Why does CFN update the ECS TaskDefinition when updating the ECS Service but not use the latest revision?

0

We're using ECS and when I update the ECS::Service resource it also triggers an update of the ECS::TaskDefinition for that service. The documentation specifically says that if you don't specify a "revision" in the TaskDefinition it will use the latest ACTIVE revision. However, that doesn't seem to be the case.

In my testing, I changed the Service::ServiceConnectionConfiguration service timeout from 60 seconds to 30 seconds and CFN updated my TaskDefinition from "8 (LATEST)" to "4", which was old. What am I doing wrong? Is anyone else seeing this problem?

Service Config:

"ecssrvcdurin": {
  "Type": "AWS::ECS::Service",
  "Properties": {
    "Cluster": {"Ref": "ParamClusterARN"},
    "DeploymentConfiguration": {
      "MaximumPercent": 200,
      "MinimumHealthyPercent": 100,
      "DeploymentCircuitBreaker": {"Enable": true, "Rollback": true}
    },
    "DeploymentController": {"Type": "ECS"},
    "DesiredCount": 2,
    "EnableECSManagedTags": true,
    "EnableExecuteCommand": true,
    "NetworkConfiguration": {"AwsvpcConfiguration": { .... }
    },
    "PropagateTags": "TASK_DEFINITION",
    "ServiceName": "durin",
    "ServiceConnectConfiguration": {
      "Enabled": true,
      "Services": [
        {"PortName": "durin", "ClientAliases": [{"Port": 3001}], "Timeout": {"PerRequestTimeoutSeconds": 30}}
      ]
    },
    "TaskDefinition": {"Ref": "ecstddurin"}
  }
},

Task Config:

"ecstddurin": {
  "Type": "AWS::ECS::TaskDefinition",
  "Properties": {
    "ContainerDefinitions": [
      {
        "Essential": true,
        "HealthCheck": {"Command": ["CMD-SHELL", "exit 0"], "Interval": 30, "Retries": 3, "Timeout": 5},
        "LinuxParameters": {"InitProcessEnabled": true},
        "LogConfiguration": {
          "LogDriver": "awslogs",
          "Options": {
            "awslogs-region": "us-east-1",
            "awslogs-group": "/lh/ecs/sg/durin",
            "awslogs-stream-prefix": "durin"
          }
        },
        "PortMappings": [{"Name": "durin", "ContainerPort": 3001, "Protocol": "tcp", "AppProtocol": "http"}],
        "Image": "zzzzzzzzzzzzzz.dkr.ecr.us-east-1.amazonaws.com/durin",
        "Name": "durin"
      }
    ],
    "Cpu": "1024",
    "ExecutionRoleArn": {"Fn::GetAtt": ["iamrecsexecutionrole", "Arn"]},
    "Family": "durin-sg",
    "Memory": "4096",
    "NetworkMode": "awsvpc",
    "RequiresCompatibilities": ["FARGATE"],
    "RuntimePlatform": {"CpuArchitecture": "X86_64", "OperatingSystemFamily": "LINUX"}
    ....
  }
},

1 Answer
1

Hello.

If you retrieve "AWS::ECS::TaskDefinition" with !Ref, the content will be retrieved with the revision number included in the ARN.
Therefore, it is possible that it has become the fourth revision.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#aws-resource-ecs-taskdefinition-return-values

In the following example, the Ref function returns the ARN of the MyTaskDefinition task definition, such as arn:aws:ecs:us-west-2:123456789012:task-definition/TaskDefinitionFamily:1.

Why not check the revision of the task definition used in CloudFormation using the "Outputs" section as shown below?
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/outputs-section-structure.html

"Outputs" : {
  "TaskDefARN" : {
    "Value" : {"Ref": "ecstddurin"},
    "Export" : {
      "Name" : "TaskDefARN"
    }
  }
}
EXPERT
answered 16 days ago
  • Interesting. The "ECS::Service" and "ECS::TaskDefinition" are in the same CFN template. Will CFN dynamically update the TaskDefARN and apply it to the Service if they are both in the same template?

    Also, this is a neat idea for a workaround, but should it be necessary? The CFN docs are pretty clear that it will use the latest ACTIVE TaskDefinition, yet my experience seems to suggest that's not the case.

  • Interesting. The "ECS::Service" and "ECS::TaskDefinition" are in the same CFN template. Will CFN dynamically update the TaskDefARN and apply it to the Service if they are both in the same template?

    If there is a change in "AWS::ECS::TaskDefinition", a new revision will be created and the ARN revision number will be changed.

    Also, this is a neat idea for a workaround, but should it be necessary? The CFN docs are pretty clear that it will use the latest ACTIVE TaskDefinition, yet my experience seems to suggest that's not the case.

    In your case, you are getting the ARN including the revision number with "{"Ref": "ecstddurin"}". The documentation says to use the latest revision only if you don't specify the full ARN. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-taskdefinition
    Therefore, if the ARN is as below, I think the latest revision will be used.

    arn:aws:ecs:us-west-2:123456789012:task-definition/TaskDefinitionFamily
    
  • Riku, I think you are correct. I just did a bit of testing where I manually constructed the ARN (without the revision number) and my update didn't change the TaskDefinition. WooHoo! If you repost this as an Answer I'll mark it as Accepted. :)
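
The resolution reached in the comments above, as an added example that is not part of the original thread: the service's TaskDefinition is given as an ARN built without the revision suffix, so ECS resolves it to the latest ACTIVE revision of the family instead of the revision carried in the value returned by Ref. The resource names and the "durin-sg" family come from the question; the Fn::Sub construction, the DependsOn entry (needed because without Ref CloudFormation no longer infers the ordering) and the Metadata note are assumptions of this example.

```json
{
  "Resources": {
    "ecssrvcdurin": {
      "Type": "AWS::ECS::Service",
      "DependsOn": ["ecstddurin"],
      "Metadata": {
        "Note": "Added example, not the poster's template. Remaining Service properties and the ecstddurin resource are as in the question and omitted here."
      },
      "Properties": {
        "Cluster": {"Ref": "ParamClusterARN"},
        "ServiceName": "durin",
        "TaskDefinition": {
          "Fn::Sub": "arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/durin-sg"
        }
      }
    }
  }
}
```

Because this string stays the same when the task definition changes, a template update that only touches ecstddurin registers a new revision but does not by itself change the Service resource, so no new deployment is started by that update alone.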
