lt;code&gt;--pat&lt;/code&gt; flag to the CLI&lt;/li&gt;
&lt;li&gt;Fetch a list of all repos to which the authenticated user has admin access for the provided user/org&lt;/li&gt;
&lt;li&gt;Fetch the list of secrets on each repository&lt;/li&gt;
&lt;li&gt;For each repository that has a secret named the same as the provided &lt;code&gt;SECRET_NAME&lt;/code&gt;, update the value of that secret&lt;/li&gt;
&lt;li&gt;Check if the provided target is an organisation.&lt;/li&gt;
&lt;li&gt;If so:
&lt;ul&gt;
&lt;li&gt;Check if there is an org secret named &lt;code&gt;SECRET_NAME&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;If there is, update the value&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id=&quot;example&quot; tabindex=&quot;-1&quot;&gt;Example&lt;/h3&gt;
&lt;p&gt;I just rotated all of my &lt;code&gt;NPM_TOKEN&lt;/code&gt; secrets with a secret that&#39;s valid for another 90 days using the following command:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;GITHUB_TOKEN=ghp_... DEBUG=github-update-secret npx github-update-secret &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;user/org&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;SECRET_NAME&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;&amp;gt;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;&amp;lt;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;new_value&lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;&amp;gt;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;Running the tool with &lt;code&gt;DEBUG=github-update-secret&lt;/code&gt; allows you to see all of the repositories that are being updated:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;❯ DEBUG=github-update-secret npx github-update-secret mheap NPM_TOKEN npm_...&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Fetching repo list +0ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Processed repo list +2s&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Building list of repos using &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;[&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;npm_token&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;]&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; +0ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Found &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;[&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;27&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;]&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; repos with the secret &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;[&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;npm_token&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;]&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; +2s&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Updating action-guard +1ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Updated action-guard +347ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Updating action-router +1ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Updated action-router +381ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Updating action-run +1ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Updated action-run +338ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Updating actions-output-wrapper +0ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;...snip...&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret Check &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;if&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; provided user is an org +0ms&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  github-update-secret User is not an org. Skipping org secret update +142ms&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;NPM’s move to 90-day tokens is good for security but rough on existing workflows. OIDC is the long-term fix, but until I can update each project, &lt;code&gt;github-update-secret&lt;/code&gt; gives me a quick way to rotate tokens across all my repos and keep releases moving. It’s not perfect, but it provides enough breathing room until I can do the real migration.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>JSON Semantic Diff</title>
    <link href="https://michaelheap.com/json-semantic-diff/"/>
    <updated>2025-11-16T18:19:42Z</updated>
    <id>https://michaelheap.com/json-semantic-diff/</id>
    <content type="html">&lt;p&gt;&lt;a href=&quot;https://github.com/geofffranks/spruce&quot;&gt;Spruce&lt;/a&gt; is a general purpose YAML &amp;amp; JSON merging tool, and one of it&#39;s subcommands is a semantic JSON diff. It captures added and removed fields, and highlights any type changes.&lt;/p&gt;
&lt;h2 id=&quot;installing-spruce&quot; tabindex=&quot;-1&quot;&gt;Installing Spruce&lt;/h2&gt;
&lt;p&gt;Spruce is written in Go, and can be installed in many different ways:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;With &lt;code&gt;mise&lt;/code&gt; (which I highly recommend):&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;mise use -g github:geofffranks/spruce&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;With &lt;code&gt;brew&lt;/code&gt; if you&#39;re on MacOS&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;brew install starkandwayne/cf/spruce&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;With &lt;code&gt;go get&lt;/code&gt;:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;go get github.com/geofffranks/spruce&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id=&quot;example-usage&quot; tabindex=&quot;-1&quot;&gt;Example usage&lt;/h2&gt;
&lt;p&gt;Here are two sample JSON files. Between the first and the second, I&#39;ve changed a value, changed two data types, and removed two fields:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;json&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;{&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Alice&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;age&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;30&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;pets&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Fido&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;favourite_cake&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Carrot cake&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;another&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;{&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;value&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;here&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;json&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;{&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Alice Smith&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;age&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;30&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;pets&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;[&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Fido&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;],&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;another&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;{}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;If