EventBus Rule Target ECS Fargate Task - Unable to invoke set version

0

When building a rule targeting a specific ECS Task version (not latest), we're observing that the rule fails to be invoked. Let me provide some scenarios:

  1. In the EventBridge -> Events -> Rules -> Add Target UI, define everything about your ECS Task. Do not update the task definition revision.
  2. Verify your event invokes successfully.
  3. Pull up the json from aws cli for referencing:
     aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here
  4. Edit your rule/target to "Configure task definition revision and task count" to a Revision of the latest version for your task.
  5. Observe if your rule invokes successfully or not. From my tests, it will fail. You can see this in the CloudWatch "Monitoring" of the rule and observe your Invocations and FailedInvocations.
  6. Pull up the json from aws cli for referencing:
     aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here
     You will notice the working version does not contain the version appended to the end (i.e. Works - "arn::aws::task-definition" vs Non-working "arn::aws::task-definition:16").
  7. In CloudFormation, build your CF template with the appropriate settings that can be matched/compared with #1.
     Example (with lots of actual links replaced):

       Targets:
         - Arn: !GetAtt ClusterArn.Value
           RoleArn: !GetAtt RoleArn.Value
           Id: project-name-here
           EcsParameters:
             TaskCount: 1
             TaskDefinitionArn: !GetAtt RoleArn.Value
             LaunchType: FARGATE
             NetworkConfiguration:
               AwsVpcConfiguration:
                 AssignPublicIp: DISABLED
                 SecurityGroups:
                   Fn::Split:
                     - ","
                     - Fn::ImportValue: !Sub ${EnvironmentName}:sec-groups
                 Subnets:
                   Fn::Split:
                     - ","
                     - Fn::ImportValue:
                         !Sub ${EnvironmentName}:subnets

     If you attempt this CF, it will build the stack successfully when providing a valid ARN for the ECS task definition (the rule invoking this target will fail). If you try to provide the task definition ARN without the version, that's not a valid ARN, so CF will fail during stack creation.

Let me know if more information is required to test this scenario in other environments, but we have validated it on our end to not be working as expected. Any help/guidance would be greatly appreciated!

Edited by: rsNate on Jun 29, 2021 2:32 PM

rsNate
posted 3 years ago, 721 views
2 Answers
0

This was resolved by ensuring that the role's policy was specifying the task's ARN with the version being a * instead of the specific version.

i.e.
BAD - Only allow latest version
Resource: !Sub
- "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}"
- TaskName: !FindInMap [Inventory, Project, Name]

GOOD - Allows specific versions to be defined
Resource: !Sub
- "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}:*"
- TaskName: !FindInMap [Inventory, Project, Name]

When this is set up correctly, you can now Edit in the UI as well with all fields being populated as expected. The auto-generated policy does not include ALL version permissions, only Latest.

rsNate
answered 3 years ago
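To make the accepted answer's point concrete, here is an added example (not code from rsNate or from AWS) that reproduces the IAM resource matching behind the failure. It models only the part of IAM evaluation that matters here: a `Resource` string is matched against the requested ARN with `*` and `?` wildcards and everything else literal, so `task-definition/name` matches the unrevisioned ARN only, while `task-definition/name:*` matches `:16` and any other revision. The region, account id and task family are constructed placeholders, and the matcher ignores Deny statements, `NotResource`, conditions and policy variables.

```python
import re
from typing import Iterable, Optional

# Constructed placeholder values; nothing here comes from the thread or a real account.
REGION = "us-east-1"
ACCOUNT = "123456789012"
FAMILY = "prod-my-task"  # stands in for ${EnvironmentName}-${TaskName}


def task_definition_arn(family: str, revision: Optional[int] = None) -> str:
    """Build an ECS task-definition ARN.

    EventBridge stores the bare family ARN when the target uses the latest
    revision and appends ':N' when a specific revision is configured, which is
    the difference the question observed in list-targets-by-rule output.
    """
    base = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/{family}"
    return f"{base}:{revision}" if revision is not None else base


def _iam_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IAM Resource string to a regex.

    IAM resource matching supports only '*' (zero or more characters) and '?'
    (exactly one character); every other character, including ':' and '/',
    is literal and case-sensitive. re.escape keeps those literals safe.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def resource_allowed(policy_resources: Iterable[str], arn: str) -> bool:
    """True if any Resource entry of an Allow statement covers the ARN."""
    return any(_iam_pattern_to_regex(p).fullmatch(arn) for p in policy_resources)


# The two forms quoted in the answer, expressed as evaluated Resource strings.
BAD_POLICY = [task_definition_arn(FAMILY)]            # family only
GOOD_POLICY = [task_definition_arn(FAMILY) + ":*"]    # family plus any revision
# Least-privilege variant that covers both the 'latest' target form and a pinned
# revision: ':*' alone does not match the bare family ARN because ':' is literal.
BOTH_POLICY = BAD_POLICY + GOOD_POLICY


def target_allowed(policy: Iterable[str], revision: Optional[int]) -> bool:
    """Would the events.amazonaws.com role be allowed to run this target?"""
    return resource_allowed(policy, task_definition_arn(FAMILY, revision))


if __name__ == "__main__":
    for name, policy in (("BAD", BAD_POLICY), ("GOOD", GOOD_POLICY), ("BOTH", BOTH_POLICY)):
        for rev in (None, 16):
            label = "latest" if rev is None else f"revision {rev}"
            print(f"{name:>4} policy, target {label:<12}: {target_allowed(policy, rev)}")
```

Running the block prints a small matrix: the auto-generated style of policy allows the latest-revision target and denies revision 16, the `:*` form allows revision 16 but not the bare family ARN, and listing both resources allows either target form without widening access to other task families.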
0

Thank you for bringing this to our attention. I will track this as an issue to improve our console policies for ECS tasks.

AWS
answered 3 years ago
