aws-cdk-lib 2.73.0__py3-none-any.whl → 2.76.0__py3-none-any.whl

aws_cdk/aws_ecs/__init__.py

@@ -738,22 +738,22 @@ The feature flag changes behavior for the entire CDK project. Therefore it is no
 declare const cluster: ecs.Cluster;
 
 // Import service from EC2 service attributes
-const service = ecs.Ec2Service.fromEc2ServiceAttributes(stack, 'EcsService', {
+const service = ecs.Ec2Service.fromEc2ServiceAttributes(this, 'EcsService', {
   serviceArn: 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service',
   cluster,
 });
 
 // Import service from EC2 service ARN
-const service = ecs.Ec2Service.fromEc2ServiceArn(stack, 'EcsService', 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service');
+const service = ecs.Ec2Service.fromEc2ServiceArn(this, 'EcsService', 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service');
 
 // Import service from Fargate service attributes
-const service = ecs.FargateService.fromFargateServiceAttributes(stack, 'EcsService', {
+const service = ecs.FargateService.fromFargateServiceAttributes(this, 'EcsService', {
   serviceArn: 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service',
   cluster,
 });
 
 // Import service from Fargate service ARN
-const service = ecs.FargateService.fromFargateServiceArn(stack, 'EcsService', 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service');
+const service = ecs.FargateService.fromFargateServiceArn(this, 'EcsService', 'arn:aws:ecs:us-west-2:123456789012:service/my-http-service');
 ```
 
 ## Task Auto-Scaling
@@ -1168,11 +1168,10 @@ For more information visit https://docs.aws.amazon.com/AmazonECS/latest/develope
 When the service does not have a capacity provider strategy, the cluster's default capacity provider strategy will be used. Default Capacity Provider Strategy can be added by using the method `addDefaultCapacityProviderStrategy`. A capacity provider strategy cannot contain a mix of EC2 Autoscaling Group capacity providers and Fargate providers.
 
 ```python
-# Example automatically generated from non-compiling source. May contain errors.
-# capacity_provider: ecs.CapacityProvider
+# capacity_provider: ecs.AsgCapacityProvider
 
 
-cluster = ecs.Cluster(stack, "EcsCluster",
+cluster = ecs.Cluster(self, "EcsCluster",
     enable_fargate_capacity_providers=True
 )
 cluster.add_asg_capacity_provider(capacity_provider)
@@ -1182,11 +1181,10 @@ cluster.add_default_capacity_provider_strategy([capacity_provider="FARGATE", bas
 ```
 
 ```python
-# Example automatically generated from non-compiling source. May contain errors.
-# capacity_provider: ecs.CapacityProvider
+# capacity_provider: ecs.AsgCapacityProvider
 
 
-cluster = ecs.Cluster(stack, "EcsCluster",
+cluster = ecs.Cluster(self, "EcsCluster",
     enable_fargate_capacity_providers=True
 )
 cluster.add_asg_capacity_provider(capacity_provider)
@@ -1303,19 +1301,18 @@ To enable Service Connect, you must have created a CloudMap namespace. The CDK c
 or you can specify a custom namespace. You must also have created a named port mapping on at least one container in your Task Definition.
 
 ```python
-# Example automatically generated from non-compiling source. May contain errors.
 # cluster: ecs.Cluster
 # task_definition: ecs.TaskDefinition
-# container: ecs.ContainerDefinition
+# container_options: ecs.ContainerDefinitionOptions
+
 
+container = task_definition.add_container("MyContainer", container_options)
 
 container.add_port_mappings(
     name="api",
     container_port=8080
 )
 
-task_definition.add_container(container)
-
 cluster.add_default_cloud_map_namespace(
     name="local"
 )
@@ -1340,7 +1337,10 @@ be routed to the container's port 8080.
 To opt a service into using service connect without advertising a port, simply call the 'enableServiceConnect' method on an initialized service.
 
 ```python
-# Example automatically generated from non-compiling source. May contain errors.
+# cluster: ecs.Cluster
+# task_definition: ecs.TaskDefinition
+
+
 service = ecs.FargateService(self, "Service",
     cluster=cluster,
     task_definition=task_definition
@@ -1351,12 +1351,15 @@ service.enable_service_connect()
 Service Connect also allows custom logging, Service Discovery name, and configuration of the port where service connect traffic is received.
 
 ```python
-# Example automatically generated from non-compiling source. May contain errors.
+# cluster: ecs.Cluster
+# task_definition: ecs.TaskDefinition
+
+
 custom_service = ecs.FargateService(self, "CustomizedService",
     cluster=cluster,
     task_definition=task_definition,
     service_connect_configuration=ecs.ServiceConnectProps(
-        log_driver=ecs.LogDrivers.awslogs(
+        log_driver=ecs.LogDrivers.aws_logs(
             stream_prefix="sc-traffic"
         ),
         services=[ecs.ServiceConnectService(
@@ -1385,6 +1388,23 @@ task_definition.add_container("TheContainer",
     pseudo_terminal=True
 )
 ```
+
+## Specify a container ulimit
+
+You can specify a container `ulimits` by specifying them in the `ulimits` option while adding the container
+to the task definition.
+
+```python
+task_definition = ecs.Ec2TaskDefinition(self, "TaskDef")
+task_definition.add_container("TheContainer",
+    image=ecs.ContainerImage.from_registry("example-image"),
+    ulimits=[ecs.Ulimit(
+        hard_limit=128,
+        name=ecs.UlimitName.RSS,
+        soft_limit=128
+    )]
+)
+```
 '''
 import abc
 import builtins
@@ -3234,8 +3254,12 @@ class AssetImageProps(_DockerImageAssetOptions_9580cd76):
 
         Example::
 
-            # Example automatically generated from non-compiling source. May contain errors.
-                "MY_SECRET"DockerBuildSecret.from_src("file.txt")
+            from aws_cdk import DockerBuildSecret
+            
+            
+            build_secrets = {
+                "MY_SECRET": DockerBuildSecret.from_src("file.txt")
+            }
         '''
         result = self._values.get("build_secrets")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
@@ -5078,7 +5102,7 @@ class CfnCapacityProvider(
 
