Deploying FARGATE services using CloudFormation

Weekly Shorts are topics we discuss in our weekly remote meeting related to recent work we have done with our customers

TL;DR — Deploying Fargate services is not as straightforward as you may think, especially if you’re used to the current EC2 configuration and are now trying to migrate running services. I had to go through a couple of days and few dozens of CloudFormation deployment iterations to figure out my missing / wrong settings before I made it through my first running Fargate container. Scroll to the bottom to see my final list of settings you should be aware of while migrating, as well as some CloudFormation template snippets.

So AWS released FARGATE for ECS last week on re:Invent. Watching the presentation during the keynote, and reading the fresh documentation released with it, made me think I just have to edit my existing template with a simple change; I’d replace my ECS service LaunchType to FARGATE and I‘ll be ready to deploy my first infrastructure-free service!
Awesome right?!
Well, not quite.

Before running through the unfortunate events of struggling to migrate a single production service from ECS-EC2 configuration to FARGATE, here’s the layout of my production architecture: I’m running around 30 micro-services on 7 different ECS clusters, where each is running an ALB on top. Using CloudFormation templates, based on the great open source reference architecture by awslabs.

The first clue to what I was up against started with the innocent line:

Value of property RequiresCompatibilities must be of type List of String

“That’s easy” I thought; “so I got a few parameter types wrong.. I’ll be a little more thorough and be done with it…”, not exactly. 🙃

Instead of going on and on about how I stumbled across this error and that exception, here’s a partial list of them:

Fargate only supports network mode awsvpc.
Fargate requires that the privileged setting be false at the container level.
Fargate requires log configuration options to include awslogs-stream-prefix to support log driver awslogs.
Fargate requires task definition to have execution role ARN to support log driver awslogs.
Fargate requires that 'memory' be defined at the task level> No Fargate configuration exists for given values.
The provided target group <Target-Group-ARN> has target type instance, which is incompatible with the awsvpc network mode specified in the task definition.
Network Configuration must be provided when network Mode 'awsvpc' is specified.
You cannot specify an IAM role for services that require a service linked role.
Placement strategies are not supported with FARGATE launch type.
CannotPullContainerError: API error (500): Get https://000.dkr.ecr.us-east-1.amazonaws.com/v2/

Each line of the list above led me to a different part of the CloudFormation documentation looking for clues on what went wrong.I’ll provide a list of solutions to each of the exceptions, but I’d like to first list what you should do to begin with instead.

The ECS service configuration has to be changed

LaunchType — Determines whether you run on EC2 or FARGATE.
NetworkConfiguration: It turns out that FG services must run on awsvpc network configuration, to achieve that, you need to set AwsvpcConfiguration, and under that decide whether you AssignPublicIp or not, as well as the SecurityGroups and Subnets on which you plan to deploy your services.
Roles: this is a tricky one... Roles in this case should be set to service-linked roles, since this kind of roles cannot be created to the time of writing these lines using CloudFormation, read the docs on how to create them, although if an ECS cluster is already deployed, the role should be already set in your account’s IAM service.
NOTE: You should NOT define a Role! Let Fargate catch the service-linked role automatically.
Memory: “Fargate requires that ‘memory’ be defined at the task level”, meaning, remove the Memory setting from your service settings.

Relevant API documentation:

CreateService - Amazon EC2 Container ServiceRuns and maintains a desired number of tasks from a specified task definition.

Here’s how it should more or less look like:

#gist:<link rel="stylesheet" href="https://assets-cdn.github.com/assets/gist-embed-87673c31a5b37b5e6556b63e1081ebbc.css"><div id=\"gist84011990\" class=\"gist\">\n <div class=\"gist-file\">\n <div class=\"gist-data\">\n <div class=\"js-gist-file-update-container js-task-list-container file-box\">\n <div id=\"file-fargate-service-yaml\" class=\"file\">\n \n\n <div itemprop=\"text\" class=\"blob-wrapper data type-yaml\">\n <table class=\"highlight tab-size js-file-line-container\" data-tab-size=\"8\">\n <tr>\n <td id=\"file-fargate-service-yaml-L1\" class=\"blob-num js-line-number\" data-line-number=\"1\"><\/td>\n <td id=\"file-fargate-service-yaml-LC1\" class=\"blob-code blob-code-inner js-file-line\"><span class=\"pl-ent\">Resources<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L2\" class=\"blob-num js-line-number\" data-line-number=\"2\"><\/td>\n <td id=\"file-fargate-service-yaml-LC2\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Service<\/span>: <\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L3\" class=\"blob-num js-line-number\" data-line-number=\"3\"><\/td>\n <td id=\"file-fargate-service-yaml-LC3\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Type<\/span>: <span class=\"pl-s\">AWS::ECS::Service<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L4\" class=\"blob-num js-line-number\" data-line-number=\"4\"><\/td>\n <td id=\"file-fargate-service-yaml-LC4\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">DependsOn<\/span>: <span class=\"pl-s\">ListenerRule<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L5\" class=\"blob-num js-line-number\" data-line-number=\"5\"><\/td>\n <td id=\"file-fargate-service-yaml-LC5\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Properties<\/span>: <\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L6\" class=\"blob-num js-line-number\" data-line-number=\"6\"><\/td>\n <td id=\"file-fargate-service-yaml-LC6\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Cluster<\/span>: <span class=\"pl-s\">!Ref Cluster<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L7\" class=\"blob-num js-line-number\" data-line-number=\"7\"><\/td>\n <td id=\"file-fargate-service-yaml-LC7\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">ServiceName<\/span>: <span class=\"pl-s\">!Ref ServiceName<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L8\" class=\"blob-num js-line-number\" data-line-number=\"8\"><\/td>\n <td id=\"file-fargate-service-yaml-LC8\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">LaunchType<\/span>: <span class=\"pl-s\">!Ref LaunchType<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L9\" class=\"blob-num js-line-number\" data-line-number=\"9\"><\/td>\n <td id=\"file-fargate-service-yaml-LC9\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">DesiredCount<\/span>: <span class=\"pl-s\">!Ref DesiredCount<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L10\" class=\"blob-num js-line-number\" data-line-number=\"10\"><\/td>\n <td id=\"file-fargate-service-yaml-LC10\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">DeploymentConfiguration<\/span>: <\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L11\" class=\"blob-num js-line-number\" data-line-number=\"11\"><\/td>\n <td id=\"file-fargate-service-yaml-LC11\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">MaximumPercent<\/span>: <span class=\"pl-s\">!Ref DeploymentMaximumPercent<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L12\" class=\"blob-num js-line-number\" data-line-number=\"12\"><\/td>\n <td id=\"file-fargate-service-yaml-LC12\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">MinimumHealthyPercent<\/span>: <span class=\"pl-s\">!Ref DeploymentMinimumHealthyPercent<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L13\" class=\"blob-num js-line-number\" data-line-number=\"13\"><\/td>\n <td id=\"file-fargate-service-yaml-LC13\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">TaskDefinition<\/span>: <span class=\"pl-s\">!Ref