AWS Amazon ECS Task Definition

This page shows how to write Terraform and CloudFormation for an Amazon ECS Task Definition, and how to write them securely.

aws_ecs_task_definition (Terraform)

The Task Definition in Amazon ECS is configured in Terraform with the resource name aws_ecs_task_definition. The following sections show excerpts from public GitHub repositories of how the resource and its parameters are used.

Example Usage from GitHub

secrets.tf#L2
resource "aws_ecs_task_definition" "container_definitions_environment_not_set" {
  family                = "foo"
  container_definitions = <<EOF
[
  {
    "name": "bar",
ecs.tf#L7
resource "aws_ecs_task_definition" "gadget-front-task" {
  family                   = "gadget-front-task"
  cpu                      = "512"
  memory                   = "1024"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
aws_ecs_task_definition.tf#L1
resource "aws_ecs_task_definition" "front-task" {
  family                = "webapp-service"
  container_definitions = file("./container_definitions/service.json.tpl")

  execution_role_arn = data.terraform_remote_state.aws_iam.outputs.ecs_task_role_arn
  network_mode       = "bridge"

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_ecs_task_definition

There is one setting in aws_ecs_task_definition that should be taken care of for security reasons. The following section gives an overview and example code.


Ensure in-transit encryption is enabled for EFS volumes

When a task definition mounts an Amazon EFS file system, enable in-transit encryption for that volume so that traffic between the ECS host and the file system is protected by TLS instead of travelling as plain NFS across the VPC. In Terraform this is transit_encryption = "ENABLED" inside the volume's efs_volume_configuration block; it defaults to DISABLED when omitted, and it must be enabled if the volume uses EFS IAM authorization or an access point through authorization_config.
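The weak and the corrected form of this setting side by side, as an added example (not code from the original page or from the repositories it quotes). It assumes that aws_efs_file_system.app, aws_efs_access_point.app, aws_iam_role.task_execution and aws_iam_role.task are declared elsewhere in the module, and the image nginx:1.25 is only a placeholder.

```hcl
# Added example (not code from the original page or from the repositories it
# quotes). Assumed to exist elsewhere in the module: aws_efs_file_system.app,
# aws_efs_access_point.app, aws_iam_role.task_execution and aws_iam_role.task.
# The image "nginx:1.25" is a placeholder.

locals {
  container_definitions = jsonencode([
    {
      name                   = "web"
      image                  = "nginx:1.25"
      essential              = true
      readonlyRootFilesystem = true
      mountPoints = [
        { sourceVolume = "app-data", containerPath = "/data", readOnly = false }
      ]
    }
  ])
}

# Weak: transit_encryption is omitted, so it defaults to DISABLED and the EFS
# mount is plain NFS across the VPC. IAM authorization cannot be used here.
resource "aws_ecs_task_definition" "app_weak" {
  family                   = "app-weak"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "512"
  memory                   = "1024"
  execution_role_arn       = aws_iam_role.task_execution.arn
  task_role_arn            = aws_iam_role.task.arn
  container_definitions    = local.container_definitions

  volume {
    name = "app-data"
    efs_volume_configuration {
      file_system_id = aws_efs_file_system.app.id
      root_directory = "/exports/app"
    }
  }
}

# Corrected: TLS between the ECS host and EFS, the mount scoped to an access
# point, and the task role authorized by the EFS file system policy rather
# than by network reachability alone.
resource "aws_ecs_task_definition" "app_secure" {
  family                   = "app-secure"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "512"
  memory                   = "1024"
  execution_role_arn       = aws_iam_role.task_execution.arn
  task_role_arn            = aws_iam_role.task.arn
  container_definitions    = local.container_definitions

  volume {
    name = "app-data"
    efs_volume_configuration {
      file_system_id          = aws_efs_file_system.app.id
      root_directory          = "/" # must be "/" (or omitted) when an access point is set
      transit_encryption      = "ENABLED"
      transit_encryption_port = 2999 # optional; the agent picks a port when unset
      authorization_config {
        access_point_id = aws_efs_access_point.app.id
        iam             = "ENABLED" # requires transit_encryption = "ENABLED"
      }
    }
  }
}
```

After terraform apply, confirm the registered revision carries the setting with `aws ecs describe-task-definition --task-definition app-secure --query 'taskDefinition.volumes[].efsVolumeConfiguration.transitEncryption'`, which should print ["ENABLED"]. Enabling TLS on the mount is only part of the picture: the task role still needs elasticfilesystem:ClientMount (and ClientWrite for writable mounts) allowed by the EFS file system policy, and the mount target's security group must accept TCP 2049 from the task's network interface.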

Review your AWS Amazon ECS settings

You can check if the aws_ecs_task_definition setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Manages a revision of an ECS task definition to be used in aws_ecs_service.

Tips: Best Practices for The Other AWS Amazon ECS Resources

In addition to aws_ecs_task_definition, AWS Amazon ECS has other resources that should be configured for security reasons. Below are examples of those resources and the precautions to take.


aws_ecs_cluster

Ensure CloudWatch Container Insights is enabled

Enable CloudWatch Container Insights on the cluster to gain visibility into the workloads running on it. Container Insights collects, aggregates, and summarizes ECS metrics and logs; in Terraform it is turned on with a setting block on aws_ecs_cluster whose name is "containerInsights" and whose value is "enabled".

Review your AWS Amazon ECS settings

In addition to the above, Shisho Cloud checks other security points to make sure your .tf files are protected.

AWS::ECS::TaskDefinition (CloudFormation)

The TaskDefinition in ECS is configured in CloudFormation with the resource name AWS::ECS::TaskDefinition. The following sections show excerpts from public GitHub repositories of how the resource and its parameters are used.

Example Usage from GitHub

ECSTaskDefinitionEFSVolumeEncryption-PASSED.yaml#L4
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: "busybox"
          Image: "busybox"
          Cpu: 256
services.yaml#L158
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Ref 'MongoDbServiceName'
      Cpu: !Ref 'ContainerCpu'
      Memory: !Ref 'ContainerMemory'
      TaskRoleArn:
ecs-taskdef-tests.yaml#L14
        Type: 'AWS::ECS::TaskDefinition'
        Properties:
          TaskRoleArn: 'aws:arn'
  expectations:
    rules:
      all_ecs_tasks_must_have_task_end_execution_roles: FAIL
ECS.json#L73
  "resourceType" : "AWS::ECS::TaskDefinition",
  "properties" : [ {
    "propertyName" : "ContainerDefinitions",
    "propertyType" : "List<AWS::ECS::TaskDefinition::ContainerDefinition>",
    "required" : true,
    "propertyHref" : "aws-properties-ecs-taskdefinition-containerdefinitions.html"
cloudformation.json#L338
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [
          {
            "Essential": true,
            "Image": "mongo",
AWS-ECS-task-definition-resource-limits-not-set.json#L3
   "rule":"$.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any equal 0 or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any equal 0 or ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any null and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any null) or  ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any equal 0 and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any equal 0)",
   "id":"44a82298-64d1-4b4b-a9ad-eeda02448975",
   "enabled":true,
   "resourceType":"ecs",
   "policy":"AWS ECS task definition resource limits not set",
   "description": "Check if AWS ECS task definition resource limits are set",
cloudformation.json#L219
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {
                "ContainerDefinitions": [{
                    "Essential": true,
                    "Image": "mongo",
                    "Name": "carts-db",
cloudformation.json#L178
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [
          {
            "Essential": true,
            "Image": "mongo",

Parameters

Explanation in CloudFormation Registry

The AWS::ECS::TaskDefinition resource describes the container and volume definitions of an Amazon Elastic Container Service (Amazon ECS) task. You can specify which Docker images to use, the required resources, and other configurations related to launching the task definition through an Amazon ECS service or task.
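The excerpts above come from lint rule sets (a cfn-guard rule requiring task and execution roles, a config-lint rule requiring CPU and memory limits, and a test template named for EFS volume encryption). The added example below, which is not code from the page or from any of those repositories, implements those three checks in Python over a CloudFormation template in the JSON form shown in the cloudformation.json excerpts. The template is constructed for the example; the account ID, role names, file system ID and access point ID in it are placeholders.

```python
"""Policy checks for AWS::ECS::TaskDefinition resources in a CloudFormation template.

Added example; not the page's or any quoted repository's code. The template,
account ID, role names and EFS identifiers below are constructed placeholders.
"""
import json

# Values the page's config-lint rule treats as "limit not set".
UNSET = (None, 0, "0", "")

# Constructed template in JSON form: one compliant and one weak task definition.
TEMPLATE_JSON = """
{
  "Resources": {
    "SecureTask": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Family": "app-secure",
        "NetworkMode": "awsvpc",
        "RequiresCompatibilities": ["FARGATE"],
        "Cpu": "512",
        "Memory": "1024",
        "TaskRoleArn": "arn:aws:iam::123456789012:role/app-task",
        "ExecutionRoleArn": "arn:aws:iam::123456789012:role/app-exec",
        "ContainerDefinitions": [
          {"Name": "web", "Image": "nginx:1.25", "Essential": true,
           "ReadonlyRootFilesystem": true,
           "MountPoints": [{"SourceVolume": "app-data", "ContainerPath": "/data"}]}
        ],
        "Volumes": [
          {"Name": "app-data",
           "EFSVolumeConfiguration": {
             "FilesystemId": "fs-0123456789abcdef0",
             "TransitEncryption": "ENABLED",
             "AuthorizationConfig": {"AccessPointId": "fsap-0123456789abcdef0", "IAM": "ENABLED"}}}
        ]
      }
    },
    "WeakTask": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Family": "app-weak",
        "ContainerDefinitions": [{"Name": "web", "Image": "nginx:1.25", "Essential": true}],
        "Volumes": [{"Name": "app-data",
                     "EFSVolumeConfiguration": {"FilesystemId": "fs-0123456789abcdef0"}}]
      }
    }
  }
}
"""
TEMPLATE = json.loads(TEMPLATE_JSON)


def _limit_set(props, task_key, container_keys):
    """A limit counts as set if the task sets it, or every container sets one of container_keys.

    An intrinsic function such as {"Ref": "ContainerCpu"} is a dict, so it counts as set;
    resolve parameters first if you need a stricter answer.
    """
    if props.get(task_key) not in UNSET:
        return True
    containers = props.get("ContainerDefinitions", [])
    return bool(containers) and all(
        any(c.get(k) not in UNSET for k in container_keys) for c in containers
    )


def check_task_definition(logical_id, props):
    """Return a list of findings for one task definition; an empty list means it passes."""
    findings = []
    # 1. EFS volumes must be mounted over TLS; TransitEncryption defaults to DISABLED when omitted.
    for volume in props.get("Volumes", []):
        efs = volume.get("EFSVolumeConfiguration")
        if efs is not None and efs.get("TransitEncryption") != "ENABLED":
            findings.append(
                f"{logical_id}: EFS volume {volume.get('Name')!r} lacks TransitEncryption: ENABLED")
    # 2. Resource limits at the task level or on every container. Memory may be a hard
    #    container limit (Memory) or a soft one (MemoryReservation) on the EC2 launch type.
    if not _limit_set(props, "Cpu", ("Cpu",)):
        findings.append(f"{logical_id}: no CPU limit at task or container level")
    if not _limit_set(props, "Memory", ("Memory", "MemoryReservation")):
        findings.append(f"{logical_id}: no memory limit at task or container level")
    # 3. Distinct roles: TaskRoleArn for the application, ExecutionRoleArn for the ECS agent
    #    (image pull, log delivery, secrets); omitting them falls back to broader defaults.
    for key in ("TaskRoleArn", "ExecutionRoleArn"):
        if not props.get(key):
            findings.append(f"{logical_id}: {key} is not set")
    return findings


def check_template(template):
    """Run the checks over every AWS::ECS::TaskDefinition resource in a parsed template."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::ECS::TaskDefinition":
            findings.extend(check_task_definition(logical_id, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for finding in check_template(TEMPLATE):
        print(finding)
```

Run against the constructed template, SecureTask produces no findings and WeakTask produces five: the unencrypted EFS mount, the missing CPU and memory limits, and the two missing roles. Point check_template at json.load of a real template to use it in CI; YAML templates need a YAML loader that understands the CloudFormation short-form tags (!Ref, !Sub) before the same checks apply.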

Frequently asked questions

What is AWS Amazon ECS Task Definition?

AWS Amazon ECS Task Definition is a resource for Amazon ECS of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon ECS Task Definition?

For Terraform, the stelligent/config-lint and kuromitsu0104/gadget-app source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the melscoop-test/check, sdlombardo2/robot-shop and nizamawscloud/aws-cloudformation-cloudformation-guard source code examples are useful. See the CloudFormation Example section for further details.