we run &lt;code&gt;spruce diff&lt;/code&gt;, this information is returned to us in a format that makes is &lt;em&gt;very&lt;/em&gt; easy to see the diffs:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;diff&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;$ spruce diff first.json second.json&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;(root level)&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #BF616A&quot;&gt; one map entry removed:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;favourite_cake: &quot;Carrot cake&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;age&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;± type change from string to int&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #BF616A&quot;&gt; 30&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;+&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; 30&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;another&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #BF616A&quot;&gt; one map entry removed:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;value: here&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;name&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;± value change&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #BF616A&quot;&gt; Alice&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;+&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; Alice Smith&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;pets&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;± type change from string to list&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #BF616A&quot;&gt; Fido&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;+&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; - Fido&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
</content>
  </entry>
  
  <entry>
    <title>Say Three Things</title>
    <link href="https://michaelheap.com/say-three-things/"/>
    <updated>2025-11-06T21:03:56Z</updated>
    <id>https://michaelheap.com/say-three-things/</id>
    <content type="html">&lt;p&gt;We’ve all been in &lt;em&gt;that&lt;/em&gt; meeting, with a dozen people sat on Zoom, not quite sure why they’re there. The more jaded of the group might have their camera off, trying to do some work while they listen in. Others might keep their camera on, trying to stay focused on what’s being said.&lt;/p&gt;
&lt;p&gt;No matter if your camera is on or off, if you’re not participating in the meeting why are you there at all? &lt;a href=&quot;https://knowyourmeme.com/photos/1753854-shiba-inu-barking-in-an-office-meeting&quot;&gt;This meeting could have been an email&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Except, it couldn’t. People &lt;em&gt;are&lt;/em&gt; interacting on the call. There’s a lot of nuance in the discussion that would be missed in a summary. You need to be there to hear it. So how do you make the most of your time?&lt;/p&gt;
&lt;p&gt;Remind people that you exist. Say at least three things in the meeting. It doesn’t matter if you’re meeting with your CEO or your newest, most junior hire. Speaking up reminds people that you’re there.&lt;/p&gt;
&lt;p&gt;If you stay silent, they’re likely to forget you were even there. Or worse, assume that you don’t understand what’s going on around you. By speaking up, you can paint a picture of how you want to be perceived.&lt;/p&gt;
&lt;h2 id=&quot;what-three-things-should-i-say%3F&quot; tabindex=&quot;-1&quot;&gt;What Three Things Should I Say?&lt;/h2&gt;
&lt;p&gt;“But I don’t have anything to add!” I hear you say. Wonderful! Neither do a lot of people that can’t stop talking in meetings (myself included). Here are a couple of my favourite ways to inject myself into the conversation.&lt;/p&gt;
&lt;h3 id=&quot;1.-clarify&quot; tabindex=&quot;-1&quot;&gt;1. Clarify&lt;/h3&gt;
&lt;p&gt;“&lt;em&gt;Can I try to summarise to make sure that I’m following? I heard…&lt;/em&gt;”&lt;/p&gt;
&lt;p&gt;This is a great way to illustrate that you understand what’s going on. There’s always someone on the call that was distracted by a Slack message, a knock at the door, or a butterfly and they&#39;re very appreciative that you just summarised the last 5 minutes of conversation.&lt;/p&gt;
&lt;h3 id=&quot;2.-capture&quot; tabindex=&quot;-1&quot;&gt;2. Capture&lt;/h3&gt;
&lt;p&gt;“&lt;em&gt;So the next steps are for Alice and Bob to submit a proposal for how to proceed. I’ve captured that in the meeting notes. Is there a specific date we need that by?&lt;/em&gt;”&lt;/p&gt;
&lt;p&gt;Being the note taker is a thankless task, but it also gives you the opportunity to speak. It also helps build a reputation as someone that helps drive progress.&lt;/p&gt;
&lt;h3 id=&quot;3.-connect&quot; tabindex=&quot;-1&quot;&gt;3. Connect&lt;/h3&gt;
&lt;p&gt;“&lt;em&gt;Has anyone spoken to Charlie about this? I can see some parallels with Project Flubjam&lt;/em&gt;”&lt;/p&gt;
&lt;p&gt;This one takes some organisational context, but being the person to connect the dots between orgs is a huge differentiator&lt;/p&gt;
&lt;h3 id=&quot;4.-chat&quot; tabindex=&quot;-1&quot;&gt;4. Chat&lt;/h3&gt;
&lt;p&gt;And if all else fails, join the meeting early. The few unscripted minutes before a call are often the most human ones. Ask about someone’s weekend or joke about the weather - people remember small talk more than polished summaries.&lt;/p&gt;
&lt;h2 id=&quot;why-it-matters&quot; tabindex=&quot;-1&quot;&gt;Why It Matters&lt;/h2&gt;
&lt;p&gt;Saying three things in every meeting isn’t about filling airtime or proving your worth. It’s about showing up with intention.&lt;/p&gt;
&lt;p&gt;Your aim isn’t to be the person that speaks for 25 minutes of a 30 minute meeting. Prioritise clarity and brevity - 15-30 seconds of talking per point is enough.&lt;/p&gt;
&lt;p&gt;You’re signalling that you’re engaged, thoughtful, and invested in the outcome. Whether you’re clarifying, summarising, or connecting dots, those small contributions compound over time into credibility and visibility.&lt;/p&gt;
&lt;p&gt;Silence might feel safe, but it also makes you invisible. Speaking up, even briefly, ensures that when decisions are made or opportunities arise, people remember that you were part of the conversation rather than being just another name on the invite list.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Run a container on a schedule with ECS</title>
    <link href="https://michaelheap.com/ecs-scheduled-container/"/>
    <updated>2025-06-02T08:00:13Z</updated>
    <id>https://michaelheap.com/ecs-scheduled-container/</id>
    <content type="html">&lt;p&gt;I&#39;ve got a Docker container that I want to run periodically to fetch data and store it in a database. As this is something that needs to run persistently, I&#39;m using Terraform to manage the infrastructure. It took me a while to figure out all the required resources and permissions, so I thought I&#39;d share my solution here.&lt;/p&gt;
&lt;p&gt;To securely run a container on a schedule in ECS, I needed to:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Initialise Terraform&lt;/li&gt;
&lt;li&gt;Configure any secrets that the container needs&lt;/li&gt;
