feat(events-targets): support assignPublicIp flag to EcsTask (#25660)

ymhiroki · web-flow · commit 37f1eb020d50 · 2023-06-12T14:19:34.000Z
This feature supports `assignPublicIp` to `EcsTask`. It specifies whether the task's elastic network interface receives a public IP address. You can enable it only when `LaunchType` is `FARGATE`. In this commit, the choice logic of the `LaunchType` keeps the backwards compatibility. Closes #9233 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.js.snapshot/aws-ecs-integ-fargate.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.js.snapshot/aws-ecs-integ-fargate.assets.json
@@ -1,15 +1,15 @@
 {
   "version": "31.0.0",
   "files": {
-    "4eef78557096850d7999e5b8dea53c92d3dfecb6360d19bff549c574432580e1": {
+    "f54d2ab12d74af5412f68984953da28f5db17e8b02e7df30a6e02393dbdc1da1": {
       "source": {
         "path": "aws-ecs-integ-fargate.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "4eef78557096850d7999e5b8dea53c92d3dfecb6360d19bff549c574432580e1.json",
+          "objectKey": "f54d2ab12d74af5412f68984953da28f5db17e8b02e7df30a6e02393dbdc1da1.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.js.snapshot/aws-ecs-integ-fargate.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.js.snapshot/aws-ecs-integ-fargate.template.json
@@ -556,6 +556,47 @@
         "Arn"
        ]
       }
+     },
+     {
+      "Arn": {
+       "Fn::GetAtt": [
+        "EcsCluster97242B84",
+        "Arn"
+       ]
+      },
+      "EcsParameters": {
+       "LaunchType": "FARGATE",
+       "NetworkConfiguration": {
+        "AwsVpcConfiguration": {
+         "AssignPublicIp": "ENABLED",
+         "SecurityGroups": [
+          {
+           "Fn::GetAtt": [
+            "TaskDefSecurityGroupD50E7CF0",
+            "GroupId"
+           ]
+          }
+         ],
+         "Subnets": [
+          {
+           "Ref": "VpcPublicSubnet1Subnet5C2D37C4"
+          }
+         ]
+        }
+       },
+       "TaskCount": 1,
+       "TaskDefinitionArn": {
+        "Ref": "TaskDef54694570"
+       }
+      },
+      "Id": "Target1",
+      "Input": "{}",
+      "RoleArn": {
+       "Fn::GetAtt": [
+        "TaskDefEventsRoleFB3B67B8",
+        "Arn"
+       ]
+      }
      }
     ]
    }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.js.snapshot/manifest.json
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/4eef78557096850d7999e5b8dea53c92d3dfecb6360d19bff549c574432580e1.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f54d2ab12d74af5412f68984953da28f5db17e8b02e7df30a6e02393dbdc1da1.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.js.snapshot/tree.json
@@ -971,6 +971,47 @@
                           }
                         },
                         "input": "{\"containerOverrides\":[{\"name\":\"TheContainer\",\"environment\":[{\"name\":\"I_WAS_TRIGGERED\",\"value\":\"From CloudWatch Events\"}]}]}"
+                      },
+                      {
+                        "id": "Target1",
+                        "arn": {
+                          "Fn::GetAtt": [
+                            "EcsCluster97242B84",
+                            "Arn"
+                          ]
+                        },
+                        "roleArn": {
+                          "Fn::GetAtt": [
+                            "TaskDefEventsRoleFB3B67B8",
+                            "Arn"
+                          ]
+                        },
+                        "ecsParameters": {
+                          "taskCount": 1,
+                          "taskDefinitionArn": {
+                            "Ref": "TaskDef54694570"
+                          },
+                          "launchType": "FARGATE",
+                          "networkConfiguration": {
+                            "awsVpcConfiguration": {
+                              "subnets": [
+                                {
+                                  "Ref": "VpcPublicSubnet1Subnet5C2D37C4"
+                                }
+                              ],
+                              "assignPublicIp": "ENABLED",
+                              "securityGroups": [
+                                {
+                                  "Fn::GetAtt": [
+                                    "TaskDefSecurityGroupD50E7CF0",
+                                    "GroupId"
+                                  ]
+                                }
+                              ]
+                            }
+                          }
+                        },
+                        "input": "{}"
                       }
                     ]
                   }
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-events-targets/test/ecs/integ.event-fargate-task.ts
@@ -51,6 +51,16 @@ rule.addTarget(new targets.EcsTask({
   ],
 }));
 
