feat(aws-ecs): Ec2Service, FargateService, and ExternalService do not accept imported task definitions#37048

Open
letsgomeow wants to merge 11 commits into aws:main from letsgomeow:feature/7863
@letsgomeow
Issue # (if applicable)

Closes #7863.

Reason for this change

Ec2Service, FargateService, and ExternalService declared their taskDefinition prop as the concrete class TaskDefinition, which meant that task definitions imported via fromTaskDefinitionArn() or similar static import methods could not be passed to these constructs. This prevented valid cross-stack and cross-account patterns where a task definition is managed separately from the service.

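```ts
import * as cdk from 'aws-cdk-lib';
import * as ecs from 'aws-cdk-lib/aws-ecs';

// Placeholders for an existing stack and cluster
declare const stack: cdk.Stack;
declare const cluster: ecs.ICluster;

// Previously failed with a type error at synth time
const importedTaskDef = ecs.TaskDefinition.fromTaskDefinitionArn(
  stack, 'ImportedTaskDef', 'arn:aws:ecs:us-east-1:123456789012:task-definition/my-task:1',
);

// Error: Argument of type 'ITaskDefinition' is not assignable to parameter of type 'TaskDefinition'
new ecs.FargateService(stack, 'Service', {
  cluster,
  taskDefinition: importedTaskDef,
});
```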

Description of changes

base/base-service.ts

  • Changed the taskDefinition parameter type from TaskDefinition to ITaskDefinition in BaseService's constructor and the taskDefinition property declaration.
  • Added TaskDefinition.isTaskDefinition() guards around all code paths that rely on properties only available on owned task definitions (e.g., taskRole, family, defaultContainer, findPortMappingByName):
    • taskRole dependency: skipped for imported task definitions
    • CODE_DEPLOY deployment controller: throws a clear ValidationError when an imported task definition is supplied, as family is required for strip-revision logic
    • taskDefinitionRevision: same restriction with a descriptive error
    • Service Connect configuration: restricted to owned task definitions (port mapping lookups require findPortMappingByName)
    • Execute command: emits an addInfo annotation instead of granting permissions, since the task role is unknown
    • Load balancer target: throws a ValidationError with a clear message
    • Cloud Map service discovery: throws a ValidationError

ec2/ec2-service.ts

  • Changed taskDefinition prop type from TaskDefinition to ITaskDefinition.
  • Wrapped the isEc2Compatible compatibility check in an isTaskDefinition() guard (imported task definitions cannot be verified at synth time).
  • Wrapped the networkMode-based VPC networking setup in an isTaskDefinition() guard; for imported task definitions, VPC networking props are used as a hint if provided.
  • Wrapped the defaultContainer existence validation in an isTaskDefinition() guard; emits an annotation for imported task definitions.

fargate/fargate-service.ts

  • Changed taskDefinition prop type from TaskDefinition to ITaskDefinition.
  • Wrapped the isFargateCompatible compatibility check in an isTaskDefinition() guard.

external/external-service.ts

  • Changed taskDefinition prop type from TaskDefinition to ITaskDefinition.
  • Wrapped the Compatibility.EXTERNAL compatibility check in an isTaskDefinition() guard.
  • Wrapped the defaultContainer existence validation in an isTaskDefinition() guard.

README.md

  • Added a new section "Using imported Task Definitions" documenting the supported patterns and noting which features require an owned task definition.

Describe any new or updated permissions being added

None. When an imported task definition is used with execute-command enabled, permissions that would normally be granted to the task role are skipped (the task role is unknown). An addInfo annotation is emitted to notify users to configure these permissions manually.

Description of how you validated changes

Unit tests (packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-service.test.ts):

  • Added unit tests verifying that FargateService accepts an imported task definition.
  • Added unit tests verifying that features incompatible with imported task definitions (CODE_DEPLOY, taskDefinitionRevision, Service Connect, load balancer target, Cloud Map) throw descriptive ValidationErrors.

Integration tests (all passing against a real AWS account):

| Test file | What it validates |
| --- | --- |
| test/fargate/integ.fargate-service-imported-taskdef.ts | Cross-stack import — task definition created in producerStack, service created in consumerStack using only the ARN |
| test/ec2/integ.ec2-service-imported-taskdef.ts | Ec2Service with an imported task definition, including a second service with placementStrategies to verify EC2-specific features work |
| test/external/integ.external-service-imported-taskdef.ts | ExternalService with an imported task definition, including a daemon-mode service |

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
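Added example (not part of this pull request or of the CDK): because the execute-command grant is skipped for imported task definitions, the task role managed elsewhere has to allow the ECS Exec session actions already. The sketch below checks a task-role policy document for them; the four `ssmmessages` actions come from the AWS ECS Exec documentation rather than from this page, and the function names and sample policies are hypothetical.

```typescript
// Added example, not code from the PR. The policy documents are constructed samples.
type OneOrMany = string | string[];
interface Statement { Effect: 'Allow' | 'Deny'; Action: OneOrMany; Resource: OneOrMany }
interface PolicyDocument { Version: string; Statement: Statement[] }

// Task-role actions ECS Exec needs for its SSM session channels (assumption: AWS docs).
const ECS_EXEC_ACTIONS: string[] = [
  'ssmmessages:CreateControlChannel',
  'ssmmessages:CreateDataChannel',
  'ssmmessages:OpenControlChannel',
  'ssmmessages:OpenDataChannel',
];

const toList = (v: OneOrMany): string[] => (Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and support '*' and '?' wildcards.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const source = '^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(source, 'i').test(action);
}

// Returns the ECS Exec actions the policy does not allow. An explicit Deny
// overrides any Allow. Resource scoping and conditions are not evaluated.
function missingEcsExecActions(policy: PolicyDocument): string[] {
  const matching = (effect: string, action: string): boolean =>
    policy.Statement.some(
      (s) => s.Effect === effect && toList(s.Action).some((p) => actionMatches(p, action)),
    );
  return ECS_EXEC_ACTIONS.filter((a) => !matching('Allow', a) || matching('Deny', a));
}

// Constructed task-role policies: full wildcard, partial grant, and Allow plus Deny.
const wildcardPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'ssmmessages:*', Resource: '*' }],
};
const partialPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['ssmmessages:CreateControlChannel', 'ssmmessages:OpenControlChannel'],
    Resource: '*',
  }],
};
const deniedPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [...wildcardPolicy.Statement,
    { Effect: 'Deny', Action: 'ssmmessages:OpenDataChannel', Resource: '*' }],
};
```

Run `missingEcsExecActions` over the task role's attached policies in the account that owns the task definition; an empty result means the session channels are permitted, while logging or KMS permissions for ECS Exec are outside this check.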

@github-actions github-actions bot added the effort/medium, feature-request, beginning-contributor, and p1 labels on Feb 22, 2026
Development

Successfully merging this pull request may close these issues.

ecs: create Ec2Service or FargateService with imported TaskDefinition
