@dga-itc/aws-cdk-constructs 1.0.0

package/dist/aws-cdk/constructs/ecs-service.js

@@ -0,0 +1,682 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EcsServiceConstruct = void 0;
+const constructs_1 = require("constructs");
+const cdk = __importStar(require("aws-cdk-lib"));
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
+const ecs = __importStar(require("aws-cdk-lib/aws-ecs"));
+const elbv2 = __importStar(require("aws-cdk-lib/aws-elasticloadbalancingv2"));
+const logs = __importStar(require("aws-cdk-lib/aws-logs"));
+const iam = __importStar(require("aws-cdk-lib/aws-iam"));
+const ecr = __importStar(require("aws-cdk-lib/aws-ecr"));
+/**
+ * ECS Service Construct - สร้าง Fargate Service + SecurityGroup + LogGroup + TargetGroup
+ *
+ * Modes:
+ * - web:    สร้าง TargetGroup + ListenerRule ที่ ALB
+ * - worker: สร้างแค่ Service (ไม่มี ALB integration)
+ *
+ * อ้างอิง VpcConstruct, EcsClusterConstruct, AlbConstruct จาก stacks อื่น
+ */
+class EcsServiceConstruct extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        const { config, vpcConstruct, ecsClusterConstruct, albConstruct, efsConstruct, rdsConstruct, elastiCacheConstruct } = props;
+        this.isWorkerMode = config.serviceMode === 'worker';
+        this.removalPolicy = config.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        // Validate: web mode requires ALB construct + routing
+        if (!this.isWorkerMode) {
+            if (!albConstruct) {
+                throw new Error(`ECS Service "${config.container.name}" is web mode but no ALB construct provided. ` +
+                    `Set serviceMode: 'worker' or provide albStackName in source.`);
+            }
+            if (!config.routing) {
+                throw new Error(`ECS Service "${config.container.name}" is web mode but no routing config provided.`);
+            }
+        }
+        // A. Resolve VPC & Subnets
+        const { vpc, subnets } = this.resolveVpc(config, vpcConstruct);
+        // B. Create Security Group
+        this.securityGroup = this.createSecurityGroup(config, vpc, albConstruct);
+        // C. Create Log Group
+        this.logGroup = this.createLogGroup(config);
+        // D. Resolve IAM Roles
+        const { taskRole, executionRole } = this.resolveIamRoles(config);
+        // E. Create Task Definition
+        const taskDef = this.createTaskDefinition(config, taskRole, executionRole);
+        // F. Create Fargate Service
+        this.service = this.createFargateService(config, ecsClusterConstruct, taskDef, subnets);
+        // G. Create Target Group + Listener Rule (web mode only)
+        if (!this.isWorkerMode && albConstruct && config.routing) {
+            this.targetGroup = this.createTargetGroup(config, vpc);
+            this.createListenerRule(config, albConstruct);
+        }
+        // H. Setup upstream SG access (EFS / RDS / Redis)
+        this.setupUpstreamSecurityAccess(config, efsConstruct, rdsConstruct, elastiCacheConstruct);
+        // I. Apply Removal Policy
+        this.securityGroup.applyRemovalPolicy(this.removalPolicy);
+        this.logGroup.applyRemovalPolicy(this.removalPolicy);
+        // J. Outputs
+        this.createOutputs(config);
+    }
+    // ==========================================
+    // Upstream SG Access (EFS / RDS / Redis)
+    // ==========================================
+    /**
+     * เพิ่ม ingress rule ที่ EFS/RDS/Redis SG ให้ ECS SG เข้าถึงได้
+     * ใช้ CfnSecurityGroupIngress เพื่อหลีกเลี่ยง cyclic dependency
+     */
+    setupUpstreamSecurityAccess(config, efsConstruct, rdsConstruct, elastiCacheConstruct) {
+        // ECS → EFS (NFS port 2049)
+        if (efsConstruct) {
+            new ec2.CfnSecurityGroupIngress(this, 'EfsNfsIngress', {
+                groupId: efsConstruct.securityGroup.securityGroupId,
+                sourceSecurityGroupId: this.securityGroup.securityGroupId,
+                ipProtocol: 'tcp',
+                fromPort: 2049,
+                toPort: 2049,
+                description: `Allow NFS from ECS ${config.container.name}`,
+            });
+        }
+        // ECS → RDS (MySQL/MariaDB/PostgreSQL port)
+        if (rdsConstruct) {
+            const dbPort = config.container.environmentVariables?.WORDPRESS_DB_PORT
+                ? parseInt(config.container.environmentVariables.WORDPRESS_DB_PORT)