&lt;li&gt;Create an ECS Fargate cluster, and a VPC for the container to run in&lt;/li&gt;
&lt;li&gt;Create an IAM role for the container to execute as&lt;/li&gt;
&lt;li&gt;Create an IAM role for EventBridge to trigger the ECS task&lt;/li&gt;
&lt;li&gt;Define an EventBridge schedule trigger&lt;/li&gt;
&lt;li&gt;Define a task&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&quot;initialise-terraform&quot; tabindex=&quot;-1&quot;&gt;Initialise Terraform&lt;/h2&gt;
&lt;p&gt;Create &lt;code&gt;providers.tf&lt;/code&gt; containing the AWS profile and region you want to use:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;hcl&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;provider&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;region&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;us-east-2&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;profile&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;default&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;Then run &lt;code&gt;terraform init&lt;/code&gt;.&lt;/p&gt;
&lt;h2 id=&quot;secrets&quot; tabindex=&quot;-1&quot;&gt;Secrets&lt;/h2&gt;
&lt;p&gt;The container that I&#39;m running needs access to some secret values as environment variables. I read the two most sensitive items from &lt;code&gt;tfvars&lt;/code&gt;, and hard code the role as the Terraform repo is private anyway. The &lt;code&gt;test/area/role&lt;/code&gt; secret is really just configuration rather than being a secret:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;hcl&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;variable&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;AREA_USERNAME&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;description&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;Username for AREA access&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;type&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; string&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;sensitive&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;true&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;variable&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;AREA_PASSWORD&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;description&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;Password for AREA access&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;type&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; string&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;sensitive&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;true&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;locals&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;my_secrets&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &quot;test/area/username&quot; = var.AREA_USERNAME&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &quot;test/area/password&quot; = var.AREA_PASSWORD&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &quot;test/area/role&quot;     = &quot;some_role&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_secretsmanager_secret&quot; &quot;my_secrets&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;for_each&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; local&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;my_secrets&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;     &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; each&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;key&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_secretsmanager_secret_version&quot; &quot;my_secret_values&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;for_each&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; local&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;my_secrets&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;secret_id&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;     &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_secretsmanager_secret&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;my_secrets[each&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;key].id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;secret_string&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; each&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;value&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;h2 id=&quot;ecs-cluster-and-vpc&quot; tabindex=&quot;-1&quot;&gt;ECS Cluster and VPC&lt;/h2&gt;
&lt;p&gt;ECS allows you to scale to zero, but you still need a VPC to spin up containers in. My containers need internet access, so here&#39;s how I create an ECS cluster and VPC with internet access:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;hcl&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Create an ECS cluster&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_ecs_cluster&quot; &quot;my_cluster&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;demo-fargate-cluster&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Create a VPC and network, allowing all egress traffic&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_vpc&quot; &quot;main&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;cidr_block&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;           &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;10.0.0.0/16&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;enable_dns_hostnames&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;true&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_subnet&quot; &quot;public&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;vpc_id&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;                  &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_vpc&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;main&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;cidr_block&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;              &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;10.0.1.0/24&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;availability_zone&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;       &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;us-east-2a&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;map_public_ip_on_launch&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;true&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# You could also use a NAT gateway instead. We use an internet gateway&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# due to speed / cost reasons in this