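In the Definition section, enter the following code. Replace each value in angle brackets with your own, and set "AssignPublicIp" to exactly one of "ENABLED" or "DISABLED" (the `"ENABLED" | "DISABLED"` shown below marks a choice and is not valid JSON as written). "ENABLED" gives the task a public IP address, so use it only when the task cannot reach the services it needs any other way: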
{
"Comment": "A description of my state machine",
"StartAt": "ECS RunTask",
"States": {
"ECS RunTask": {
"Type": "Task",
"Resource": "arn:aws:states:::ecs:runTask.sync",
"Parameters": {
"LaunchType": "FARGATE",
"Cluster": "<ClusterARN>",
"TaskDefinition": "<TaskDefinitionARN>",
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"Subnets": [<Subnets>],
"SecurityGroups": [<SecurityGroups>],
"AssignPublicIp": "ENABLED" | "DISABLED"
}
}
},
"Next": "Notify Success",
"Retry": [
{
"ErrorEquals": [
"States.ALL"
],
"BackoffRate": 2,
"MaxAttempts": 3,
"IntervalSeconds": 10
}
],
"Catch": [
{
"ErrorEquals": [
"States.ALL"
],
"Next": "TransformData"
}
]
},
"TransformData": {
"Type": "Pass",
"Next": "Notify Failure",
"Parameters": {
"Error.$": "$.Error",
"Cause.$": "States.StringToJson($.Cause)"
}
},
"Notify Failure": {
"Type": "Task",
"Resource": "arn:aws:states:::sns:publish",
"Parameters": {
"TopicArn": "<Topic ARN>",
"Message": {
"Error.$": "$.Error",
"StoppedReason.$": "$.Cause.StoppedReason"
}
},
"End": true
},
"Notify Success": {
"Type": "Task",
"Resource": "arn:aws:states:::sns:publish",
"Parameters": {
"TopicArn": "<Topic ARN>",
"Message": "AWS ECS Task started by Step Functions succeeded"
},
"End": true
}
}
}
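To run the state machine and related resources, select a role. It's best practice to select a role with the least privilege and to include only the permissions that your IAM policies need. The following example policies include only the necessary permissions. The account IDs and Regions in the ARNs are sample values, so replace them, along with the values in angle brackets, with your own. Some statements use "Resource": "*"; in particular, restrict the iam:PassRole statement to the ARNs of the task role and task execution role that your task definition uses, so that the state machine role cannot pass any other role to Amazon ECS: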
ECS policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:*:123456789:task-definition/<TASK_DEFINITION>"
],
"Condition": {
"ArnLike": {
"ecs:cluster": "arn:aws:ecs:*:123456789:cluster/<ECS CLUSTER>"
}
}
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"iam:PassedToService": "ecs-tasks.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:us-east-1:123456788:rule/StepFunctionsGetEventsForECSTaskRule"
]
}
]
}
SNS policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:Publish"
],
"Resource": [
"arn:aws:sns:us-east-1:12345678:<TOPIC>"
]
}
]
}
Amazon CloudWatch policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Resource": "*"
}
]
}