+                : 3306;
+            new ec2.CfnSecurityGroupIngress(this, 'RdsDbIngress', {
+                groupId: rdsConstruct.securityGroup.securityGroupId,
+                sourceSecurityGroupId: this.securityGroup.securityGroupId,
+                ipProtocol: 'tcp',
+                fromPort: dbPort,
+                toPort: dbPort,
+                description: `Allow DB from ECS ${config.container.name}`,
+            });
+        }
+        // ECS → Redis (port 6379)
+        if (elastiCacheConstruct) {
+            const redisPort = config.container.environmentVariables?.WP_REDIS_PORT
+                ? parseInt(config.container.environmentVariables.WP_REDIS_PORT)
+                : 6379;
+            new ec2.CfnSecurityGroupIngress(this, 'RedisIngress', {
+                groupId: elastiCacheConstruct.securityGroup.securityGroupId,
+                sourceSecurityGroupId: this.securityGroup.securityGroupId,
+                ipProtocol: 'tcp',
+                fromPort: redisPort,
+                toPort: redisPort,
+                description: `Allow Redis from ECS ${config.container.name}`,
+            });
+        }
+    }
+    // ==========================================
+    // Resolve VPC & Subnets
+    // ==========================================
+    resolveVpc(config, vpcConstruct) {
+        const subnetName = config.source.subnetName ?? 'private';
+        const cfnSubnets = vpcConstruct.subnetsByName.get(subnetName);
+        if (!cfnSubnets || cfnSubnets.length === 0) {
+            throw new Error(`No subnets found with name "${subnetName}" in VPC construct. ` +
+                `Available: ${Array.from(vpcConstruct.subnetsByName.keys()).join(', ')}`);
+        }
+        // Build subnets with routeTableId from VpcConstruct
+        const subnetIds = [];
+        const subnets = [];
+        const allAzs = new Set();
+        const routeTableIds = [];
+        vpcConstruct.subnets.forEach((cfnSubnet, subnetKey) => {
+            if (subnetKey.startsWith(`${subnetName}-`)) {
+                const az = subnetKey.replace(`${subnetName}-`, '');
+                const routeTableId = vpcConstruct.subnetRouteTableMap.get(subnetKey);
+                subnetIds.push(cfnSubnet.ref);
+                if (cfnSubnet.availabilityZone)
+                    allAzs.add(cfnSubnet.availabilityZone);
+                if (routeTableId)
+                    routeTableIds.push(routeTableId);
+                subnets.push(ec2.Subnet.fromSubnetAttributes(this, `ServiceSubnet-${az}`, {
+                    subnetId: cfnSubnet.ref,
+                    availabilityZone: cfnSubnet.availabilityZone,
+                    routeTableId,
+                }));
+            }
+        });
+        const hasRtIds = routeTableIds.length === subnetIds.length;
+        const vpc = ec2.Vpc.fromVpcAttributes(this, 'ServiceVpc', {
+            vpcId: vpcConstruct.vpc.ref,
+            availabilityZones: Array.from(allAzs),
+            privateSubnetIds: subnetIds,
+            privateSubnetRouteTableIds: hasRtIds ? routeTableIds : undefined,
+        });
+        return { vpc, subnets };
+    }
+    // ==========================================
+    // Security Group
+    // ==========================================
+    createSecurityGroup(config, vpc, albConstruct) {
+        const sgConfig = config.securityGroup ?? {};
+        const serviceType = this.isWorkerMode ? 'worker' : 'web';
+        const sg = new ec2.SecurityGroup(this, 'ServiceSecurityGroup', {
+            vpc,
+            securityGroupName: config.naming?.securityGroupName,
+            description: `Security group for ${config.container.name} ECS ${serviceType} service`,
+            allowAllOutbound: true,
+        });
+        // Allow traffic from ALB (web mode only)
+        if (!this.isWorkerMode && albConstruct) {
+            const allowAll = sgConfig.allowAllFromAlb !== false; // default: true
+            if (allowAll) {
+                // ใช้ CfnSecurityGroupIngress เพื่อหลีกเลี่ยง circular dependency
+                new ec2.CfnSecurityGroupIngress(this, 'AlbToServiceIngress', {
+                    ipProtocol: 'tcp',
+                    fromPort: 0,
+                    toPort: 65535,
+                    groupId: sg.securityGroupId,
+                    sourceSecurityGroupId: albConstruct.securityGroup.securityGroupId,