             :param auto_scaling_group_arn: The Amazon Resource Name (ARN) that identifies the Auto Scaling group.
             :param managed_scaling: The managed scaling settings for the Auto Scaling group capacity provider.
-            :param managed_termination_protection: The managed termination protection setting to use for the Auto Scaling group capacity provider. This determines whether the Auto Scaling group has managed termination protection. The default is off. .. epigraph:: When using managed termination protection, managed scaling must also be used otherwise managed termination protection doesn't work. When managed termination protection is on, Amazon ECS prevents the Amazon EC2 instances in an Auto Scaling group that contain tasks from being terminated during a scale-in action. The Auto Scaling group and each instance in the Auto Scaling group must have instance protection from scale-in actions enabled as well. For more information, see `Instance Protection <https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html#instance-protection>`_ in the *AWS Auto Scaling User Guide* . When managed termination protection is off, your Amazon EC2 instances aren't protected from termination when the Auto Scaling group scales in.
+            :param managed_termination_protection: The managed termination protection setting to use for the Auto Scaling group capacity provider. This determines whether the Auto Scaling group has managed termination protection. The default is off. .. epigraph:: When using managed termination protection, managed scaling must also be used otherwise managed termination protection doesn't work. When managed termination protection is on, Amazon ECS prevents the Amazon EC2 instances in an Auto Scaling group that contain tasks from being terminated during a scale-in action. The Auto Scaling group and each instance in the Auto Scaling group must have instance protection from scale-in actions on as well. For more information, see `Instance Protection <https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html#instance-protection>`_ in the *AWS Auto Scaling User Guide* . When managed termination protection is off, your Amazon EC2 instances aren't protected from termination when the Auto Scaling group scales in.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-capacityprovider-autoscalinggroupprovider.html
             :exampleMetadata: fixture=_generated
@@ -5146,7 +5170,7 @@ class CfnCapacityProvider(
 
                When using managed termination protection, managed scaling must also be used otherwise managed termination protection doesn't work.
 
-            When managed termination protection is on, Amazon ECS prevents the Amazon EC2 instances in an Auto Scaling group that contain tasks from being terminated during a scale-in action. The Auto Scaling group and each instance in the Auto Scaling group must have instance protection from scale-in actions enabled as well. For more information, see `Instance Protection <https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html#instance-protection>`_ in the *AWS Auto Scaling User Guide* .
+            When managed termination protection is on, Amazon ECS prevents the Amazon EC2 instances in an Auto Scaling group that contain tasks from being terminated during a scale-in action. The Auto Scaling group and each instance in the Auto Scaling group must have instance protection from scale-in actions on as well. For more information, see `Instance Protection <https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-instance-termination.html#instance-protection>`_ in the *AWS Auto Scaling User Guide* .
 
             When managed termination protection is off, your Amazon EC2 instances aren't protected from termination when the Auto Scaling group scales in.
 
@@ -5189,7 +5213,7 @@ class CfnCapacityProvider(
         ) -> None:
             '''The managed scaling settings for the Auto Scaling group capacity provider.
 
-            When managed scaling is enabled, Amazon ECS manages the scale-in and scale-out actions of the Auto Scaling group. Amazon ECS manages a target tracking scaling policy using an Amazon ECS managed CloudWatch metric with the specified ``targetCapacity`` value as the target value for the metric. For more information, see `Using managed scaling <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/asg-capacity-providers.html#asg-capacity-providers-managed-scaling>`_ in the *Amazon Elastic Container Service Developer Guide* .
+            When managed scaling is turned on, Amazon ECS manages the scale-in and scale-out actions of the Auto Scaling group. Amazon ECS manages a target tracking scaling policy using an Amazon ECS managed CloudWatch metric with the specified ``targetCapacity`` value as the target value for the metric. For more information, see `Using managed scaling <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/asg-capacity-providers.html#asg-capacity-providers-managed-scaling>`_ in the *Amazon Elastic Container Service Developer Guide* .
 
             If managed scaling is off, the user must manage the scaling of the Auto Scaling group.
 
@@ -5908,8 +5932,8 @@ class CfnCluster(
 
             This parameter is used to turn on CloudWatch Container Insights for a cluster.
 
-            :param name: The name of the cluster setting. The only supported value is ``containerInsights`` .
-            :param value: The value to set for the cluster setting. The supported values are ``enabled`` and ``disabled`` . If ``enabled`` is specified, CloudWatch Container Insights will be enabled for the cluster, otherwise it will be off unless the ``containerInsights`` account setting is turned on. If a cluster value is specified, it will override the ``containerInsights`` value set with `PutAccountSetting <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutAccountSetting.html>`_ or `PutAccountSettingDefault <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutAccountSettingDefault.html>`_ .
+            :param name: The name of the cluster setting. The value is ``containerInsights`` .
+            :param value: The value to set for the cluster setting. The supported values are ``enabled`` and ``disabled`` . If you set ``name`` to ``containerInsights`` and ``value`` to ``enabled`` , CloudWatch Container Insights will be on for the cluster, otherwise it will be off unless the ``containerInsights`` account setting is turned on. If a cluster value is specified, it will override the ``containerInsights`` value set with `PutAccountSetting <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutAccountSetting.html>`_ or `PutAccountSettingDefault <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutAccountSettingDefault.html>`_ .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-cluster-clustersettings.html
             :exampleMetadata: fixture=_generated
@@ -5939,7 +5963,7 @@ class CfnCluster(
         def name(self) -> typing.Optional[builtins.str]:
             '''The name of the cluster setting.
 
-            The only supported value is ``containerInsights`` .
+            The value is ``containerInsights`` .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-cluster-clustersettings.html#cfn-ecs-cluster-clustersettings-name
             '''
@@ -5948,9 +5972,9 @@ class CfnCluster(
 
         @builtins.property
         def value(self) -> typing.Optional[builtins.str]:
-            '''The value to set for the cluster setting.
+            '''The value to set for the cluster setting. The supported values are ``enabled`` and ``disabled`` .
 