TaskDefinition<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L14\" class=\"blob-num js-line-number\" data-line-number=\"14\"><\/td>\n <td id=\"file-fargate-service-yaml-LC14\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">LoadBalancers<\/span>: <\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L15\" class=\"blob-num js-line-number\" data-line-number=\"15\"><\/td>\n <td id=\"file-fargate-service-yaml-LC15\" class=\"blob-code blob-code-inner js-file-line\"> - <span class=\"pl-ent\">ContainerName<\/span>: <span class=\"pl-s\">!Sub ${ServiceName}-container<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L16\" class=\"blob-num js-line-number\" data-line-number=\"16\"><\/td>\n <td id=\"file-fargate-service-yaml-LC16\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">ContainerPort<\/span>: <span class=\"pl-s\">!Ref ContainerPort<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L17\" class=\"blob-num js-line-number\" data-line-number=\"17\"><\/td>\n <td id=\"file-fargate-service-yaml-LC17\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">TargetGroupArn<\/span>: <span class=\"pl-s\">!Ref TargetGroup<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L18\" class=\"blob-num js-line-number\" data-line-number=\"18\"><\/td>\n <td id=\"file-fargate-service-yaml-LC18\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">NetworkConfiguration<\/span>: <\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L19\" class=\"blob-num js-line-number\" data-line-number=\"19\"><\/td>\n <td id=\"file-fargate-service-yaml-LC19\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">AwsvpcConfiguration<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L20\" class=\"blob-num js-line-number\" data-line-number=\"20\"><\/td>\n <td id=\"file-fargate-service-yaml-LC20\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">AssignPublicIp<\/span>: <span class=\"pl-s\">DISABLED<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L21\" class=\"blob-num js-line-number\" data-line-number=\"21\"><\/td>\n <td id=\"file-fargate-service-yaml-LC21\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">SecurityGroups<\/span>: <\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L22\" class=\"blob-num js-line-number\" data-line-number=\"22\"><\/td>\n <td id=\"file-fargate-service-yaml-LC22\" class=\"blob-code blob-code-inner js-file-line\"> - <span class=\"pl-k\">!Ref<\/span> <span class=\"pl-s\">ECSHostSecurityGroup<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L23\" class=\"blob-num js-line-number\" data-line-number=\"23\"><\/td>\n <td id=\"file-fargate-service-yaml-LC23\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Subnets<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L24\" class=\"blob-num js-line-number\" data-line-number=\"24\"><\/td>\n <td id=\"file-fargate-service-yaml-LC24\" class=\"blob-code blob-code-inner js-file-line\"> - <span class=\"pl-k\">!Ref<\/span> <span class=\"pl-s\">PrivateSubnet1<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L25\" class=\"blob-num js-line-number\" data-line-number=\"25\"><\/td>\n <td id=\"file-fargate-service-yaml-LC25\" class=\"blob-code blob-code-inner js-file-line\"> - <span class=\"pl-k\">!Ref<\/span> <span class=\"pl-s\">PrivateSubnet2<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-service-yaml-L26\" class=\"blob-num js-line-number\" data-line-number=\"26\"><\/td>\n <td id=\"file-fargate-service-yaml-LC26\" class=\"blob-code blob-code-inner js-file-line\"> <\/td>\n <\/tr>\n<\/table>\n\n\n <\/div>\n\n <\/div>\n<\/div>\n\n <\/div>\n <div class=\"gist-meta\">\n <a href=\"https://gist.github.com/omerxx/ec3c1be72337a63cc4ad08ff1a48f7b5/raw/7484420285f2213fa7a926c43e9174d9522645c2/FARGATE-service.yaml\" style=\"float:right\">view raw<\/a>\n <a href=\"https://gist.github.com/omerxx/ec3c1be72337a63cc4ad08ff1a48f7b5#file-fargate-service-yaml\">FARGATE-service.yaml<\/a>\n hosted with &#10084; by <a href=\"https://github.com\">GitHub<\/a>\n <\/div>\n <\/div>\n<\/div>\n