+// add public EcsTask as the target of the Rule
+rule.addTarget(
+  new targets.EcsTask({
+    cluster,
+    taskDefinition,
+    assignPublicIp: true,
+    subnetSelection: { subnetType: ec2.SubnetType.PUBLIC },
+  }),
+);
+
 new integ.IntegTest(app, 'EcsFargateTest', {
   testCases: [stack],
 });
diff --git a/packages/aws-cdk-lib/aws-events-targets/README.md b/packages/aws-cdk-lib/aws-events-targets/README.md
@@ -388,15 +388,44 @@ rule.addTarget(
 );
 ```
 
-### enable Amazon ECS Exec for ECS Task
+### Assign public IP addresses to tasks
 
-If you use Amazon ECS Exec, you can run commands in or get a shell to a container running on an Amazon EC2 instance or on AWS Fargate. 
+You can set the `assignPublicIp` flag to assign public IP addresses to tasks.
+If you want to detach the public IP address from the task, you have to set the flag `false`.
+You can specify the flag `true` only when the launch type is set to FARGATE.
 
 ```ts
 import * as ecs from "aws-cdk-lib/aws-ecs"
 declare const cluster: ecs.ICluster
 declare const taskDefinition: ecs.TaskDefinition
+
+const rule = new events.Rule(this, 'Rule', {
+  schedule: events.Schedule.rate(cdk.Duration.hours(1)),
+});
+
+rule.addTarget(
+  new targets.EcsTask({
+    cluster,
+    taskDefinition,
+    assignPublicIp: true,
+    subnetSelection: { subnetType: ec2.SubnetType.PUBLIC },
+  }),
+);
 declare const rule: events.Rule
+```
+
+### enable Amazon ECS Exec for ECS Task
+
+If you use Amazon ECS Exec, you can run commands in or get a shell to a container running on an Amazon EC2 instance or on AWS Fargate.
+
+```ts
+import * as ecs from "aws-cdk-lib/aws-ecs"
+declare const cluster: ecs.ICluster
+declare const taskDefinition: ecs.TaskDefinition
+
+const rule = new events.Rule(this, 'Rule', {
+  schedule: events.Schedule.rate(cdk.Duration.hours(1)),
+});
 
 rule.addTarget(new targets.EcsTask({
   cluster,
diff --git a/packages/aws-cdk-lib/aws-events-targets/lib/ecs-task.ts b/packages/aws-cdk-lib/aws-events-targets/lib/ecs-task.ts
@@ -96,6 +96,14 @@ export interface EcsTaskProps extends TargetBaseProps {
    */
   readonly platformVersion?: ecs.FargatePlatformVersion;
 
+  /**
+   * Specifies whether the task's elastic network interface receives a public IP address.
+   * You can specify true only when LaunchType is set to FARGATE.
+   *
+   * @default - true if the subnet type is PUBLIC, otherwise false
+   */
+  readonly assignPublicIp?: boolean;
+
   /**
     * Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags are not propagated.
     *
@@ -144,6 +152,7 @@ export class EcsTask implements events.IRuleTarget {
   private readonly taskCount: number;
   private readonly role: iam.IRole;
   private readonly platformVersion?: ecs.FargatePlatformVersion;
+  private readonly assignPublicIp?: boolean;
   private readonly propagateTags?: ecs.PropagatedTagSource;
   private readonly tags?: Tag[];
   private readonly enableExecuteCommand?: boolean;
@@ -157,6 +166,7 @@ export class EcsTask implements events.IRuleTarget {
     this.taskDefinition = props.taskDefinition;
     this.taskCount = props.taskCount ?? 1;
     this.platformVersion = props.platformVersion;
+    this.assignPublicIp = props.assignPublicIp;
     this.enableExecuteCommand = props.enableExecuteCommand;
 