+                    description: 'Allow all TCP traffic from ALB',
+                });
+            }
+            else {
+                new ec2.CfnSecurityGroupIngress(this, 'AlbToServiceIngress', {
+                    ipProtocol: 'tcp',
+                    fromPort: config.container.port,
+                    toPort: config.container.port,
+                    groupId: sg.securityGroupId,
+                    sourceSecurityGroupId: albConstruct.securityGroup.securityGroupId,
+                    description: `Allow traffic from ALB on container port ${config.container.port}`,
+                });
+            }
+        }
+        // Additional source security groups
+        if (sgConfig.additionalSourceSgIds) {
+            sgConfig.additionalSourceSgIds.forEach((sourceSgId, index) => {
+                new ec2.CfnSecurityGroupIngress(this, `AdditionalSgIngress${index + 1}`, {
+                    ipProtocol: 'tcp',
+                    fromPort: 0,
+                    toPort: 65535,
+                    groupId: sg.securityGroupId,
+                    sourceSecurityGroupId: sourceSgId,
+                    description: `Allow all TCP from additional SG ${index + 1}`,
+                });
+            });
+        }
+        // CIDR rules
+        if (sgConfig.allowFromCidrs) {
+            sgConfig.allowFromCidrs.forEach((cidr, index) => {
+                sg.addIngressRule(ec2.Peer.ipv4(cidr), ec2.Port.allTcp(), `Allow all TCP from CIDR ${index + 1}: ${cidr}`);
+            });
+        }
+        return sg;
+    }
+    // ==========================================
+    // IAM Roles
+    // ==========================================
+    resolveIamRoles(config) {
+        const iamConfig = config.iam;
+        let taskRole;
+        let executionRole;
+        // ── Task Execution Role ──
+        if (iamConfig?.executionRoleArn) {
+            executionRole = iam.Role.fromRoleArn(this, 'ImportedExecRole', iamConfig.executionRoleArn, {
+                mutable: false,
+            });
+        }
+        else if (iamConfig?.executionRolePresets && iamConfig.executionRolePresets.length > 0) {
+            // สร้าง Execution Role เอง + เพิ่ม preset policies
+            const execRole = new iam.Role(this, 'ExecutionRole', {
+                roleName: config.naming?.executionRoleName,
+                assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+                description: `Execution Role for ${config.container.name} ECS service`,
+                managedPolicies: [
+                    iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonECSTaskExecutionRolePolicy'),
+                ],
+            });
+            // Add execution role preset policies
+            this.applyExecutionRolePresets(execRole, iamConfig.executionRolePresets);
+            execRole.applyRemovalPolicy(this.removalPolicy);
+            executionRole = execRole;
+        }
+        // ถ้าไม่ระบุ CDK จะ auto-create พร้อม AmazonECSTaskExecutionRolePolicy
+        // ── Task Role ──
+        const hasPresets = iamConfig?.taskRolePresets && iamConfig.taskRolePresets.length > 0;
+        const hasInlinePolicies = iamConfig?.taskRolePolicies && iamConfig.taskRolePolicies.length > 0;
+        const hasManagedPolicies = iamConfig?.taskRoleManagedPolicyArns && iamConfig.taskRoleManagedPolicyArns.length > 0;
+        if (iamConfig?.taskRoleArn) {
+            // Import existing role
+            taskRole = iam.Role.fromRoleArn(this, 'ImportedTaskRole', iamConfig.taskRoleArn, {
+                mutable: false,
+            });
+        }
+        else if (hasPresets || hasInlinePolicies || hasManagedPolicies) {
+            // สร้าง Task Role พร้อม preset + inline + managed policies
+            const role = new iam.Role(this, 'TaskRole', {
+                roleName: config.naming?.taskRoleName,
+                assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
+                description: `Task Role for ${config.container.name} ECS service`,
+            });
+            // Apply preset policies
+            if (hasPresets) {
+                this.applyTaskRolePresets(role, iamConfig.taskRolePresets);
+            }
+            // Add inline policies
+            if (hasInlinePolicies) {
+                iamConfig.taskRolePolicies.forEach((policy, index) => {
