aws-cdk-lib 2.126.0__py3-none-any.whl → 2.127.0__py3-none-any.whl

aws_cdk/aws_ecs/__init__.py

@@ -1680,6 +1680,32 @@ custom_service = ecs.FargateService(self, "CustomizedService",
 )
 ```
 
+To set a timeout for service connect, use `idleTimeout` and `perRequestTimeout`.
+
+**Note**: If `idleTimeout` is set to a time that is less than `perRequestTimeout`, the connection will close when
+the `idleTimeout` is reached and not the `perRequestTimeout`.
+
+```python
+# cluster: ecs.Cluster
+# task_definition: ecs.TaskDefinition
+
+
+service = ecs.FargateService(self, "Service",
+    cluster=cluster,
+    task_definition=task_definition,
+    service_connect_configuration=ecs.ServiceConnectProps(
+        services=[ecs.ServiceConnectService(
+            port_mapping_name="api",
+            idle_timeout=Duration.minutes(5),
+            per_request_timeout=Duration.minutes(5)
+        )
+        ]
+    )
+)
+```
+
+> Visit [Amazon ECS support for configurable timeout for services running with Service Connect](https://aws.amazon.com/about-aws/whats-new/2024/01/amazon-ecs-configurable-timeout-service-connect/) for more details.
+
 ## ServiceManagedVolume
 
 Amazon ECS now supports the attachment of Amazon Elastic Block Store (EBS) volumes to ECS tasks,
@@ -4593,7 +4619,9 @@ class BaseServiceOptions:
                         # the properties below are optional
                         discovery_name="discoveryName",
                         dns_name="dnsName",
+                        idle_timeout=cdk.Duration.minutes(30),
                         ingress_port_override=123,
+                        per_request_timeout=cdk.Duration.minutes(30),
                         port=123
                     )]
                 ),
@@ -4989,7 +5017,9 @@ class BaseServiceProps(BaseServiceOptions):
                         # the properties below are optional
                         discovery_name="discoveryName",
                         dns_name="dnsName",
+                        idle_timeout=cdk.Duration.minutes(30),
                         ingress_port_override=123,
+                        per_request_timeout=cdk.Duration.minutes(30),
                         port=123
                     )]
                 ),
@@ -9194,7 +9224,7 @@ class CfnService(
 
             Services with tasks that use the ``awsvpc`` network mode (for example, those with the Fargate launch type) only support Application Load Balancers and Network Load Balancers. Classic Load Balancers are not supported. Also, when you create any target groups for these services, you must choose ``ip`` as the target type, not ``instance`` . Tasks that use the ``awsvpc`` network mode are associated with an elastic network interface, not an Amazon EC2 instance.
 
-            :param container_name: The name of the container (as it appears in a container definition) to associate with the load balancer.
+            :param container_name: The name of the container (as it appears in a container definition) to associate with the load balancer. You need to specify the container name when configuring the target group for an Amazon ECS load balancer.
             :param container_port: The port on the container to associate with the load balancer. This port must correspond to a ``containerPort`` in the task definition the tasks in the service are using. For tasks that use the EC2 launch type, the container instance they're launched on must allow ingress traffic on the ``hostPort`` of the port mapping.
             :param load_balancer_name: The name of the load balancer to associate with the Amazon ECS service or task set. If you are using an Application Load Balancer or a Network Load Balancer the load balancer name parameter should be omitted.
             :param target_group_arn: The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set. A target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. For services using the ``ECS`` deployment controller, you can specify one or multiple target groups. For more information, see `Registering multiple target groups with a service <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html>`_ in the *Amazon Elastic Container Service Developer Guide* . For services using the ``CODE_DEPLOY`` deployment controller, you're required to define two target groups for the load balancer. For more information, see `Blue/green deployment with CodeDeploy <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html>`_ in the *Amazon Elastic Container Service Developer Guide* . .. epigraph:: If your service's task definition uses the ``awsvpc`` network mode, you must choose ``ip`` as the target type, not ``instance`` . Do this when creating your target groups because tasks that use the ``awsvpc`` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.
@@ -9235,6 +9265,8 @@ class CfnService(
         def container_name(self) -> typing.Optional[builtins.str]:
             '''The name of the container (as it appears in a container definition) to associate with the load balancer.
 
+            You need to specify the container name when configuring the target group for an Amazon ECS load balancer.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-service-loadbalancer.html#cfn-ecs-service-loadbalancer-containername
             '''
             result = self._values.get("container_name")
@@ -11571,6 +11603,7 @@ class CfnTaskDefinition(
                 # the properties below are optional
                 command=["command"],
                 cpu=123,
+                credential_specs=["credentialSpecs"],
                 depends_on=[ecs.CfnTaskDefinition.ContainerDependencyProperty(
                     condition="condition",
                     container_name="containerName"
@@ -12227,6 +12260,7 @@ class CfnTaskDefinition(
             "name": "name",
             "command": "command",
             "cpu": "cpu",
+            "credential_specs": "credentialSpecs",
             "depends_on": "dependsOn",
             "disable_networking": "disableNetworking",
             "dns_search_domains": "dnsSearchDomains",
@@ -12272,6 +12306,7 @@ class CfnTaskDefinition(
             name: builtins.str,
             command: typing.Optional[typing.Sequence[builtins.str]] = None,
             cpu: typing.Optional[jsii.Number] = None,
+            credential_specs: typing.Optional[typing.Sequence[builtins.str]] = None,
             depends_on: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnTaskDefinition.ContainerDependencyProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
             disable_networking: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
             dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -12316,6 +12351,7 @@ class CfnTaskDefinition(
             :param name: The name of a container. If you're linking multiple containers together in a task definition, the ``name`` of one container can be entered in the ``links`` of another container to connect the containers. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. This parameter maps to ``name`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--name`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ .
             :param command: The command that's passed to the container. This parameter maps to ``Cmd`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``COMMAND`` parameter to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . For more information, see `https://docs.docker.com/engine/reference/builder/#cmd <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/builder/#cmd>`_ . If there are multiple arguments, each argument is a separated string in the array.
             :param cpu: The number of ``cpu`` units reserved for the container. This parameter maps to ``CpuShares`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--cpu-shares`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . This field is optional for tasks using the Fargate launch type, and the only requirement is that the total amount of CPU reserved for all containers within a task be lower than the task-level ``cpu`` value. .. epigraph:: You can determine the number of CPU units that are available per EC2 instance type by multiplying the vCPUs listed for that instance type on the `Amazon EC2 Instances <https://docs.aws.amazon.com/ec2/instance-types/>`_ detail page by 1,024. Linux containers share unallocated CPU units with other containers on the container instance with the same ratio as their allocated amount. For example, if you run a single-container task on a single-core instance type with 512 CPU units specified for that container, and that's the only task running on the container instance, that container could use the full 1,024 CPU unit share at any given time. However, if you launched another copy of the same task on that container instance, each task is guaranteed a minimum of 512 CPU units when needed. Moreover, each container could float to higher CPU usage if the other container was not using it. If both tasks were 100% active all of the time, they would be limited to 512 CPU units. On Linux container instances, the Docker daemon on the container instance uses the CPU value to calculate the relative CPU share ratios for running containers. For more information, see `CPU share constraint <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#cpu-share-constraint>`_ in the Docker documentation. The minimum valid CPU share value that the Linux kernel allows is 2. However, the CPU parameter isn't required, and you can use CPU values below 2 in your container definitions. For CPU values below 2 (including null), the behavior varies based on your Amazon ECS container agent version: - *Agent versions less than or equal to 1.1.0:* Null and zero CPU values are passed to Docker as 0, which Docker then converts to 1,024 CPU shares. CPU values of 1 are passed to Docker as 1, which the Linux kernel converts to two CPU shares. - *Agent versions greater than or equal to 1.2.0:* Null, zero, and CPU values of 1 are passed to Docker as 2. On Windows container instances, the CPU limit is enforced as an absolute limit, or a quota. Windows containers only have access to the specified amount of CPU that's described in the task definition. A null or zero CPU value is passed to Docker as ``0`` , which Windows interprets as 1% of one CPU.
+            :param credential_specs: A list of ARNs in SSM or Amazon S3 to a credential spec ( ``CredSpec`` ) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the ``dockerSecurityOptions`` . The maximum number of ARNs is 1. There are two formats for each ARN. - **credentialspecdomainless:MyARN** - You use ``credentialspecdomainless:MyARN`` to provide a ``CredSpec`` with an additional section for a secret in AWS Secrets Manager . You provide the login credentials to the domain in the secret. Each task that runs on any container instance can join different domains. You can use this format without joining the container instance to a domain. - **credentialspec:MyARN** - You use ``credentialspec:MyARN`` to provide a ``CredSpec`` for a single domain. You must join the container instance to the domain before you start any tasks that use this task definition. In both formats, replace ``MyARN`` with the ARN in SSM or Amazon S3. If you provide a ``credentialspecdomainless:MyARN`` , the ``credspec`` must provide a ARN in AWS Secrets Manager for a secret containing the username, password, and the domain to connect to. For better security, the instance isn't joined to the domain for domainless authentication. Other applications on the instance can't use the domainless credentials. You can use this parameter to run tasks on the same instance, even it the tasks need to join different domains. For more information, see `Using gMSAs for Windows Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows-gmsa.html>`_ and `Using gMSAs for Linux Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/linux-gmsa.html>`_ .
             :param depends_on: The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. For tasks using the EC2 launch type, the container instances require at least version 1.26.0 of the container agent to turn on container dependencies. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see `Updating the Amazon ECS Container Agent <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html>`_ in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the ``ecs-init`` package. If your container instances are launched from version ``20190301`` or later, then they contain the required versions of the container agent and ``ecs-init`` . For more information, see `Amazon ECS-optimized Linux AMI <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html>`_ in the *Amazon Elastic Container Service Developer Guide* . For tasks using the Fargate launch type, the task or service requires the following platforms: - Linux platform version ``1.3.0`` or later. - Windows platform version ``1.0.0`` or later. If the task definition is used in a blue/green deployment that uses `AWS::CodeDeploy::DeploymentGroup BlueGreenDeploymentConfiguration <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codedeploy-deploymentgroup-bluegreendeploymentconfiguration.html>`_ , the ``dependsOn`` parameter is not supported. For more information see `Issue #680 <https://docs.aws.amazon.com/https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/680>`_ on the on the GitHub website.
             :param disable_networking: When this parameter is true, networking is off within the container. This parameter maps to ``NetworkDisabled`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ . .. epigraph:: This parameter is not supported for Windows containers.
             :param dns_search_domains: A list of DNS search domains that are presented to the container. This parameter maps to ``DnsSearch`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--dns-search`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . .. epigraph:: This parameter is not supported for Windows containers.
@@ -12346,7 +12382,7 @@ class CfnTaskDefinition(
             :param secrets: The secrets to pass to the container. For more information, see `Specifying Sensitive Data <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
             :param start_timeout: Time duration (in seconds) to wait before giving up on resolving dependencies for a container. For example, you specify two containers in a task definition with containerA having a dependency on containerB reaching a ``COMPLETE`` , ``SUCCESS`` , or ``HEALTHY`` status. If a ``startTimeout`` value is specified for containerB and it doesn't reach the desired status within that time then containerA gives up and not start. This results in the task transitioning to a ``STOPPED`` state. .. epigraph:: When the ``ECS_CONTAINER_START_TIMEOUT`` container agent configuration variable is used, it's enforced independently from this start timeout value. For tasks using the Fargate launch type, the task or service requires the following platforms: - Linux platform version ``1.3.0`` or later. - Windows platform version ``1.0.0`` or later. For tasks using the EC2 launch type, your container instances require at least version ``1.26.0`` of the container agent to use a container start timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see `Updating the Amazon ECS Container Agent <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html>`_ in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version ``1.26.0-1`` of the ``ecs-init`` package. If your container instances are launched from version ``20190301`` or later, then they contain the required versions of the container agent and ``ecs-init`` . For more information, see `Amazon ECS-optimized Linux AMI <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html>`_ in the *Amazon Elastic Container Service Developer Guide* . The valid values are 2-120 seconds.
             :param stop_timeout: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. For tasks using the Fargate launch type, the task or service requires the following platforms: - Linux platform version ``1.3.0`` or later. - Windows platform version ``1.0.0`` or later. The max stop timeout value is 120 seconds and if the parameter is not specified, the default value of 30 seconds is used. For tasks that use the EC2 launch type, if the ``stopTimeout`` parameter isn't specified, the value set for the Amazon ECS container agent configuration variable ``ECS_CONTAINER_STOP_TIMEOUT`` is used. If neither the ``stopTimeout`` parameter or the ``ECS_CONTAINER_STOP_TIMEOUT`` agent configuration variable are set, then the default values of 30 seconds for Linux containers and 30 seconds on Windows containers are used. Your container instances require at least version 1.26.0 of the container agent to use a container stop timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see `Updating the Amazon ECS Container Agent <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-update.html>`_ in the *Amazon Elastic Container Service Developer Guide* . If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the ``ecs-init`` package. If your container instances are launched from version ``20190301`` or later, then they contain the required versions of the container agent and ``ecs-init`` . For more information, see `Amazon ECS-optimized Linux AMI <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html>`_ in the *Amazon Elastic Container Service Developer Guide* . The valid values are 2-120 seconds.
-            :param system_controls: A list of namespaced kernel parameters to set in the container. This parameter maps to ``Sysctls`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--sysctl`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . For example, you can configure ``net.ipv4.tcp_keepalive_time`` setting to maintain longer lived connections. We don't recommend that you specify network-related ``systemControls`` parameters for multiple containers in a single task that also uses either the ``awsvpc`` or ``host`` network mode. Doing this has the following disadvantages: - For tasks that use the ``awsvpc`` network mode including Fargate, if you set ``systemControls`` for any container, it applies to all containers in the task. If you set different ``systemControls`` for multiple containers in a single task, the container that's started last determines which ``systemControls`` take effect. - For tasks that use the ``host`` network mode, the network namespace ``systemControls`` aren't supported. If you're setting an IPC resource namespace to use for the containers in the task, the following conditions apply to your system controls. For more information, see `IPC mode <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_ipcmode>`_ . - For tasks that use the ``host`` IPC mode, IPC namespace ``systemControls`` aren't supported. - For tasks that use the ``task`` IPC mode, IPC namespace ``systemControls`` values apply to all containers within a task. .. epigraph:: This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version ``1.4.0`` or later (Linux). This isn't supported for Windows containers on Fargate.
+            :param system_controls: A list of namespaced kernel parameters to set in the container. This parameter maps to ``Sysctls`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--sysctl`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . For example, you can configure ``net.ipv4.tcp_keepalive_time`` setting to maintain longer lived connections.
             :param ulimits: A list of ``ulimits`` to set in the container. This parameter maps to ``Ulimits`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--ulimit`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/>`_ . Valid naming values are displayed in the `Ulimit <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_Ulimit.html>`_ data type. This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: ``sudo docker version --format '{{.Server.APIVersion}}'`` .. epigraph:: This parameter is not supported for Windows containers.
             :param user: The user to use inside the container. This parameter maps to ``User`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--user`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . .. epigraph:: When running tasks using the ``host`` network mode, don't run containers using the root user (UID 0). We recommend using a non-root user for better security. You can specify the ``user`` using the following formats. If specifying a UID or GID, you must specify it as a positive integer. - ``user`` - ``user:group`` - ``uid`` - ``uid:gid`` - ``user:gid`` - ``uid:group`` .. epigraph:: This parameter is not supported for Windows containers.
             :param volumes_from: Data volumes to mount from another container. This parameter maps to ``VolumesFrom`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--volumes-from`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ .
@@ -12368,6 +12404,7 @@ class CfnTaskDefinition(
                     # the properties below are optional
                     command=["command"],
                     cpu=123,
+                    credential_specs=["credentialSpecs"],
                     depends_on=[ecs.CfnTaskDefinition.ContainerDependencyProperty(
                         condition="condition",
                         container_name="containerName"
@@ -12497,6 +12534,7 @@ class CfnTaskDefinition(
                 check_type(argname="argument name", value=name, expected_type=type_hints["name"])
                 check_type(argname="argument command", value=command, expected_type=type_hints["command"])
                 check_type(argname="argument cpu", value=cpu, expected_type=type_hints["cpu"])
+                check_type(argname="argument credential_specs", value=credential_specs, expected_type=type_hints["credential_specs"])
                 check_type(argname="argument depends_on", value=depends_on, expected_type=type_hints["depends_on"])
                 check_type(argname="argument disable_networking", value=disable_networking, expected_type=type_hints["disable_networking"])
                 check_type(argname="argument dns_search_domains", value=dns_search_domains, expected_type=type_hints["dns_search_domains"])
@@ -12540,6 +12578,8 @@ class CfnTaskDefinition(
                 self._values["command"] = command
             if cpu is not None:
                 self._values["cpu"] = cpu
+            if credential_specs is not None:
+                self._values["credential_specs"] = credential_specs
             if depends_on is not None:
                 self._values["depends_on"] = depends_on
             if disable_networking is not None:
@@ -12677,6 +12717,33 @@ class CfnTaskDefinition(
             result = self._values.get("cpu")
             return typing.cast(typing.Optional[jsii.Number], result)
 
+        @builtins.property
+        def credential_specs(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''A list of ARNs in SSM or Amazon S3 to a credential spec ( ``CredSpec`` ) file that configures the container for Active Directory authentication.
+
+            We recommend that you use this parameter instead of the ``dockerSecurityOptions`` . The maximum number of ARNs is 1.
+
+            There are two formats for each ARN.
+
+            - **credentialspecdomainless:MyARN** - You use ``credentialspecdomainless:MyARN`` to provide a ``CredSpec`` with an additional section for a secret in AWS Secrets Manager . You provide the login credentials to the domain in the secret.
+
+            Each task that runs on any container instance can join different domains.
+
+            You can use this format without joining the container instance to a domain.
+
+            - **credentialspec:MyARN** - You use ``credentialspec:MyARN`` to provide a ``CredSpec`` for a single domain.
+
+            You must join the container instance to the domain before you start any tasks that use this task definition.
+
+            In both formats, replace ``MyARN`` with the ARN in SSM or Amazon S3.
+
+            If you provide a ``credentialspecdomainless:MyARN`` , the ``credspec`` must provide a ARN in AWS Secrets Manager for a secret containing the username, password, and the domain to connect to. For better security, the instance isn't joined to the domain for domainless authentication. Other applications on the instance can't use the domainless credentials. You can use this parameter to run tasks on the same instance, even it the tasks need to join different domains. For more information, see `Using gMSAs for Windows Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows-gmsa.html>`_ and `Using gMSAs for Linux Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/linux-gmsa.html>`_ .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-credentialspecs
+            '''
+            result = self._values.get("credential_specs")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
         @builtins.property
         def depends_on(
             self,
@@ -13170,20 +13237,6 @@ class CfnTaskDefinition(
 
             This parameter maps to ``Sysctls`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--sysctl`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . For example, you can configure ``net.ipv4.tcp_keepalive_time`` setting to maintain longer lived connections.
 
-            We don't recommend that you specify network-related ``systemControls`` parameters for multiple containers in a single task that also uses either the ``awsvpc`` or ``host`` network mode. Doing this has the following disadvantages:
-
-            - For tasks that use the ``awsvpc`` network mode including Fargate, if you set ``systemControls`` for any container, it applies to all containers in the task. If you set different ``systemControls`` for multiple containers in a single task, the container that's started last determines which ``systemControls`` take effect.
-            - For tasks that use the ``host`` network mode, the network namespace ``systemControls`` aren't supported.
-
-            If you're setting an IPC resource namespace to use for the containers in the task, the following conditions apply to your system controls. For more information, see `IPC mode <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_ipcmode>`_ .
-
-            - For tasks that use the ``host`` IPC mode, IPC namespace ``systemControls`` aren't supported.
-            - For tasks that use the ``task`` IPC mode, IPC namespace ``systemControls`` values apply to all containers within a task.
-
-            .. epigraph::
-
-               This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version ``1.4.0`` or later (Linux). This isn't supported for Windows containers on Fargate.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinition.html#cfn-ecs-taskdefinition-containerdefinition-systemcontrols
             '''
             result = self._values.get("system_controls")
@@ -13821,7 +13874,7 @@ class CfnTaskDefinition(
         def __init__(self, *, size_in_gib: typing.Optional[jsii.Number] = None) -> None:
             '''The amount of ephemeral storage to allocate for the task.