-            The supported values are ``enabled`` and ``disabled`` . If ``enabled`` is specified, CloudWatch Container Insights will be enabled for the cluster, otherwise it will be off unless the ``containerInsights`` account setting is turned on. If a cluster value is specified, it will override the ``containerInsights`` value set with `PutAccountSetting <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutAccountSetting.html>`_ or `PutAccountSettingDefault <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutAccountSettingDefault.html>`_ .
+            If you set ``name`` to ``containerInsights`` and ``value`` to ``enabled`` , CloudWatch Container Insights will be on for the cluster, otherwise it will be off unless the ``containerInsights`` account setting is turned on. If a cluster value is specified, it will override the ``containerInsights`` value set with `PutAccountSetting <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutAccountSetting.html>`_ or `PutAccountSettingDefault <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PutAccountSettingDefault.html>`_ .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-cluster-clustersettings.html#cfn-ecs-cluster-clustersettings-value
             '''
@@ -6223,7 +6247,7 @@ class CfnCluster(
 
             Tasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see `Service Connect <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
 
-            :param namespace: The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/). If you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region. If you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the "API calls" method of instance discovery only. This instance discovery method is the "HTTP" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect. If you update the service with an empty string ``""`` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately. For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/>`_ in the *AWS Cloud Map Developer Guide* .
+            :param namespace: The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace that's used when you create a service and don't specify a Service Connect configuration. The namespace name can include up to 1024 characters. The name is case-sensitive. The name can't include hyphens (-), tilde (~), greater than (>), less than (<), or slash (/). If you enter an existing namespace name or ARN, then that namespace will be used. Any namespace type is supported. The namespace must be in this account and this AWS Region. If you enter a new name, a AWS Cloud Map namespace will be created. Amazon ECS creates a AWS Cloud Map namespace with the "API calls" method of instance discovery only. This instance discovery method is the "HTTP" namespace type in the AWS Command Line Interface . Other types of instance discovery aren't used by Service Connect. If you update the service with an empty string ``""`` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately. For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html>`_ in the *AWS Cloud Map Developer Guide* .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-cluster-serviceconnectdefaults.html
             :exampleMetadata: fixture=_generated
@@ -6257,7 +6281,7 @@ class CfnCluster(
 
             If you update the service with an empty string ``""`` for the namespace name, the cluster configuration for Service Connect is removed. Note that the namespace will remain in AWS Cloud Map and must be deleted separately.
 
-            For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/>`_ in the *AWS Cloud Map Developer Guide* .
+            For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html>`_ in the *AWS Cloud Map Developer Guide* .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-cluster-serviceconnectdefaults.html#cfn-ecs-cluster-serviceconnectdefaults-namespace
             '''
@@ -7239,7 +7263,7 @@ class CfnService(
         :param deployment_controller: The deployment controller to use for the service. If no deployment controller is specified, the default value of ``ECS`` is used.
         :param desired_count: The number of instantiations of the specified task definition to place and keep running on your cluster. For new services, if a desired count is not specified, a default value of ``1`` is used. When using the ``DAEMON`` scheduling strategy, the desired count is not required. For existing services, if a desired count is not specified, it is omitted from the operation.
         :param enable_ecs_managed_tags: Specifies whether to turn on Amazon ECS managed tags for the tasks within the service. For more information, see `Tagging your Amazon ECS resources <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
-        :param enable_execute_command: Determines whether the execute command functionality is enabled for the service. If ``true`` , the execute command functionality is enabled for all containers in tasks as part of the service.
+        :param enable_execute_command: Determines whether the execute command functionality is turned on for the service. If ``true`` , the execute command functionality is turned on for all containers in tasks as part of the service.
         :param health_check_grace_period_seconds: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. This is only used when your service is configured to use a load balancer. If your service has a load balancer defined and you don't specify a health check grace period value, the default value of ``0`` is used. If you do not use an Elastic Load Balancing, we recommend that you use the ``startPeriod`` in the task definition health check parameters. For more information, see `Health check <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_HealthCheck.html>`_ . If your service's tasks take a while to start and respond to Elastic Load Balancing health checks, you can specify a health check grace period of up to 2,147,483,647 seconds (about 69 years). During that time, the Amazon ECS service scheduler ignores health check status. This grace period can prevent the service scheduler from marking tasks as unhealthy and stopping them before they have time to come up.
         :param launch_type: The launch type on which to run your service. For more information, see `Amazon ECS Launch Types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
         :param load_balancers: A list of load balancer objects to associate with the service. If you specify the ``Role`` property, ``LoadBalancers`` must be specified as well. For information about the number of load balancers that you can specify per service, see `Service Load Balancing <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
@@ -7254,7 +7278,7 @@ class CfnService(
         :param service_name: The name of your service. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. Service names must be unique within a cluster, but you can have similarly named services in multiple clusters within a Region or across multiple Regions. .. epigraph:: The stack update fails if you change any properties that require replacement and the ``ServiceName`` is configured. This is because AWS CloudFormation creates the replacement service first, but each ``ServiceName`` must be unique in the cluster.
         :param service_registries: The details of the service discovery registry to associate with this service. For more information, see `Service discovery <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html>`_ . .. epigraph:: Each service may be associated with one service registry. Multiple service registries for each service isn't supported.
         :param tags: The metadata that you apply to the service to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. When a service is deleted, the tags are deleted as well. The following basic restrictions apply to tags: - Maximum number of tags per resource - 50 - For each resource, each tag key must be unique, and each tag key can have only one value. - Maximum key length - 128 Unicode characters in UTF-8 - Maximum value length - 256 Unicode characters in UTF-8 - If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @. - Tag keys and values are case-sensitive. - Do not use ``aws:`` , ``AWS:`` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
-        :param task_definition: The ``family`` and ``revision`` ( ``family:revision`` ) or full ARN of the task definition to run in your service. If a ``revision`` isn't specified, the latest ``ACTIVE`` revision is used. A task definition must be specified if the service uses either the ``ECS`` or ``CODE_DEPLOY`` deployment controllers.
+        :param task_definition: The ``family`` and ``revision`` ( ``family:revision`` ) or full ARN of the task definition to run in your service. If a ``revision`` isn't specified, the latest ``ACTIVE`` revision is used. A task definition must be specified if the service uses either the ``ECS`` or ``CODE_DEPLOY`` deployment controllers. For more information about deployment types, see `Amazon ECS deployment types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html>`_ .
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ec1192a1d20e03deef75c7fa1457b92ecf9506c5c5df97b5a4473fc3a9a714ef)
@@ -7496,9 +7520,9 @@ class CfnService(
     def enable_execute_command(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Determines whether the execute command functionality is enabled for the service.
+        '''Determines whether the execute command functionality is turned on for the service.
 