+                    role.addToPolicy(new iam.PolicyStatement({
+                        effect: policy.effect === 'Deny' ? iam.Effect.DENY : iam.Effect.ALLOW,
+                        actions: policy.actions,
+                        resources: policy.resources,
+                    }));
+                });
+            }
+            // Attach managed policies
+            if (hasManagedPolicies) {
+                iamConfig.taskRoleManagedPolicyArns.forEach((arn, index) => {
+                    role.addManagedPolicy(iam.ManagedPolicy.fromManagedPolicyArn(this, `ManagedPolicy${index + 1}`, arn));
+                });
+            }
+            role.applyRemovalPolicy(this.removalPolicy);
+            taskRole = role;
+        }
+        // ถ้าไม่ระบุอะไรเลย CDK จะ auto-create empty role
+        return { taskRole, executionRole };
+    }
+    // ==========================================
+    // IAM Preset Policies
+    // ==========================================
+    /**
+     * Apply preset policies ให้ Task Role
+     * ใช้ AWS Managed Policies เป็นหลัก, fallback เป็น inline สำหรับ services ที่ไม่มี managed policy ที่เหมาะสม
+     */
+    applyTaskRolePresets(role, presets) {
+        // AWS Managed Policy ARNs mapping
+        const managedPolicyMap = {
+            'ssm-parameters': 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess',
+            'sqs': 'arn:aws:iam::aws:policy/AmazonSQSFullAccess',
+            's3-read': 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess',
+            's3-full': 'arn:aws:iam::aws:policy/AmazonS3FullAccess',
+            'dynamodb': 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess',
+            'sns': 'arn:aws:iam::aws:policy/AmazonSNSFullAccess',
+            'ses': 'arn:aws:iam::aws:policy/AmazonSESFullAccess',
+            'xray': 'arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess',
+            'cloudwatch-metrics': 'arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy',
+            'bedrock': 'arn:aws:iam::aws:policy/AmazonBedrockFullAccess',
+        };
+        // Inline policies สำหรับ services ที่ไม่มี managed policy ที่เหมาะสม
+        const inlinePolicyMap = {
+            'secrets-manager': {
+                actions: [
+                    'secretsmanager:GetSecretValue',
+                    'secretsmanager:DescribeSecret',
+                    'secretsmanager:ListSecretVersionIds',
+                ],
+                resources: ['*'],
+            },
+            'rds-connect': {
+                actions: ['rds-db:connect'],
+                resources: ['*'],
+            },
+            'ecs-exec': {
+                actions: [
+                    'ssmmessages:CreateControlChannel',
+                    'ssmmessages:CreateDataChannel',
+                    'ssmmessages:OpenControlChannel',
+                    'ssmmessages:OpenDataChannel',
+                ],
+                resources: ['*'],
+            },
+            'kms': {
+                actions: [
+                    'kms:Decrypt',
+                    'kms:GenerateDataKey',
+                    'kms:DescribeKey',
+                ],
+                resources: ['*'],
+            },
+            'efs': {
+                actions: [
+                    'elasticfilesystem:ClientMount',
+                    'elasticfilesystem:ClientWrite',
+                    'elasticfilesystem:ClientRootAccess',
+                ],
+                resources: ['*'],
+            },
+            'elasticache': {
+                actions: [
+                    'elasticache:Connect',
+                    'elasticache:DescribeCacheClusters',
+                    'elasticache:DescribeReplicationGroups',
+                    'elasticache:DescribeCacheSubnetGroups',
+                ],
+                resources: ['*'],
+            },
+        };
+        const allKnownPresets = [...Object.keys(managedPolicyMap), ...Object.keys(inlinePolicyMap)];
+        presets.forEach((presetName) => {
+            // ลองหา managed policy ก่อน
+            const managedPolicyArn = managedPolicyMap[presetName];
+            if (managedPolicyArn) {
+                role.addManagedPolicy(iam.ManagedPolicy.fromManagedPolicyArn(this, `ManagedPolicy-${presetName}`, managedPolicyArn));
+                return;
+            }
+            // ถ้าไม่มี managed policy ใช้ inline
