Updates to MWAA verify environment script #246

Merged
harniva14 merged 1 commit into awslabs:master from CihanBosnali:master
Nov 25, 2025

@CihanBosnali
Contributor

Issue #, if available: Closes #165 #171 #179 #185 #203 #204 #205 #209

Description of changes:

  1. Check for two IAM permissions that are not currently being checked although used by the MWAA execution role (allow logs:GetQueryResults and allow logs:GetLogRecord).
  2. Check IAM permissions necessary to access REST API.
  3. Check if Airflow REST API invocation to GET /health endpoint succeeds, output the API response that includes status and heartbeat of Airflow components.
  4. Check SQS celery executor queue health using CloudWatch metrics.
  5. Divide output as full report and key findings, write them to files.
  6. Suggest to upgrade to a larger environment class based on CloudWatch metrics and # of dags.
  7. Check for cache folders in the S3 dags folder that are not being ignored by .airflowignore. (.ipynb_checkpoints, .git, __pycache__)
  8. Upload and run a simple DAG.
  9. Check secrets manager configuration.
  10. Check airflow configuration options for celery.worker_concurrency and core.lazy_load_plugins.
  11. _check_access_blocked no longer breaks script when user does not have permission to check access.
  12. region argument to script is made a required argument.
  13. VPC endpoint identification no longer fails if endpoint is connected to more subnets than the MWAA environment.
  14. Profile name validation no longer fails with hyphens and underscores, no longer passes incorrectly with empty string.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@harniva14 harniva14 merged commit 6b6925c into awslabs:master Nov 25, 2025
@ankon ankon mentioned this pull request Feb 16, 2026
"""
inline_policies = iam_client.list_role_policies(RoleName=role_arn)
return [
json.dumps(iam_client.get_role_policy(RoleName=role_arn, PolicyName=policy).get("PolicyDocument", ))
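
Review bot: `RoleName=role_arn`, in both the `list_role_policies` and the `get_role_policy` call, passes a variable whose name says it holds an ARN, while the IAM `RoleName` parameter takes the role's name. If the value really is an ARN, pass only the segment after the last `/`; if it is already a name, rename the variable so the call reads correctly. Separately, `.get("PolicyDocument", )` has a stray trailing comma and no default, so a response without that key is serialized as `null` by `json.dumps` rather than being skipped or reported.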

This breaks the script: import json is missing.

@CihanBosnali PTAL at #247, which contains a fix for this problem.

Successfully merging this pull request may close these issues.

MWAA - Check Service Vpc Endpoints showing wrong results