example&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_internet_gateway&quot; &quot;gw&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;vpc_id&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_vpc&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;main&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_route_table&quot; &quot;public&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;vpc_id&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_vpc&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;main&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;route&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;cidr_block&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;0.0.0.0/0&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;gateway_id&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_internet_gateway&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;gw&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_route_table_association&quot; &quot;public_assoc&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;subnet_id&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_subnet&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;public&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;route_table_id&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_route_table&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;public&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_security_group&quot; &quot;ecs_tasks&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;ecs-scheduled-tasks-sg&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;description&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;Allow outbound traffic&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;vpc_id&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_vpc&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;main&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;egress&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;from_port&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;0&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;to_port&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;     &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;0&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;protocol&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;-1&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;cidr_blocks&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; [&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;0.0.0.0/0&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;h2 id=&quot;execution-iam-role&quot; tabindex=&quot;-1&quot;&gt;Execution IAM role&lt;/h2&gt;
&lt;p&gt;The container that runs does not have access to AWS Secrets Manager by default. To allow access, I create a new IAM role that the container will assume using &lt;code&gt;sts:AssumeRole&lt;/code&gt; before running. This new role has a policy attached that allows access to specific secrets in AWS Secrets Manager.&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;hcl&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Allow ECS to assume this role&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_iam_role&quot; &quot;ecs_task_execution&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;ecs-task-execution-role&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;assume_role_policy&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; jsonencode({&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Version = &quot;2012-10-17&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Statement = [{&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      Effect = &quot;Allow&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      Principal = {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        Service = &quot;ecs-tasks.amazonaws.com&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      },&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Action&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;sts:AssumeRole&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    }]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  })&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Create a policy that allows access to the secrets we defined earlier&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_iam_policy&quot; &quot;ecs_execution_secrets_access&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;ecs-exec-secrets-access&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;policy&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; jsonencode({&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Version = &quot;2012-10-17&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Statement = [{&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      Effect = &quot;Allow&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      Action = [&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &quot;secretsmanager:GetSecretValue&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &quot;secretsmanager:DescribeSecret&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      ],&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      Resource = [&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        aws_secretsmanager_secret.my_secrets[&quot;test/area/username&quot;].arn,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        aws_secretsmanager_secret.my_secrets[&quot;test/area/password&quot;].arn,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        aws_secretsmanager_secret.my_secrets[&quot;test/area/role&quot;].arn,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      ]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    }]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  })&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Attach the above policy to the IAM role&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_iam_role_policy_attachment&quot; &quot;ecs_exec_secrets_access_attach&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;role&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;       &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_iam_role&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;ecs_task_execution&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;name&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;policy_arn&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_iam_policy&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;ecs_execution_secrets_access&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Attach the ECS Task execution policy&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_iam_role_policy_attachment&quot; &quot;ecs_task_execution_attach&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;role&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;       &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_iam_role&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;ecs_task_execution&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;name&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;policy_arn&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;h2 id=&quot;trigger-iam-role&quot; tabindex=&quot;-1&quot;&gt;Trigger IAM role&lt;/h2&gt;
&lt;p&gt;Amazon EventBridge also needs an IAM role in order to trigger the ECS task. Here&#39;s an IAM role that has permission to run the defined tasks explicitly.&lt;/p&gt;
