Skip to content

Commit

Permalink
fix(ecs): potential race condition on TaskRole default policy update …
Browse files Browse the repository at this point in the history 
…with CfnService (#26070)

Prevents potential race conditions on TaskRole default policy update in EC2 and Fargate services by adding a dependency on the TaskRole.
This will update the TaskRole and its children first and the service after.

Closes #24880.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
@lpizzinidev
lpizzinidev committed Jun 26, 2023
1 parent 939dc84 commit 2d9078c
Show file tree
Hide file tree
Showing 170 changed files with 3,746 additions and 2,128 deletions.
6 changes: 4 additions & 2 deletions .../test/integ.pipeline-ecs-deploy.js.snapshot/aws-cdk-codepipeline-ecs-deploy.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -297,7 +297,8 @@
"TaskDefinition": {
"Ref": "TaskDef54694570"
}
}
},
"DependsOn": ["TaskDefTaskRole1EDB4A67"]
},
"FargateServiceSecurityGroup0A0E79CB": {
"Type": "AWS::EC2::SecurityGroup",
Expand All @@ -313,7 +314,8 @@
"VpcId": {
"Ref": "VPCB9E5F0B4"
}
}
},
"DependsOn": ["TaskDefTaskRole1EDB4A67"]
},
"MyBucketF68F3FF0": {
"Type": "AWS::S3::Bucket",
Expand Down
3 changes: 2 additions & 1 deletion ...ervice-command-entry-point.js.snapshot/aws-ecs-integ-alb-ec2-cmd-entrypoint.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -868,7 +868,8 @@
},
"DependsOn": [
"ALBECSServiceWithCommandEntryPointLBPublicListenerECSGroup7271102D",
"ALBECSServiceWithCommandEntryPointLBPublicListener1DCF0F84"
"ALBECSServiceWithCommandEntryPointLBPublicListener1DCF0F84",
"ALBECSServiceWithCommandEntryPointTaskDefTaskRoleD0EE621C"
]
}
},
Expand Down
3 changes: 2 additions & 1 deletion ...2/integ.application-load-balanced-ecs-service.js.snapshot/aws-ecs-integ-alb.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1065,7 +1065,8 @@
},
"DependsOn": [
"myServiceLBPublicListenerECSGroup17E9BBC1",
"myServiceLBPublicListenerC78AE8A0"
"myServiceLBPublicListenerC78AE8A0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
}
},
Expand Down
3 changes: 2 additions & 1 deletion ...ad-balanced-ecs-service.js.snapshot/aws-ecs-integ-multiple-alb-healthchecks.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1284,7 +1284,8 @@
"myServicelb1listener1ECSTargetGroupweb80GroupC3F9339A",
"myServicelb1listener15ED0E805",
"myServicelb2listener2ECSTargetGroupweb90Group6841F924",
"myServicelb2listener2AA6970EB"
"myServicelb2listener2AA6970EB",
"myServiceTaskDefTaskRole1C1DE6CC"
]
}
},
Expand Down
3 changes: 2 additions & 1 deletion ...etwork-load-balanced-ecs-service.js.snapshot/aws-ecs-integ-nlb-healthchecks.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1120,7 +1120,8 @@
"myServicelb1listener1ECSTargetGroupweb80GroupC3F9339A",
"myServicelb1listener15ED0E805",
"myServicelb2listener2ECSTargetGroupweb90Group6841F924",
"myServicelb2listener2AA6970EB"
"myServicelb2listener2AA6970EB",
"myServiceTaskDefTaskRole1C1DE6CC"
]
}
},
Expand Down
4 changes: 3 additions & 1 deletion ...alanced-ecs-service-idle-timeout.js.snapshot/aws-ecs-integ-alb-idle-timeout.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1500,7 +1500,9 @@
"myServicelb2listener2ECSTargetGroupweb443Group8FAB1268",
"myServicelb2listener2ECSTargetGroupweb80Group0590BDE6",
"myServicelb2listener2ECSTargetGroupweb80Rule2490715C",
"myServicelb2listener2AA6970EB"
"myServicelb2listener2AA6970EB",
"myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
}
},
Expand Down
4 changes: 3 additions & 1 deletion ...pplication-load-balanced-ecs-service.js.snapshot/aws-ecs-integ-multiple-alb.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1213,7 +1213,9 @@
"myServiceLBPublicListenerECSTargetGroupweb80GroupCA306BD0",
"myServiceLBPublicListenerECSTargetGroupweb90Group6388E5B5",
"myServiceLBPublicListenerECSTargetGroupweb90Rule0CAA997D",
"myServiceLBPublicListenerC78AE8A0"
"myServiceLBPublicListenerC78AE8A0",
"myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
}
},
Expand Down
3 changes: 2 additions & 1 deletion ...t/ec2/integ.network-load-balanced-ecs-service.js.snapshot/aws-ecs-integ-nlb.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1024,7 +1024,8 @@
},
"DependsOn": [
"myServiceLBPublicListenerECSGroup17E9BBC1",