 
-            This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate . For more information, see `Fargate task storage <https://docs.aws.amazon.com/AmazonECS/latest/userguide/using_data_volumes.html>`_ in the *Amazon ECS User Guide for AWS Fargate* .
+            This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate . For more information, see `Using data volumes in tasks <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_data_volumes.html>`_ in the *Amazon ECS Developer Guide;* .
             .. epigraph::
 
                For tasks using the Fargate launch type, the task requires the following platforms:
@@ -15507,12 +15560,21 @@ class CfnTaskDefinition(
         ) -> None:
             '''A list of namespaced kernel parameters to set in the container.
 
-            This parameter maps to ``Sysctls`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--sysctl`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ .
+            This parameter maps to ``Sysctls`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--sysctl`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . For example, you can configure ``net.ipv4.tcp_keepalive_time`` setting to maintain longer lived connections.
+
+            We don't recommend that you specify network-related ``systemControls`` parameters for multiple containers in a single task that also uses either the ``awsvpc`` or ``host`` network mode. Doing this has the following disadvantages:
+
+            - For tasks that use the ``awsvpc`` network mode including Fargate, if you set ``systemControls`` for any container, it applies to all containers in the task. If you set different ``systemControls`` for multiple containers in a single task, the container that's started last determines which ``systemControls`` take effect.
+            - For tasks that use the ``host`` network mode, the network namespace ``systemControls`` aren't supported.
+
+            If you're setting an IPC resource namespace to use for the containers in the task, the following conditions apply to your system controls. For more information, see `IPC mode <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_definition_ipcmode>`_ .
 
-            We don't recommend that you specify network-related ``systemControls`` parameters for multiple containers in a single task. This task also uses either the ``awsvpc`` or ``host`` network mode. It does it for the following reasons.
+            - For tasks that use the ``host`` IPC mode, IPC namespace ``systemControls`` aren't supported.
+            - For tasks that use the ``task`` IPC mode, IPC namespace ``systemControls`` values apply to all containers within a task.
+
+            .. epigraph::
 
-            - For tasks that use the ``awsvpc`` network mode, if you set ``systemControls`` for any container, it applies to all containers in the task. If you set different ``systemControls`` for multiple containers in a single task, the container that's started last determines which ``systemControls`` take effect.
-            - For tasks that use the ``host`` network mode, the ``systemControls`` parameter applies to the container instance's kernel parameter and that of all containers of any tasks running on that container instance.
+               This parameter is not supported for Windows containers. > This parameter is only supported for tasks that are hosted on AWS Fargate if the tasks are using platform version ``1.4.0`` or later (Linux). This isn't supported for Windows containers on Fargate.
 
             :param namespace: The namespaced kernel parameter to set a ``value`` for.
             :param value: The namespaced kernel parameter to set a ``value`` for. Valid IPC namespace values: ``"kernel.msgmax" | "kernel.msgmnb" | "kernel.msgmni" | "kernel.sem" | "kernel.shmall" | "kernel.shmmax" | "kernel.shmmni" | "kernel.shm_rmid_forced"`` , and ``Sysctls`` that start with ``"fs.mqueue.*"`` Valid network namespace values: ``Sysctls`` that start with ``"net.*"`` All of these values are supported by Fargate.
@@ -16176,6 +16238,7 @@ class CfnTaskDefinitionProps:
                     # the properties below are optional
                     command=["command"],
                     cpu=123,
+                    credential_specs=["credentialSpecs"],
                     depends_on=[ecs.CfnTaskDefinition.ContainerDependencyProperty(
                         condition="condition",
                         container_name="containerName"
@@ -17159,7 +17222,7 @@ class CfnTaskSet(
 
             A service-linked role is required for services that use multiple target groups. For more information, see `Using service-linked roles <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
 
-            :param container_name: The name of the container (as it appears in a container definition) to associate with the load balancer.
+            :param container_name: The name of the container (as it appears in a container definition) to associate with the load balancer. You need to specify the container name when configuring the target group for an Amazon ECS load balancer.
             :param container_port: The port on the container to associate with the load balancer. This port must correspond to a ``containerPort`` in the task definition the tasks in the service are using. For tasks that use the EC2 launch type, the container instance they're launched on must allow ingress traffic on the ``hostPort`` of the port mapping.
             :param target_group_arn: The full Amazon Resource Name (ARN) of the Elastic Load Balancing target group or groups associated with a service or task set. A target group ARN is only specified when using an Application Load Balancer or Network Load Balancer. For services using the ``ECS`` deployment controller, you can specify one or multiple target groups. For more information, see `Registering multiple target groups with a service <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/register-multiple-targetgroups.html>`_ in the *Amazon Elastic Container Service Developer Guide* . For services using the ``CODE_DEPLOY`` deployment controller, you're required to define two target groups for the load balancer. For more information, see `Blue/green deployment with CodeDeploy <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-bluegreen.html>`_ in the *Amazon Elastic Container Service Developer Guide* . .. epigraph:: If your service's task definition uses the ``awsvpc`` network mode, you must choose ``ip`` as the target type, not ``instance`` . Do this when creating your target groups because tasks that use the ``awsvpc`` network mode are associated with an elastic network interface, not an Amazon EC2 instance. This network mode is required for the Fargate launch type.
