EventBus Rule Target ECS Fargate Task - Unable to invoke set version

0

When building a rule targeting a specific ECS Task version (not latest), we're observing that the rule fails to be invoked. Let me provide some scenarios:

  • In the EventBridge -> Events -> Rules -> Add Target UI, define everything about your ECS Task. Do not update the task definition revision.
  • Verify your event invokes successfully.
  • Pull up the JSON from the AWS CLI for referencing:
      aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here
  • Edit your rule/target to "Configure task definition revision and task count" to a Revision of the latest version for your task.
  • Observe if your rule invokes successfully or not. From my tests, it will fail. You can see this in the CloudWatch "Monitoring" of the rule and observe your Invocations and FailedInvocations.
  • Pull up the JSON from the AWS CLI for referencing:
      aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here
    You will notice the working version does not contain the version appended to the end (i.e. Works - "arn::aws::task-definition" vs Non-working "arn::aws::task-definition:16").
  1. In CloudFormation, build your CF template with the appropriate settings that can be matched/compared with #1.
    Example (with lots of actual links replaced):
      Targets:
        - Arn: !GetAtt ClusterArn.Value
          RoleArn: !GetAtt RoleArn.Value
          Id: project-name-here
          EcsParameters:
            TaskCount: 1
            TaskDefinitionArn: !GetAtt RoleArn.Value
            LaunchType: FARGATE
            NetworkConfiguration:
              AwsVpcConfiguration:
                AssignPublicIp: DISABLED
                SecurityGroups:
                  Fn::Split:
                    - ","
                    - Fn::ImportValue: !Sub ${EnvironmentName}:sec-groups
                Subnets:
                  Fn::Split:
                    - ","
                    - Fn::ImportValue: !Sub ${EnvironmentName}:subnets
    If you attempt this CF, it will build the stack successfully when providing a valid ARN for the ECS task definition (the rule invoking this target will fail). If you try to provide the task definition ARN without the version, that's not a valid ARN, so CF will fail during stack creation.

Let me know if more information is required to test this scenario in other environments, but we have validated it on our end to not be working as expected. Any help/guidance would be greatly appreciated!

Edited by: rsNate on Jun 29, 2021 2:32 PM

rsNate
asked 3 years ago, 705 views
2 Answers
0

This was resolved by ensuring that the role's policy was specifying the task's ARN with the version being a * instead of the specific version.

i.e.

BAD - Only allows the latest version:
  Resource: !Sub
    - "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}"
    - TaskName: !FindInMap [Inventory, Project, Name]

GOOD - Allows specific versions to be defined:
  Resource: !Sub
    - "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}:*"
    - TaskName: !FindInMap [Inventory, Project, Name]

When this is set up correctly, you can now Edit in the UI as well with all fields being populated as expected. The auto-generated policy does not include ALL version permissions, only Latest.

rsNate
answered 3 years ago
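Added example, not code from the post or from AWS: a small Python check that mimics IAM resource matching (simplified: no Deny statements, Conditions or policy variables) to show why the "BAD" resource only matches the revision-less task definition ARN while the ":*" form also matches a pinned revision, plus a lint over a policy document that flags task-definition resources with no revision part. Region, account, environment and task names are constructed placeholders.

```python
import re

# Constructed placeholders standing in for the !Sub values in the answer's snippet.
REGION, ACCOUNT, ENV, TASK = "us-east-1", "123456789012", "prod", "worker"
FAMILY_ARN = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/{ENV}-{TASK}"

# The two policy shapes from the answer, rendered as IAM JSON (constructed sample).
BAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ecs:RunTask",
                             "Resource": FAMILY_ARN}]}
GOOD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "ecs:RunTask",
                              "Resource": FAMILY_ARN + ":*"}]}

def task_definition_arn(revision=None):
    """ARN EventBridge hands to ecs:RunTask: revision-qualified when a revision is pinned."""
    return f"{FAMILY_ARN}:{revision}" if revision is not None else FAMILY_ARN

def resource_matches(pattern, arn):
    """IAM-style resource matching: '*' spans any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def run_task_allowed(policy, arn):
    """True if some Allow statement grants ecs:RunTask on `arn` (Deny/Condition ignored)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("ecs:RunTask", "ecs:*", "*") for a in _as_list(stmt["Action"])):
            continue
        if any(resource_matches(r, arn) for r in _as_list(stmt["Resource"])):
            return True
    return False

def lint_task_definition_resources(policy):
    """Flag task-definition resources with no revision part: they match only unqualified ARNs."""
    findings = []
    for stmt in policy["Statement"]:
        for r in _as_list(stmt["Resource"]):
            if ":task-definition/" in r and ":" not in r.split(":task-definition/", 1)[1]:
                findings.append(r)
    return findings

if __name__ == "__main__":
    for name, policy in (("BAD", BAD_POLICY), ("GOOD", GOOD_POLICY)):
        print(name, "unpinned:", run_task_allowed(policy, task_definition_arn()),
              "revision 16:", run_task_allowed(policy, task_definition_arn(16)),
              "lint:", lint_task_definition_resources(policy))
```

Running the lint over the policy attached to the rule's role is a quick way to spot the console-generated shape before a pinned revision starts producing FailedInvocations.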
0

Thank you for bringing this to our attention. I will track this as an issue to improve our console policies for ECS tasks.

AWS
answered 2 years ago