"myServiceLBPublicListenerC78AE8A0"
"myServiceLBPublicListenerC78AE8A0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
}
},
Expand Down
9 changes: 6 additions & 3 deletions ...ommand-entry-point.js.snapshot/aws-ecs-integ-lb-fargate-cmd-entrypoint-test.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -677,7 +677,8 @@
},
"DependsOn": [
"ALBFargateServiceWithCommandAndEntryPointLBPublicListenerECSGroupBAD40305",
"ALBFargateServiceWithCommandAndEntryPointLBPublicListener6589DC80"
"ALBFargateServiceWithCommandAndEntryPointLBPublicListener6589DC80",
"ALBFargateServiceWithCommandAndEntryPointTaskDefTaskRole65CE9392"
]
},
"ALBFargateServiceWithCommandAndEntryPointServiceSecurityGroupD154E880": {
Expand All @@ -694,7 +695,8 @@
"VpcId": {
"Ref": "Vpc8378EB38"
}
}
},
"DependsOn": ["ALBFargateServiceWithCommandAndEntryPointTaskDefTaskRole65CE9392"]
},
"ALBFargateServiceWithCommandAndEntryPointServiceSecurityGroupfromawsecsinteglbfargatecmdentrypointtestALBFargateServiceWithCommandAndEntryPointLBSecurityGroup886E70918046DDBFE6": {
"Type": "AWS::EC2::SecurityGroupIngress",
Expand All @@ -715,7 +717,8 @@
]
},
"ToPort": 80
}
},
"DependsOn": ["ALBFargateServiceWithCommandAndEntryPointTaskDefTaskRole65CE9392"]
}
},
"Outputs": {
Expand Down
16 changes: 13 additions & 3 deletions ...ate-service-https-idle-timeout.js.snapshot/aws-ecs-integ-alb-fg-idletimeout.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -787,7 +787,9 @@
},
"DependsOn": [
"myServiceLBPublicListenerECSGroup17E9BBC1",
"myServiceLBPublicListenerC78AE8A0"
"myServiceLBPublicListenerC78AE8A0",
"myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
},
"myServiceSecurityGroupC3B9D4E0": {
Expand All @@ -804,7 +806,11 @@
"VpcId": {
"Ref": "Vpc8378EB38"
}
}
},
"DependsOn": [
"myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
},
"myServiceSecurityGroupfromawsecsintegalbfgidletimeoutmyServiceLBSecurityGroup1B078E6280039B9A1C": {
"Type": "AWS::EC2::SecurityGroupIngress",
Expand All @@ -825,7 +831,11 @@
]
},
"ToPort": 80
}
},
"DependsOn": [
"myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
}
},
"Outputs": {
Expand Down
16 changes: 13 additions & 3 deletions ...gate/integ.alb-fargate-service-https.js.snapshot/aws-ecs-integ-alb-fg-https.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -783,7 +783,9 @@
},
"DependsOn": [
"myServiceLBPublicListenerECSGroup17E9BBC1",
"myServiceLBPublicListenerC78AE8A0"
"myServiceLBPublicListenerC78AE8A0",
"myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
},
"myServiceSecurityGroupC3B9D4E0": {
Expand All @@ -800,7 +802,11 @@
"VpcId": {
"Ref": "Vpc8378EB38"
}
}
},
"DependsOn": [
"myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
},
"myServiceSecurityGroupfromawsecsintegalbfghttpsmyServiceLBSecurityGroupA934AF89808E9FB7A3": {
"Type": "AWS::EC2::SecurityGroupIngress",
Expand All @@ -821,7 +827,11 @@
]
},
"ToPort": 80
}
},
"DependsOn": [
"myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
}
},
"Outputs": {
Expand Down
9 changes: 6 additions & 3 deletions ...erns/test/fargate/integ.asset-image.js.snapshot/aws-ecs-integ-fargate-image.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -707,7 +707,8 @@
},
"DependsOn": [
"FargateServiceLBPublicListenerECSGroupBE57E081",
"FargateServiceLBPublicListener4B4929CA"
"FargateServiceLBPublicListener4B4929CA",
"FargateServiceTaskDefTaskRole8CDCF85E"
]
},
"FargateServiceSecurityGroup262B61DD": {
Expand All @@ -724,7 +725,8 @@
"VpcId": {
"Ref": "Vpc8378EB38"
}
}
},
"DependsOn": ["FargateServiceTaskDefTaskRole8CDCF85E"]
},
"FargateServiceSecurityGroupfromawsecsintegfargateimageFargateServiceLBSecurityGroup04156A428000D3E717F0": {
"Type": "AWS::EC2::SecurityGroupIngress",
Expand All @@ -745,7 +747,8 @@
]
},
"ToPort": 8000
}
},
"DependsOn": ["FargateServiceTaskDefTaskRole8CDCF85E"]
}
},
"Outputs": {
Expand Down
9 changes: 6 additions & 3 deletions ...ker-load-balanced-fargate-service.js.snapshot/aws-ecs-integ-circuit-breaker.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -676,7 +676,8 @@
},
"DependsOn": [
"myServiceLBPublicListenerECSGroup17E9BBC1",
"myServiceLBPublicListenerC78AE8A0"
"myServiceLBPublicListenerC78AE8A0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
},
"myServiceSecurityGroupC3B9D4E0": {
Expand All @@ -693,7 +694,8 @@
"VpcId": {
"Ref": "Vpc8378EB38"
}
}
},
"DependsOn": ["myServiceTaskDefTaskRole1C1DE6CC"]
},
"myServiceSecurityGroupfromawsecsintegcircuitbreakermyServiceLBSecurityGroupB690840480BBFF8B33": {
"Type": "AWS::EC2::SecurityGroupIngress",
Expand All @@ -714,7 +716,8 @@
]
},
"ToPort": 80
}
},
"DependsOn": ["myServiceTaskDefTaskRole1C1DE6CC"]
}
},
"Outputs": {
Expand Down
9 changes: 6 additions & 3 deletions ...-controller-fargate-service.js.snapshot/aws-ecs-integ-circuit-breaker-no-dc.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -673,7 +673,8 @@
},
"DependsOn": [
"myServiceLBPublicListenerECSGroup17E9BBC1",
"myServiceLBPublicListenerC78AE8A0"
"myServiceLBPublicListenerC78AE8A0",
"myServiceTaskDefTaskRole1C1DE6CC"
]
},
"myServiceSecurityGroupC3B9D4E0": {
Expand All @@ -690,7 +691,8 @@
"VpcId": {
"Ref": "Vpc8378EB38"
}
}
},
"DependsOn": ["myServiceTaskDefTaskRole1C1DE6CC"]
},
"myServiceSecurityGroupfromawsecsintegcircuitbreakernodcmyServiceLBSecurityGroupBDCB2AE380B499F76F": {
"Type": "AWS::EC2::SecurityGroupIngress",
Expand All @@ -711,7 +713,8 @@
]
},
"ToPort": 80
}
},
"DependsOn": ["myServiceTaskDefTaskRole1C1DE6CC"]
}
},
"Outputs": {
Expand Down
48 changes: 40 additions & 8 deletions ...breaker-queue-processing-fargate-service.js.snapshot/aws-ecs-patterns-queue.template.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -650,7 +650,11 @@
"TaskDefinition": {
"Ref": "QueueProcessingServiceQueueProcessingTaskDef4982F68B"
}
}
},
"DependsOn": [
"QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
"QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
]
},
"QueueProcessingServiceQueueProcessingFargateServiceSecurityGroup8FDF413D": {
"Type": "AWS::EC2::SecurityGroup",
Expand All @@ -666,7 +670,11 @@
"VpcId": {
"Ref": "VPCB9E5F0B4"
}
}
},
"DependsOn": [
"QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
"QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
]
},
"QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetA9D54444": {
"Type": "AWS::ApplicationAutoScaling::ScalableTarget",
Expand Down Expand Up @@ -709,7 +717,11 @@
},
"ScalableDimension": "ecs:service:DesiredCount",
"ServiceNamespace": "ecs"
}
},
"DependsOn": [
"QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
"QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
]
},
"QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetCpuScaling330150E9": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
Expand All @@ -725,7 +737,11 @@
},
"TargetValue": 50
}
}
},
"DependsOn": [
"QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
"QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
]
},
"QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetQueueMessagesVisibleScalingLowerPolicy332E2644": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
Expand All @@ -745,7 +761,11 @@
}
]
}
}
},
"DependsOn": [
"QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
"QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
]
},
"QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetQueueMessagesVisibleScalingLowerAlarm20C30A06": {
"Type": "AWS::CloudWatch::Alarm",
Expand Down Expand Up @@ -774,7 +794,11 @@
"Period": 300,
"Statistic": "Maximum",
"Threshold": 0
}
},
"DependsOn": [
"QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
"QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
]
},
"QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetQueueMessagesVisibleScalingUpperPolicy84DD739A": {
"Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
Expand All @@ -799,7 +823,11 @@
}
]
}
}
},
"DependsOn": [
"QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
"QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
]
},
"QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetQueueMessagesVisibleScalingUpperAlarm2660BEDF": {
"Type": "AWS::CloudWatch::Alarm",
Expand Down Expand Up @@ -828,7 +856,11 @@
"Period": 300,
"Statistic": "Maximum",
"Threshold": 100
}
},
"DependsOn": [
"QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
"QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
]
},
"EcsDefaultClusterMnL3mNNYNVPC9C1EC7A3": {
"Type": "AWS::ECS::Cluster"
Expand Down
Loading

0 comments on commit 2d9078c

Please sign in to comment.