Hello there, I was wondering if that's possible to...
# aws
Hello there, I was wondering if that's possible to split the ecs Service provisioning from the TaskDefinition deployment update. My goal would be in a CD project to only have to update the task definition image tag without the permission to change anything else (which would be the responsibility of a separate provisioning project with dedicated permissions). Not sure that's possible given how the components are made and I didn't find anything relevant, so I'm trying to see if you guys already did something similar or would know how/if that's doable within pulumi ecosystem. Thanks !
I'm not too familiar with ECS but from reading the documentation it sounds like you can specify the task definition without its revision, leading to the latest (
) version being used. Thus, you could update the task definition without changing the service.
I don't think you can change the task definition reference without permission to change the service resource.
In general, in situations like this, I try to figure out how to do what I want with the AWS CLI and then convert this process to Pulumi. If it's possible with the AWS CLI (or boto3), then it's typically possible to replicate with Pulumi.
Hum that's interesting, I overlooked the fact you can use the family:revision instead of the full arn. But not sure if I can create independently a new task and bind it to an existing service from a separate pulumi project
yeah I concluded that I would have to put both the service and task into the deployment project, I didn't find a way to split them in a satisfactory/safe way
You can create the task in one project, export the ARN/tag, then create the service in a different project. Afterwards, you can modify the task definition in the first project.
Not sure if you need to trigger a restart of some kind for the updated task definition to come into effect. But this is something you could do via boto3 and an ".apply()" in your Pulumi program.
Maybe it's possible to create an IAM policy that only allows changing the task definition of a service? Not sure if it's possible to restrict
to specific properties. Then, you could run Pulumi with restricted permissions.
Not sure either, but I'll try a few things you suggested. Thanks for having looked into it 🙏