AWS Amazon ECS Task Definition

This page shows how to write Terraform and CloudFormation for Amazon ECS Task Definition and write them securely.

aws_ecs_task_definition (Terraform)

The Task Definition in Amazon ECS can be configured in Terraform with the resource name aws_ecs_task_definition. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

secrets.tf#L2
resource "aws_ecs_task_definition" "container_definitions_environment_not_set" {
  family                = "foo"
  container_definitions = <<EOF
[
  {
    "name": "bar",
secrets.tf#L2
resource "aws_ecs_task_definition" "container_definitions_environment_not_set" {
  family                = "foo"
  container_definitions = <<EOF
[
  {
    "name": "bar",
ecs.tf#L7
resource "aws_ecs_task_definition" "gadget-front-task" {
  family                   = "gadget-front-task"
  cpu                      = "512"
  memory                   = "1024"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
aws_ecs_task_definition.tf#L1
resource "aws_ecs_task_definition" "front-task" {
  family                = "webapp-service"
  container_definitions = file("./container_definitions/service.json.tpl")

  execution_role_arn = data.terraform_remote_state.aws_iam.outputs.ecs_task_role_arn
  network_mode       = "bridge"

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_ecs_task_definition

There is 1 setting in aws_ecs_task_definition that should be taken care of for security reasons. The following section explain an overview and example code.

risk-label

Ensure to enable in-transit encryption of EFS volume

It is better to enable in-transit encryption of EFS volume for the protection of data in transit more.

Review your AWS Amazon ECS settings

You can check if the aws_ecs_task_definition setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Manages a revision of an ECS task definition to be used in aws_ecs_service.

Tips: Best Practices for The Other AWS Amazon ECS Resources

In addition to the aws_ecs_cluster, AWS Amazon ECS has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_ecs_cluster

Ensure to enable CloudWatch Container Insights

It's better to enable CloudWatch Container Insights to gain a better perspective on cluster applications. CloudWatch Container Insights collects, aggregates, and summarizes ECS metrics and logs.

Review your AWS Amazon ECS settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::ECS::TaskDefinition (CloudFormation)

The TaskDefinition in ECS can be configured in CloudFormation with the resource name AWS::ECS::TaskDefinition. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

ECSTaskDefinitionEFSVolumeEncryption-PASSED.yaml#L4
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Name: "busybox"
          Image: "busybox"
          Cpu: 256
services.yaml#L158
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Ref 'MongoDbServiceName'
      Cpu: !Ref 'ContainerCpu'
      Memory: !Ref 'ContainerMemory'
      TaskRoleArn:
ecs-taskdef-tests.yaml#L14
        Type: 'AWS::ECS::TaskDefinition'
        Properties:
          TaskRoleArn: 'aws:arn'
  expectations:
    rules:
      all_ecs_tasks_must_have_task_end_execution_roles: FAIL
ecs-taskdef-tests.yaml#L14
        Type: 'AWS::ECS::TaskDefinition'
        Properties:
          TaskRoleArn: 'aws:arn'
  expectations:
    rules:
      all_ecs_tasks_must_have_task_end_execution_roles: FAIL
ecs-taskdef-tests.yaml#L14
        Type: 'AWS::ECS::TaskDefinition'
        Properties:
          TaskRoleArn: 'aws:arn'
  expectations:
    rules:
      all_ecs_tasks_must_have_task_end_execution_roles: FAIL
ECS.json#L73
  "resourceType" : "AWS::ECS::TaskDefinition",
  "properties" : [ {
    "propertyName" : "ContainerDefinitions",
    "propertyType" : "List<AWS::ECS::TaskDefinition::ContainerDefinition>",
    "required" : true,
    "propertyHref" : "aws-properties-ecs-taskdefinition-containerdefinitions.html"
cloudformation.json#L338
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [
          {
            "Essential": true,
            "Image": "mongo",
AWS-ECS-task-definition-resource-limits-not-set.json#L3
   "rule":"$.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Cpu any equal 0 or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Cpu any equal 0 or ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any null and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any null) or  ($.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.Memory any equal 0 and $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].Memory any equal 0)",
   "id":"44a82298-64d1-4b4b-a9ad-eeda02448975",
   "enabled":true,
   "resourceType":"ecs",
   "policy":"AWS ECS task definition resource limits not set",
   "description": "Check if AWS ECS task definition resource limits are set",
cloudformation.json#L219
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {
                "ContainerDefinitions": [{
                    "Essential": true,
                    "Image": "mongo",
                    "Name": "carts-db",
cloudformation.json#L178
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [
          {
            "Essential": true,
            "Image": "mongo",

Parameters

Explanation in CloudFormation Registry

The AWS::ECS::TaskDefinition resource describes the container and volume definitions of an Amazon Elastic Container Service (Amazon ECS) task. You can specify which Docker images to use, the required resources, and other configurations related to launching the task definition through an Amazon ECS service or task.

Frequently asked questions

What is AWS Amazon ECS Task Definition?

AWS Amazon ECS Task Definition is a resource for Amazon ECS of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon ECS Task Definition?

For Terraform, the stelligent/config-lint, stelligent/config-lint and kuromitsu0104/gadget-app source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the melscoop-test/check, sdlombardo2/robot-shop and BalmanRawat/cloudformation-policy-check source code examples are useful. See the CloudFormation Example section for further details.