Obviously, you can use ENABLED for the public IP and set your subnets to be the public ones. Since my containers have no reason to be reached out from the outside world, they are deployed in private subnets with an available route to a NAT gateway.

Money time: Changing the TaskDefinition

Cpu — While using FG, you have to provide a virtual CPU unit count for your container.
RequiresCompatibilities — Should contain FARGATE.
NetworkMode — By default is a bridge, should now be changed to awsvpc.
Memory — “Fargate requires that ‘memory’ be defined at the task level”, Other than that, the docs are not aligned‍

From the API documentation:

If your containers will be part of a task using the Fargate launch type, this field is optional and the only requirement is that the total amount of memory reserved for all containers within a task be lower than the task memory value.

From CloudFormation TaskDefinition doc:

If you are using the Fargate launch type, this field is required and you must use one of the following values, which determines your range of valid values for the cpuparameter

So? Should you set memory or not? It seems that CloudFormation doesn’t allow memoryReservation option, if you’re using a different deployment method, here’s what the API docs add:

You must specify a non-zero integer for one or both of memory or memoryReservation in container definitions. If you specify both, memory must be greater than memoryReservation.

How much memory should be set? Follow that:

512MB, 1GB, 2GB — Available cpu values: 256 (.25 vCPU)

1GB, 2GB, 3GB, 4GB — Available cpu values: 512 (.5 vCPU)

2GB, 3GB, 4GB, 5GB, 6GB, 7GB, 8GB — Available cpu values: 1024 (1 vCPU)

Between 4GB and 16GB in 1GB increments — Available cpu values: 2048 (2 vCPU)

Between 8GB and 30GB in 1GB increments — Available cpu values: 4096 (4 vCPU)

LogConfiguration — In case you’re using CloudWatch logs like me, you have to set awslogs-stream-prefix for the setting to work. Actually, I’d like to get an explanation for this one… 🤔
Roles: with FG you have to set an execution role and a task role; you already have the predefined
AmazonEC2ContainerServiceTaskExecutionRole policy, with which you can create a role, and provide it’s ARN to these (Unless you require extra permissions for your Task role, in which case you can just change the created role as you please): ExecutionRoleArn + TaskRoleArn.
Note 1: You cannot have Privileged setting for containers on FG.
Note 2: You cannot use PlacementStrategy, it’s determined by FG.

Here’s my TaskDefinition:

#gist:<link rel="stylesheet" href="https://assets-cdn.github.com/assets/gist-embed-87673c31a5b37b5e6556b63e1081ebbc.css"><div id=\"gist84012395\" class=\"gist\">\n <div class=\"gist-file\">\n <div class=\"gist-data\">\n <div class=\"js-gist-file-update-container js-task-list-container file-box\">\n <div id=\"file-fargate-taskdefinition-yaml\" class=\"file\">\n \n\n <div itemprop=\"text\" class=\"blob-wrapper data type-yaml\">\n <table class=\"highlight tab-size js-file-line-container\" data-tab-size=\"8\">\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L1\" class=\"blob-num js-line-number\" data-line-number=\"1\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC1\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">TaskDefinition<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L2\" class=\"blob-num js-line-number\" data-line-number=\"2\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC2\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Type<\/span>: <span class=\"pl-s\">AWS::ECS::TaskDefinition<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L3\" class=\"blob-num js-line-number\" data-line-number=\"3\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC3\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Properties<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L4\" class=\"blob-num js-line-number\" data-line-number=\"4\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC4\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Cpu<\/span>: <span class=\"pl-s\">!Ref VCpu<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L5\" class=\"blob-num js-line-number\" data-line-number=\"5\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC5\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">RequiresCompatibilities<\/span>: <\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L6\" class=\"blob-num js-line-number\" data-line-number=\"6\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC6\" class=\"blob-code blob-code-inner js-file-line\"> - <span class=\"pl-k\">!Ref<\/span> <span class=\"pl-s\">RequiresCompatibilities<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L7\" class=\"blob-num js-line-number\" data-line-number=\"7\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC7\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Family<\/span>: <span class=\"pl-s\">!Ref ServiceName<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L8\" class=\"blob-num js-line-number\" data-line-number=\"8\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC8\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">NetworkMode<\/span>: <span class=\"pl-s\">!Ref NetworkMode<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L9\" class=\"blob-num js-line-number\" data-line-number=\"9\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC9\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">ExecutionRoleArn<\/span>: <span class=\"pl-s\">arn:aws:iam::000:role/EcsTaskExecutionRole<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L10\" class=\"blob-num js-line-number\" data-line-number=\"10\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC10\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">TaskRoleArn<\/span>: <span class=\"pl-s\">arn:aws:iam::000:role/EcsTaskExecutionRole<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L11\" class=\"blob-num js-line-number\" data-line-number=\"11\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC11\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Memory<\/span>: <span class=\"pl-s\">!Ref Memory<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L12\" class=\"blob-num js-line-number\" data-line-number=\"12\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC12\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">ContainerDefinitions<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L13\" class=\"blob-num js-line-number\" data-line-number=\"13\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC13\" class=\"blob-code blob-code-inner js-file-line\"> - <span class=\"pl-ent\">Name<\/span>: <span class=\"pl-s\">!Sub ${ServiceName}-container<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L14\" class=\"blob-num js-line-number\" data-line-number=\"14\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC14\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Essential<\/span>: <span class=\"pl-c1\">true<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L15\" class=\"blob-num js-line-number\" data-line-number=\"15\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC15\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Image<\/span>: <span class=\"pl-s\">!Ref DockerImage<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L16\" class=\"blob-num js-line-number\" data-line-number=\"16\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC16\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">PortMappings<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L17\" class=\"blob-num js-line-number\" data-line-number=\"17\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC17\" class=\"blob-code blob-code-inner js-file-line\"> - <span class=\"pl-ent\">ContainerPort<\/span>: <span class=\"pl-s\">!Ref ContainerPort<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L18\" class=\"blob-num js-line-number\" data-line-number=\"18\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC18\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">LogConfiguration<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L19\" class=\"blob-num js-line-number\" data-line-number=\"19\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC19\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">LogDriver<\/span>: <span class=\"pl-s\">awslogs<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L20\" class=\"blob-num js-line-number\" data-line-number=\"20\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC20\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Options<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L21\" class=\"blob-num js-line-number\" data-line-number=\"21\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC21\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">awslogs-group<\/span>: <span class=\"pl-s\">!Ref ServiceName<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L22\" class=\"blob-num js-line-number\" data-line-number=\"22\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC22\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">awslogs-region<\/span>: <span class=\"pl-s\">!Ref AWS::Region<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-taskdefinition-yaml-L23\" class=\"blob-num js-line-number\" data-line-number=\"23\"><\/td>\n <td id=\"file-fargate-taskdefinition-yaml-LC23\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">awslogs-stream-prefix<\/span>: <span class=\"pl-s\">!Ref ServiceName<\/span><\/td>\n <\/tr>\n<\/table>\n\n\n <\/div>\n\n <\/div>\n<\/div>\n\n <\/div>\n <div class=\"gist-meta\">\n <a href=\"https://gist.github.com/omerxx/6ce85b6b645aa47b7ed3c554a05ad970/raw/eb7199ab53c4ad874a97b49fe99cb25c5abed93e/FARGATE-TaskDefinition.yaml\" style=\"float:right\">view raw<\/a>\n <a href=\"https://gist.github.com/omerxx/6ce85b6b645aa47b7ed3c554a05ad970#file-fargate-taskdefinition-yaml\">FARGATE-TaskDefinition.yaml<\/a>\n hosted with &#10084; by <a href=\"https://github.com\">GitHub<\/a>\n <\/div>\n <\/div>\n<\/div>\n

And my TargetGroup:

#gist:<link rel="stylesheet" href="https://assets-cdn.github.com/assets/gist-embed-87673c31a5b37b5e6556b63e1081ebbc.css"><div id=\"gist84035315\" class=\"gist\">\n <div class=\"gist-file\">\n <div class=\"gist-data\">\n <div class=\"js-gist-file-update-container js-task-list-container file-box\">\n <div id=\"file-fargate-targetgroup-yaml\" class=\"file\">\n \n\n <div itemprop=\"text\" class=\"blob-wrapper data type-yaml\">\n <table class=\"highlight tab-size js-file-line-container\" data-tab-size=\"8\">\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L1\" class=\"blob-num js-line-number\" data-line-number=\"1\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC1\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">TargetGroup<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L2\" class=\"blob-num js-line-number\" data-line-number=\"2\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC2\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Type<\/span>: <span class=\"pl-s\">AWS::ElasticLoadBalancingV2::TargetGroup<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L3\" class=\"blob-num js-line-number\" data-line-number=\"3\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC3\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Properties<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L4\" class=\"blob-num js-line-number\" data-line-number=\"4\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC4\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">VpcId<\/span>: <span class=\"pl-s\">!Ref VPC<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L5\" class=\"blob-num js-line-number\" data-line-number=\"5\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC5\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Port<\/span>: <span class=\"pl-c1\">80<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L6\" class=\"blob-num js-line-number\" data-line-number=\"6\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC6\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Protocol<\/span>: <span class=\"pl-s\">HTTP<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L7\" class=\"blob-num js-line-number\" data-line-number=\"7\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC7\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Matcher<\/span>: <\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L8\" class=\"blob-num js-line-number\" data-line-number=\"8\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC8\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">HttpCode<\/span>: <span class=\"pl-c1\">200-299<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L9\" class=\"blob-num js-line-number\" data-line-number=\"9\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC9\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">HealthCheckIntervalSeconds<\/span>: <span class=\"pl-c1\">80<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L10\" class=\"blob-num js-line-number\" data-line-number=\"10\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC10\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">HealthCheckPath<\/span>: <span class=\"pl-s\">!Ref HealthCheckPath<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L11\" class=\"blob-num js-line-number\" data-line-number=\"11\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC11\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">HealthCheckProtocol<\/span>: <span class=\"pl-s\">HTTP<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L12\" class=\"blob-num js-line-number\" data-line-number=\"12\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC12\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">HealthCheckTimeoutSeconds<\/span>: <span class=\"pl-c1\">50<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L13\" class=\"blob-num js-line-number\" data-line-number=\"13\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC13\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">HealthyThresholdCount<\/span>: <span class=\"pl-c1\">2<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L14\" class=\"blob-num js-line-number\" data-line-number=\"14\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC14\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">UnhealthyThresholdCount<\/span>: <span class=\"pl-c1\">5<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L15\" class=\"blob-num js-line-number\" data-line-number=\"15\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC15\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Name<\/span>: <span class=\"pl-s\">!Join [ &#39;-&#39;, [ !Ref ServiceName, &#39;TG&#39; ] ]<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L16\" class=\"blob-num js-line-number\" data-line-number=\"16\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC16\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">TargetGroupAttributes<\/span>:<\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L17\" class=\"blob-num js-line-number\" data-line-number=\"17\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC17\" class=\"blob-code blob-code-inner js-file-line\"> - <span class=\"pl-ent\">Key<\/span>: <span class=\"pl-s\">deregistration_delay.timeout_seconds<\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L18\" class=\"blob-num js-line-number\" data-line-number=\"18\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC18\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">Value<\/span>: <span class=\"pl-s\"><span class=\"pl-pds\">&#39;<\/span>60<span class=\"pl-pds\">&#39;<\/span><\/span><\/td>\n <\/tr>\n <tr>\n <td id=\"file-fargate-targetgroup-yaml-L19\" class=\"blob-num js-line-number\" data-line-number=\"19\"><\/td>\n <td id=\"file-fargate-targetgroup-yaml-LC19\" class=\"blob-code blob-code-inner js-file-line\"> <span class=\"pl-ent\">TargetType<\/span>: <span class=\"pl-s\">!Ref TargetType<\/span><\/td>\n <\/tr>\n<\/table>\n\n\n <\/div>\n\n <\/div>\n<\/div>\n\n <\/div>\n <div class=\"gist-meta\">\n <a href=\"https://gist.github.com/omerxx/d8f741063201daeccb78a2f78424438b/raw/ec94bf05e3ba0cf6bf2cefc9a98002dcb371c8b5/FARGATE-TargetGroup.yaml\" style=\"float:right\">view raw<\/a>\n <a href=\"https://gist.github.com/omerxx/d8f741063201daeccb78a2f78424438b#file-fargate-targetgroup-yaml\">FARGATE-TargetGroup.yaml<\/a>\n hosted with &#10084; by <a href=\"https://github.com\">GitHub<\/a>\n <\/div>\n <\/div>\n<\/div>\n

Finally, my service is RUNNING!
Cool huh?...
Almost…

I just figured my entire CI process (working with the awesome drone.io) is only deploying a “normal” ECS TaskDefinition, lacking the above configurations completely when registering a new task. Since it’s a plugin I’ve created, there’s some work ahead 🛑, if you’re using Drone and looking into Fargate you can expect that soon enough.
So what now? I got now a completely useless container running on a 100% managed infrastructure… 🤓 Up ahead is integration with CI.

On a more serious note, I wish AWS had taken care of such a list or at least a preparation guide, and if not that, then an example template would have saved tons of hours for me and probably others out there.

Upon my successful deployment I came across a similar document describing some frustration with FG, created by none else than Medium Engineering, so kudos to you guys and to you Bob Corsaro, wish I had seen this one a little earlier 😝:

Starting FARGATE For the past year at Medium we’ve been using ECS to deploy containers to AWS. When Amazon announced FARGATE earlier.

At last, my list of errors and ways to handle them

Fargate only supports network mode? awsvpc?
# Yep, check it out here.
Fargate requires that the ?privileged? setting be ?false? at the container level
# Or not set at all, you can have privileged containers with FG.
# I was using it for some OpenFiles Linux settings.
# That's not an option anymore.
Fargate requires log configuration options to include awslogs-stream-prefix to support log driver awslogs# Simply add it to your log-configuration and set a prefix.
Fargate requires task definition to have execution role ARN to support log driver awslogs# It speaks for itself, using CloudWatch logs? You need a role.
Fargate requires that 'memory' be defined at the task level# Tasks are now "first-class citizens" (AWS naming).
# Having memory set for each of them is part of that.
No Fargate configuration exists for given values# Memory and CPU has to be set according to specific rules.
# e.g 512MB, 1GB, 2GB — Available CPU values: 256 (.25 vCPU)# Setting 800 f.e is not an option, and this would be the result.
The provided target group <Target-Group-ARN> has target type instance, which is incompatible with the awsvpc network mode specified in the task definition.
# See my TargetGroup - TargetType should be set to 'ip'.
Network Configuration must be provided when networkMode 'awsvpc' is specified.
# That one is on me, read the documentation about it and check.
# The 'Service' example for the complete setting.
You cannot specify an IAM role for services that require a service linked role.
# It took a while to get, the API docs were more elaborative # than the CloudFormation ones; you CANNOT set a 'role' for your
service when running on FG, ECS will pick it up automatically. # Even if you set the service-linked role explicitly, you'll get # this error until the setting is completely removed.
Placement strategies are not supported with FARGATE launch type.
# It's clear, remove the setting if you have it.
CannotPullContainerError: API error (500): Get https://000.dkr.ecr.us-east-1.amazonaws.com/v2/
# If you see this one the problem is probably about subnets;
# if you didn't set an auto assign of public IP, and the # subnets where you deployed don't have NAT routing
# (e.g Public subnets), this may be the result

My takeaways

Read the API documentation before the CloudFormation one.
But always read both.
Assume that every migration like that would take some time and have it’s own birth pangs.
Take into account all processes involved with infrastructural changes, e.g templating and saving it on VCS, CI processes and plugins etc.
Don’t be a too early adopter. I’m kidding, this one won’t happen‍

Omer Hamerman

Senior Software Operations Architect

Omer is an experienced software operations engineer and an open source contributor. He is always willing to go the extra mile to help our clients improve their software delivery. He is known for getting the job done very quickly and is clear-cut and very sharp, delivering almost any job on the spot. When he’s not helping our clients achieve scalable and resilient infrastructure, you’ll find him rock climbing and bouldering. He is passionate about beautiful code, cybersecurity and doing things right the first time. He is a keen writer of blog posts and a speaker at meetups.

Deploying FARGATE services using CloudFormation

The guide I wish I had

The first clue to what I was up against started with the innocent line:

The ECS service configuration has to be changed

Money time: Changing the TaskDefinition

My takeaways

Recent posts

A 6-minute introduction to HELM

On-prem resources slow you down

"helm install —wait" does not wait - workaround