使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

EventBus Rule Target ECS Fargate Task - Unable to invoke set version

0

When building a rule targeting a specific ECS Task version (not latest), we're observing that the rule fails to be invoked. Let me provide some scenarios:

    • In the EventBirdge-> Events-> Rules-> Add Target UI, define everything about your ECS Task. Do not update the task definition revision.
  • Verify your event invokes successfully.
  • Pull up the json from aws cli for referencing:
    aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here
  • Edit your rule/target to "Configure task definition revision and task count" to a Revision of the latest version for your task.
  • Observe if your rule invokes successfully or not. From my tests, it will fail. You can see this in the Cloudwatch "Monitoring" of the rule and observe your Invocations and FailedInvocations.
  • Pull up the json from aws cli for referencing:
    aws events list-targets-by-rule --rule rule-name-here --event-bus-name bus-name-here
    You will notice the working version does not contain the version appended to the end (i.e. Works - "arn::aws::task-definition" vs Non-working "arn::aws::task-definition:16")
  1. In Cloudformation, build your CF template with the appropriate settings that can be matched/compared with #1.
    Example (with lots of actual links replaced)
    Targets:
    - Arn: !GetAtt ClusterArn.Value
    RoleArn: !GetAtt RoleArn.Value
    Id: project-name-here
    EcsParameters:
    TaskCount: 1
    TaskDefinitionArn: !GetAtt RoleArn.Value
    LaunchType: FARGATE
    NetworkConfiguration:
    AwsVpcConfiguration:
    AssignPublicIp: DISABLED
    SecurityGroups:
    Fn::Split:
    - ","
    - Fn::ImportValue: !Sub ${EnvironmentName}:sec-groups
    Subnets:
    Fn::Split:
    - ","
    - Fn::ImportValue:
    !Sub ${EnvironmentName}:subnets
    If you attempt this CF, it will build the stack successfully when providing a valid ARN for the ecs task definition (The rule invoking this target will fail). If you try to provide the task definition Arn without the version, that's not a valid ARN, so CF will fail during stack creation.

Let me know if more information is required to test this scenario in other environments, but we have validated it on our end to not be working as expected. Any help/guidance would be greatly appreciated!

Edited by: rsNate on Jun 29, 2021 2:32 PM

Edited by: rsNate on Jun 29, 2021 2:32 PM

主题
无服务器应用程序集成
标签
Amazon EventBridge
语言
English
rsNate
已提问 3 年前721 查看次数
2 回答
0

This was resolved by ensuring that the role's policy was specifying the task's ARN with the version being a * instead of the specific version.

i.e.
BAD - Only allow latest version
Resource: !Sub
- "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}"
- TaskName: !FindInMap [Inventory, Project, Name]

GOOD - Allows specific versions to be defined
Resource: !Sub
- "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/${EnvironmentName}-${TaskName}:*"
- TaskName: !FindInMap [Inventory, Project, Name]

When this is setup correctly, you can now Edit in the UI as well with all fields being populated as expected. The auto-generated policy does not include ALL version permissions, only Latest.

rsNate
已回答 3 年前
0

Thank you for bringing this to our attention. I will track this as an issue to improve our console policies for ECS tasks.

AWS
NikPinski-AWSEventBridge
已回答 3 年前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容