Support update hook for DummyTaskDefinition

Author: cuperman

packages/cdk-blue-green-container-deployment/src/__tests__/__snapshots__/dummy-task-definition.test.ts.snap

@@ -60,6 +60,7 @@ Object {
             Object {
               "Action": Array [
                 "ecs:RegisterTaskDefinition",
+                "ecs:DescribeTaskDefinition",
                 "ecs:DeregisterTaskDefinition",
               ],
               "Effect": "Allow",
@@ -116,6 +117,178 @@ Object {
             "Arn",
           ],
         },
+        "Update": "{\\"service\\":\\"ECS\\",\\"action\\":\\"describeTaskDefinition\\",\\"parameters\\":{\\"taskDefinition\\":\\"PHYSICAL:RESOURCEID:\\"},\\"physicalResourceId\\":{\\"responsePath\\":\\"taskDefinition.taskDefinitionArn\\"}}",
+      },
+      "Type": "Custom::DummyTaskDefinition",
+      "UpdateReplacePolicy": "Delete",
+    },
+    "DummyTaskDefinitionExecutionRole715DBD43": Object {
+      "Properties": Object {
+        "AssumeRolePolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": Object {
+                "Service": "ecs-tasks.amazonaws.com",
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "ManagedPolicyArns": Array [
+          Object {
+            "Fn::Join": Array [
+              "",
+              Array [
+                "arn:",
+                Object {
+                  "Ref": "AWS::Partition",
+                },
+                ":iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
+              ],
+            ],
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Role",
+    },
+  },
+}
+`;
+
+exports[`with updates allowed 1`] = `
+Object {
+  "Parameters": Any<Object>,
+  "Resources": Object {
+    "AWS679f53fac002430cb0da5b7982bd22872D164C4C": Object {
+      "DependsOn": Array [
+        "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2",
+      ],
+      "Properties": Object {
+        "Code": Any<Object>,
+        "Handler": "index.handler",
+        "Role": Object {
+          "Fn::GetAtt": Array [
+            "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2",
+            "Arn",
+          ],
+        },
+        "Runtime": "nodejs12.x",
+        "Timeout": 120,
+      },
+      "Type": "AWS::Lambda::Function",
+    },
+    "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2": Object {
+      "Properties": Object {
+        "AssumeRolePolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": Object {
+                "Service": "lambda.amazonaws.com",
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "ManagedPolicyArns": Array [
+          Object {
+            "Fn::Join": Array [
+              "",
+              Array [
+                "arn:",
+                Object {
+                  "Ref": "AWS::Partition",
+                },
+                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+              ],
+            ],
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Role",
+    },
+    "DummyTaskDefinitionCustomResourcePolicyB5660701": Object {
+      "Properties": Object {
+        "PolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": Array [
+                "ecs:RegisterTaskDefinition",
+                "ecs:DescribeTaskDefinition",