-        If ``true`` , the execute command functionality is enabled for all containers in tasks as part of the service.
+        If ``true`` , the execute command functionality is turned on for all containers in tasks as part of the service.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-enableexecutecommand
         '''
@@ -7811,6 +7835,8 @@ class CfnService(
 
         A task definition must be specified if the service uses either the ``ECS`` or ``CODE_DEPLOY`` deployment controllers.
 
+        For more information about deployment types, see `Amazon ECS deployment types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html>`_ .
+
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-taskdefinition
         '''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "taskDefinition"))
@@ -8147,7 +8173,7 @@ class CfnService(
 
    The deployment circuit breaker can only be used for services using the rolling update ( ``ECS`` ) deployment type.
 
-            The *deployment circuit breaker* determines whether a service deployment will fail if the service can't reach a steady state. If enabled, a service deployment will transition to a failed state and stop launching new tasks. You can also configure Amazon ECS to roll back your service to the last completed deployment after a failure. For more information, see `Rolling update <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-ecs.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
+            The *deployment circuit breaker* determines whether a service deployment will fail if the service can't reach a steady state. If it is turned on, a service deployment will transition to a failed state and stop launching new tasks. You can also configure Amazon ECS to roll back your service to the last completed deployment after a failure. For more information, see `Rolling update <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-type-ecs.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
 
             :param enable: Determines whether to use the deployment circuit breaker logic for the service.
             :param rollback: Determines whether to configure Amazon ECS to roll back the service if a service deployment fails. If rollback is on, when a service deployment fails, the service is rolled back to the last deployment that completed successfully.
@@ -9072,7 +9098,7 @@ class CfnService(
 
             :param enabled: Specifies whether to use Service Connect with this service.
             :param log_configuration: ``CfnService.ServiceConnectConfigurationProperty.LogConfiguration``.
-            :param namespace: The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace for use with Service Connect. The namespace must be in the same AWS Region as the Amazon ECS service and cluster. The type of namespace doesn't affect Service Connect. For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/>`_ in the *AWS Cloud Map Developer Guide* .
+            :param namespace: The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace for use with Service Connect. The namespace must be in the same AWS Region as the Amazon ECS service and cluster. The type of namespace doesn't affect Service Connect. For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html>`_ in the *AWS Cloud Map Developer Guide* .
             :param services: The list of Service Connect service objects. These are names and aliases (also known as endpoints) that are used by other Amazon ECS services to connect to this service. This field is not required for a "client" Amazon ECS service that's a member of a namespace only to connect to other services within the namespace. An example of this would be a frontend application that accepts incoming requests from either a load balancer that's attached to the service or by other means. An object selects a port from the task definition, assigns a name for the AWS Cloud Map service, and a list of aliases (endpoints) and ports for client applications to refer to this service.
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-service-serviceconnectconfiguration.html
@@ -9155,7 +9181,7 @@ class CfnService(
         def namespace(self) -> typing.Optional[builtins.str]:
             '''The namespace name or full Amazon Resource Name (ARN) of the AWS Cloud Map namespace for use with Service Connect.
 
-            The namespace must be in the same AWS Region as the Amazon ECS service and cluster. The type of namespace doesn't affect Service Connect. For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/>`_ in the *AWS Cloud Map Developer Guide* .
+            The namespace must be in the same AWS Region as the Amazon ECS service and cluster. The type of namespace doesn't affect Service Connect. For more information about AWS Cloud Map , see `Working with Services <https://docs.aws.amazon.com/cloud-map/latest/dg/working-with-services.html>`_ in the *AWS Cloud Map Developer Guide* .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-service-serviceconnectconfiguration.html#cfn-ecs-service-serviceconnectconfiguration-namespace
             '''
@@ -9502,7 +9528,7 @@ class CfnServiceProps:
         :param deployment_controller: The deployment controller to use for the service. If no deployment controller is specified, the default value of ``ECS`` is used.
         :param desired_count: The number of instantiations of the specified task definition to place and keep running on your cluster. For new services, if a desired count is not specified, a default value of ``1`` is used. When using the ``DAEMON`` scheduling strategy, the desired count is not required. For existing services, if a desired count is not specified, it is omitted from the operation.
         :param enable_ecs_managed_tags: Specifies whether to turn on Amazon ECS managed tags for the tasks within the service. For more information, see `Tagging your Amazon ECS resources <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
-        :param enable_execute_command: Determines whether the execute command functionality is enabled for the service. If ``true`` , the execute command functionality is enabled for all containers in tasks as part of the service.
+        :param enable_execute_command: Determines whether the execute command functionality is turned on for the service. If ``true`` , the execute command functionality is turned on for all containers in tasks as part of the service.
         :param health_check_grace_period_seconds: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. This is only used when your service is configured to use a load balancer. If your service has a load balancer defined and you don't specify a health check grace period value, the default value of ``0`` is used. If you do not use an Elastic Load Balancing, we recommend that you use the ``startPeriod`` in the task definition health check parameters. For more information, see `Health check <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_HealthCheck.html>`_ . If your service's tasks take a while to start and respond to Elastic Load Balancing health checks, you can specify a health check grace period of up to 2,147,483,647 seconds (about 69 years). During that time, the Amazon ECS service scheduler ignores health check status. This grace period can prevent the service scheduler from marking tasks as unhealthy and stopping them before they have time to come up.
         :param launch_type: The launch type on which to run your service. For more information, see `Amazon ECS Launch Types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
         :param load_balancers: A list of load balancer objects to associate with the service. If you specify the ``Role`` property, ``LoadBalancers`` must be specified as well. For information about the number of load balancers that you can specify per service, see `Service Load Balancing <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
@@ -9517,7 +9543,7 @@ class CfnServiceProps:
         :param service_name: The name of your service. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. Service names must be unique within a cluster, but you can have similarly named services in multiple clusters within a Region or across multiple Regions. .. epigraph:: The stack update fails if you change any properties that require replacement and the ``ServiceName`` is configured. This is because AWS CloudFormation creates the replacement service first, but each ``ServiceName`` must be unique in the cluster.
         :param service_registries: The details of the service discovery registry to associate with this service. For more information, see `Service discovery <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-discovery.html>`_ . .. epigraph:: Each service may be associated with one service registry. Multiple service registries for each service isn't supported.
         :param tags: The metadata that you apply to the service to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. When a service is deleted, the tags are deleted as well. The following basic restrictions apply to tags: - Maximum number of tags per resource - 50 - For each resource, each tag key must be unique, and each tag key can have only one value. - Maximum key length - 128 Unicode characters in UTF-8 - Maximum value length - 256 Unicode characters in UTF-8 - If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @. - Tag keys and values are case-sensitive. - Do not use ``aws:`` , ``AWS:`` , or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for AWS use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
-        :param task_definition: The ``family`` and ``revision`` ( ``family:revision`` ) or full ARN of the task definition to run in your service. If a ``revision`` isn't specified, the latest ``ACTIVE`` revision is used. A task definition must be specified if the service uses either the ``ECS`` or ``CODE_DEPLOY`` deployment controllers.
+        :param task_definition: The ``family`` and ``revision`` ( ``family:revision`` ) or full ARN of the task definition to run in your service. If a ``revision`` isn't specified, the latest ``ACTIVE`` revision is used. A task definition must be specified if the service uses either the ``ECS`` or ``CODE_DEPLOY`` deployment controllers. For more information about deployment types, see `Amazon ECS deployment types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html>`_ .
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html
         :exampleMetadata: fixture=_generated
@@ -9782,9 +9808,9 @@ class CfnServiceProps:
     def enable_execute_command(
         self,
     ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-        '''Determines whether the execute command functionality is enabled for the service.
+        '''Determines whether the execute command functionality is turned on for the service.
 
-        If ``true`` , the execute command functionality is enabled for all containers in tasks as part of the service.
+        If ``true`` , the execute command functionality is turned on for all containers in tasks as part of the service.
 
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-enableexecutecommand
         '''
@@ -9996,6 +10022,8 @@ class CfnServiceProps:
 
         A task definition must be specified if the service uses either the ``ECS`` or ``CODE_DEPLOY`` deployment controllers.
 
+        For more information about deployment types, see `Amazon ECS deployment types <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/deployment-types.html>`_ .
+
         :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-taskdefinition
         '''
         result = self._values.get("task_definition")
@@ -10779,8 +10807,8 @@ class CfnTaskDefinition(
         ) -> None:
             '''The authorization configuration details for the Amazon EFS file system.
 
-            :param access_point_id: The Amazon EFS access point ID to use. If an access point is specified, the root directory value specified in the ``EFSVolumeConfiguration`` must either be omitted or set to ``/`` which will enforce the path set on the EFS access point. If an access point is used, transit encryption must be enabled in the ``EFSVolumeConfiguration`` . For more information, see `Working with Amazon EFS access points <https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html>`_ in the *Amazon Elastic File System User Guide* .
-            :param iam: Determines whether to use the Amazon ECS task role defined in a task definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the ``EFSVolumeConfiguration`` . If this parameter is omitted, the default value of ``DISABLED`` is used. For more information, see `Using Amazon EFS access points <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#efs-volume-accesspoints>`_ in the *Amazon Elastic Container Service Developer Guide* .
+            :param access_point_id: The Amazon EFS access point ID to use. If an access point is specified, the root directory value specified in the ``EFSVolumeConfiguration`` must either be omitted or set to ``/`` which will enforce the path set on the EFS access point. If an access point is used, transit encryption must be on in the ``EFSVolumeConfiguration`` . For more information, see `Working with Amazon EFS access points <https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html>`_ in the *Amazon Elastic File System User Guide* .
+            :param iam: Determines whether to use the Amazon ECS task role defined in a task definition when mounting the Amazon EFS file system. If it is turned on, transit encryption must be turned on in the ``EFSVolumeConfiguration`` . If this parameter is omitted, the default value of ``DISABLED`` is used. For more information, see `Using Amazon EFS access points <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#efs-volume-accesspoints>`_ in the *Amazon Elastic Container Service Developer Guide* .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-authorizationconfig.html
             :exampleMetadata: fixture=_generated
@@ -10810,7 +10838,7 @@ class CfnTaskDefinition(
         def access_point_id(self) -> typing.Optional[builtins.str]:
             '''The Amazon EFS access point ID to use.
 
-            If an access point is specified, the root directory value specified in the ``EFSVolumeConfiguration`` must either be omitted or set to ``/`` which will enforce the path set on the EFS access point. If an access point is used, transit encryption must be enabled in the ``EFSVolumeConfiguration`` . For more information, see `Working with Amazon EFS access points <https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html>`_ in the *Amazon Elastic File System User Guide* .
+            If an access point is specified, the root directory value specified in the ``EFSVolumeConfiguration`` must either be omitted or set to ``/`` which will enforce the path set on the EFS access point. If an access point is used, transit encryption must be on in the ``EFSVolumeConfiguration`` . For more information, see `Working with Amazon EFS access points <https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html>`_ in the *Amazon Elastic File System User Guide* .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-authorizationconfig.html#cfn-ecs-taskdefinition-authorizationconfig-accesspointid
             '''
@@ -10821,7 +10849,7 @@ class CfnTaskDefinition(
         def iam(self) -> typing.Optional[builtins.str]:
             '''Determines whether to use the Amazon ECS task role defined in a task definition when mounting the Amazon EFS file system.
 
-            If enabled, transit encryption must be enabled in the ``EFSVolumeConfiguration`` . If this parameter is omitted, the default value of ``DISABLED`` is used. For more information, see `Using Amazon EFS access points <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#efs-volume-accesspoints>`_ in the *Amazon Elastic Container Service Developer Guide* .
+            If it is turned on, transit encryption must be turned on in the ``EFSVolumeConfiguration`` . If this parameter is omitted, the default value of ``DISABLED`` is used. For more information, see `Using Amazon EFS access points <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/efs-volumes.html#efs-volume-accesspoints>`_ in the *Amazon Elastic Container Service Developer Guide* .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-authorizationconfig.html#cfn-ecs-taskdefinition-authorizationconfig-iam
             '''
@@ -10941,7 +10969,7 @@ class CfnTaskDefinition(
             :param dns_search_domains: A list of DNS search domains that are presented to the container. This parameter maps to ``DnsSearch`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--dns-search`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . .. epigraph:: This parameter is not supported for Windows containers.
             :param dns_servers: A list of DNS servers that are presented to the container. This parameter maps to ``Dns`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--dns`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . .. epigraph:: This parameter is not supported for Windows containers.
             :param docker_labels: A key/value map of labels to add to the container. This parameter maps to ``Labels`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--label`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: ``sudo docker version --format '{{.Server.APIVersion}}'``
-            :param docker_security_options: A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems. This field isn't valid for containers in tasks using the Fargate launch type. With Windows containers, this parameter can be used to reference a credential spec file when configuring a container for Active Directory authentication. For more information, see `Using gMSAs for Windows Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows-gmsa.html>`_ in the *Amazon Elastic Container Service Developer Guide* . This parameter maps to ``SecurityOpt`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--security-opt`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . .. epigraph:: The Amazon ECS container agent running on a container instance must register with the ``ECS_SELINUX_CAPABLE=true`` or ``ECS_APPARMOR_CAPABLE=true`` environment variables before containers placed on that instance can use these security options. For more information, see `Amazon ECS Container Agent Configuration <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html>`_ in the *Amazon Elastic Container Service Developer Guide* . For more information about valid values, see `Docker Run Security Configuration <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . Valid values: "no-new-privileges" | "apparmor:PROFILE" | "label:value" | "credentialspec:CredentialSpecFilePath"
+            :param docker_security_options: A list of strings to provide custom configuration for multiple security systems. For more information about valid values, see `Docker Run Security Configuration <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . This field isn't valid for containers in tasks using the Fargate launch type. For Linux tasks on EC2, this parameter can be used to reference custom labels for SELinux and AppArmor multi-level security systems. For any tasks on EC2, this parameter can be used to reference a credential spec file that configures a container for Active Directory authentication. For more information, see `Using gMSAs for Windows Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows-gmsa.html>`_ and `Using gMSAs for Linux Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/linux-gmsa.html>`_ in the *Amazon Elastic Container Service Developer Guide* . This parameter maps to ``SecurityOpt`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--security-opt`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . .. epigraph:: The Amazon ECS container agent running on a container instance must register with the ``ECS_SELINUX_CAPABLE=true`` or ``ECS_APPARMOR_CAPABLE=true`` environment variables before containers placed on that instance can use these security options. For more information, see `Amazon ECS Container Agent Configuration <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html>`_ in the *Amazon Elastic Container Service Developer Guide* . For more information about valid values, see `Docker Run Security Configuration <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . Valid values: "no-new-privileges" | "apparmor:PROFILE" | "label:value" | "credentialspec:CredentialSpecFilePath"
             :param entry_point: .. epigraph:: Early versions of the Amazon ECS container agent don't properly handle ``entryPoint`` parameters. If you have problems using ``entryPoint`` , update your container agent or enter your commands and arguments as ``command`` array items instead. The entry point that's passed to the container. This parameter maps to ``Entrypoint`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--entrypoint`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . For more information, see `https://docs.docker.com/engine/reference/builder/#entrypoint <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/builder/#entrypoint>`_ .
             :param environment: The environment variables to pass to a container. This parameter maps to ``Env`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--env`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . .. epigraph:: We don't recommend that you use plaintext environment variables for sensitive information, such as credential data.
             :param environment_files: A list of files containing the environment variables to pass to a container. This parameter maps to the ``--env-file`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . You can specify up to ten environment files. The file must have a ``.env`` file extension. Each line in an environment file contains an environment variable in ``VARIABLE=VALUE`` format. Lines beginning with ``#`` are treated as comments and are ignored. For more information about the environment variable file syntax, see `Declare default environment variables in file <https://docs.aws.amazon.com/https://docs.docker.com/compose/env-file/>`_ . If there are environment variables specified using the ``environment`` parameter in a container definition, they take precedence over the variables contained within an environment file. If multiple environment files are specified that contain the same variable, they're processed from the top down. We recommend that you use unique variable names. For more information, see `Specifying Environment Variables <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
@@ -11378,11 +11406,13 @@ class CfnTaskDefinition(
 
         @builtins.property
         def docker_security_options(self) -> typing.Optional[typing.List[builtins.str]]:
-            '''A list of strings to provide custom labels for SELinux and AppArmor multi-level security systems.
+            '''A list of strings to provide custom configuration for multiple security systems.
+
+            For more information about valid values, see `Docker Run Security Configuration <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ . This field isn't valid for containers in tasks using the Fargate launch type.
 
-            This field isn't valid for containers in tasks using the Fargate launch type.
+            For Linux tasks on EC2, this parameter can be used to reference custom labels for SELinux and AppArmor multi-level security systems.
 
