EventBus Rule Target ECS Fargate Task - Unable to invoke set version


When building a rule targeting a specific ECS Task version (not latest), we're observing that the rule fails to be invoked. Let me provide some scenarios:

  1. In the EventBridge -> Events -> Rules -> Add Target UI, define everything about your ECS Task. Do not update the task definition revision.
     • Verify your event invokes successfully.
     • Pull up the JSON from the AWS CLI for referencing:

           aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here

     • Edit your rule/target to "Configure task definition revision and task count" to a Revision of the latest version for your task.
     • Observe if your rule invokes successfully or not. From my tests, it will fail. You can see this in the CloudWatch "Monitoring" of the rule and observe your Invocations and FailedInvocations.
     • Pull up the JSON from the AWS CLI for referencing:

           aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here

       You will notice the working version does not contain the version appended to the end (i.e. Works - "arn::aws::task-definition" vs Non-working "arn::aws::task-definition:16").
  2. In CloudFormation, build your CF template with the appropriate settings that can be matched/compared with #1.
     Example (with lots of actual links replaced):

         Targets:
           - Arn: !GetAtt ClusterArn.Value
             RoleArn: !GetAtt RoleArn.Value
             Id: project-name-here
             EcsParameters:
               TaskCount: 1
               TaskDefinitionArn: !GetAtt RoleArn.Value
               LaunchType: FARGATE
               NetworkConfiguration:
                 AwsVpcConfiguration:
                   AssignPublicIp: DISABLED
                   SecurityGroups:
                     Fn::Split:
                       - ","
                       - Fn::ImportValue: !Sub ${EnvironmentName}:sec-groups
                   Subnets:
                     Fn::Split:
                       - ","
                       - Fn::ImportValue: !Sub ${EnvironmentName}:subnets

     If you attempt this CF, it will build the stack successfully when providing a valid ARN for the ECS task definition (the rule invoking this target will fail). If you try to provide the task definition ARN without the version, that's not a valid ARN, so CF will fail during stack creation.

Let me know if more information is required to test this scenario in other environments, but we have validated it on our end to not be working as expected. Any help/guidance would be greatly appreciated!

Edited by: rsNate on Jun 29, 2021 2:32 PM

rsNate
asked 3 years ago, 721 views

2 Answers

This was resolved by ensuring that the role's policy was specifying the task's ARN with the version being a * instead of the specific version.

i.e.

BAD - Only allow latest version

    Resource: !Sub
      - "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}"
      - TaskName: !FindInMap [Inventory, Project, Name]

GOOD - Allows specific versions to be defined

    Resource: !Sub
      - "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}:*"
      - TaskName: !FindInMap [Inventory, Project, Name]

When this is set up correctly, you can now Edit in the UI as well with all fields being populated as expected. The auto-generated policy does not include ALL version permissions, only Latest.

rsNate
answered 3 years ago
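As an added check (not code from the question, the answer, or AWS), the following Python audits a rule target in the shape `aws events list-targets-by-rule` returns against the policy on the target's role, applying IAM-style resource wildcard matching; all ARNs, the account id and the names are constructed placeholders. It shows why a policy scoped to the bare task-definition family fails for a pinned revision while the `:*` form passes and still stays scoped to that one family.

```python
import re

# Constructed sample data: ARNs, account id and names are placeholders.
# The target as `aws events list-targets-by-rule` returns it, pinned to
# revision 16 (the "Non-working" shape from the question).
TARGET = {
    "Id": "project-name-here",
    "Arn": "arn:aws:ecs:us-east-1:123456789012:cluster/example-cluster",
    "RoleArn": "arn:aws:iam::123456789012:role/example-events-role",
    "EcsParameters": {
        "TaskDefinitionArn": "arn:aws:ecs:us-east-1:123456789012:task-definition/dev-example:16",
        "TaskCount": 1,
        "LaunchType": "FARGATE",
    },
}

# The family ARN with no revision (what the console-generated policy grants)
# versus the same family with a revision wildcard, still scoped to one family.
FAMILY = "arn:aws:ecs:us-east-1:123456789012:task-definition/dev-example"
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecs:RunTask", "Resource": FAMILY}]}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecs:RunTask", "Resource": FAMILY + ":*"}]}

def arn_matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard matching: '*' spans any characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows_run_task(policy: dict, task_def_arn: str) -> bool:
    """True if some Allow statement grants ecs:RunTask on task_def_arn.
    Explicit Deny statements and Condition blocks are not modelled."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(arn_matches(a, "ecs:RunTask") for a in actions):
            continue
        if any(arn_matches(r, task_def_arn) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False

if __name__ == "__main__":
    pinned = TARGET["EcsParameters"]["TaskDefinitionArn"]
    for name, policy in (("BAD", BAD_POLICY), ("GOOD", GOOD_POLICY)):
        print(name, "policy allows revision 16:", policy_allows_run_task(policy, pinned))
```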

Thank you for bringing this to our attention. I will track this as an issue to improve our console policies for ECS tasks.

AWS
answered 3 years ago
