(aws-ecs): ECS Exec Support

[mbeacom]

As of March 16, ECS now supports remote execution similar to docker exec.

Use Case

As a user, I want the capability to execute commands against an AWS ECS Fargate / EC2 container (similar to docker exec) workloads managed by CDK.

Proposed Solution

CloudFormation's AWS::ECS::Service resource currently supports the boolean property: EnableExecuteCommand

Expose this to the aws-ecs's FargateService similar to enableEcsManagedTags

Other

• https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html
• https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-enableexecutecommand

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[SoManyHs]

We may also want to consider modifying the task role since "the task role will need to have IAM permissions to log the output to S3 and/or CloudWatch if the cluster is configured for these options. If these options are not configured then these IAM permissions are not required."

See: "Configuring the task role with the proper IAM policy"

[underbluewaters]

Is there any way one could use this functionality before it has higher-level support within CDK?

[SoManyHs]

@mbeacom Hi! Thanks so much for opening this issue -- was wondering if you were actively working on this? If so I can tag it as "in-progress"!

[MrArnoldPalmer]

@underbluewaters you can use escape hatches to set the EnableExecuteCommand property on the L1 ecs.CfnService construct. This property will be available on the next CDK release as it was just pulled from the new spec yesterday #13633.

You can access the underlying L1 resource of any construct or use the L1 classes directly until we add these properties to the corresponding higher level constructs. See the above docs for details.

[SoManyHs]

Note: CfnSpec with update on ECS Service for EnableExecuteCommand is now merged: #13633

[underbluewaters]

@MrArnoldPalmer Thanks! I was able to get it working with the following code:

// const cfnService = ecsService.node.defaultChild as CfnService;
// doesn't work, see
// https://github.com/aws/aws-cdk/issues/10666
const cfnService = ecsService.node.children[0] as CfnService;
cfnService.addOverride("Properties.EnableExecuteCommand", "True");

I had to be sure to add the following permissions to the task execution role:

const role = new iam.Role(this, "MaintenanceRole", {
  assumedBy: new ServicePrincipal("ecs-tasks.amazonaws.com"),
  inlinePolicies: {
    ecsExec: new PolicyDocument({
      statements: [
        new PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            "ssmmessages:CreateControlChannel",
            "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel",
            "ssmmessages:OpenDataChannel",
          ],
          resources: ["*"],
        }),
      ],
    }),
  },
});
const taskDefinition = new ecs.FargateTaskDefinition(
  this,
  "SeaSketchMaintenanceFargateTaskDef",
  {
    cpu: 256,
    executionRole: role,
    memoryLimitMiB: 512,
  }
);

[mbeacom]

@SoManyHs Yes, I'd be more than happy to (as long as an ETA of this weekend will suffice).

[SoManyHs]

@mbeacom awesome! I have some starter code pushed to my fork if you want to save some time and build off of that -- added the EnableExecuteCommand property, but if you could continue with adding the IAM policy to the taskRole, that'd be amazing!

[SoManyHs]

Hi @mbeacom, were you still planning on submitting a PR for this? Thanks!

[mbeacom]

@SoManyHs Yes, apologies for the delay. I can push this out shortly!

[SoManyHs]

Hi @mbeacom,
If you're not actively working on this anymore, mind if I move this back into the backlog? Thanks!

[SoManyHs]

Hi @mbeacom!

We're planning on prioritizing this in our next sprint -- since we haven't heard from you in awhile I'll go ahead and unassign you. Thanks for your help, and feel free to reach out if you have other input!

[upparekh]

Hi, just updating the issue with the current status on the feature. The implementation involves enabling support for the enableExecuteCommand field, adding IAM permissions for the AWS Systems Manager Agent (SSM) and further adding permissions for logging using CloudWatch or S3. For more information, please refer the documentation. I'm currently working on adding and testing the logging permissions.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.