&lt;p&gt;It took me a &lt;em&gt;long&lt;/em&gt; time to realise that not only did I need to provide a &lt;code&gt;runTask&lt;/code&gt; permission to the tasks, I also needed to allow &lt;code&gt;runTask&lt;/code&gt; to the ECS cluster that was being used.&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;hcl&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Allow EventBridge to assume this role&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_iam_role&quot; &quot;eventbridge_invoke_ecs&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;eventbridge-ecs-invoke-role&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;assume_role_policy&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; jsonencode({&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Version = &quot;2012-10-17&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Statement = [{&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      Effect = &quot;Allow&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      Principal = {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        Service = &quot;events.amazonaws.com&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      },&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Action&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;sts:AssumeRole&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    ]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  })&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Create a new IAM policy that allows us to run all of the defined tasks&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# We need to explicitly allow ecs:RunTask for the ecs:cluster too&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_iam_role_policy&quot; &quot;eventbridge_ecs_policy&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;invoke-ecs&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;role&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_iam_role&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;eventbridge_invoke_ecs&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;policy&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; jsonencode({&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Version = &quot;2012-10-17&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Statement = [&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        Effect   = &quot;Allow&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        Action   = &quot;ecs:RunTask&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        Resource = aws_ecs_task_definition.scheduled_my_command.arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      },&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Effect&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;Allow&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Action&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;iam:PassRole&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Resource&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_iam_role&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;ecs_task_execution&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      },&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Effect&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;Allow&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Action&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;ecs:RunTask&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Resource&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;*&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Condition&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;ArnEquals&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;            &quot;ecs:cluster&quot; : aws_ecs_cluster.my_cluster.arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    ]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  })&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;h2 id=&quot;eventbridge-schedule-trigger&quot; tabindex=&quot;-1&quot;&gt;EventBridge schedule trigger&lt;/h2&gt;
&lt;p&gt;We need to define an event rule that runs the container on a schedule. I also create a Cloudwatch log group to capture task logs.&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;hcl&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Run the task at 23:59 every night&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_cloudwatch_event_rule&quot; &quot;run_at_23_59&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;                &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;run-ecs-task-schedule&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;schedule_expression&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;cron(59 23 * * ? *)&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# And create a Cloudwatch log group to send logs to&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_cloudwatch_log_group&quot; &quot;my_scheduled_task&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;              &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;/ecs/my-scheduled-task-logs&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;retention_in_days&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;1&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;h2 id=&quot;task-definition&quot; tabindex=&quot;-1&quot;&gt;Task Definition&lt;/h2&gt;
&lt;p&gt;Finally, we need to define the task to run. You&#39;ll need to upload the docker image to ECR before defining a task. You&#39;ll also need to specify all of the secrets that the container needs access to.&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;hcl&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Define the container and command to run, plus CPU/Memory usage&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_ecs_task_definition&quot; &quot;scheduled_my_command&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;family&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;                   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;scheduled-my-command&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;requires_compatibilities&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; [&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;FARGATE&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;network_mode&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;             &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;awsvpc&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;cpu&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;                      &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;256&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;memory&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;                   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;512&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;execution_role_arn&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_iam_role&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;ecs_task_execution&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;container_definitions&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; jsonencode([&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      name      = &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;demo&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      image     = &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;hello-world&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      essential = &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;true&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      secrets = [&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          name      = &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;AREA_USER&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          valueFrom = aws_secretsmanager_secret&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;my_secrets[&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;test/area/username&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;].arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        },&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;AREA_PASSWORD&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;valueFrom&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_secretsmanager_secret&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;my_secrets[&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;test/area/password&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;].arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        },&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;AREA_ROLE&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;valueFrom&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_secretsmanager_secret&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;my_secrets[&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;test/area/role&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;].arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      ],&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;logConfiguration&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        logDriver = &quot;awslogs&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        options = {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          awslogs-group         = &quot;/ecs/my-scheduled-task-logs&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          awslogs-region        = &quot;us-east-2&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          awslogs-stream-prefix = &quot;demo&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  ])&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Trigger this task using the scheduled event&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_cloudwatch_event_target&quot; &quot;ecs_my_command_target&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;rule&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_cloudwatch_event_rule&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;run_at_23_59&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;name&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;role_arn&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_iam_role&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;eventbridge_invoke_ecs&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;target_id&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;ecs-task-my-command&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;arn&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_ecs_cluster&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;my_cluster&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;ecs_target&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;task_definition_arn&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_ecs_task_definition&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;scheduled_my_command&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;launch_type&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;         &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;FARGATE&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;network_configuration&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;subnets&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; [aws_subnet&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;public&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;security_groups&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; [aws_security_group&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;ecs_tasks&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;assign_public_ip&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;true&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# This is only needed for debugging. See the final section&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# dead_letter_config {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #616E88&quot;&gt;#   arn = aws_sqs_queue.failed_invocations.arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;h2 id=&quot;help%2C-it&#39;s-not-working!&quot; tabindex=&quot;-1&quot;&gt;Help, it&#39;s not working!&lt;/h2&gt;
&lt;p&gt;Last, but not least, debugging! If your task isn&#39;t triggering as expected, you can configure a DeadLetterQueue (DLQ) to receieve the error messages from AWS. If you choose to do this, uncomment the &lt;code&gt;dead_letter_config&lt;/code&gt; section of the task definition above.&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;hcl&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_sqs_queue&quot; &quot;failed_invocations&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;eventbridge-ecs-dlq&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;resource&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt; &quot;aws_sqs_queue_policy&quot; &quot;allow_eventbridge&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;queue_url&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_sqs_queue&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;failed_invocations&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;id&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;policy&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; jsonencode({&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Version = &quot;2012-10-17&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    Statement = [&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        Sid    = &quot;AllowEventBridgeToSendMessages&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        Effect = &quot;Allow&quot;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        Principal = {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          Service = &quot;events.amazonaws.com&quot;&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        },&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Action&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;   &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;&quot;sqs:SendMessage&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Resource&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; aws_sqs_queue&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;failed_invocations&lt;/span&gt;&lt;span style=&quot;color: #B48EAD&quot;&gt;.