# aws
f
Hello there, I was wondering if it's possible to split the ECS Service provisioning from the TaskDefinition deployment update. My goal would be, in a CD project, to only have to update the task definition image tag without the permission to change anything else (which would be the responsibility of a separate provisioning project with dedicated permissions). Not sure that's possible given how the components are made, and I didn't find anything relevant, so I'm trying to see if you guys already did something similar or would know how/if that's doable within the Pulumi ecosystem. Thanks!
m
I'm not too familiar with ECS, but from reading the documentation it sounds like you can specify the task definition without its revision, leading to the latest (`ACTIVE`) version being used. Thus, you could update the task definition without changing the service.
I don't think you can change the task definition reference without permission to change the service resource.
In general, in situations like this, I try to figure out how to do what I want with the AWS CLI and then convert this process to Pulumi. If it's possible with the AWS CLI (or boto3), then it's typically possible to replicate with Pulumi.
f
Hmm, that's interesting; I overlooked the fact that you can use the family:revision instead of the full ARN. But I'm not sure if I can independently create a new task and bind it to an existing service from a separate Pulumi project.
Yeah, I concluded that I would have to put both the service and task into the deployment project; I didn't find a way to split them in a satisfactory/safe way.
m
You can create the task in one project, export the ARN/tag, then create the service in a different project. Afterwards, you can modify the task definition in the first project.
Not sure if you need to trigger a restart of some kind for the updated task definition to come into effect. But this is something you could do via boto3 and an `.apply()` in your Pulumi program.
Maybe it's possible to create an IAM policy that only allows changing the task definition of a service? Not sure if it's possible to restrict `ecs:UpdateService` to specific properties. Then, you could run Pulumi with restricted permissions.
f
Not sure either, but I'll try a few of the things you suggested. Thanks for having looked into it 🙏