AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

EventBus Rule Target ECS Fargate Task - Unable to invoke set version

0

When building a rule targeting a specific ECS Task version (not latest), we're observing that the rule fails to be invoked. Let me provide some scenarios:

    • In the EventBirdge-> Events-> Rules-> Add Target UI, define everything about your ECS Task. Do not update the task definition revision.
  • Verify your event invokes successfully.
  • Pull up the json from aws cli for referencing:
    aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here
  • Edit your rule/target to "Configure task definition revision and task count" to a Revision of the latest version for your task.
  • Observe if your rule invokes successfully or not. From my tests, it will fail. You can see this in the Cloudwatch "Monitoring" of the rule and observe your Invocations and FailedInvocations.
  • Pull up the json from aws cli for referencing:
    aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here
    You will notice the working version does not contain the version appended to the end (i.e. Works - "arn::aws::task-definition" vs Non-working "arn::aws::task-definition:16")
  1. In Cloudformation, build your CF template with the appropriate settings that can be matched/compared with #1.
    Example (with lots of actual links replaced)
    Targets:
    - Arn: !GetAtt ClusterArn.Value
    RoleArn: !GetAtt RoleArn.Value
    Id: project-name-here
    EcsParameters:
    TaskCount: 1
    TaskDefinitionArn: !GetAtt RoleArn.Value
    LaunchType: FARGATE
    NetworkConfiguration:
    AwsVpcConfiguration:
    AssignPublicIp: DISABLED
    SecurityGroups:
    Fn::Split:
    - ","
    - Fn::ImportValue: !Sub ${EnvironmentName}:sec-groups
    Subnets:
    Fn::Split:
    - ","
    - Fn::ImportValue:
    !Sub ${EnvironmentName}:subnets
    If you attempt this CF, it will build the stack successfully when providing a valid ARN for the ecs task definition (The rule invoking this target will fail). If you try to provide the task definition Arn without the version, that's not a valid ARN, so CF will fail during stack creation.

Let me know if more information is required to test this scenario in other environments, but we have validated it on our end to not be working as expected. Any help/guidance would be greatly appreciated!

Edited by: rsNate on Jun 29, 2021 2:32 PM

Edited by: rsNate on Jun 29, 2021 2:32 PM

주제
서버리스애플리케이션 통합
태그
아마존 EventBridge
언어
English
rsNate
질문됨 3년 전721회 조회
2개 답변
0

This was resolved by ensuring that the role's policy was specifying the task's ARN with the version being a * instead of the specific version.

i.e.
BAD - Only allow latest version
Resource: !Sub
- "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}"
- TaskName: !FindInMap [Inventory, Project, Name]

GOOD - Allows specific versions to be defined
Resource: !Sub
- "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}:*"
- TaskName: !FindInMap [Inventory, Project, Name]

When this is setup correctly, you can now Edit in the UI as well with all fields being populated as expected. The auto-generated policy does not include ALL version permissions, only Latest.

rsNate
답변함 3년 전
0

Thank you for bringing this to our attention. I will track this as an issue to improve our console policies for ECS tasks.

AWS
NikPinski-AWSEventBridge
답변함 3년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