     const propagateTagsValidValues = [ecs.PropagatedTagSource.TASK_DEFINITION, ecs.PropagatedTagSource.NONE];
@@ -212,14 +222,24 @@ export class EcsTask implements events.IRuleTarget {
     const enableExecuteCommand = this.enableExecuteCommand;
 
     const subnetSelection = this.props.subnetSelection || { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS };
-    const assignPublicIp = subnetSelection.subnetType === ec2.SubnetType.PUBLIC ? 'ENABLED' : 'DISABLED';
+
+    // throw an error if assignPublicIp is true and the subnet type is not PUBLIC
+    if (this.assignPublicIp && subnetSelection.subnetType !== ec2.SubnetType.PUBLIC) {
+      throw new Error('assignPublicIp should be set to true only for PUBLIC subnets');
+    }
+
+    const assignPublicIp = (this.assignPublicIp ?? subnetSelection.subnetType === ec2.SubnetType.PUBLIC) ? 'ENABLED' : 'DISABLED';
+    const launchType = this.taskDefinition.isEc2Compatible ? 'EC2' : 'FARGATE';
+    if (assignPublicIp === 'ENABLED' && launchType !== 'FARGATE') {
+      throw new Error('assignPublicIp is only supported for FARGATE tasks');
+    };
 
     const baseEcsParameters = { taskCount, taskDefinitionArn, propagateTags, tagList, enableExecuteCommand };
 