+            const inlinePolicy = inlinePolicyMap[presetName];
+            if (inlinePolicy) {
+                role.addToPolicy(new iam.PolicyStatement({
+                    effect: iam.Effect.ALLOW,
+                    actions: inlinePolicy.actions,
+                    resources: inlinePolicy.resources,
+                }));
+                return;
+            }
+            throw new Error(`Unknown Task Role preset policy: "${presetName}". Available: ${allKnownPresets.join(', ')}`);
+        });
+    }
+    /**
+     * Apply preset policies ให้ Execution Role
+     */
+    applyExecutionRolePresets(role, presets) {
+        const presetMap = {
+            'exec-secrets-injection': {
+                actions: [
+                    'secretsmanager:GetSecretValue',
+                ],
+                resources: ['*'],
+            },
+            'exec-ssm-injection': {
+                actions: [
+                    'ssm:GetParameters',
+                ],
+                resources: ['*'],
+            },
+            'exec-kms': {
+                actions: [
+                    'kms:Decrypt',
+                ],
+                resources: ['*'],
+            },
+        };
+        presets.forEach((presetName) => {
+            const preset = presetMap[presetName];
+            if (!preset) {
+                throw new Error(`Unknown Execution Role preset policy: "${presetName}". Available: ${Object.keys(presetMap).join(', ')}`);
+            }
+            role.addToPolicy(new iam.PolicyStatement({
+                effect: iam.Effect.ALLOW,
+                actions: preset.actions,
+                resources: preset.resources,
+            }));
+        });
+    }
+    // ==========================================
+    // Log Group
+    // ==========================================
+    createLogGroup(config) {
+        const logConfig = config.logging ?? {};
+        const logRemoval = logConfig.removalPolicy === 'retain'
+            ? aws_cdk_lib_1.RemovalPolicy.RETAIN
+            : aws_cdk_lib_1.RemovalPolicy.DESTROY;
+        return new logs.LogGroup(this, 'LogGroup', {
+            logGroupName: `/ecs/${config.stackName}/${config.container.name}`,
+            retention: logConfig.retention ?? logs.RetentionDays.ONE_WEEK,
+            removalPolicy: logRemoval,
+        });
+    }
+    // ==========================================
+    // Task Definition
+    // ==========================================
+    createTaskDefinition(config, taskRole, executionRole) {
+        const { container } = config;
+        // Use custom family name or generate from container name + stack name
+        const familyName = config.naming?.taskDefinitionFamily ?? `${container.name}-${config.stackName}`;
+        const taskDef = new ecs.FargateTaskDefinition(this, 'TaskDefinition', {
+            family: familyName,
+            cpu: container.cpu,
+            memoryLimitMiB: container.memory,
+            ephemeralStorageGiB: container.ephemeralStorageGiB,
+            taskRole,
+            executionRole,
+        });
+        const image = this.resolveContainerImage(container.image);
+        // initProcessEnabled จำเป็นสำหรับ ECS Exec (ใช้ tini เป็น PID 1)
+        const initProcessEnabled = container.initProcessEnabled ?? config.enableExecuteCommand ?? true;
+        const containerDef = taskDef.addContainer('MainContainer', {
+            image,
+            containerName: container.name,
+            logging: ecs.LogDrivers.awsLogs({
+                logGroup: this.logGroup,
+                streamPrefix: 'ecs',
+            }),
+            environment: container.environmentVariables,
+            command: container.command,
+            secrets: container.secrets
+                ? Object.fromEntries(Object.entries(container.secrets).map(([envName, secretValue]) => {
+                    // Support format: 'arn:...:secret:name-suffix:jsonField'
+                    // Secrets Manager ARN has exactly 6 parts separated by ':'
+                    // arn:aws:secretsmanager:region:account:secret:name-suffix
+                    // If there's a 7th part, it's the JSON field name
+                    //
+                    // When the ARN is a CDK Token (cross-stack reference), we can't split by ':'
+                    // because the token is not a real ARN string at synth time.
