dcl-ops-lib 8.3.3 → 9.1.0

package/createFargateTask.js

@@ -1,13 +1,4 @@
 "use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createInternalService = exports.createFargateTask = exports.getFargateTaskRole = exports.getFargateExecutionRole = exports.getClusterInstance = exports.getDefaultLogs = void 0;
 const aws = require("@pulumi/aws");
@@ -22,11 +13,12 @@ const supra_1 = require("./supra");
 const stack_1 = require("./stack");
 const prometheus_1 = require("./prometheus");
 const accessTheInternet_1 = require("./accessTheInternet");
+const fargateHelpers_1 = require("./fargateHelpers");
 const getDefaultLogs = (serviceName, logGroup) => {
     return {
         logDriver: "awslogs",
         options: {
-            "awslogs-group": (0, stack_1.getStackScopedName)(serviceName),
+            "awslogs-group": logGroup.name,
             "awslogs-region": "us-east-1",
             "awslogs-stream-prefix": serviceName,
         },
@@ -41,20 +33,18 @@ const extraOpts = {
     },
 };
 const cachedClusterInstances = {};
-function getClusterInstance(cluster) {
-    return __awaiter(this, void 0, void 0, function* () {
-        if (undefined === cluster) {
-            const defaultClusterName = `${domain_1.env}-main`;
-            cluster = (yield aws.ecs.getCluster({ clusterName: defaultClusterName }, { async: true })).arn;
-        }
-        if (typeof cluster === "string") {
-            if (!cachedClusterInstances[cluster]) {
-                cachedClusterInstances[cluster] = (yield aws.ecs.getCluster({ clusterName: cluster }, { async: true })).arn;
-            }
-            return cachedClusterInstances[cluster];
+async function getClusterInstance(cluster) {
+    if (undefined === cluster) {
+        const defaultClusterName = `${domain_1.env}-main`;
+        cluster = (await aws.ecs.getCluster({ clusterName: defaultClusterName }, { async: true })).arn;
+    }
+    if (typeof cluster === "string") {
+        if (!cachedClusterInstances[cluster]) {
+            cachedClusterInstances[cluster] = (await aws.ecs.getCluster({ clusterName: cluster }, { async: true })).arn;
         }
-        return cluster.arn;
-    });
+        return cachedClusterInstances[cluster];
+    }
+    return cluster.arn;
 }
 exports.getClusterInstance = getClusterInstance;
 function getFargateExecutionRole(name, policyArnNamedMap) {
@@ -111,182 +101,123 @@ exports.getFargateTaskRole = getFargateTaskRole;
  * @param options.policyArnNamedMap key-value named map of policies to attach to the default execution role for this task
  * @param options.appAutoscaling Configuration for autoscaling
  */
-function createFargateTask(serviceName, dockerImage, dockerListeningPort, environment, hostname, options) {
-    return __awaiter(this, void 0, void 0, function* () {
-        let { healthCheck, healthCheckContainer, essential, dontExpose, securityGroups, cluster, memoryReservation, command, version, ephemeralStorageInGB, desiredCount, cpuReservation, extraPortMappings, extraALBMappings, executionRolePolicies, taskRolePolicies, ignoreServiceDiscovery, secrets, metrics, forceNewDeployment, dontAssignPublicIp, dependsOn, volumes, deregistrationDelay, mountPoints, repositoryCredentials, team, appAutoscaling, } = options;
-        if (undefined === essential) {
-            essential = true;
-        }
-        if (undefined === memoryReservation) {
-            memoryReservation = 512;
-        }
-        if (undefined === cpuReservation) {
-            cpuReservation = 256;
-        }
-        if (undefined === desiredCount) {
-            desiredCount = 1;
-        }
-        if (undefined === securityGroups) {
-            securityGroups = [];
-        }
-        if (undefined === version) {
-            version = (0, stack_1.getStackId)();
-        }
-        if (undefined === extraPortMappings) {
-            extraPortMappings = [];
-        }
-        if (undefined === extraALBMappings) {
-            extraALBMappings = [];
-        }
-        if (undefined === dependsOn) {
-            dependsOn = [];
-        }
-        if (undefined === mountPoints) {
-            mountPoints = [];
-        }
-        if (undefined === secrets) {
-            secrets = [];
-        }
-        const { role: executionRole, policies: executionPolicies } = getFargateExecutionRole(`${serviceName}-${version}-execution`, executionRolePolicies || {});
-        dependsOn.push(...executionPolicies);
-        const { role: taskRole, policies } = getFargateTaskRole(`${serviceName}-${version}-task`, taskRolePolicies || {});
-        dependsOn.push(...policies);
-        let dockerLabels = {};
-        if (metrics && (metrics.port || dockerListeningPort)) {
-            dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT =
-                "" + (metrics.port || dockerListeningPort);
-            dockerLabels.ECS_PROMETHEUS_METRICS_PATH = metrics.path || "/metrics";
-            if (metrics.jobName) {
-                dockerLabels.ECS_PROMETHEUS_JOB_NAME = metrics.jobName;
-            }
-            else {
-                dockerLabels.ECS_PROMETHEUS_JOB_NAME = serviceName;
-            }
+async function createFargateTask(serviceName, dockerImage, dockerListeningPort, environment, hostname, options) {
+    let { healthCheck, healthCheckContainer, essential, dontExpose, securityGroups, cluster, memoryReservation, command, version, ephemeralStorageInGB, desiredCount, cpuReservation, extraPortMappings, extraALBMappings, executionRolePolicies, taskRolePolicies, ignoreServiceDiscovery, secrets, metrics, forceNewDeployment, dontAssignPublicIp, dependsOn, volumes, deregistrationDelay, mountPoints, repositoryCredentials, team, appAutoscaling, } = options;
+    if (undefined === essential) {
+        essential = true;
+    }
+    if (undefined === memoryReservation) {
+        memoryReservation = fargateHelpers_1.DEFAULT_MEMORY;
+    }
+    if (undefined === cpuReservation) {
+        cpuReservation = fargateHelpers_1.DEFAULT_CPU;
+    }
+    if (undefined === desiredCount) {
+        desiredCount = fargateHelpers_1.DEFAULT_DESIRED_COUNT;
+    }
+    if (undefined === securityGroups) {
+        securityGroups = [];
+    }
+    if (undefined === version) {
+        version = (0, stack_1.getStackId)();
+    }
+    if (undefined === extraPortMappings) {
+        extraPortMappings = [];
+    }
+    if (undefined === extraALBMappings) {
+        extraALBMappings = [];
+    }
+    if (undefined === dependsOn) {
+        dependsOn = [];
+    }
+    if (undefined === mountPoints) {
+        mountPoints = [];
+    }
+    if (undefined === secrets) {
+        secrets = [];
+    }
+    const { role: executionRole, policies: executionPolicies } = getFargateExecutionRole(`${serviceName}-${version}-execution`, executionRolePolicies || {});
+    dependsOn.push(...executionPolicies);
+    const { role: taskRole, policies } = getFargateTaskRole(`${serviceName}-${version}-task`, taskRolePolicies || {});
+    dependsOn.push(...policies);
+    let dockerLabels = {};
+    if (metrics && (metrics.port || dockerListeningPort)) {
+        dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT =
+            "" + (metrics.port || dockerListeningPort);
+        dockerLabels.ECS_PROMETHEUS_METRICS_PATH = metrics.path || "/metrics";
+        if (metrics.jobName) {
+            dockerLabels.ECS_PROMETHEUS_JOB_NAME = metrics.jobName;
         }
-        // this port should be the internal port used for administrative purposes
-        let serviceDiscoveryPort = dockerListeningPort;
-        const vpc = yield (0, vpc_1.getVpc)();
-        const taskSecurityGroup = new aws.ec2.SecurityGroup(`${serviceName}-${version}`, {
-            vpcId: vpc.id,
-            tags: { ServiceName: serviceName, Team: team },
-        });
-        if (dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT) {
-            let fromPort = 0;
-            let toPort = 0;
-            new Set(dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT.split(/;/g).map(($) => parseInt($))).forEach((port) => {
-                if (fromPort == 0 || fromPort > port)
-                    fromPort = port;
-                if (toPort == 0 || toPort < port)
-                    toPort = port;
-                // create a security group to enable metrics access by cwagent from inside the VPC
-                new aws.ec2.SecurityGroupRule(`metrics-${port}`, {
-                    type: "ingress",
-                    fromPort: port,
-                    toPort: port,
-                    protocol: "tcp",
-                    cidrBlocks: [vpc.cidrBlock],
-                    securityGroupId: taskSecurityGroup.id,
-                });
-                if (!extraPortMappings.find(($) => $.hostPort != metrics.port) &&
-                    (port != dockerListeningPort || dontExpose)) {
-                    extraPortMappings.push({
-                        containerPort: port,
-                        hostPort: port,
-                        protocol: "tcp",
-                    });
-                }
-                serviceDiscoveryPort = port;
-            });
-            // enable prometheus to access fromPort-toPort
-            (0, prometheus_1.makeSecurityGroupAccessibleByPrometheus)(taskSecurityGroup, fromPort, toPort, serviceName);
+        else {
+            dockerLabels.ECS_PROMETHEUS_JOB_NAME = serviceName;
         }
-        // enable egress traffic from the task to the internet
-        (0, accessTheInternet_1.makeSecurityGroupAccessTheInternetV2)(taskSecurityGroup, serviceName);
-        // make the container fully accessible from the bastion of the environment
-        (0, acceptBastion_1.makeSecurityGroupAccessibleFromBastion)(taskSecurityGroup, serviceName);
-        const targetGroups = [];
-        if (dontExpose) {
-            const service = yield createInternalService({
-                serviceName,
-                cluster,
-                desiredCount,
-                ephemeralStorageInGB,
-                executionRole,
-                taskRole,
-                assignPublicIp: !dontAssignPublicIp,
-                serviceDiscoveryPort,
-                forceNewDeployment,
-                ignoreServiceDiscovery,
-                securityGroups: [taskSecurityGroup.id, ...securityGroups],
-                containerInfo: {
-                    name: serviceName,
-                    secrets: [],
-                    environment,
-                    essential,
-                    image: dockerImage,
-                    command,
-                    healthCheck: healthCheckContainer,
-                    memoryReservation,
-                    cpu: cpuReservation,
-                    portMappings: extraPortMappings,
-                    dockerLabels,
-                    mountPoints,
-                    repositoryCredentials,
-                },
-                dependsOn,
-                volumes,
-                team,
-                targetGroups,
-                runtimePlatform: options.runtimePlatform,
-                appAutoscaling,
+    }
+    // this port should be the internal port used for administrative purposes
+    let serviceDiscoveryPort = dockerListeningPort;
+    const vpc = await (0, vpc_1.getVpc)();
+    const taskSecurityGroup = new aws.ec2.SecurityGroup(`${serviceName}-${version}`, {
+        vpcId: vpc.id,
+        tags: (0, fargateHelpers_1.createResourceTags)(serviceName, team),
+    });
+    if (dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT) {
+        let fromPort = 0;
+        let toPort = 0;
+        new Set(dockerLabels.ECS_PROMETHEUS_EXPORTER_PORT.split(/;/g).map(($) => parseInt($))).forEach((port) => {
+            if (fromPort == 0 || fromPort > port)
+                fromPort = port;
+            if (toPort == 0 || toPort < port)
+                toPort = port;
+            // create a security group to enable metrics access by cwagent from inside the VPC
+            new aws.ec2.SecurityGroupRule(`metrics-${port}`, {
+                type: "ingress",
+                fromPort: port,
+                toPort: port,
+                protocol: "tcp",
+                cidrBlocks: [vpc.cidrBlock],
+                securityGroupId: taskSecurityGroup.id,
             });
-            return {
-                service,
-                endpoint: "not exposed",
-            };
-        }
-        const exposed = yield (0, exposePublicService_1.exposePublicService)(`${serviceName}-${version}`, hostname, dockerListeningPort, healthCheck, vpc.id, options.extraExposedServiceOptions, deregistrationDelay);
-        targetGroups.push(exposed.targetGroup);
-        for (let extraALBMapping of extraALBMappings) {
-            const exposedExtra = yield (0, exposePublicService_1.exposePublicService)(`${serviceName}-${extraALBMapping.dockerListeningPort}-${version}`, extraALBMapping.domain, extraALBMapping.dockerListeningPort, extraALBMapping.healthCheck, vpc.id, extraALBMapping.extraExposedServiceOptions);
-            targetGroups.push(exposedExtra.targetGroup);
-            // we have to do this check because the port might have been added to the array before if it's included in ECS_PROMETHEUS_EXPORTER_PORT
-            if (!extraPortMappings.find((port) => port.hostPort === extraALBMapping.dockerListeningPort)) {
+            if (!extraPortMappings.find(($) => $.hostPort != metrics.port) &&
+                (port != dockerListeningPort || dontExpose)) {
                 extraPortMappings.push({
-                    containerPort: extraALBMapping.dockerListeningPort,
-                    hostPort: extraALBMapping.dockerListeningPort,
+                    containerPort: port,
+                    hostPort: port,
+                    protocol: "tcp",
                 });
             }
-        }
-        const portMapping = {
-            containerPort: dockerListeningPort,
-            hostPort: dockerListeningPort,
-        };
-        // make the service accesible by the ALB
-        (0, acceptAlb_1.makeSecurityGroupAccessibleFromSharedAlb)(taskSecurityGroup);
-        const service = yield createInternalService({
+            serviceDiscoveryPort = port;
+        });
+        // enable prometheus to access fromPort-toPort
+        (0, prometheus_1.makeSecurityGroupAccessibleByPrometheus)(taskSecurityGroup, fromPort, toPort, serviceName);
+    }
+    // enable egress traffic from the task to the internet
+    (0, accessTheInternet_1.makeSecurityGroupAccessTheInternetV2)(taskSecurityGroup, serviceName);
+    // make the container fully accessible from the bastion of the environment
+    (0, acceptBastion_1.makeSecurityGroupAccessibleFromBastion)(taskSecurityGroup, serviceName);
+    const targetGroups = [];
+    if (dontExpose) {
+        const service = await createInternalService({
             serviceName,
             cluster,
             desiredCount,
             ephemeralStorageInGB,
             executionRole,
             taskRole,
-            forceNewDeployment,
             assignPublicIp: !dontAssignPublicIp,
+            serviceDiscoveryPort,
+            forceNewDeployment,
             ignoreServiceDiscovery,
             securityGroups: [taskSecurityGroup.id, ...securityGroups],
-            serviceDiscoveryPort,
             containerInfo: {
                 name: serviceName,
-                secrets,
+                secrets: [],
                 environment,
-                portMappings: [...extraPortMappings, portMapping],
                 essential,
                 image: dockerImage,
                 command,
                 healthCheck: healthCheckContainer,
                 memoryReservation,
                 cpu: cpuReservation,
+                portMappings: extraPortMappings,
                 dockerLabels,
                 mountPoints,
                 repositoryCredentials,
@@ -298,98 +229,148 @@ function createFargateTask(serviceName, dockerImage, dockerListeningPort, enviro
             runtimePlatform: options.runtimePlatform,
             appAutoscaling,
         });
-        return { endpoint: `https://${hostname}/`, service, exposed };
+        return {
+            service,
+            endpoint: "not exposed",
+        };
+    }
+    const exposed = await (0, exposePublicService_1.exposePublicService)(`${serviceName}-${version}`, hostname, dockerListeningPort, healthCheck, vpc.id, options.extraExposedServiceOptions, deregistrationDelay);
+    targetGroups.push(exposed.targetGroup);
+    for (let extraALBMapping of extraALBMappings) {
+        const exposedExtra = await (0, exposePublicService_1.exposePublicService)(`${serviceName}-${extraALBMapping.dockerListeningPort}-${version}`, extraALBMapping.domain, extraALBMapping.dockerListeningPort, extraALBMapping.healthCheck, vpc.id, extraALBMapping.extraExposedServiceOptions);
+        targetGroups.push(exposedExtra.targetGroup);
+        // we have to do this check because the port might have been added to the array before if it's included in ECS_PROMETHEUS_EXPORTER_PORT
+        if (!extraPortMappings.find((port) => port.hostPort === extraALBMapping.dockerListeningPort)) {
+            extraPortMappings.push({
+                containerPort: extraALBMapping.dockerListeningPort,
+                hostPort: extraALBMapping.dockerListeningPort,
+            });
+        }
+    }
+    const portMapping = {
+        containerPort: dockerListeningPort,
+        hostPort: dockerListeningPort,
+    };
+    // make the service accesible by the ALB
+    (0, acceptAlb_1.makeSecurityGroupAccessibleFromSharedAlb)(taskSecurityGroup);
+    const service = await createInternalService({
+        serviceName,
+        cluster,
+        desiredCount,
+        ephemeralStorageInGB,
+        executionRole,
+        taskRole,
+        forceNewDeployment,
+        assignPublicIp: !dontAssignPublicIp,
+        ignoreServiceDiscovery,
+        securityGroups: [taskSecurityGroup.id, ...securityGroups],
+        serviceDiscoveryPort,
+        containerInfo: {
+            name: serviceName,
+            secrets,
+            environment,
+            portMappings: [...extraPortMappings, portMapping],
+            essential,
+            image: dockerImage,
+            command,
+            healthCheck: healthCheckContainer,
+            memoryReservation,
+            cpu: cpuReservation,
+            dockerLabels,
+            mountPoints,
+            repositoryCredentials,
+        },
+        dependsOn,
+        volumes,
+        team,
+        targetGroups,
+        runtimePlatform: options.runtimePlatform,
+        appAutoscaling,
     });
+    return { endpoint: `https://${hostname}/`, service, exposed };
 }
 exports.createFargateTask = createFargateTask;
-function createInternalService(config) {
-    var _a, _b;
-    return __awaiter(this, void 0, void 0, function* () {
-        let { serviceName, cluster, securityGroups, ignoreServiceDiscovery, serviceDiscoveryPort, desiredCount, executionRole, taskRole, containerInfo, assignPublicIp, dependsOn, volumes, team, targetGroups, runtimePlatform, ephemeralStorageInGB, appAutoscaling, forceNewDeployment, } = config;
-        if (!desiredCount && desiredCount !== 0)
-            desiredCount = 1;
-        assignPublicIp = !!assignPublicIp;
-        let serviceRegistries;
-        if (!ignoreServiceDiscovery) {
-            const serviceDiscovery = new aws.servicediscovery.Service(serviceName, {
-                name: serviceName,
-                description: "service discovery for " + serviceName,
-                dnsConfig: {
-                    dnsRecords: [
-                        { type: "A", ttl: 10 },
-                        { type: "SRV", ttl: 10 },
-                    ],
-                    namespaceId: (0, supra_1.getInternalServiceDiscoveryNamespaceId)(),
-                },
-            });
-            serviceRegistries = {
-                port: serviceDiscoveryPort,
-                registryArn: serviceDiscovery.arn,
-            };
-        }
-        const logGroup = new aws.cloudwatch.LogGroup((0, stack_1.getStackScopedName)(serviceName), {
-            name: (0, stack_1.getStackScopedName)(serviceName),
-            retentionInDays: 60,
-            tags: { ServiceName: serviceName, Team: team },
+async function createInternalService(config) {
+    let { serviceName, cluster, securityGroups, ignoreServiceDiscovery, serviceDiscoveryPort, desiredCount, executionRole, taskRole, containerInfo, assignPublicIp, dependsOn, volumes, team, targetGroups, runtimePlatform, ephemeralStorageInGB, appAutoscaling, forceNewDeployment, } = config;
+    if (!desiredCount && desiredCount !== 0)
+        desiredCount = 1;
+    assignPublicIp = !!assignPublicIp;
+    let serviceRegistries;
+    if (!ignoreServiceDiscovery) {
+        const serviceDiscovery = new aws.servicediscovery.Service(serviceName, {
+            name: serviceName,
+            description: "service discovery for " + serviceName,
+            dnsConfig: {
+                dnsRecords: [
+                    { type: "A", ttl: 10 },
