Some text some message..
Login to get started
Back 5. AWS Infra pipeline: AWS::ECS::TaskDefinition 12 Nov, 2025
Programming Programming
  • Report Note

ECSTaskDefinition:

    Type: AWS::ECS::TaskDefinition

    Properties:

      Family: documentportaltd

      Cpu: "1024"

      Memory: "8192"

      NetworkMode: awsvpc

      RequiresCompatibilities:

        - FARGATE

      ExecutionRoleArn: !GetAtt ECSExecutionRole.Arn

      ContainerDefinitions:

        - Name: document-portal-container

          Image: !Ref ImageUrl

          Essential: true

          PortMappings:

            - ContainerPort: 8080

          Environment:

            - Name: LANGCHAIN_PROJECT

              Value: DOCUMENT PORTAL

          Secrets:

            - Name: GROQ_API_KEY

              ValueFrom: arn:aws:secretsmanager:us-east-1:685057748560:secret:GROQ_API_KEY

            - Name: HF_TOKEN

              ValueFrom: arn:aws:secretsmanager:us-east-1:685057748560:secret:HF_TOKEN

            - Name: GOOGLE_API_KEY

              ValueFrom: arn:aws:secretsmanager:us-east-1:685057748560:secret:GOOGLE_API_KEY

            - Name: LANGCHAIN_API_KEY

              ValueFrom: arn:aws:secretsmanager:us-east-1:685057748560:secret:LANGCHAIN_API_KEY

          LogConfiguration:

            LogDriver: awslogs

            Options:

              awslogs-group: /ecs/documentportal

              awslogs-region: !Ref AWS::Region

              awslogs-stream-prefix: ecs


Nice — this AWS::ECS::TaskDefinition is the blueprint for running your container on Fargate. I’ll explain every field, call out important behaviors, point out potential problems (and why they matter), and finish with short, practical improvements you can apply immediately.

Line-by-line explanation

ECSTaskDefinition:
  Type: AWS::ECS::TaskDefinition
  Properties:
    Family: documentportaltd

  • Family: a logical name for the task definition family. Each new revision of the task definition will be versioned under this family (documentportaltd).

    Cpu: "1024"
    Memory: "8192"

  • Cpu and Memory are the Fargate task-level compute resources.

    • Cpu: "1024" = 1 vCPU (ECS/Fargate units).

    • Memory: "8192" = 8192 MB = 8 GB.

  • Important: Fargate only allows certain CPU↔Memory combos. 1024 + 8192 is a valid combo (1 vCPU with up to 8GB RAM). Values must match Fargate allowed combinations.

    NetworkMode: awsvpc

  • awsvpc network mode: each task receives its own elastic network interface (ENI) and a private IP in the chosen subnet(s).

  • Pros: fine-grained security (security groups per task), easier for service discovery.

  • Note: required for Fargate.

    RequiresCompatibilities:
      - FARGATE

  • Indicates this task runs on AWS Fargate (serverless containers), not on EC2 instances.

    ExecutionRoleArn: !GetAtt ECSExecutionRole.Arn

  • Execution role ARN (the role you previously created).

  • Used by the ECS agent / runtime to:

    • Pull images from ECR (if private)

    • Fetch secrets for injection

    • Send logs to CloudWatch

  • Reminder: Execution role is not the same as the task role (the role the application code would assume to call AWS APIs).

    ContainerDefinitions:
      - Name: document-portal-container
        Image: !Ref ImageUrl
        Essential: true

  • ContainerDefinitions: describes one or more containers that make up the task. Here you have a single container document-portal-container.

  • Image: comes from the ImageUrl parameter (ECR URI or Docker image).

  • Essential: true: if this container stops or fails, the whole task is considered failed and will be stopped/restarted per service/placement policies.

        PortMappings:
          - ContainerPort: 8080

  • PortMappings: declares the container port the app listens on — 8080.

  • With awsvpc the container’s port is reachable on the task’s ENI. If using an ALB, the target group should use port 8080 for health checks and traffic. HostPort is implicitly the same under awsvpc.

        Environment:
          - Name: LANGCHAIN_PROJECT
            Value: DOCUMENT PORTAL

  • Environment: plain-text environment variables baked into the container. Use for non-sensitive config only (they appear in the task metadata).

        Secrets:
          - Name: GROQ_API_KEY
            ValueFrom: arn:aws:secretsmanager:us-east-1:685057748560:secret:GROQ_API_KEY
          - Name: HF_TOKEN
            ValueFrom: arn:aws:secretsmanager:us-east-1:685057748560:secret:HF_TOKEN
          - Name: GOOGLE_API_KEY
            ValueFrom: arn:aws:secretsmanager:us-east-1:685057748560:secret:GOOGLE_API_KEY
          - Name: LANGCHAIN_API_KEY
            ValueFrom: arn:aws:secretsmanager:us-east-1:685057748560:secret:LANGCHAIN_API_KEY

  • Secrets: ECS will fetch these secrets from Secrets Manager at task start and inject their decrypted values as environment variables inside the container (env var names = Name).

  • ValueFrom expects an ARN or an ssm parameter path.

