Updating an AWS resource using a pipeline causes CDK drift


I have an ECS cluster running an ECS task for my backend container, and I have a pipeline in GitHub Actions which deploys my new code changes:

1- Log in to Amazon ECR

2- Build, tag and push the Docker image to Amazon ECR

3- Fill in the new image ID in the Amazon ECS task definition using aws-actions/amazon-ecs-render-task-definition

4- Deploy the new ECS task definition.

Now every time I run the pipeline it creates a new task definition with the new Docker image built in the previous steps, and I am managing my infrastructure for the ECS cluster (including the task definition) using AWS CDK.

Is it a problem that my pipeline creates a new task definition without using cdk deploy in the pipeline, which might cause CDK drift?

    const container = taskDefinition.addContainer(
      `${TaskDefinitionAttributes[this.environment].containerLogicalId}`,
      {
        // `tag` is resolved by a utility that looks up the latest tag pushed to the repository
        image: ecs.ContainerImage.fromEcrRepository(baseRepo, `${tag}`),
      },
    );

In the above snippet of code, I tried to create a utility function to fetch the latest image tag pushed to the ECR repository, but the thing is, when I type cdk deploy, the CDK app identifies the latest task definition pushed by the deployment pipeline as a CDK change, resulting in a new duplicate task definition with the same image tag.

i.e.

1- The latest task definition is 100

2- After the pipeline run, the new task definition is 101

3- When typing cdk deploy, cdk diff shows changes between 100 and 101, which results in creating a new task definition 102 which is a duplicate of 101

Would replacing the GitHub Actions like aws-actions/amazon-ecs-render-task-definition and amazon-ecs-deploy-task-definition@v2 for deploying a new task definition in the pipeline with cdk deploy be a better approach?

1 Answer

Yes, the situation you're describing is a classic case of infrastructure drift, where the state of your infrastructure is changing outside of CDK, which can cause issues with your CDK deployment (i.e., creating duplicate resources).

Explanation: In your current setup, your GitHub Actions pipeline is creating a new ECS task definition every time it runs and pushing it to Amazon ECR.

Since you're managing ECS Task Definitions using CDK, any new task definition created outside of CDK (by the pipeline) causes CDK to detect a "change" (drift) the next time you run cdk deploy. This leads to the creation of new, duplicate task definitions.

This drift between your CDK-managed resources and what is manually deployed by the pipeline can lead to multiple task definitions with the same image but different versions (e.g., Task Definition 100, Task Definition 101, and so on). This results in your CDK app trying to recreate a new task definition, which leads to duplication.

Suggested Solutions:

  1. Centralize task definition creation with CDK: Instead of letting the pipeline create a new ECS task definition with each code change, you could centralize this process entirely in CDK. This would mean letting the pipeline build the Docker image and push it to ECR, while CDK is responsible for creating the task definition.

You can use CDK to automatically fetch the latest image tag from ECR and update the task definition. You could achieve this by adding logic to your CDK stack to get the latest image from ECR and set it in your task definition like this:

    // fromEcrRepository takes the tag as a plain string, not an object; read it
    // from CDK context so the pipeline can pass the tag it just pushed.
    const imageTag: string = this.node.tryGetContext('imageTag') ?? 'latest';
    const container = taskDefinition.addContainer('Container', {
      image: ecs.ContainerImage.fromEcrRepository(baseRepo, imageTag),
    });

  2. Update the task definition and avoid re-creation: If you want to keep your pipeline for task definition updates but avoid creating duplicates, you should ensure that the task definition version only changes when there's an actual image change. You can make sure that CDK is only managing the task definition and not duplicating it each time: use a cdk.json or a version file to store the latest image tag, then reference that in your CDK app for the container's image. In the pipeline, instead of directly creating a new ECS task definition, update the existing task definition, ensuring you avoid duplicating it.

  3. Control task definition creation in the pipeline: You can keep the aws-actions/amazon-ecs-render-task-definition step in the pipeline but make sure that it doesn't create a new task definition every time. To prevent this, only create a new task definition if the image tag has changed. If you don't want to use CDK to manage the image tag, use an if condition in the pipeline to determine whether a new task definition should be created.

  4. Avoid CDK drift by using cdk deploy in the pipeline: If you want to fully use CDK and ensure that no drift occurs, you can replace the task definition creation in your pipeline with cdk deploy. You can update the pipeline to run cdk deploy instead of using aws-actions/amazon-ecs-render-task-definition. This way, CDK will handle everything, including checking for any changes to the image tag and creating a new task definition only if necessary.

This would involve modifying your pipeline to run cdk deploy after the Docker image is pushed to ECR, and updating the image tag reference in CDK using either a dynamic approach (fetching the latest tag) or manually providing it as an environment variable.

Recommended Approach: To avoid CDK drift and task definition duplication, centralize the task definition management within CDK and let your pipeline handle the Docker image build and push to ECR. Here's a potential approach:

In the pipeline: build and push the Docker image to Amazon ECR.

In CDK:

Fetch the image tag from ECR (dynamically or via a parameter).

Update the ECS task definition with the latest image tag using CDK.

Deploy the ECS task definition through CDK.

By making CDK the sole manager of your ECS task definition, you ensure that the state of the infrastructure is consistent, and you can avoid creating duplicate task definitions.

answered a month ago
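The recommended approach from the answer, as an added example that is not part of the question or the answer: a GitHub Actions workflow in which the pipeline only builds and pushes the image, tagged with the commit SHA rather than a mutable tag, and then hands that tag to cdk deploy via CDK context so CDK remains the only writer of the task definition. The region, repository name, stack name, context key `imageTag` and the secret `AWS_DEPLOY_ROLE_ARN` are assumptions; the role is assumed via OIDC so no long-lived access keys sit in repository secrets.

```yaml
name: build-and-deploy

on:
  push:
    branches: [main]

permissions:
  id-token: write   # required for OIDC federation to the AWS deploy role
  contents: read

env:
  AWS_REGION: us-east-1          # assumption
  ECR_REPOSITORY: backend        # assumption: repository created by the CDK stack
  CDK_STACK: BackendEcsStack     # assumption: stack that owns the task definition

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials (OIDC, no static keys)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}   # assumption: secret name
          aws-region: ${{ env.AWS_REGION }}

      - name: Log in to Amazon ECR
        id: ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build, tag and push image (immutable tag = commit SHA)
        env:
          REGISTRY: ${{ steps.ecr.outputs.registry }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker build -t "$REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

      - name: Install CDK app dependencies
        run: npm ci

      # No render-task-definition / deploy-task-definition steps: CDK owns the
      # task definition, so nothing is written to ECS behind CloudFormation's back.
      - name: Deploy with CDK, passing the tag as context
        run: |
          npx cdk deploy "$CDK_STACK" \
            --require-approval never \
            --context imageTag="${{ github.sha }}"
```

On the CDK side, read the tag with `this.node.tryGetContext('imageTag')` and fail synthesis if it is missing rather than falling back to `latest`, so a deploy can never silently pick up whatever `latest` points at. Setting the ECR repository to immutable tags (`imageTagMutability: ecr.TagMutability.IMMUTABLE` in CDK) guarantees that the SHA tag recorded in the task definition cannot later be re-pointed at a different image. With this layout a new task definition revision is created only when the tag in the synthesized template actually changes, and the ECS service is always updated by CloudFormation, so the "100 vs 101" mismatch from the question does not arise.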