-            With Windows containers, this parameter can be used to reference a credential spec file when configuring a container for Active Directory authentication. For more information, see `Using gMSAs for Windows Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows-gmsa.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
+            For any tasks on EC2, this parameter can be used to reference a credential spec file that configures a container for Active Directory authentication. For more information, see `Using gMSAs for Windows Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/windows-gmsa.html>`_ and `Using gMSAs for Linux Containers <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/linux-gmsa.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
 
             This parameter maps to ``SecurityOpt`` in the `Create a container <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate>`_ section of the `Docker Remote API <https://docs.aws.amazon.com/https://docs.docker.com/engine/api/v1.35/>`_ and the ``--security-opt`` option to `docker run <https://docs.aws.amazon.com/https://docs.docker.com/engine/reference/run/#security-configuration>`_ .
             .. epigraph::
@@ -12216,7 +12246,7 @@ class CfnTaskDefinition(
             :param filesystem_id: The Amazon EFS file system ID to use.
             :param authorization_config: The authorization configuration details for the Amazon EFS file system.
             :param root_directory: The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume will be used. Specifying ``/`` will have the same effect as omitting this parameter. .. epigraph:: If an EFS access point is specified in the ``authorizationConfig`` , the root directory parameter must either be omitted or set to ``/`` which will enforce the path set on the EFS access point.
-            :param transit_encryption: Determines whether to use encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be enabled if Amazon EFS IAM authorization is used. If this parameter is omitted, the default value of ``DISABLED`` is used. For more information, see `Encrypting data in transit <https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html>`_ in the *Amazon Elastic File System User Guide* .
+            :param transit_encryption: Determines whether to use encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be turned on if Amazon EFS IAM authorization is used. If this parameter is omitted, the default value of ``DISABLED`` is used. For more information, see `Encrypting data in transit <https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html>`_ in the *Amazon Elastic File System User Guide* .
             :param transit_encryption_port: The port to use when sending encrypted data between the Amazon ECS host and the Amazon EFS server. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses. For more information, see `EFS mount helper <https://docs.aws.amazon.com/efs/latest/ug/efs-mount-helper.html>`_ in the *Amazon Elastic File System User Guide* .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-efsvolumeconfiguration.html
@@ -12299,7 +12329,7 @@ class CfnTaskDefinition(
         def transit_encryption(self) -> typing.Optional[builtins.str]:
             '''Determines whether to use encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server.
 
-            Transit encryption must be enabled if Amazon EFS IAM authorization is used. If this parameter is omitted, the default value of ``DISABLED`` is used. For more information, see `Encrypting data in transit <https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html>`_ in the *Amazon Elastic File System User Guide* .
+            Transit encryption must be turned on if Amazon EFS IAM authorization is used. If this parameter is omitted, the default value of ``DISABLED`` is used. For more information, see `Encrypting data in transit <https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html>`_ in the *Amazon Elastic File System User Guide* .
 
             :link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-efsvolumeconfiguration.html#cfn-ecs-taskdefinition-efsvolumeconfiguration-transitencryption
             '''
@@ -12421,7 +12451,9 @@ class CfnTaskDefinition(
             This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate . For more information, see `Fargate task storage <https://docs.aws.amazon.com/AmazonECS/latest/userguide/using_data_volumes.html>`_ in the *Amazon ECS User Guide for AWS Fargate* .
             .. epigraph::
 
-               This parameter is only supported for tasks hosted on Fargate using Linux platform version ``1.4.0`` or later. This parameter is not supported for Windows containers on Fargate.
+               For tasks using the Fargate launch type, the task requires the following platforms:
+
+               - Linux platform version ``1.4.0`` or later.
 
             :param size_in_gib: The total amount, in GiB, of ephemeral storage to set for the task. The minimum supported value is ``21`` GiB and the maximum supported value is ``200`` GiB.
 
