Restart Amazon ECS tasks with AWS Lambda and AWS CloudFormation custom resources
Long-running tasks such as web applications in Amazon Elastic Container Service (Amazon ECS) are often configured to read an AWS Secrets Manager secret value at startup. When that secret is rotated in Secrets Manager, all Amazon ECS tasks that use the secret must be restarted to read the new value.
You can restart the tasks under an Amazon ECS service with an UpdateService API call that sets the forceNewDeployment option, using the AWS Management Console or the AWS Command Line Interface (AWS CLI). However, that path is not available in application environments where changes are allowed only through pipeline deployments. In those environments you must rebuild and redeploy the container, which poses operational challenges for organizations with a large number of Amazon ECS deployments.
In this post, I present an approach that programmatically recycles tasks under an Amazon ECS service by using a combination of an AWS Lambda function and an AWS CloudFormation custom resource. My solution is designed to integrate with a pipeline so that Amazon ECS tasks restart whenever the pipeline is deployed.
| About this blog post | |
| --- | --- |
| Time to read | ~10 minutes |
| Time to complete | ~20 minutes |
| Cost to complete | ~$1 (see the AWS service documentation for details) |
| Learning level | Intermediate (200) |
| AWS services | AWS Lambda, AWS CloudFormation, AWS Identity and Access Management (IAM), Amazon Elastic Container Service (Amazon ECS) |
Overview
My solution deploys the following architecture.
- A user creates or updates a CloudFormation custom resource through a pipeline deployment. The Amazon ECS cluster and service names are resource properties of the custom resource.
- The custom resource invokes the Lambda function as its service token to initiate the process.
- The Lambda function extracts the Amazon ECS cluster and service names from the invocation event and makes an UpdateService API call with the forceNewDeployment option on the service.
- The Amazon ECS service recycles all of its tasks.
- The Lambda function sends a response back to the custom resource.
In this configuration, CloudFormation invokes the Lambda function whenever you create, update, or delete the custom resource, and the function must send a response for each of those request types: a function that handles Delete by responding SUCCESS without calling UpdateService avoids an unwanted restart during stack deletion, and a function that never responds leaves the stack operation waiting until CloudFormation times out. You can pass arguments to the function by configuring them as properties on the custom resource, so one function can recycle any Amazon ECS service whose identifiers you pass in. Because the caller chooses the target, scope the function's IAM permissions to the services it is meant to restart (see Step 1). You can also integrate the solution into a deployment pipeline to restart Amazon ECS tasks in restricted environments.
Important: My solution does not apply to Amazon ECS standalone tasks, because forceNewDeployment is an operation on a service. Also, if you deploy with Terraform, the aws_ecs_service resource already provides a force_new_deployment argument, so you do not need this workaround there.
Prerequisites
- An AWS account with permissions to interact with AWS resources.
- An Amazon ECS task running under a service in an Amazon ECS cluster. For an example, see Learn how to create an Amazon ECS Linux task for the Fargate launch type.
Walkthrough
To get started, sign in to the AWS Management Console.
Step 1: Create an execution role with permissions for the Lambda function
Task 1.1: Create an execution role in the IAM console
- Open the IAM console.
- In the navigation pane of the IAM console, choose Roles, Create role.
- Under Trusted entity type, choose AWS Service.
- Under Use case, choose Lambda.
- Choose Next.
- Under Permission Policies, select AWSLambdaVPCAccessExecutionRole. (The function only calls the Amazon ECS API, so unless you attach it to a VPC, AWSLambdaBasicExecutionRole, which grants only CloudWatch Logs permissions, is the least-privilege choice.)
- Enter a name for the role, and then choose Create role.
Task 1.2: Add permissions to the execution role
- Still in the IAM console, navigate to the role that you just created in the previous step.
- Under Add permissions, choose Create inline policy.
- Under Select a service, choose Elastic Container Service.
- Under List, select ListServices.
- Under Write, select UpdateService.
- Under Resources, select Any in this account. In a restricted environment, choose Specific instead and limit ecs:UpdateService to the ARNs of the services this function is allowed to restart (arn:aws:ecs:<region>:<account-id>:service/<cluster-name>/<service-name>), so that a custom resource pointing at this function cannot recycle arbitrary services.
- Choose Next.
- Enter the policy name, and choose Create Policy.
For additional details, see Create a role to delegate permissions to an AWS service.
Step 2: Create the Lambda function
- Open the Lambda console.
- Choose Create function.
- Choose Author from scratch.
- Enter the function name and description.
- Under Runtime, select Python 3.12.
- Under Change default execution role, select Use an existing role.
- Under existing role, select the role name that you created in step 1.
- Choose Create function.
- Paste the following code example in the lambda_function.py tab, and choose Deploy.
For additional details, see Create your first Lambda function.
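The page does not reproduce the author's handler, so the following is an added example written for this post, not the original function. It assumes the custom resource passes ECSCluster and ECSService (and optionally ReRunParam) as properties, the parameter names used elsewhere in this post, and it always sends a response so a failed restart surfaces as a stack failure rather than a timeout. The FakeEcs class and SAMPLE_EVENT are constructed test doubles so the module can be run offline; in Lambda, lambda_handler uses the real boto3 ECS client.

```python
"""Lambda handler for a CloudFormation custom resource that forces a new
deployment of an Amazon ECS service (added example, not the author's code).

Assumed property names: ECSCluster, ECSService, optional ReRunParam.
"""
import json
import logging
import urllib.request

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def extract_target(event):
    """Return (cluster, service) from the custom resource properties.
    Raise ValueError if either is missing so the stack operation fails loudly."""
    props = event.get("ResourceProperties") or {}
    cluster, service = props.get("ECSCluster"), props.get("ECSService")
    if not cluster or not service:
        raise ValueError("ECSCluster and ECSService properties are required")
    return cluster, service


def restart_service(ecs, cluster, service):
    """UpdateService with forceNewDeployment; return the id of the new PRIMARY deployment."""
    resp = ecs.update_service(cluster=cluster, service=service, forceNewDeployment=True)
    for deployment in resp.get("service", {}).get("deployments", []):
        if deployment.get("status") == "PRIMARY":
            return deployment.get("id")
    return None


def build_response(event, status, reason, data=None):
    """Body CloudFormation expects at ResponseURL. PhysicalResourceId is kept stable
    across updates; a changed id would make CloudFormation issue a Delete for the old one."""
    return {
        "Status": status,
        "Reason": reason,
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(event, body):
    """PUT the response to the pre-signed S3 URL that CloudFormation supplied."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def handle(event, ecs, send=send_response):
    """Core logic, separated from lambda_handler so it can run with test doubles.
    Delete is acknowledged without touching the service; every path sends a response."""
    try:
        if event.get("RequestType") == "Delete":
            body = build_response(event, "SUCCESS", "Delete: nothing to restart")
        else:
            cluster, service = extract_target(event)
            deployment_id = restart_service(ecs, cluster, service)
            body = build_response(event, "SUCCESS", f"Forced new deployment of {service}",
                                  {"DeploymentId": deployment_id or ""})
    except Exception as exc:
        logger.exception("ECS restart failed")
        body = build_response(event, "FAILED", str(exc)[:200])
    send(event, body)
    return body


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported here so the module loads offline
    return handle(event, boto3.client("ecs"))


class FakeEcs:
    """Constructed test double standing in for the boto3 ECS client."""
    def __init__(self):
        self.calls = []

    def update_service(self, **kwargs):
        self.calls.append(kwargs)
        return {"service": {"deployments": [{"id": "ecs-svc/0000000001", "status": "PRIMARY"}]}}


# Constructed sample event in the shape CloudFormation sends to a custom resource.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response.invalid/",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/restart-demo/abc",
    "RequestId": "00000000-0000-0000-0000-000000000001",
    "LogicalResourceId": "EcsServiceRestart",
    "ResourceProperties": {"ECSCluster": "demo-cluster", "ECSService": "web", "ReRunParam": "1"},
}

if __name__ == "__main__":
    result = handle(SAMPLE_EVENT, FakeEcs(), send=lambda e, b: None)
    print(json.dumps(result, indent=2))
```

When deployed, remove the FakeEcs and SAMPLE_EVENT section or keep it under a test module; the only code Lambda runs is lambda_handler. Returning the deployment id in Data lets the template expose it as an output if you want to correlate the restart with the ECS console.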
Step 3: Create the CloudFormation template
Perform these steps:
- Copy and paste the following code example into a .yaml file on your local machine. This file is the CloudFormation template.
- Replace the <arn of Lambda function> placeholder with the Amazon Resource Name (ARN) of the Lambda function.
- Save the .yaml file to your local machine. You will upload this template file in the next step.
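The page does not include the author's template, so here is an added example template, not the original, that follows the steps above. It uses the ECSCluster, ECSService, and ReRunParam parameter names this post refers to, keeps the <arn of Lambda function> placeholder for you to replace, and passes the parameters through as custom resource properties so the Lambda function receives them in the event. The resource type name Custom::EcsServiceRestart is an assumption; any name with the Custom:: prefix works.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example template (not the author's original). Restarts an Amazon ECS
  service by invoking a Lambda-backed custom resource on create and update.

Parameters:
  ECSCluster:
    Type: String
    Description: Name or ARN of the Amazon ECS cluster.
  ECSService:
    Type: String
    Description: Name or ARN of the Amazon ECS service whose tasks should be recycled.
  ReRunParam:
    Type: String
    Default: '1'
    Description: >
      Change this value on a stack update to trigger another restart. Any change to a
      custom resource property makes CloudFormation send an Update request to the function.

Resources:
  EcsServiceRestart:
    Type: Custom::EcsServiceRestart
    Properties:
      # Replace the placeholder with the ARN of the Lambda function created in Step 2.
      ServiceToken: <arn of Lambda function>
      ECSCluster: !Ref ECSCluster
      ECSService: !Ref ECSService
      ReRunParam: !Ref ReRunParam
```

The principal that creates or updates the stack (your pipeline's deployment role) needs lambda:InvokeFunction on the function named in ServiceToken; CloudFormation invokes the custom resource with the caller's permissions, not its own.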
Step 4: Create a CloudFormation custom resource
Perform these steps:
- Open the CloudFormation console.
- Under Create stack, select With new resources (standard).
- Under Specify template, select Upload a template file.
- Under Upload a template file, choose Choose file.
- Navigate to and choose the .yaml file that you created in the previous step.
- Choose Next.
- Enter the stack name.
- Under Parameters, enter values for the ECSCluster and ECSService parameters.
- Choose Next and then Submit.
Step 5: Validate the solution
Perform these steps:
- Open the Amazon ECS console.
- Confirm that the service launches the same number of new tasks as were running before you created the custom resource.
- Confirm that the old tasks are stopped only after the new tasks have started and passed their health checks.
- To restart the tasks again, update the stack with the current template and enter a different value for the ReRunParam parameter. Changing a property of the custom resource causes CloudFormation to send an Update request to the Lambda function.
Cleanup
To avoid incurring future charges, delete the resources you created for this solution in the following sequence:
- Delete the CloudFormation stack. For instructions, see Deleting a stack on the AWS CloudFormation console.
- Delete the Lambda function. In the Lambda console, select the Lambda function and choose Actions, Delete.
- Delete the IAM role. For instructions, see Deleting roles or instance profiles.
- Delete the Amazon ECS cluster. For instructions, see Deleting an Amazon ECS cluster.
Conclusion
In this post, I’ve provided a solution for restarting Amazon ECS tasks by using a combination of a Lambda function and a CloudFormation custom resource. You can use this solution for situations such as secrets rotation or launching a new Docker image with the existing task definition in your production environments through a pipeline deployment.