+                "ecs:DeregisterTaskDefinition",
+              ],
+              "Effect": "Allow",
+              "Resource": "*",
+            },
+            Object {
+              "Action": "iam:PassRole",
+              "Effect": "Allow",
+              "Resource": Object {
+                "Fn::GetAtt": Array [
+                  "DummyTaskDefinitionExecutionRole715DBD43",
+                  "Arn",
+                ],
+              },
+            },
+          ],
+          "Version": "2012-10-17",
+        },
+        "PolicyName": "DummyTaskDefinitionCustomResourcePolicyB5660701",
+        "Roles": Array [
+          Object {
+            "Ref": "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::Policy",
+    },
+    "DummyTaskDefinitionE3D9D432": Object {
+      "DeletionPolicy": "Delete",
+      "DependsOn": Array [
+        "DummyTaskDefinitionCustomResourcePolicyB5660701",
+      ],
+      "Properties": Object {
+        "Create": Object {
+          "Fn::Join": Array [
+            "",
+            Array [
+              "{\\"service\\":\\"ECS\\",\\"action\\":\\"registerTaskDefinition\\",\\"parameters\\":{\\"requiresCompatibilities\\":[\\"FARGATE\\"],\\"family\\":\\"c86e1e5d419d3c124c7e40411b7e7805f91621e162\\",\\"executionRoleArn\\":\\"",
+              Object {
+                "Fn::GetAtt": Array [
+                  "DummyTaskDefinitionExecutionRole715DBD43",
+                  "Arn",
+                ],
+              },
+              "\\",\\"networkMode\\":\\"awsvpc\\",\\"cpu\\":\\"256\\",\\"memory\\":\\"512\\",\\"containerDefinitions\\":[{\\"name\\":\\"sample-website\\",\\"image\\":\\"image\\",\\"portMappings\\":[{\\"hostPort\\":80,\\"protocol\\":\\"tcp\\",\\"containerPort\\":80}]}]},\\"physicalResourceId\\":{\\"responsePath\\":\\"taskDefinition.taskDefinitionArn\\"}}",
+            ],
+          ],
+        },
+        "Delete": "{\\"service\\":\\"ECS\\",\\"action\\":\\"deregisterTaskDefinition\\",\\"parameters\\":{\\"taskDefinition\\":\\"PHYSICAL:RESOURCEID:\\"}}",
+        "InstallLatestAwsSdk": true,
+        "ServiceToken": Object {
+          "Fn::GetAtt": Array [
+            "AWS679f53fac002430cb0da5b7982bd22872D164C4C",
+            "Arn",
+          ],
+        },
+        "Update": Object {
+          "Fn::Join": Array [
+            "",
+            Array [
+              "{\\"service\\":\\"ECS\\",\\"action\\":\\"registerTaskDefinition\\",\\"parameters\\":{\\"requiresCompatibilities\\":[\\"FARGATE\\"],\\"family\\":\\"c86e1e5d419d3c124c7e40411b7e7805f91621e162\\",\\"executionRoleArn\\":\\"",
+              Object {
+                "Fn::GetAtt": Array [
+                  "DummyTaskDefinitionExecutionRole715DBD43",
+                  "Arn",
+                ],
+              },
+              "\\",\\"networkMode\\":\\"awsvpc\\",\\"cpu\\":\\"256\\",\\"memory\\":\\"512\\",\\"containerDefinitions\\":[{\\"name\\":\\"sample-website\\",\\"image\\":\\"image\\",\\"portMappings\\":[{\\"hostPort\\":80,\\"protocol\\":\\"tcp\\",\\"containerPort\\":80}]}]},\\"physicalResourceId\\":{\\"responsePath\\":\\"taskDefinition.taskDefinitionArn\\"}}",
+            ],
+          ],
+        },
       },
       "Type": "Custom::DummyTaskDefinition",
       "UpdateReplacePolicy": "Delete",

packages/cdk-blue-green-container-deployment/src/__tests__/dummy-task-definition.test.ts

@@ -14,3 +14,16 @@ test('default setup', (): void => {
     ignoreAssets: true,
   });
 });
+
+test('with updates allowed', (): void => {
+  const stack = new Stack();
+
+  new DummyTaskDefinition(stack, 'DummyTaskDefinition', {
+    image: 'image',
+    allowUpdates: true,
+  });
+
+  expect(stack).toMatchCdkSnapshot({
+    ignoreAssets: true,
+  });
+});

packages/cdk-blue-green-container-deployment/src/dummy-task-definition.ts

@@ -1,7 +1,7 @@
 import { NetworkMode } from '@aws-cdk/aws-ecs';
 import { Role, ServicePrincipal, ManagedPolicy, PolicyStatement, Effect, IRole } from '@aws-cdk/aws-iam';
 import { Construct } from '@aws-cdk/core';
-import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId, PhysicalResourceIdReference } from '@aws-cdk/custom-resources';
+import { AwsCustomResource, AwsCustomResourcePolicy, AwsSdkCall, PhysicalResourceId, PhysicalResourceIdReference } from '@aws-cdk/custom-resources';
 
 export interface IDummyTaskDefinition {
   readonly executionRole: IRole;
@@ -38,6 +38,13 @@ export interface DummyTaskDefinitionProps {
    * @default 80
    */
   readonly containerPort?: number;
+
+  /**
+   * Allow task definition to be updated, causing new task definition to be created with new attributes.
+   * Updates could negatively affect blue/green deployments.
+   * @default false
+   */
+  readonly allowUpdates?: boolean;
 }
 
 export class DummyTaskDefinition extends Construct implements IDummyTaskDefinition {
@@ -62,46 +69,61 @@ export class DummyTaskDefinition extends Construct implements IDummyTaskDefiniti
     this.family = props.family ?? this.node.addr;
     this.containerName = props.containerName ?? 'sample-website';
     this.containerPort = props.containerPort ?? 80;
+    const allowUpdates = !!props.allowUpdates;
+
+    const registerTaskDefinition: AwsSdkCall = {
+      service: 'ECS',
+      action: 'registerTaskDefinition',
+      parameters: {
+        requiresCompatibilities: ['FARGATE'],
+        family: this.family,
+        executionRoleArn: this.executionRole.roleArn,
+        networkMode: NetworkMode.AWS_VPC,
+        cpu: '256',
+        memory: '512',
+        containerDefinitions: [
+          {
+            name: this.containerName,
+            image: props.image,
+            portMappings: [
+              {
+                hostPort: this.containerPort,
+                protocol: 'tcp',
+                containerPort: this.containerPort,
+              },
+            ],
+          },
+        ],
+      },
+      physicalResourceId: PhysicalResourceId.fromResponse('taskDefinition.taskDefinitionArn'),
+    };
+
+    const describeTaskDefinition: AwsSdkCall = {
+      service: 'ECS',
+      action: 'describeTaskDefinition',
+      parameters: {
+        taskDefinition: new PhysicalResourceIdReference(),
+      },
+      physicalResourceId: PhysicalResourceId.fromResponse('taskDefinition.taskDefinitionArn'),
+    };
+
+    const deregisterTaskDefinition: AwsSdkCall = {
+      service: 'ECS',
+      action: 'deregisterTaskDefinition',
+      parameters: {
+        taskDefinition: new PhysicalResourceIdReference(),
+      },
+    };
 
     const taskDefinition = new AwsCustomResource(this, 'DummyTaskDefinition', {
       resourceType: 'Custom::DummyTaskDefinition',
-      onCreate: {
-        service: 'ECS',
-        action: 'registerTaskDefinition',
-        parameters: {
-          requiresCompatibilities: ['FARGATE'],
-          family: this.family,
-          executionRoleArn: this.executionRole.roleArn,
-          networkMode: NetworkMode.AWS_VPC,
-          cpu: '256',
-          memory: '512',
-          containerDefinitions: [
-            {
-              name: this.containerName,
-              image: props.image,
-              portMappings: [
-                {
-                  hostPort: this.containerPort,
-                  protocol: 'tcp',
-                  containerPort: this.containerPort,
-                },
-              ],
-            },
-          ],
-        },
-        physicalResourceId: PhysicalResourceId.fromResponse('taskDefinition.taskDefinitionArn'),
-      },
-      onDelete: {
-        service: 'ECS',
-        action: 'deregisterTaskDefinition',
-        parameters: {
-          taskDefinition: new PhysicalResourceIdReference(),
-        },
-      },
+      onCreate: registerTaskDefinition,
+      onUpdate: allowUpdates ? registerTaskDefinition : describeTaskDefinition,
+      onDelete: deregisterTaskDefinition,
       policy: AwsCustomResourcePolicy.fromStatements([
         new PolicyStatement({
           effect: Effect.ALLOW,
-          actions: ['ecs:RegisterTaskDefinition', 'ecs:DeregisterTaskDefinition'],
+          actions: ['ecs:RegisterTaskDefinition', 'ecs:DescribeTaskDefinition', 'ecs:DeregisterTaskDefinition'],
           resources: ['*'],
         }),
         new PolicyStatement({