&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;arn,&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #D8DEE9&quot;&gt;Condition&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;=&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          ArnEquals = {&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;            &quot;aws:SourceArn&quot; = aws_cloudwatch_event_rule.run_at_23_59.arn&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      }&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    ]&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  })&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;}&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;To read messages from the dead letter queue, use the &lt;code&gt;aws&lt;/code&gt; CLI tool:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Fetch the queue URL&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;aws sqs get-queue-url --queue-name eventbridge-ecs-dlq&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# Read messages - change the URL for your ID&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;aws sqs receive-message \&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  --queue-url https://sqs.us-east-2.amazonaws.com/111111111111/eventbridge-ecs-dlq \&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  --max-number-of-messages 10 \&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  --wait-time-seconds 5 \&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  --message-attribute-names All \&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  --attribute-names All&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;h2 id=&quot;conclusion&quot; tabindex=&quot;-1&quot;&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;The parts of this that gave me the most trouble were figuring out how to debug using &lt;code&gt;dead_letter_queue&lt;/code&gt; and that the IAM policy for &lt;code&gt;runTask&lt;/code&gt; needed access to the cluster too.&lt;/p&gt;
&lt;p&gt;Hopefully this has helped you (or will help me again in the future) to deploy scheduled tasks on ECS.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Pin your GitHub Actions</title>
    <link href="https://michaelheap.com/pin-your-github-actions/"/>
    <updated>2025-03-15T20:19:27Z</updated>
    <id>https://michaelheap.com/pin-your-github-actions/</id>
    <content type="html">&lt;p&gt;Way back in 2019, Julien Renaux published &lt;a href=&quot;https://julienrenaux.fr/2019/12/20/github-actions-security-risk/&quot;&gt;Use GitHub Actions at your own risk&lt;/a&gt;. While the title is a little sensational, it correctly pointed out that any maintainer can update a branch or tag to point at new code without you knowing. This means that if any action is compromised, you&#39;ll start leaking secrets without knowing it.&lt;/p&gt;
&lt;p&gt;Today, &lt;code&gt;tj-actions/changed-files&lt;/code&gt;, a widely used GitHub Action &lt;a href=&quot;https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised&quot;&gt;was compromised&lt;/a&gt; and started leaking secrets.&lt;/p&gt;
&lt;p&gt;Hopefully this was the wakeup call the industry needed to start paying attention to supply chain security.&lt;/p&gt;
&lt;h2 id=&quot;solving-the-problem&quot; tabindex=&quot;-1&quot;&gt;Solving the problem&lt;/h2&gt;
&lt;p&gt;Security is always a trade-off. You can solve the supply chain problem by specifying a full length commit SHA, but fetching that SHA for every action is a painful process. Then, whenever you want to upgrade your action you have to do it all again.&lt;/p&gt;
&lt;p&gt;Thankfully, there are tools and automations available to solve this problem. You can be secure &lt;em&gt;and&lt;/em&gt; feel minimal pain thanks to these projects:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;a href=&quot;https://github.com/mheap/pin-github-action&quot;&gt;pin-github-action&lt;/a&gt; - This is one of my projects. It takes a directory of workflows and uses the GitHub API to convert tag and branch references to a full length commit SHA.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions&quot;&gt;github-actions-ensure-sha-pinned-actions&lt;/a&gt; - A community action that will fail the build if it detects any unpinned actions being used in the current repository.&lt;/li&gt;
&lt;li&gt;&lt;a href=&quot;https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot&quot;&gt;Dependabot&lt;/a&gt; / &lt;a href=&quot;https://docs.renovatebot.com/modules/manager/github-actions/&quot;&gt;Renovate&lt;/a&gt; - Dependency management systems that submits PRs to upgrade GitHub Actions. They both natively understand the &lt;code&gt;# &amp;lt;ref&amp;gt;&lt;/code&gt; comments in workflow files.&lt;/li&gt;
&lt;/ol&gt;
&lt;h3 id=&quot;pin-to-a-sha&quot; tabindex=&quot;-1&quot;&gt;Pin to a SHA&lt;/h3&gt;
&lt;p&gt;The first thing to do is update all of your existing workflows to use the long commit SHA using &lt;code&gt;pin-github-action&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;You can run it with &lt;code&gt;npx&lt;/code&gt; or &lt;code&gt;docker&lt;/code&gt;. If you&#39;re not sure which to use, use &lt;code&gt;docker&lt;/code&gt; through the following alias:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #88C0D0&quot;&gt;alias&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; pin-github-action=&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;docker run --rm -v &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;$(&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;pwd&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;)&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;:/workflows -e GITHUB_TOKEN mheap/pin-github-action&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;If you&#39;re working with a large number of workflows, or any private actions you&#39;ll need to set the &lt;code&gt;GITHUB_TOKEN&lt;/code&gt; environment variable to prevent rate limiting or provide valid access credentials to a repository:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;export&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; GITHUB_TOKEN=&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;ghp_YOUR_TOKEN_HERE&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;Finally, change directory to your repository and run &lt;code&gt;pin-github-action&lt;/code&gt;:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #88C0D0&quot;&gt;cd&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; my-repo&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;pin-github-action .github/workflows&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;If you run &lt;code&gt;git diff .github/workflows&lt;/code&gt; you&#39;ll see that all of your actions have been updated to the long commit SHA:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;diff&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    steps:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #BF616A&quot;&gt;     - uses: actions/checkout@v4&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;+&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #BF616A&quot;&gt;     - uses: MyOrg/some-action@v1&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;+&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;     - uses: MyOrg/some-action@25ed13d0628a1601b4b44048e63cc4328ed03633 # v1&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;I recommend pinning all actions to a SHA, but this may not be feasible for some companies that use internal actions. If you want to trust internal actions, you can pass the &lt;code&gt;--allow&lt;/code&gt; flag to &lt;code&gt;pin-github-action&lt;/code&gt; to add a specific prefix to an allowlist:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;pin-github-action --allow &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;MyOrg/*&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; .github/workflows&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;This will ignore any actions with the prefix &lt;code&gt;MyOrg&lt;/code&gt;:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;diff&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    steps:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #BF616A&quot;&gt;     - uses: actions/checkout@v4&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;+&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      - uses: MyOrg/some-action@v1&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;h3 id=&quot;prevent-regressions&quot; tabindex=&quot;-1&quot;&gt;Prevent regressions&lt;/h3&gt;
