Any ideas what the issue might be here? Do you want to perform this update? yes Updating (dev) Type Name Status In pulumipulumiStack infra-dev failed 1 ├─ awsxecrImage image + │ └─ dockerindexImage 943b18a1-container created (1004s) 1 + └─ awsxecsFargateService service created (0.41s) + ├─ awsxecsFargateTaskDefinition service created (0.57s) + │ ├─ awsiamRole service-task created (0.86s) + │ ├─ awscloudwatchLogGroup service created (0.65s) + │ ├─ awsiamRole service-execution created (0.79s) + │ ├─ awsiamRolePolicyAttachment service-execution-9a42f520 created (0.41s) + │ └─ awsecsTaskDefinition service created (0.69s) + ├─ awsec2SecurityGroup service-sg created (2s) + └─ awsecsService service creating failed 2 Diagnostics: dockerindexImage (943b18a1-container): pulumipulumiStack (infra-dev): error: update failed awsecsService (service): error: 1 error occurred: * creating urnpulumidev:infraawsxecs:FargateService$awsecs/serviceService:service 1 error occurred: * waiting for ECS Service (arnawsecsus east 19268265756:service/cluster-00c124e/service-27ff8ee) create: timeout while waiting for state to become 'tfSTABLE' (last state: 'tfPENDING', timeout: 20m0s) error: post-step event returned an error: failed to save snapshot: fetching credentials: renewing lease: [403] The provided update token has expired. Resources: + 9 created 11 unchanged Duration: 36m54s error: failed to complete update: fetching credentials: renewing lease: [403] The provided update token has expired.

Looks like your app didn't start. It probably died, got restarted, re-died, ad infinitum. Probably not an infra / IaC error.

thanks @little-cartoon-10569 perhaps some issue with the container itself.

App logs are not automatically handled: you need to arrange for that. It would be good to send them to CloudWatch, or some other log aggregator. You can start the container locally to investigate the problem though. There should be no difference; so long as you're setting up a similar environment, you should be able to reproduce the behaviour. Obviously it won't keep restarting, since it's ECS that does that. But the stopping should be observable.

The local container is fine. I'm coming across a 503 error. I attempted to change target group of load balancer to 8000 so that i can forward requests to the same port as the container app but now I'm unable to reach the load balancer. I'm thinking I may need to add a port mapping argument somewhere...

You might need a port mapping, yes. If you're setting a 503, does that mean that your LB is serving 443 but it's not finding anything at whatever port is associated with the TG your LB rules are directing the request to?

The LB is running on port 80. I tried a change to port mapping by replacing to the lb.default_target_group instead of container application port.

import pulumi

import pulumi_aws as aws

import pulumi_awsx as awsx

repository = awsx.ecr.Repository("repository")

image = awsx.ecr.Image("image",

repository_url=repository.url,

context="..",

platform='linux/x86_64',

)

cluster = aws.ecs.Cluster("cluster")

lb = <http://awsx.lb|awsx.lb>.ApplicationLoadBalancer("lb")

service = awsx.ecs.FargateService("service",

cluster=cluster.arn,

assign_public_ip=True,

desired_count=2,

platform_version="LATEST",

task_definition_args=awsx.ecs.FargateServiceTaskDefinitionArgs(

container=awsx.ecs.TaskDefinitionContainerDefinitionArgs(

name="chainlit",

image=image.image_uri,

port_mappings=[awsx.ecs.TaskDefinitionPortMappingArgs(

target_group=lb.default_target_group,

)],

cpu=2048,

memory=512,

essential=True,

),

log_group=awsx.ecs.TaskDefinitionLogConfigurationArgs(

log_driver="awslogs",

options={

"awslogs-group": "chainlit",

"awslogs-region": "us-east-1",

"awslogs-create-group": "true",

"awslogs-stream-prefix": "ecs",

}

)

))

pulumi.export("url", lb.load_balancer.dns_name)