+                    { type: "SRV", ttl: 10 },
+                ],
+                namespaceId: (0, supra_1.getInternalServiceDiscoveryNamespaceId)(),
+            },
         });
-        const taskDefinition = new aws.ecs.TaskDefinition((0, stack_1.getStackScopedName)(serviceName) + "-taskdefinition", {
-            executionRoleArn: executionRole === null || executionRole === void 0 ? void 0 : executionRole.arn,
-            taskRoleArn: taskRole === null || taskRole === void 0 ? void 0 : taskRole.arn,
-            tags: { ServiceName: serviceName, Team: team },
-            containerDefinitions: pulumi.jsonStringify([
-                Object.assign(Object.assign({}, containerInfo), { logConfiguration: (0, exports.getDefaultLogs)(serviceName, logGroup) }),
-            ]),
-            ephemeralStorage: !!ephemeralStorageInGB
-                ? {
-                    sizeInGib: ephemeralStorageInGB,
-                }
-                : undefined,
-            cpu: (_a = containerInfo.cpu) === null || _a === void 0 ? void 0 : _a.toString(),
-            memory: (_b = containerInfo.memoryReservation) === null || _b === void 0 ? void 0 : _b.toString(),
-            runtimePlatform: runtimePlatform,
-            requiresCompatibilities: ["FARGATE"],
-            networkMode: "awsvpc",
-            volumes: volumes,
-            family: (0, stack_1.getStackScopedName)(serviceName),
-        }, { dependsOn: [logGroup] });
-        const service = new aws.ecs.Service((0, stack_1.getStackScopedName)(serviceName), {
-            cluster: yield getClusterInstance(cluster),
-            tags: { ServiceName: serviceName, StackId: (0, stack_1.getStackId)(), Team: team },
-            networkConfiguration: {
-                subnets: yield (0, network_1.getPrivateSubnetIds)(),
-                securityGroups: securityGroups,
+        serviceRegistries = {
+            port: serviceDiscoveryPort,
+            registryArn: serviceDiscovery.arn,
+        };
+    }
+    const logGroup = (0, fargateHelpers_1.createLogGroup)(serviceName, team);
+    const taskDefinition = (0, fargateHelpers_1.createFargateTaskDefinition)({
+        name: serviceName,
+        executionRoleArn: executionRole?.arn,
+        taskRoleArn: taskRole?.arn,
+        containerDefinitions: pulumi.jsonStringify([
+            {
+                ...containerInfo,
+                logConfiguration: (0, exports.getDefaultLogs)(serviceName, logGroup),
             },
-            serviceRegistries,
-            desiredCount,
-            launchType: "FARGATE",
-            enableEcsManagedTags: true,
-            forceNewDeployment,
-            waitForSteadyState: false,
-            taskDefinition: taskDefinition.arn,
-            loadBalancers: [
-                ...targetGroups.map((tg) => ({
-                    targetGroupArn: tg.arn,
-                    containerName: serviceName,
-                    containerPort: tg.port,
-                })),
-            ],
-        }, Object.assign(Object.assign({}, extraOpts), { dependsOn }));
-        if (appAutoscaling) {
-            setAutoscaling(service, serviceName, { appAutoscaling, desiredCount });
-        }
-        return service;
+        ]),
+        team,
+        cpu: containerInfo.cpu ?? fargateHelpers_1.DEFAULT_CPU,
+        memory: containerInfo.memoryReservation ?? fargateHelpers_1.DEFAULT_MEMORY,
+        ephemeralStorageInGB,
+        runtimePlatform,
+        volumes,
+        dependsOn: [logGroup],
+    });
+    const service = new aws.ecs.Service((0, stack_1.getStackScopedName)(serviceName), {
+        cluster: await getClusterInstance(cluster),
+        tags: (0, fargateHelpers_1.createResourceTags)(serviceName, team, { StackId: (0, stack_1.getStackId)() }),
+        networkConfiguration: {
+            subnets: await (0, network_1.getPrivateSubnetIds)(),
+            securityGroups: securityGroups,
+        },
+        serviceRegistries,
+        desiredCount,
+        launchType: "FARGATE",
+        enableEcsManagedTags: true,
+        forceNewDeployment,
+        waitForSteadyState: false,
+        taskDefinition: taskDefinition.arn,
+        loadBalancers: [
+            ...targetGroups.map((tg) => ({
+                targetGroupArn: tg.arn,
+                containerName: serviceName,
+                containerPort: tg.port,
+            })),
+        ],
+    }, {
+        ...extraOpts,
+        dependsOn,
     });
+    if (appAutoscaling) {
+        setAutoscaling(service, serviceName, { appAutoscaling, desiredCount });
+    }
+    return service;
 }
 exports.createInternalService = createInternalService;
 function setAutoscaling(service, serviceName, config) {
-    var _a;
     if ((!config.appAutoscaling.policy && !config.appAutoscaling.scheduleAction) ||
         (config.appAutoscaling.policy && config.appAutoscaling.scheduleAction)) {
         throw new Error("Invalid autoscaling configuration. You must provide either a policy OR a scheduleAction.");
     }
     const ecsTarget = new aws.appautoscaling.Target(`ecs-target-${(0, stack_1.getStackScopedName)(serviceName)}`, {
         maxCapacity: config.appAutoscaling.maxCapacity,
-        minCapacity: (_a = config.appAutoscaling.minCapacity) !== null && _a !== void 0 ? _a : config.desiredCount,
+        minCapacity: config.appAutoscaling.minCapacity ?? config.desiredCount,
         resourceId: service.id.apply((id) => {
             return id.split(":").pop();
         }),

package/createImageFromContext.js

@@ -9,9 +9,13 @@ function createImageFromContext(name, context, options, imageOpts) {
     const registry = (0, getImageRegistryAndCredentials_1.getImageRegistryAndCredentials)(ecr);
     const image = new docker.Image(`${name}-image`, {
         imageName: ecr.repositoryUrl,
-        build: Object.assign({ context, args: {
+        build: {
+            context,
+            args: {
                 DOCKER_BUILDKIT: "1",
-            } }, options),
+            },
+            ...options,
+        },
         registry: registry,
     }, imageOpts);
     return {

package/createSQSTriggeredFargateTask.d.ts

@@ -0,0 +1,63 @@
+import * as pulumi from "@pulumi/pulumi";
+import { BaseFargateTaskOptions } from "./scheduledTaskBase";
+/**
+ * SQS trigger configuration for the task
+ */
+export type SqsTriggerConfig = {
+    /**
+     * ARN of the SQS queue to trigger from
+     */
+    queueArn: pulumi.Input<string>;
+    /**
+     * Number of messages per batch (default: 1)
+     * Each batch triggers one task invocation
+     */
+    batchSize?: number;
+    /**
+     * Maximum batching window in seconds (default: 0)
+     * How long to wait to accumulate messages before triggering
+     */
+    maximumBatchingWindowSeconds?: number;
+};
+/**
+ * Options for creating an SQS-triggered Fargate task
+ */
+export type SQSTriggeredFargateTaskOptions = BaseFargateTaskOptions & {
+    /**
+     * SQS queue trigger configuration - required
+     */
+    sqsTrigger: SqsTriggerConfig;
+};
+/**
+ * Creates a Fargate task that is triggered by messages in an SQS queue.
+ * Uses EventBridge Pipes to connect the SQS queue to ECS task execution.
+ *
+ * @param taskName A name for this task. For example, "order-processor"
+ * @param dockerImage The docker image to run
+ * @param options Configuration options for the SQS-triggered task
+ *
+ * @example
+ * ```typescript
+ * await createSQSTriggeredFargateTask("order-processor", "myapp/processor:latest", {
+ *   sqsTrigger: {
+ *     queueArn: ordersQueue.arn,
+ *     batchSize: 10,
+ *     maximumBatchingWindowSeconds: 30,
+ *   },
+ *   cpu: 512,
+ *   memory: 1024,
+ *   environment: [{ name: "DB_HOST", value: dbHost }],
+ *   slackChannel: "#order-processing-alerts",
+ *   team: "platform",
+ * });
+ * ```
+ */
+export declare function createSQSTriggeredFargateTask(taskName: string, dockerImage: string | Promise<string> | pulumi.OutputInstance<string>, options: SQSTriggeredFargateTaskOptions): Promise<{
+    taskDefinition: import("@pulumi/aws/ecs/taskDefinition").TaskDefinition;
+    taskSecurityGroup: import("@pulumi/aws/ec2/securityGroup").SecurityGroup;
+    logGroup: import("@pulumi/aws/cloudwatch/logGroup").LogGroup;
+    executionRole: import("@pulumi/aws/iam/role").Role;
+    taskRole: import("@pulumi/aws/iam/role").Role;
+    eventBridgeRole: import("@pulumi/aws/iam/role").Role;
+    pipe: import("@pulumi/aws/pipes/pipe").Pipe;
+}>;