 
@@ -17195,6 +17258,8 @@ class CfnTaskSet(
         def container_name(self) -> typing.Optional[builtins.str]:
             '''The name of the container (as it appears in a container definition) to associate with the load balancer.
 
+            You need to specify the container name when configuring the target group for an Amazon ECS load balancer.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskset-loadbalancer.html#cfn-ecs-taskset-loadbalancer-containername
             '''
             result = self._values.get("container_name")
@@ -22017,7 +22082,7 @@ class Ec2ServiceProps(BaseServiceOptions):
         :param volume_configurations: Configuration details for a volume used by the service. This allows you to specify details about the EBS volume that can be attched to ECS tasks. Default: - undefined
         :param task_definition: The task definition to use for tasks in the service. [disable-awslint:ref-via-interface]
         :param assign_public_ip: Specifies whether the task's elastic network interface receives a public IP address. If true, each task will receive a public IP address. This property is only used for tasks that use the awsvpc network mode. Default: false
-        :param daemon: Specifies whether the service will use the daemon scheduling strategy. If true, the service scheduler deploys exactly one task on each container instance in your cluster. When you are using this strategy, do not specify a desired number of tasks orany task placement strategies. Default: false
+        :param daemon: Specifies whether the service will use the daemon scheduling strategy. If true, the service scheduler deploys exactly one task on each container instance in your cluster. When you are using this strategy, do not specify a desired number of tasks or any task placement strategies. Default: false
         :param placement_constraints: The placement constraints to use for tasks in the service. For more information, see `Amazon ECS Task Placement Constraints <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-constraints.html>`_. Default: - No constraints.
         :param placement_strategies: The placement strategies to use for tasks in the service. For more information, see `Amazon ECS Task Placement Strategies <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-strategies.html>`_. Default: - No strategies.
         :param security_groups: The security groups to associate with the service. If you do not specify a security group, a new security group is created. This property is only used for tasks that use the awsvpc network mode. Default: - A new security group is created.
@@ -22331,7 +22396,7 @@ class Ec2ServiceProps(BaseServiceOptions):
 
         If true, the service scheduler deploys exactly one task on each container instance in your cluster.
 
-        When you are using this strategy, do not specify a desired number of tasks orany task placement strategies.
+        When you are using this strategy, do not specify a desired number of tasks or any task placement strategies.
 
         :default: false
         '''
@@ -24749,33 +24814,27 @@ class FargateServiceProps(BaseServiceOptions):
             
             # cluster: ecs.Cluster
             # task_definition: ecs.TaskDefinition
+            # elb_alarm: cw.Alarm
+            
             
-            service_name = "MyFargateService"
             service = ecs.FargateService(self, "Service",
-                service_name=service_name,
                 cluster=cluster,
-                task_definition=task_definition
+                task_definition=task_definition,
+                deployment_alarms=ecs.DeploymentAlarmConfig(
+                    alarm_names=[elb_alarm.alarm_name],
+                    behavior=ecs.AlarmBehavior.ROLLBACK_ON_ALARM
+                )
             )
             
-            cpu_metric = cw.Metric(
-                metric_name="CPUUtilization",
-                namespace="AWS/ECS",
-                period=Duration.minutes(5),
-                statistic="Average",
-                dimensions_map={
-                    "ClusterName": cluster.cluster_name,
-                    # Using `service.serviceName` here will cause a circular dependency
-                    "ServiceName": service_name
-                }
-            )
-            my_alarm = cw.Alarm(self, "CPUAlarm",
-                alarm_name="cpuAlarmName",
-                metric=cpu_metric,
+            # Defining a deployment alarm after the service has been created
+            cpu_alarm_name = "MyCpuMetricAlarm"
+            cw.Alarm(self, "CPUAlarm",
+                alarm_name=cpu_alarm_name,
+                metric=service.metric_cpu_utilization(),
                 evaluation_periods=2,
                 threshold=80
             )
-            
-            service.enable_deployment_alarms([my_alarm.alarm_name],
+            service.enable_deployment_alarms([cpu_alarm_name],
                 behavior=ecs.AlarmBehavior.FAIL_ON_ALARM
             )
         '''
@@ -32412,28 +32471,21 @@ class ServiceConnectProps:
 
             # cluster: ecs.Cluster
             # task_definition: ecs.TaskDefinition
-            # container_options: ecs.ContainerDefinitionOptions
             
             
-            container = task_definition.add_container("MyContainer", container_options)
-            
-            container.add_port_mappings(
-                name="api",
-                container_port=8080
-            )
-            
-            cluster.add_default_cloud_map_namespace(
-                name="local"
-            )
-            
-            service = ecs.FargateService(self, "Service",
+            custom_service = ecs.FargateService(self, "CustomizedService",
                 cluster=cluster,
                 task_definition=task_definition,
                 service_connect_configuration=ecs.ServiceConnectProps(
+                    log_driver=ecs.LogDrivers.aws_logs(
+                        stream_prefix="sc-traffic"
+                    ),
                     services=[ecs.ServiceConnectService(
                         port_mapping_name="api",
-                        dns_name="http-api",
-                        port=80
+                        dns_name="customized-api",
+                        port=80,
+                        ingress_port_override=20040,
+                        discovery_name="custom"
                     )
                     ]
                 )
@@ -32500,7 +32552,9 @@ class ServiceConnectProps:
         "port_mapping_name": "portMappingName",
         "discovery_name": "discoveryName",
         "dns_name": "dnsName",
+        "idle_timeout": "idleTimeout",
         "ingress_port_override": "ingressPortOverride",
+        "per_request_timeout": "perRequestTimeout",
         "port": "port",
     },
 )
@@ -32511,7 +32565,9 @@ class ServiceConnectService:
         port_mapping_name: builtins.str,
         discovery_name: typing.Optional[builtins.str] = None,
         dns_name: typing.Optional[builtins.str] = None,
+        idle_timeout: typing.Optional[_Duration_4839e8c3] = None,
         ingress_port_override: typing.Optional[jsii.Number] = None,
+        per_request_timeout: typing.Optional[_Duration_4839e8c3] = None,
         port: typing.Optional[jsii.Number] = None,
     ) -> None:
         '''Interface for service connect Service props.
@@ -32519,7 +32575,9 @@ class ServiceConnectService:
         :param port_mapping_name: portMappingName specifies which port and protocol combination should be used for this service connect service.
         :param discovery_name: Optionally specifies an intermediate dns name to register in the CloudMap namespace. This is required if you wish to use the same port mapping name in more than one service. Default: - port mapping name
         :param dns_name: The terse DNS alias to use for this port mapping in the service connect mesh. Service Connect-enabled clients will be able to reach this service at http://dnsName:port. Default: - No alias is created. The service is reachable at ``portMappingName.namespace:port``.
+        :param idle_timeout: The amount of time in seconds a connection for Service Connect will stay active while idle. A value of 0 can be set to disable ``idleTimeout``. If ``idleTimeout`` is set to a time that is less than ``perRequestTimeout``, the connection will close when the ``idleTimeout`` is reached and not the ``perRequestTimeout``. Default: - Duration.minutes(5) for HTTP/HTTP2/GRPC, Duration.hours(1) for TCP.
         :param ingress_port_override: Optional. The port on the Service Connect agent container to use for traffic ingress to this service. Default: - none
+        :param per_request_timeout: The amount of time waiting for the upstream to respond with a complete response per request for Service Connect. A value of 0 can be set to disable ``perRequestTimeout``. Can only be set when the ``appProtocol`` for the application container is HTTP/HTTP2/GRPC. If ``idleTimeout`` is set to a time that is less than ``perRequestTimeout``, the connection will close when the ``idleTimeout`` is reached and not the ``perRequestTimeout``. Default: - Duration.seconds(15)
         :param port: The port for clients to use to communicate with this service via Service Connect. Default: the container port specified by the port mapping in portMappingName.
 
         :exampleMetadata: fixture=_generated
@@ -32528,6 +32586,7 @@ class ServiceConnectService:
 
             # The code below shows an example of how to instantiate this type.
             # The values are placeholders you should change.
+            import aws_cdk as cdk
             from aws_cdk import aws_ecs as ecs
             
             service_connect_service = ecs.ServiceConnectService(
@@ -32536,7 +32595,9 @@ class ServiceConnectService:
                 # the properties below are optional
                 discovery_name="discoveryName",
                 dns_name="dnsName",
+                idle_timeout=cdk.Duration.minutes(30),
                 ingress_port_override=123,
+                per_request_timeout=cdk.Duration.minutes(30),
                 port=123
             )
         '''
@@ -32545,7 +32606,9 @@ class ServiceConnectService:
             check_type(argname="argument port_mapping_name", value=port_mapping_name, expected_type=type_hints["port_mapping_name"])
             check_type(argname="argument discovery_name", value=discovery_name, expected_type=type_hints["discovery_name"])
             check_type(argname="argument dns_name", value=dns_name, expected_type=type_hints["dns_name"])
+            check_type(argname="argument idle_timeout", value=idle_timeout, expected_type=type_hints["idle_timeout"])
             check_type(argname="argument ingress_port_override", value=ingress_port_override, expected_type=type_hints["ingress_port_override"])
+            check_type(argname="argument per_request_timeout", value=per_request_timeout, expected_type=type_hints["per_request_timeout"])
             check_type(argname="argument port", value=port, expected_type=type_hints["port"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "port_mapping_name": port_mapping_name,
@@ -32554,8 +32617,12 @@ class ServiceConnectService:
             self._values["discovery_name"] = discovery_name
         if dns_name is not None:
             self._values["dns_name"] = dns_name
+        if idle_timeout is not None:
+            self._values["idle_timeout"] = idle_timeout
         if ingress_port_override is not None:
             self._values["ingress_port_override"] = ingress_port_override
+        if per_request_timeout is not None:
+            self._values["per_request_timeout"] = per_request_timeout
         if port is not None:
             self._values["port"] = port
 
@@ -32589,6 +32656,20 @@ class ServiceConnectService:
         result = self._values.get("dns_name")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def idle_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The amount of time in seconds a connection for Service Connect will stay active while idle.
+
+        A value of 0 can be set to disable ``idleTimeout``.
+
+        If ``idleTimeout`` is set to a time that is less than ``perRequestTimeout``, the connection will close
+        when the ``idleTimeout`` is reached and not the ``perRequestTimeout``.
+
+        :default: - Duration.minutes(5) for HTTP/HTTP2/GRPC, Duration.hours(1) for TCP.
+        '''
+        result = self._values.get("idle_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
     @builtins.property
     def ingress_port_override(self) -> typing.Optional[jsii.Number]:
         '''Optional.
@@ -32600,6 +32681,21 @@ class ServiceConnectService:
         result = self._values.get("ingress_port_override")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def per_request_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The amount of time waiting for the upstream to respond with a complete response per request for Service Connect.
+
+        A value of 0 can be set to disable ``perRequestTimeout``.
+        Can only be set when the ``appProtocol`` for the application container is HTTP/HTTP2/GRPC.
+
+        If ``idleTimeout`` is set to a time that is less than ``perRequestTimeout``, the connection will close
+        when the ``idleTimeout`` is reached and not the ``perRequestTimeout``.
+
+        :default: - Duration.seconds(15)
+        '''
+        result = self._values.get("per_request_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
     @builtins.property
     def port(self) -> typing.Optional[jsii.Number]:
         '''The port for clients to use to communicate with this service via Service Connect.
@@ -38464,7 +38560,7 @@ class Ec2Service(
         :param id: -
         :param task_definition: The task definition to use for tasks in the service. [disable-awslint:ref-via-interface]
         :param assign_public_ip: Specifies whether the task's elastic network interface receives a public IP address. If true, each task will receive a public IP address. This property is only used for tasks that use the awsvpc network mode. Default: false
-        :param daemon: Specifies whether the service will use the daemon scheduling strategy. If true, the service scheduler deploys exactly one task on each container instance in your cluster. When you are using this strategy, do not specify a desired number of tasks orany task placement strategies. Default: false
+        :param daemon: Specifies whether the service will use the daemon scheduling strategy. If true, the service scheduler deploys exactly one task on each container instance in your cluster. When you are using this strategy, do not specify a desired number of tasks or any task placement strategies. Default: false
         :param placement_constraints: The placement constraints to use for tasks in the service. For more information, see `Amazon ECS Task Placement Constraints <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-constraints.html>`_. Default: - No constraints.
         :param placement_strategies: The placement strategies to use for tasks in the service. For more information, see `Amazon ECS Task Placement Strategies <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-strategies.html>`_. Default: - No strategies.
         :param security_groups: The security groups to associate with the service. If you do not specify a security group, a new security group is created. This property is only used for tasks that use the awsvpc network mode. Default: - A new security group is created.
@@ -39300,33 +39396,27 @@ class FargateService(
         
         # cluster: ecs.Cluster
         # task_definition: ecs.TaskDefinition
+        # elb_alarm: cw.Alarm
+        
         
-        service_name = "MyFargateService"
         service = ecs.FargateService(self, "Service",
-            service_name=service_name,
             cluster=cluster,
-            task_definition=task_definition
+            task_definition=task_definition,
+            deployment_alarms=ecs.DeploymentAlarmConfig(
+                alarm_names=[elb_alarm.alarm_name],
+                behavior=ecs.AlarmBehavior.ROLLBACK_ON_ALARM
+            )
         )
         
-        cpu_metric = cw.Metric(
-            metric_name="CPUUtilization",
-            namespace="AWS/ECS",
-            period=Duration.minutes(5),
-            statistic="Average",
-            dimensions_map={
-                "ClusterName": cluster.cluster_name,
-                # Using `service.serviceName` here will cause a circular dependency
-                "ServiceName": service_name
-            }
-        )
-        my_alarm = cw.Alarm(self, "CPUAlarm",
-            alarm_name="cpuAlarmName",
-            metric=cpu_metric,
+        # Defining a deployment alarm after the service has been created
+        cpu_alarm_name = "MyCpuMetricAlarm"
+        cw.Alarm(self, "CPUAlarm",
+            alarm_name=cpu_alarm_name,
+            metric=service.metric_cpu_utilization(),
             evaluation_periods=2,
             threshold=80
         )
-        
-        service.enable_deployment_alarms([my_alarm.alarm_name],
+        service.enable_deployment_alarms([cpu_alarm_name],
             behavior=ecs.AlarmBehavior.FAIL_ON_ALARM
         )
     '''
@@ -40983,6 +41073,7 @@ def _typecheckingstub__d367f5be98d90056ca7f199c577c5744b20417ce5d1c8ad339824ec9d
     name: builtins.str,
     command: typing.Optional[typing.Sequence[builtins.str]] = None,
     cpu: typing.Optional[jsii.Number] = None,
+    credential_specs: typing.Optional[typing.Sequence[builtins.str]] = None,
     depends_on: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnTaskDefinition.ContainerDependencyProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     disable_networking: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     dns_search_domains: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -42859,7 +42950,9 @@ def _typecheckingstub__5fc70dc513eac25b19e79ac6e7ba5dc61662a4299bbba170094fabb95
     port_mapping_name: builtins.str,
     discovery_name: typing.Optional[builtins.str] = None,
     dns_name: typing.Optional[builtins.str] = None,
+    idle_timeout: typing.Optional[_Duration_4839e8c3] = None,
     ingress_port_override: typing.Optional[jsii.Number] = None,
+    per_request_timeout: typing.Optional[_Duration_4839e8c3] = None,
     port: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""