aws.ecs-service

Filters

• config-compliance

• event

• finding

• json-diff

• list-item

• marked-for-op

• metrics

• offhour

• onhour

• ops-item

• reduce

• subnet

• taggable

• task-definition

• value

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

taggable

Filter ECS resources on arn-format https://docs.aws.amazon.com/AmazonECS/latest/userguide/ecs-resource-ids.html :example:

policies:
    - name: taggable
      resource: ecs-service
      filters:
        - type: taggable
          state: True

properties:
  state:
    type: boolean
  type:
    enum:
    - taggable
required:
- type

Permissions - ecs:ListServices

task-definition

Filter services by their task definitions.

Example:

Find any fargate services that are running with a particular image in the task and stop them.

policies:
  - name: fargate-find-stop-image
    resource: ecs-task
    filters:
      - launchType: FARGATE
      - type: task-definition
        key: "containerDefinitions[].image"
        value: "elasticsearch/elasticsearch:6.4.3"
        value_type: swap
        op: contains
    actions:
      - type: stop

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - task-definition
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - ecs:DescribeTaskDefinition, ecs:ListTaskDefinitions

Actions

• auto-tag-user

• copy-related-tag

• delete

• invoke-lambda

• invoke-sfn

• mark-for-op

• modify

• notify

• post-finding

• post-item

• put-metric

• remove-tag

• resize

• tag

• webhook

delete

Delete service(s).

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - ecs:DeleteService

modify

Action to update service

example:

policies:
  - name: no-public-ips-services
    resource: ecs-service
    filters:
      - 'networkConfiguration.awsvpcConfiguration.assignPublicIp': 'ENABLED'
    actions:
      - type: modify
        update:
          networkConfiguration:
            awsvpcConfiguration:
              assignPublicIp: DISABLED

properties:
  type:
    enum:
    - modify
  update:
    deploymentConfiguration:
      properties:
        maximumPercent:
          type: integer
        minimumHealthyPercent:
          type: integer
      type: object
    desiredCount:
      type: integer
    forceNewDeployment:
      default: false
      type: boolean
    healthCheckGracePeriodSeconds:
      type: integer
    networkConfiguration:
      properties:
        awsvpcConfiguration:
          properties:
            assignPublicIp:
              enum:
              - ENABLED
              - DISABLED
              type: string
            securityGroups:
              items:
                type: string
            subnets:
              items:
                type: string
              minItems: 1
              type: array
          type: object
      type: object
    platformVersion:
      type: string
    taskDefinition:
      type: string
required:
- type

Permissions - ecs:UpdateService

resize

Action to resize the min/max/desired count in an application autoscaling target

There are several ways to use this action:

1. apply a fixed resize of min, max or desired, optionally saving the previous values to a named tag (for restoring later):

policies:
  - name: offhours-ecs-off
    resource: ecs-service
    filters:
      - type: offhour
        offhour: 19
        default_tz: bst
    actions:
      - type: resize
        min-capacity: 0
        desired: 0
        save-options-tag: OffHoursPrevious
        suspend-scaling: true

2. restore previous values for min/max/desired from a tag:

policies:
  - name: offhours-ecs-on
    resource: ecs-service
    filters:
      - type: onhour
        onhour: 8
        default_tz: bst
    actions:
      - type: resize
        restore-options-tag: OffHoursPrevious
        restore-scaling: true

properties:
  desired:
    anyOf:
    - enum:
      - current
    - minimum: 0
      type: integer
  max-capacity:
    minimum: 0
    type: integer
  min-capacity:
    minimum: 0
    type: integer
  restore-options-tag:
    type: string
  restore-scaling:
    type: boolean
  save-options-tag:
    type: string
  suspend-scaling:
    type: boolean
  type:
    enum:
    - resize
required:
- type

Permissions - ecs:UpdateService, ecs:TagResource, ecs:UntagResource