I'm currently using CloudFormation to manage all my infrastructure, including ECS services and task definitions. Initially, when I set up a stack, I create the task definition with an image from ECR tagged as "latest." However, that leads to issues when I deploy further updates using GitHub Actions plus aws ecs update-service, resulting in drift within the CloudFormation stack. Whenever I need to update the stack for other changes, I have to manually log into the ECS console and pull the latest image to ensure CloudFormation doesn't deploy an undesired image during the update.
I'm thinking about ways to improve this process. One idea is to write a script to fetch the latest image from the parameter store, or perhaps use a Lambda function to set it. I'm curious to know if others handle task definitions via CloudFormation routinely. Here are a couple of thoughts I'm considering:
1. Start using CloudFormation for deployments, move my task definition into a child stack, and control the deployment through changeset updates.
2. Remove the task definition from CloudFormation entirely and manage it through the deployment process, letting CloudFormation handle only the ECS Cluster and Services.
Thoughts? We're talking about a lot of deployments each day, so I want to make this efficient!
2 Answers
I always prefer using Infrastructure as Code (IaC) for deploying updates instead of relying on command line tools. It’s beneficial to inject the image version into your CloudFormation template as a parameter during the update.
Absolutely! Managing everything through IaC is crucial to avoid any drift or unexpected behavior, especially with the 'latest' tag.
Using the 'latest' tag can lead to a lot of unpredictability. I recommend version pinning your images and integrating CloudFormation into your CI process.
Could you explain how that would look in practice?
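As an added illustration of the approach the first answer describes (not code from any poster in this thread): a CloudFormation template that takes the image reference as a parameter, rejects mutable tags such as latest through AllowedPattern, and lets a new digest drive a new task definition revision and service deployment. The repository URI, role ARN, cluster name and subnets are assumed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: ECS task definition pinned to an image digest supplied by CI (example)

Parameters:
  RepositoryUri:
    Type: String
    Description: ECR repository URI without a tag (placeholder account and region)
    Default: 123456789012.dkr.ecr.us-east-1.amazonaws.com/app
  ImageDigest:
    Type: String
    # Only an immutable digest validates; "latest" or any other tag fails the update.
    AllowedPattern: "^sha256:[0-9a-f]{64}$"
    ConstraintDescription: must be an image digest (sha256:<64 hex chars>), not a tag
  ExecutionRoleArn:
    Type: String
    Description: Task execution role that may pull from ECR (assumed to exist)
  ClusterName:
    Type: String
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>

Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: app
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: "256"
      Memory: "512"
      ExecutionRoleArn: !Ref ExecutionRoleArn
      ContainerDefinitions:
        - Name: app
          # repo@digest resolves to the same image bytes on every update or rollback
          Image: !Sub "${RepositoryUri}@${ImageDigest}"
          Essential: true
          PortMappings: [{ ContainerPort: 8080 }]

  Service:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ClusterName
      LaunchType: FARGATE
      DesiredCount: 2
      # A new digest yields a new task definition revision and a rolling deployment
      TaskDefinition: !Ref TaskDefinition
      NetworkConfiguration:
        AwsvpcConfiguration:
          Subnets: !Ref SubnetIds
```

In CI, resolve the digest of the image just pushed (here assumed to be tagged with the commit SHA) with `aws ecr describe-images --repository-name app --image-ids imageTag=$GITHUB_SHA --query 'imageDetails[0].imageDigest' --output text`, then run `aws cloudformation deploy --stack-name app --template-file task.yml --parameter-overrides ImageDigest=$DIGEST` in place of `aws ecs update-service`, so the stack always records the image that is actually running. Parameters not listed in `--parameter-overrides` keep their previous values on an existing stack.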

We do something similar with CDK, which is built on CloudFormation. We automatically grab the latest build tag, similar to how our Docker build process works, and deploy the whole stack. This way, you're assured that everything is up to date, and managing changes is easier.