Propagate task definition tags through RegisterTaskDefinition#43
Merged
Conversation
DescribeTaskDefinition now requests TAGS, and RegisterTaskDefinition passes them through when registering the new revision. This keeps the tags on existing task definitions (typically set by Terraform) intact across ecs-tool deploys and run-task invocations. This unblocks deploys against AWS accounts where an SCP enforces mandatory tag keys on ecs:RegisterTaskDefinition: the new revision inherits the tags from the previous one, so aws:TagKeys is populated in the API request. Behaviour for projects that don't tag their task definitions is unchanged - DescribeTaskDefinition returns an empty Tags slice, and the RegisterTaskDefinition call passes nil tags as before.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
DescribeTaskDefinitionnow requestsTAGSviaIncludeRegisterTaskDefinitionpasses those tags through when registering the new revisionlib/run.go,lib/deploy.go, andlib/runFargate.goThis keeps the tags on existing task definitions (typically set by Terraform) intact across
ecs-tooldeploys and run-task invocations.Motivation
Without this change, every
ecs-tooldeploy / run creates a new task definition revision without tags, even when the previous revision (Terraform-managed) was correctly tagged. The tags effectively disappear on the next CI deploy and the service ends up pointing to an untagged revision.This also unblocks deploys against AWS accounts where an SCP enforces mandatory tag keys on `ecs:RegisterTaskDefinition`. Example failure (from a WCC org SCP gating on `aws:TagKeys`):
```
AccessDeniedException: User: arn:aws:iam::...:user/...-deploy is not authorized
to perform: ecs:RegisterTaskDefinition on resource: ...task-definition/...:*
with an explicit deny in a service control policy: ...
```
With this PR, the new revision inherits the tags from the previous one, so `aws:TagKeys` is populated in the API request and the SCP passes.
Backward compatibility
Projects that don't tag their task definitions: `DescribeTaskDefinition` returns an empty `Tags` slice, and the `RegisterTaskDefinition` call passes nil tags as before. Behaviour unchanged.
Test plan