+                    // Use a separator that won't appear in ARNs: '::' (double colon)
+                    let secretArn;
+                    let jsonField;
+                    if (secretValue.includes('::')) {
+                        // New format: 'arn:...:secret:name::jsonField' (double colon separator)
+                        const separatorIndex = secretValue.indexOf('::');
+                        secretArn = secretValue.substring(0, separatorIndex);
+                        jsonField = secretValue.substring(separatorIndex + 2);
+                    }
+                    else if (!cdk.Token.isUnresolved(secretValue)) {
+                        // Legacy format: only works with resolved (literal) strings
+                        const parts = secretValue.split(':');
+                        if (parts.length > 7) {
+                            secretArn = parts.slice(0, 7).join(':');
+                            jsonField = parts.slice(7).join(':');
+                        }
+                        else {
+                            secretArn = secretValue;
+                        }
+                    }
+                    else {
+                        // Token without '::' separator — treat entire value as ARN (no JSON field)
+                        secretArn = secretValue;
+                    }
+                    const secret = cdk.aws_secretsmanager.Secret.fromSecretCompleteArn(this, `Secret-${envName}`, secretArn);
+                    return [
+                        envName,
+                        jsonField
+                            ? ecs.Secret.fromSecretsManager(secret, jsonField)
+                            : ecs.Secret.fromSecretsManager(secret),
+                    ];
+                }))
+                : undefined,
+            linuxParameters: new ecs.LinuxParameters(this, 'LinuxParams', {
+                initProcessEnabled,
+            }),
+        });
+        containerDef.addPortMappings({
+            containerPort: container.port,
+            protocol: ecs.Protocol.TCP,
+        });
+        return taskDef;
+    }
+    // ==========================================
+    // Resolve Container Image
+    // ==========================================
+    /**
+     * ถ้า image URL เป็น ECR pattern (*.dkr.ecr.*.amazonaws.com/repo:tag)
+     * ใช้ fromEcrRepository เพื่อให้ CDK auto-grant ECR pull policy
+     * ไม่งั้นใช้ fromRegistry ปกติ (Docker Hub, public ECR, etc.)
+     */
+    resolveContainerImage(imageUri) {
+        // Local path pattern: starts with './', '../', or '/' → use fromAsset (CDK builds & pushes to ECR)
+        if (imageUri.startsWith('./') || imageUri.startsWith('../') || imageUri.startsWith('/')) {
+            return ecs.ContainerImage.fromAsset(imageUri);
+        }
+        // ECR private pattern: {account}.dkr.ecr.{region}.amazonaws.com/{repo}:{tag}
+        const ecrMatch = imageUri.match(/^(\d+)\.dkr\.ecr\.([^.]+)\.amazonaws\.com\/([^:]+)(?::(.+))?$/);
+        if (ecrMatch) {
+            const [, , region, repoName, tag] = ecrMatch;
+            const repo = ecr.Repository.fromRepositoryAttributes(this, 'EcrRepo', {
+                repositoryArn: `arn:aws:ecr:${region}:${cdk.Stack.of(this).account}:repository/${repoName}`,
+                repositoryName: repoName,
+            });
+            return ecs.ContainerImage.fromEcrRepository(repo, tag ?? 'latest');
+        }
+        return ecs.ContainerImage.fromRegistry(imageUri);
+    }
+    // ==========================================
+    // Fargate Service
+    // ==========================================
+    createFargateService(config, ecsClusterConstruct, taskDef, subnets) {
+        return new ecs.FargateService(this, 'FargateService', {
+            cluster: ecsClusterConstruct.cluster,
+            taskDefinition: taskDef,
+            desiredCount: config.container.desiredCount,
+            securityGroups: [this.securityGroup],
+            vpcSubnets: { subnets },
+            serviceName: `${config.container.name}`,
+            enableExecuteCommand: config.enableExecuteCommand ?? true,
+            circuitBreaker: (config.circuitBreakerEnabled ?? true) ? { rollback: true } : undefined,
+            minHealthyPercent: config.minHealthyPercent ?? 50,
+            maxHealthyPercent: config.maxHealthyPercent ?? 200,
+            assignPublicIp: config.assignPublicIp ?? false,
+        });
+    }
+    // ==========================================
+    // Target Group (web mode only)
+    // ==========================================
+    createTargetGroup(config, vpc) {
+        const routing = config.routing;
+        // Target Group name: use custom name or generate from container name (max 32 chars)