&lt;p&gt;Pinning all actions to a specific SHA solves the problem today, but it doesn&#39;t guarantee that a new action won&#39;t be added in the future without using a SHA. To prevent that happening, &lt;a href=&quot;https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions&quot;&gt;github-actions-ensure-sha-pinned-actions&lt;/a&gt; can be used to fail the build when any unpinned actions are detected.&lt;/p&gt;
&lt;p&gt;The README for the action contains examples, but if you&#39;re using &lt;code&gt;pin-github-action&lt;/code&gt; you can automatically add a new workflow using the &lt;code&gt;--enforce&lt;/code&gt; flag. The &lt;code&gt;--enforce&lt;/code&gt; flag writes a workflow containing &lt;code&gt;github-actions-ensure-sha-pinned-actions&lt;/code&gt; to the path provided, including adding any actions passed in &lt;code&gt;--allow&lt;/code&gt; to the &lt;code&gt;allowlist&lt;/code&gt; input for the action.&lt;/p&gt;
&lt;p&gt;The following command will create a workflow at &lt;code&gt;.github/workflows/security.yaml&lt;/code&gt; that ensures all actions are using the long commit SHA, &lt;em&gt;unless&lt;/em&gt; they are actions from &lt;code&gt;MyOrg&lt;/code&gt;:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;bash&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;pin-github-action --allow &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;MyOrg/*&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;&quot;&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; --enforce .github/workflows/security.yaml .github/workflows &lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;The created workflow looks like this:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;yaml&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;on&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;push&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Security&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;jobs&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;  &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;ensure-pinned-actions&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;runs-on&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;ubuntu-latest&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;steps&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Checkout code&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;uses&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# v4&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;      &lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;name&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;Ensure SHA pinned actions&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;uses&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #616E88&quot;&gt;# v3&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;        &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;with&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;          &lt;/span&gt;&lt;span style=&quot;color: #8FBCBB&quot;&gt;allowlist&lt;/span&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;:&lt;/span&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt; &lt;/span&gt;&lt;span style=&quot;color: #81A1C1&quot;&gt;|&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;            MyOrg/&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;h3 id=&quot;automating-updates&quot; tabindex=&quot;-1&quot;&gt;Automating updates&lt;/h3&gt;
&lt;p&gt;Finally, we need to keep our dependencies up to date. You have two options here:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Run &lt;code&gt;pin-github-action&lt;/code&gt; again&lt;/li&gt;
&lt;li&gt;Use Dependabot or Renovate&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;strong&gt;I recommend using Dependabot or Renovate.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Running &lt;code&gt;pin-github-action&lt;/code&gt; on a repository with pinned SHAs and will extract the target version from the comment and update the SHA like so:&lt;/p&gt;
&lt;pre class=&quot;shiki nord&quot; style=&quot;background-color: #2e3440ff; color: #d8dee9ff&quot;&gt;&lt;div class=&quot;language-id&quot;&gt;diff&lt;/div&gt;&lt;div class=&quot;code-container&quot;&gt;&lt;code&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #D8DEE9FF&quot;&gt;    steps:&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;-&lt;/span&gt;&lt;span style=&quot;color: #BF616A&quot;&gt;     - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4&lt;/span&gt;&lt;/div&gt;&lt;div class=&quot;line&quot;&gt;&lt;span style=&quot;color: #ECEFF4&quot;&gt;+&lt;/span&gt;&lt;span style=&quot;color: #A3BE8C&quot;&gt;     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4&lt;/span&gt;&lt;/div&gt;&lt;/code&gt;&lt;/div&gt;&lt;/pre&gt;
&lt;p&gt;This is great for updating actions in bulk, but it doesn&#39;t improve your security posture that much. You&#39;re still blindly upgrading to the latest version.&lt;/p&gt;
&lt;p&gt;I recommend using Dependabot or Renovate to update your actions. Both tools create Pull Requests with updated SHAs and provide a diff for review. Each pull request contains a link to the &lt;code&gt;compare&lt;/code&gt; view on GitHub that you can use to audit the changes since your last update and ensure that the action has not been compromised.&lt;/p&gt;
&lt;h3 id=&quot;stay-safe%2C-pin-your-dependencies&quot; tabindex=&quot;-1&quot;&gt;Stay safe, pin your dependencies&lt;/h3&gt;
&lt;p&gt;The compromise of &lt;code&gt;tj-actions/changed-files&lt;/code&gt; serves as a crucial reminder of the security risks in GitHub Actions. While pinning actions to commit SHAs adds an extra step, it significantly reduces the risk of supply chain attacks.&lt;/p&gt;
&lt;p&gt;By leveraging tools like &lt;code&gt;pin-github-action&lt;/code&gt;, enforcing SHA pinning with &lt;code&gt;github-actions-ensure-sha-pinned-actions&lt;/code&gt;, and automating updates with Dependabot or Renovate, teams can secure their workflows without unnecessary overhead.&lt;/p&gt;
&lt;p&gt;Supply chain security is an ongoing effort, but with these practices in place, you can proactively protect your repositories and secrets from potential threats.&lt;/p&gt;
</content>
  </entry>
</feed>