  • Important considerations:

    • The Execution role must have secretsmanager:GetSecretValue for these secret ARNs (and kms:Decrypt if the secret is encrypted with a customer-managed KMS key).

    • These ARNs point to us-east-1 — if your cluster is in a different region, cross-region secret access is possible but you must ensure the secret actually exists in that region or update ARNs accordingly. Cross-region behavior can add latency and complexity — best practice: place secrets in the same region as your tasks.

    • Secrets are injected securely (not stored plaintext in CloudFormation), but be cautious with logging or debugging that may print env vars.

        LogConfiguration:
          LogDriver: awslogs
          Options:
            awslogs-group: /ecs/documentportal
            awslogs-region: !Ref AWS::Region
            awslogs-stream-prefix: ecs

  • LogConfiguration: configures the container to send logs to CloudWatch Logs using the awslogs driver.

    • awslogs-group: the CloudWatch Log Group /ecs/documentportal.

    • awslogs-region: uses the stack region.

    • awslogs-stream-prefix: streams will be created with prefix ecs/<task-id> producing consistent naming.

  • The Execution role must allow logs:CreateLogStream, logs:PutLogEvents, and (if you want automatic creation) logs:CreateLogGroup. You already gave those wide permissions in the earlier role but consider scoping them.

Key behaviors & gotchas (practical matters)

  1. ExecutionRole vs TaskRole

    • You set ExecutionRoleArn — this is correct for image pulls & secrets.

    • But you did not set a TaskRoleArn. If your application needs to call AWS services (S3, DynamoDB, SQS, etc.) at runtime, you should create and set a Task Role. The execution role cannot be used by the running container to call AWS APIs — the task role is used by the application.

  2. Secrets ARNs are region-specific

    • The ValueFrom ARNs reference us-east-1. If your cluster is in another region (e.g., ap-south-1), either:

      • Create the secrets in the same region and supply the local ARNs, or

      • Accept cross-region secret access but ensure permissions and KMS keys allow it.

    • Best practice: store secrets in the same region.

  3. Permissions required

    • Execution role must include:

      • secretsmanager:GetSecretValue (scoped to secret ARNs)

      • ecr:GetAuthorizationToken, ecr:BatchGetImage, ecr:GetDownloadUrlForLayer (if pulling from ECR)

      • logs:CreateLogStream, logs:PutLogEvents (and optional CreateLogGroup)

      • kms:Decrypt if secrets or images are encrypted with a customer-managed key

    • Right now your role allowed secretsmanager:GetSecretValue and logs actions globally — works but is broad.

  4. CPU/Memory billing & compatibility

    • Cpu: "1024" and Memory: "8192" are valid and correspond to Fargate pricing for 1 vCPU + 8GB memory. Make sure this matches your application needs (large memory costs more).

  5. Port & ALB integration

    • If fronting with an Application Load Balancer (ALB), create a Target Group for port 8080 and configure the ECS Service to use the ALB target group (not shown in this snippet).

    • Security groups must allow ALB SG → Task SG on port 8080.

  6. Multiple containers

    • If you later add sidecars (e.g., proxy, tracer, local cache), they live in the same task definition and share network/ENI; remember essential containers stop whole task.

  7. Secrets visibility

    • Secrets injected as env variables are available to the process environment inside the container. Avoid printing env dumps to logs.

Short recommended improvements (apply quickly)

  • Add a Task Role (for app runtime AWS permissions):

TaskRoleArn: !GetAtt ECSTaskRole.Arn    # create ECSTaskRole with narrow policies

  • Avoid hardcoding secret ARNs — use parameters or mappings so you can deploy the same template across regions/accounts:

Parameters:
  SecretsPrefix:
    Type: String
    Default: arn:aws:secretsmanager:us-east-1:685057748560:secret:
# then use !Sub "${SecretsPrefix}GROQ_API_KEY"

  • Scope permissions: give execution role least privilege (restrict secrets and logs to known ARNs). Use managed policy AmazonECSTaskExecutionRolePolicy for standard needs.

  • Create Log Group in template (optional) so creation is explicit and IAM scoping is easier:

CWLogGroup:
  Type: AWS::Logs::LogGroup
  Properties:
    LogGroupName: /ecs/documentportal
    RetentionInDays: 30

Minimal example: add TaskRole + parameterized secret ARNs (snippet)

# (assumes ECSTaskRole definition exists)
Properties:
  ...
  ExecutionRoleArn: !GetAtt ECSExecutionRole.Arn
  TaskRoleArn: !GetAtt ECSTaskRole.Arn
  ContainerDefinitions:
    - ...
      Secrets:
        - Name: GROQ_API_KEY
          ValueFrom: !Sub "${SecretsArnPrefix}GROQ_API_KEY"

TL;DR (one-line)

This TaskDefinition tells Fargate to run a 1 vCPU / 8 GB task using awsvpc, pulls the container image you specified, injects Secrets Manager secrets as environment variables, and streams logs to CloudWatch — but you should add a TaskRole for app permissions, ensure the execution role has the exact required permissions (and KMS decrypt if used), and align secret ARNs/regions or parameterize them for flexibility and security.