+        let tgName;
+        if (config.naming?.targetGroupName) {
+            tgName = config.naming.targetGroupName.substring(0, 32);
+        }
+        else {
+            const tgNameBase = `${config.container.name}`;
+            tgName = tgNameBase.length > 29
+                ? `${tgNameBase.substring(0, 29)}-tg`
+                : `${tgNameBase}-tg`;
+        }
+        return new elbv2.ApplicationTargetGroup(this, 'TargetGroup', {
+            vpc,
+            targetGroupName: tgName,
+            port: config.container.port,
+            protocol: elbv2.ApplicationProtocol.HTTP,
+            targets: [this.service],
+            targetType: elbv2.TargetType.IP,
+            healthCheck: {
+                path: routing.healthCheckPath,
+                interval: cdk.Duration.seconds(routing.healthCheckInterval ?? 30),
+                timeout: cdk.Duration.seconds(routing.healthCheckTimeout ?? 5),
+                healthyThresholdCount: routing.healthyThresholdCount ?? 2,
+                unhealthyThresholdCount: routing.unhealthyThresholdCount ?? 3,
+            },
+            deregistrationDelay: cdk.Duration.seconds(routing.deregistrationDelay ?? 30),
+        });
+    }
+    // ==========================================
+    // Listener Rule (web mode only)
+    // ==========================================
+    createListenerRule(config, albConstruct) {
+        const routing = config.routing;
+        // ใช้ HTTPS listener (ถ้ามี), fallback ไป HTTP
+        const listener = albConstruct.httpsListener ?? albConstruct.httpListener;
+        if (!listener) {
+            throw new Error('ALB has no listeners available for ECS Service routing');
+        }
+        const conditions = [];
+        // Host header condition (optional)
+        if (routing.domainName && routing.domainName !== '*') {
+            conditions.push(elbv2.ListenerCondition.hostHeaders([routing.domainName]));
+        }
+        // Path pattern condition
+        conditions.push(elbv2.ListenerCondition.pathPatterns([routing.pathPattern]));
+        return new elbv2.ApplicationListenerRule(this, 'ListenerRule', {
+            listener,
+            priority: routing.priority,
+            conditions,
+            targetGroups: [this.targetGroup],
+        });
+    }
+    // ==========================================
+    // Outputs
+    // ==========================================
+    createOutputs(config) {
+        const stack = cdk.Stack.of(this);
+        const prefix = config.stackName;
+        const svcName = config.container.name;
+        new cdk.CfnOutput(stack, `${svcName}-ServiceArn`, {
+            value: this.service.serviceArn,
+            description: `ECS Service ARN (${svcName})`,
+            exportName: `${prefix}-${svcName}-Service-Arn`,
+        });
+        new cdk.CfnOutput(stack, `${svcName}-ServiceName`, {
+            value: this.service.serviceName,
+            description: `ECS Service Name (${svcName})`,
+            exportName: `${prefix}-${svcName}-Service-Name`,
+        });
+        if (!this.isWorkerMode && this.targetGroup) {
+            new cdk.CfnOutput(stack, `${svcName}-TargetGroupArn`, {
+                value: this.targetGroup.targetGroupArn,
+                description: `Target Group ARN (${svcName})`,
+                exportName: `${prefix}-${svcName}-TargetGroup-Arn`,
+            });
+        }
+        new cdk.CfnOutput(stack, `${svcName}-SecurityGroupId`, {
+            value: this.securityGroup.securityGroupId,
+            description: `Service Security Group ID (${svcName})`,
+            exportName: `${prefix}-${svcName}-SecurityGroup-Id`,
+        });
+        new cdk.CfnOutput(stack, `${svcName}-ServiceMode`, {
+            value: this.isWorkerMode ? 'worker' : 'web',
+            description: `Service Mode (${svcName})`,
+        });
+        // ECS Exec command
+        if (config.enableExecuteCommand !== false) {
+            new cdk.CfnOutput(stack, `${svcName}-EcsExecCommand`, {
+                value: `aws ecs execute-command --cluster ${config.source.ecsClusterStackName} --task TASK_ID --container ${svcName} --interactive --command "/bin/sh"`,
+                description: `ECS Exec command - replace TASK_ID with actual task ID (${svcName})`,
+            });
+            new cdk.CfnOutput(stack, `${svcName}-ListTasksCommand`, {
+                value: `aws ecs list-tasks --cluster ${config.source.ecsClusterStackName} --service-name ${svcName} --query 'taskArns[0]' --output text`,
+                description: `List running tasks to get TASK_ID (${svcName})`,
+            });
+        }
+    }
+}
+exports.EcsServiceConstruct = EcsServiceConstruct;