aws_ecs_patterns: ApplicationLoadBalancedFargateService does not honor task image options (cpu, memory, environment,) and secrets are typed incorrectly not allowing them to be used. #33988
Comments
Xenoha
added
bug
github-actions
bot
added
the
@aws-cdk/aws-ecs-patterns
|
Hi Are you able to provide a minimal code with all relevant properties and what you expect to see as well as what you actually have so we can reproduce it? |
|
should produce a template of: Which should product the following task Def:
|
Reproductionimport * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as ecs_patterns from 'aws-cdk-lib/aws-ecs-patterns';
export class Issue33988ReproStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// default VPC
const vpc = ec2.Vpc.fromLookup(this, 'DefaultVpc', { isDefault: true });
// Create an ECS cluster
const cluster = new ecs.Cluster(this, 'ReproCluster', { vpc });
// Define the ALB Fargate Service as described in the issue comment
const fargateService = new ecs_patterns.ApplicationLoadBalancedFargateService(this, 'ReproFargateService', {
cluster,
publicLoadBalancer: true,
memoryLimitMiB: 1024,
cpu: 512,
desiredCount: 1,
circuitBreaker: {
rollback: true,
},
taskImageOptions: {
image: ecs.ContainerImage.fromRegistry('nginx'), // Using nginx as specified
containerName: 'pdp', // Container name from comment
containerPort: 7000, // Container port from comment
enableLogging: true,
environment: {
// Hardcoding the value for reproducibility instead of process.env
ENVIRONMENT_ONE: 'repro_value_from_cdk',
},
// Note: Secrets part of the issue is not included here to focus on the environment variable problem first.
},
// Assign public IP to easily test the nginx service if needed, though not strictly required for the repro
assignPublicIp: true,
});
// Output the Load Balancer DNS Name
new cdk.CfnOutput(this, 'LoadBalancerDNS', {
value: fargateService.loadBalancer.loadBalancerDnsName,
});
}
}On The AWS::ECS::TaskDefinition resource (ReproFargateServiceTaskDefA8C9BC97) within the template correctly includes the environment variable: "ReproFargateServiceTaskDefA8C9BC97": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"Environment": [
{
"Name": "ENVIRONMENT_ONE",
"Value": "repro_value_from_cdk" // Correctly included
}
],
// ... other container properties ...
"Name": "pdp"
}
],
// ... other task definition properties ...
"Cpu": "512",
"Memory": "1024"
}
// ...
}And if I go to ECS console I can see this 
so I think this works as expected. Now if I define the env var like this: environment: {
ENVIRONMENT_ONE: process.env.environmentOne!,
},And deploy like this to pass the env var % environmentOne=foo_Bar_test npx cdk deploy Issue33988ReproStack --require-approval never This works as well % aws ecs describe-task-definition --task-definition Issue33988ReproStackReproFargateServiceTaskDef0619FE42 --query 'taskDefinition.containerDefinitions[?name==`pdp`].environment'
[
[
{
"name": "ENVIRONMENT_ONE",
"value": "foo_Bar_test"
}
]
]Let me know if it works for you. |
pahud
added
response-requested
|
You are correct! I found my issue. I am doing a pipeline, and the cdk.out shows it correct in the stage template output, but when deployed and running the variable isn't available. I guess my double check before creating the issue was against the same template from cdk.out at the time of synth, not what was provided to the account stage. This brings me to the second issue. Can you do the same thing, but show me an example where you are using a secret. The secret can be defined in the code as another contruct as 'foo_bar'.
Does not work as it isn't typed correctly. |
github-actions
bot
removed
the
response-requested
|
Hi @Xenoha If you need to use secrets for container environments, check out the sample here: |
pahud
added
the
response-requested
|
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
github-actions
bot
added
closing-soon
Describe the bug
When I create a alb fargate construct as the following
const fargate = new ApplicationLoadBalancedFargateService(this, 'fargate', { cluster, publicLoadBalancer: true, memoryLimitMiB: 1024, cpu: 512, desiredCount: 1, circuitBreaker: { rollback: true, }, taskImageOptions: { image: ContainerImage.fromRegistry('nginx'), containerName: 'pdp', containerPort: 7000, enableLogging: true, environment: { ENVIRONMENT_ONE: process.env.environmentOne, }, }, })It will create cloudformation that looks correct, however, the stack doesn't look to honor the configured cpu, memoryLimitMiB and the environment.
When I went to use a the secrets property in typescript it is typed with values being Secret.
When creating a new Secret and passing in as a value, I get a type error signifying that Secret is missing the property 'arn'.
when looking up a Secret you get back a type ISecret, so I don't see a way that this is used.
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
I would expect environment to be passed to my fargate task def.
Current Behavior
environment is showing up as an empty array.
Reproduction Steps
Using typescript, create a ALB fargate service with a simple docker image from the registry and place environment variables per the props.
After this synth's correctly, see that the deployed task def doesn't include the properties in the environments array.
Try to use this construct while defining secrets.
Possible Solution
Secrets should be able to be defined from ISecret using the latest Secret.fromSecretNameV2 method on the Secret construct.
Additional Information/Context
No response
CDK CLI Version
2.1006.0 (build a3b9762)
Framework Version
2.1006.0
Node.js Version
22.12.0
OS
Linux 24.04.2 LTS
Language
TypeScript
Language Version
5.8.2
Other information
No response
The text was updated successfully, but these errors were encountered: