feat(scheduler-targets): EcsRunTask scheduler target

[gracelu0]

Issue # (if applicable)

Closes #27456

Reason for this change

Currently the module supports all templated targets for EventBridge scheduler except for EcsRunTask.

Description of changes

• Added new base class EcsRunTask with subclasses EcsRunFargateTask and EcsRunEc2Task depending on where user wants to schedule their ECS task. Decided on this design since some of the parameters in EcsParameters only apply one of Fargate or EC2.

Describe any new or updated permissions being added

• Grant ecs:RunTask to the schedule execution role for the task definition and iam:passRole using existing grantRun() method (docs)

  this.props.taskDefinition.grantRun(role);

// TaskDefinition grant method 
  public grantRun(grantee: iam.IGrantable) {
    grantee.grantPrincipal.addToPrincipalPolicy(this.passRoleStatement);
    return iam.Grant.addToPrincipal({
      grantee,
      actions: ['ecs:RunTask'],
      resourceArns: [this.taskDefinitionArn],
    });
  }

//   passRoleStatement 
private get passRoleStatement() {
    if (!this._passRoleStatement) {
      this._passRoleStatement = new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['iam:PassRole'],
        resources: this.executionRole ? [this.taskRole.roleArn, this.executionRole.roleArn] : [this.taskRole.roleArn],
        conditions: {
          StringLike: { 'iam:PassedToService': 'ecs-tasks.amazonaws.com' },
        },
      });
    }

    return this._passRoleStatement;
  }

• If tags are defined, grant ecs:TagResourceto the schedule execution tole for tasks in the cluster

    if (this.props.propagateTags === true || this.props.tags) {
      role.addToPrincipalPolicy(new PolicyStatement({
        actions: ['ecs:TagResource'],
        resources: [`arn:${this.cluster.stack.partition}:ecs:${this.cluster.env.region}:${this.props.taskDefinition.env.account}:task/${this.cluster.clusterName}/*`],
      }));
    }

Description of how you validated changes

Added unit tests and integration tests with assertions.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.38%. Comparing base (2623e00) to head (08fc170).
Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33697   +/-   ##
=======================================
  Coverage   82.38%   82.38%           
=======================================
  Files         120      120           
  Lines        6937     6937           
  Branches     1170     1170           
=======================================
  Hits         5715     5715           
  Misses       1119     1119           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.38% <ø> (ø)

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[godwingrs22]

Thanks @gracelu0 for this great work. LGTM overall. Left few nits and comments for my understanding.

[godwingrs22]

Can we a unit test for both fargate and ec2 task by calling like below also?

new scheduler.Schedule(stack, 'Schedule', {
        schedule: scheduler.ScheduleExpression.rate(cdk.Duration.minutes(5)),
        target: new targets.FargateTask(...)
      });

new scheduler.Schedule(stack, 'Schedule', {
        schedule: scheduler.ScheduleExpression.rate(cdk.Duration.minutes(5)),
        target: new targets.EC2Task(...)
      });

[gracelu0]

The API is intentionally designed to only support the static factory methods (EcsRunTask.onFargate() and EcsRunTask.onEc2()). The concrete classes (FargateTask and EC2Task) are implementation details and not part of the public API, so users can't directly instantiate them.

I recognize this isn't consistent with the other scheduler targets though (e.g. new targets.SqsSendMessage()) - so for consistency we could refactor as new targets.EcsRunFargateTask() and new targets.EcsRunEc2Task()

[godwingrs22]

Yes i think we should expose this as public api as well so users can directly instantiate to be consistent with other scheduler targets. I'm good with the naming you suggested.

[godwingrs22]

Thanks @gracelu0 for addressing the earlier comments. Left two comments to clarify on the validation.

[godwingrs22]

I'm not sure if this check is valid. Based on the CFN doc, it doesn't explicitly state that subnets or security groups should not be provided for other network modes.

I think it says as networkConfiguration is required for task definitions that use the awsvpc network mode. I know AWS_VPC network mode needs subnet and security group. But other network modes such as host or bridge i'm not sure if these subnets or secruity group can be used.

Please correct me if my understanding is wrong.

In that case, may be we should validate to check if the vpcSubnets is provided if aws_vpc network mode is used. since subnet is a required property on conditional basis.

if (this.props.taskDefinition.networkMode === ecs.NetworkMode.AWS_VPC && !this.props.vpcSubnets) {
    throw new ValidationError('Subnets must be specified when using awsvpc network mode', _schedule);
}

[gracelu0]

The info seems to be scattered across multiple docs 😅 but here's another doc for AwsvpcConfiguration that says:

Properties

AwsvpcConfiguration
Specifies the Amazon VPC subnets and security groups for the task, and whether a public IP address is to be used. 

**This structure is relevant only for ECS tasks that use the awsvpc network mode.**

Based on that, my understanding is that for other network modes like 'host' or 'bridge', subnets and securityGroups should not be specified. I see in the stepfunctions-tasks module for ecs run-task we have some similar validation logic.

In that case, may be we should validate to check if the vpcSubnets is provided if aws_vpc network mode is used. since subnet is a required property on conditional basis.

We could add the validation or default to using the private subnets if user doesn't pass in any subnets and task definition is using AWS_VPC network mode:

const subnetSelection = this.subnetSelection || { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS };

Setting a default for subnets is the current behaviour for Fargate, I can update EC2 with the same unless you think we should not set any default and instead enforce the user to provide a value.

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[godwingrs22]

Thanks @gracelu0. LGTM overall. Just one question for my understanding before i approve the PR.

[godwingrs22]

qq: For my understanding, is assignPublicIp feature not supported for EC2 based tasks ? I see we have it supported for Fargate based tasks. For ec2 based tasks, if the network mode is aws_vpc and subnet is a public subnet then users can still enable assignPublicIp right if they want to connect via public ip?

[gracelu0]

I based the implementation on the CloudFormation docs for AWS::Scheduler::Schedule AwsVpcConfiguration, it says under AssignPublicIp:

You can specify ENABLED only when LaunchType in EcsParameters is set to FARGATE.

[godwingrs22]

Thank you for the clarification.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

You should update or rebase your pull request manually.

If you want to requeue this pull request, you can post a @mergifyio requeue comment.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 66721c4
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.