fix(stepfunctions-tasks): missing permissions for running tasks on ecs

[msambol]

While working on #27803, I noticed the integration tests for aws-stepfunctions-tasks/ecs were not fully working (they deployed but the state machines did not run successfully). This PR addresses two issues:

1. Missing permissions for ecs:RunTask on the task definition version.

2. The sample container was from a Lambda image. This resulted in the following error: entrypoint requires the handler name to be the first argument. I changed the image to docker/library/python:3.12.

These changes result in the successful execution of all four state machines in aws-stepfunctions-tasks/ecs.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[msambol]

I needed --platform=x86-64 since I am building on a Mac M2.

[lpizzinidev]

Instead of changing the image have you tried changing CMD:

CMD [ "index.handler" ]

and defining a handler function in index.py:

import os
import print

def handler(event, context):
    print('Hello from ECS!')
    pprint.pprint(dict(os.environ))

?

[msambol]

I did try that but didn't spend a bunch of time on it. I can revisit.. but my thinking is, why is it a Lambda image when this is running on ECS and not in Lambda?

[lpizzinidev]

Good point, thanks for clarifying.

[msambol]

Drawing attention to the bits that add permission to run versions of the task definition.

[lpizzinidev]

Thanks!
Some minor comments and a note on the Docker image change.

[lpizzinidev]

Instead of changing the image have you tried changing CMD:

CMD [ "index.handler" ]

and defining a handler function in index.py:

import os
import print

def handler(event, context):
    print('Hello from ECS!')
    pprint.pprint(dict(os.environ))

?

[lpizzinidev]

Good point, thanks for clarifying.

[vinayak-kukreja]

Hey @msambol , this is great. Just a clarification comment.

[vinayak-kukreja]

Could you tell me why some of these were removed?

And if we can remove --platform=x86-64?

[msambol]

We don't need some of these commands in the Dockerfile.

I needed --platform=x86-64 because I am building on an M2 and got an architecture mismatch. Unless I'm doing something wrong?

[kaizencc]

I'm not too familiar with Docker but I'm also concerned with this. What about other users who are not on an M2 but on a computer incompatible with this platform? Maybe @mrgrain can weigh in further because I'm not well-versed myself in Docker stuff.

[msambol]

@mrgrain Have some time to look at this?

[mrgrain]

@msambol What is the exact error you are getting?

[msambol]

@mrgrain I'm not sure if I was doing something wrong or something changed, but it's working now without "platform" 😅

[msambol]

@mrgrain wait... I think this is still an issue. I get exec /usr/local/bin/python3: exec format error when I run the task without --platform=linux/amd64. Let me keep testing..

[msambol]

@mrgrain If I don't use --platform=linux/amd64, I get the following error when the task runs: exec /usr/local/bin/python3: exec format error. Similar here: #28898.

[msambol]

@vinayak-kukreja Any additional feedback on this?

[msambol]

@mrgrain Have time for another look at this one ?

[msambol]

@mrgrain Mind taking another look here?

[kaizencc]

Thanks and sorry for the delay @msambol

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: a9bc264
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).