     const ecsParameters: events.CfnRule.EcsParametersProperty = this.taskDefinition.networkMode === ecs.NetworkMode.AWS_VPC
       ? {
         ...baseEcsParameters,
-        launchType: this.taskDefinition.isEc2Compatible ? 'EC2' : 'FARGATE',
+        launchType,
         platformVersion: this.platformVersion,
         networkConfiguration: {
           awsVpcConfiguration: {
diff --git a/packages/aws-cdk-lib/aws-events-targets/test/ecs/event-rule-target.test.ts b/packages/aws-cdk-lib/aws-events-targets/test/ecs/event-rule-target.test.ts
@@ -920,3 +920,137 @@ test('sets tag lists', () => {
     ],
   });
 });
+
+test('enable assignPublicIp for public subnet', () => {
+  // GIVEN
+  const taskDefinition = new ecs.FargateTaskDefinition(stack, 'TaskDef');
+  taskDefinition.addContainer('TheContainer', {
+    image: ecs.ContainerImage.fromRegistry('henk'),
+  });
+
+  const rule = new events.Rule(stack, 'Rule', {
+    schedule: events.Schedule.expression('rate(1 min)'),
+  });
+
+  // WHEN
+  rule.addTarget(new targets.EcsTask({
+    cluster,
+    taskDefinition,
+    taskCount: 1,
+    containerOverrides: [{
+      containerName: 'TheContainer',
+      command: ['echo', events.EventField.fromPath('$.detail.event')],
+    }],
+    subnetSelection: { subnetType: ec2.SubnetType.PUBLIC },
+    assignPublicIp: true,
+  }));
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', {
+    Targets: [
+      {
+        EcsParameters: {
+          NetworkConfiguration: {
+            AwsVpcConfiguration: {
+              AssignPublicIp: 'ENABLED',
+            },
+          },
+        },
+      },
+    ],
+  });
+});
+
+test('DISABLE is set when disable assignPublicIp in a public subnet', () => {
+  // GIVEN
+  const taskDefinition = new ecs.FargateTaskDefinition(stack, 'TaskDef');
+  taskDefinition.addContainer('TheContainer', {
+    image: ecs.ContainerImage.fromRegistry('henk'),
+  });
+
+  const rule = new events.Rule(stack, 'Rule', {
+    schedule: events.Schedule.expression('rate(1 min)'),
+  });
+
+  // WHEN
+  rule.addTarget(new targets.EcsTask({
+    cluster,
+    taskDefinition,
+    taskCount: 1,
+    containerOverrides: [{
+      containerName: 'TheContainer',
+      command: ['echo', events.EventField.fromPath('$.detail.event')],
+    }],
+    subnetSelection: { subnetType: ec2.SubnetType.PUBLIC },
+    assignPublicIp: false,
+  }));
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::Events::Rule', {
+    Targets: [
+      {
+        EcsParameters: {
+          NetworkConfiguration: {
+            AwsVpcConfiguration: {
+              AssignPublicIp: 'DISABLED',
+            },
+          },
+        },
+      },
+    ],
+  });
+});
+
+test('throw error when enable assignPublicIp for non-Fargate task', () => {
+  // GIVEN
+  const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef', {});
+  taskDefinition.addContainer('TheContainer', {
+    image: ecs.ContainerImage.fromRegistry('henk'),
+  });
+
+  const rule = new events.Rule(stack, 'Rule', {
+    schedule: events.Schedule.expression('rate(1 min)'),
+  });
+
+  // THEN
+  expect(() => {
+    rule.addTarget(new targets.EcsTask({
+      cluster,
+      taskDefinition,
+      taskCount: 1,
+      containerOverrides: [{
+        containerName: 'TheContainer',
+        command: ['echo', events.EventField.fromPath('$.detail.event')],
+      }],
+      subnetSelection: { subnetType: ec2.SubnetType.PUBLIC },
+      assignPublicIp: true,
+    }));
+  }).toThrowError('assignPublicIp is only supported for FARGATE tasks');
+});
+
+test('throw an error when assignPublicIp is set to true for private subnets', () => {
+  // GIVEN
+  const taskDefinition = new ecs.FargateTaskDefinition(stack, 'TaskDef');
+  taskDefinition.addContainer('TheContainer', {
+    image: ecs.ContainerImage.fromRegistry('henk'),
+  });
+
+  const rule = new events.Rule(stack, 'Rule', {
+    schedule: events.Schedule.expression('rate(1 min)'),
+  });
+
+  // THEN
+  expect(() => {
+    rule.addTarget(new targets.EcsTask({
+      cluster,
+      taskDefinition,
+      taskCount: 1,
+      containerOverrides: [{
+        containerName: 'TheContainer',
+        command: ['echo', events.EventField.fromPath('$.detail.event')],
+      }],
+      subnetSelection: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
+      assignPublicIp: true,
+    }));
+  }).toThrowError('assignPublicIp should be set to true only for PUBLIC subnets');
+});

Original file line number	Diff line number	Diff line change
`@@ -1,15 +1,15 @@`
`1`	`1`	`{`
`2`	`2`	`"version": "31.0.0",`
`3`	`3`	`"files": {`
`4`		`- "4eef78557096850d7999e5b8dea53c92d3dfecb6360d19bff549c574432580e1": {`
	`4`	`+ "f54d2ab12d74af5412f68984953da28f5db17e8b02e7df30a6e02393dbdc1da1": {`
`5`	`5`	`"source": {`
`6`	`6`	`"path": "aws-ecs-integ-fargate.template.json",`
`7`	`7`	`"packaging": "file"`
`8`	`8`	`},`
`9`	`9`	`"destinations": {`
`10`	`10`	`"current_account-current_region": {`
`11`	`11`	`"bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",`
`12`		`- "objectKey": "4eef78557096850d7999e5b8dea53c92d3dfecb6360d19bff549c574432580e1.json",`
	`12`	`+ "objectKey": "f54d2ab12d74af5412f68984953da28f5db17e8b02e7df30a6e02393dbdc1da1.json",`
`13`	`13`	`"assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"`
`14`	`14`	`}`
`15`	`15`	`}`