@@ -13522,7 +13554,7 @@ class CfnTaskDefinition(
             :param app_protocol: The application protocol that's used for the port mapping. This parameter only applies to Service Connect. We recommend that you set this parameter to be consistent with the protocol that your application uses. If you set this parameter, Amazon ECS adds protocol-specific connection handling to the Service Connect proxy. If you set this parameter, Amazon ECS adds protocol-specific telemetry in the Amazon ECS console and CloudWatch. If you don't set a value for this parameter, then TCP is used. However, Amazon ECS doesn't add protocol-specific telemetry for TCP. Tasks that run in a namespace can use short names to connect to services in the namespace. Tasks can connect to services across all of the clusters in the namespace. Tasks connect through a managed proxy container that collects logs and metrics for increased visibility. Only the tasks that Amazon ECS services create are supported with Service Connect. For more information, see `Service Connect <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
             :param container_port: The port number on the container that's bound to the user-specified or automatically assigned host port. If you use containers in a task with the ``awsvpc`` or ``host`` network mode, specify the exposed ports using ``containerPort`` . If you use containers in a task with the ``bridge`` network mode and you specify a container port and not a host port, your container automatically receives a host port in the ephemeral port range. For more information, see ``hostPort`` . Port mappings that are automatically assigned in this way do not count toward the 100 reserved ports limit of a container instance.
             :param container_port_range: The port number range on the container that's bound to the dynamically mapped host port range. The following rules apply when you specify a ``containerPortRange`` : - You must use either the ``bridge`` network mode or the ``awsvpc`` network mode. - This parameter is available for both the EC2 and AWS Fargate launch types. - This parameter is available for both the Linux and Windows operating systems. - The container instance must have at least version 1.67.0 of the container agent and at least version 1.67.0-1 of the ``ecs-init`` package - You can specify a maximum of 100 port ranges per container. - You do not specify a ``hostPortRange`` . The value of the ``hostPortRange`` is set as follows: - For containers in a task with the ``awsvpc`` network mode, the ``hostPort`` is set to the same value as the ``containerPort`` . This is a static mapping strategy. - For containers in a task with the ``bridge`` network mode, the Amazon ECS agent finds open host ports from the default ephemeral range and passes it to docker to bind them to the container ports. - The ``containerPortRange`` valid values are between 1 and 65535. - A port can only be included in one port mapping per container. - You cannot specify overlapping port ranges. - The first port in the range must be less than last port in the range. - Docker recommends that you turn off the docker-proxy in the Docker daemon config file when you have a large number of ports. For more information, see `Issue #11185 <https://docs.aws.amazon.com/https://github.com/moby/moby/issues/11185>`_ on the Github website. For information about how to turn off the docker-proxy in the Docker daemon config file, see `Docker daemon <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/bootstrap_container_instance.html#bootstrap_docker_daemon>`_ in the *Amazon ECS Developer Guide* . You can call ```DescribeTasks`` <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeTasks.html>`_ to view the ``hostPortRange`` which are the host ports that are bound to the container ports.
-            :param host_port: The port number on the container instance to reserve for your container. If you specify a ``containerPortRange`` , leave this field empty and the value of the ``hostPort`` is set as follows: - For containers in a task with the ``awsvpc`` network mode, the ``hostPort`` is set to the same value as the ``containerPort`` . This is a static mapping strategy. - For containers in a task with the ``bridge`` network mode, the Amazon ECS agent finds open ports on the host and automaticaly binds them to the container ports. This is a dynamic mapping strategy. If you use containers in a task with the ``awsvpc`` or ``host`` network mode, the ``hostPort`` can either be left blank or set to the same value as the ``containerPort`` . If you use containers in a task with the ``bridge`` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the ``hostPort`` (or set it to ``0`` ) while specifying a ``containerPort`` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version. The default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under ``/proc/sys/net/ipv4/ip_local_port_range`` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range. The default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the ``remainingResources`` of `DescribeContainerInstances <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html>`_ output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.
+            :param host_port: The port number on the container instance to reserve for your container. If you specify a ``containerPortRange`` , leave this field empty and the value of the ``hostPort`` is set as follows: - For containers in a task with the ``awsvpc`` network mode, the ``hostPort`` is set to the same value as the ``containerPort`` . This is a static mapping strategy. - For containers in a task with the ``bridge`` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy. If you use containers in a task with the ``awsvpc`` or ``host`` network mode, the ``hostPort`` can either be left blank or set to the same value as the ``containerPort`` . If you use containers in a task with the ``bridge`` network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the ``hostPort`` (or set it to ``0`` ) while specifying a ``containerPort`` and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version. The default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under ``/proc/sys/net/ipv4/ip_local_port_range`` . If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range. The default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the ``remainingResources`` of `DescribeContainerInstances <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DescribeContainerInstances.html>`_ output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.
             :param name: The name that's used for the port mapping. This parameter only applies to Service Connect. This parameter is the name that you use in the ``serviceConnectConfiguration`` of a service. The name can include up to 64 characters. The characters can include lowercase letters, numbers, underscores (_), and hyphens (-). The name can't start with a hyphen. For more information, see `Service Connect <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-connect.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
             :param protocol: The protocol used for the port mapping. Valid values are ``tcp`` and ``udp`` . The default is ``tcp`` .
 
@@ -13632,7 +13664,7 @@ class CfnTaskDefinition(
             If you specify a ``containerPortRange`` , leave this field empty and the value of the ``hostPort`` is set as follows:
 
             - For containers in a task with the ``awsvpc`` network mode, the ``hostPort`` is set to the same value as the ``containerPort`` . This is a static mapping strategy.
-            - For containers in a task with the ``bridge`` network mode, the Amazon ECS agent finds open ports on the host and automaticaly binds them to the container ports. This is a dynamic mapping strategy.
+            - For containers in a task with the ``bridge`` network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.
 
             If you use containers in a task with the ``awsvpc`` or ``host`` network mode, the ``hostPort`` can either be left blank or set to the same value as the ``containerPort`` .
 
@@ -13859,7 +13891,7 @@ class CfnTaskDefinition(
         def __init__(self, *, type: builtins.str, value: builtins.str) -> None:
             '''The type and amount of a resource to assign to a container.
 
-            The supported resource types are GPUs and Elastic Inference accelerators. For more information, see `Working with GPUs on Amazon ECS <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-gpu.html>`_ or `Working with Amazon Elastic Inference on Amazon ECS <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/url-ecs-dev;ecs-inference.html>`_ in the *Amazon Elastic Container Service Developer Guide*
+            The supported resource types are GPUs and Elastic Inference accelerators. For more information, see `Working with GPUs on Amazon ECS <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-gpu.html>`_ or `Working with Amazon Elastic Inference on Amazon ECS <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-inference.html>`_ in the *Amazon Elastic Container Service Developer Guide*
 
             :param type: The type of resource to assign to a container. The supported values are ``GPU`` or ``InferenceAccelerator`` .
             :param value: The value for the specified resource type. If the ``GPU`` type is used, the value is the number of physical ``GPUs`` the Amazon ECS container agent reserves for the container. The number of GPUs that's reserved for all containers in a task can't exceed the number of available GPUs on the container instance that the task is launched on. If the ``InferenceAccelerator`` type is used, the ``value`` matches the ``deviceName`` for an `InferenceAccelerator <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_InferenceAccelerator.html>`_ specified in a task definition.
@@ -14170,7 +14202,7 @@ class CfnTaskDefinition(
             type: builtins.str,
             expression: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''An object representing a constraint on task placement in the task definition.
+            '''The constraint on task placement in the task definition.
 
             For more information, see `Task placement constraints <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-placement-constraints.html>`_ in the *Amazon Elastic Container Service Developer Guide* .
             .. epigraph::
@@ -16376,19 +16408,18 @@ class CloudMapNamespaceOptions:
 
         Example::
 
-            # Example automatically generated from non-compiling source. May contain errors.
             # cluster: ecs.Cluster
             # task_definition: ecs.TaskDefinition
-            # container: ecs.ContainerDefinition
+            # container_options: ecs.ContainerDefinitionOptions
+            
             
+            container = task_definition.add_container("MyContainer", container_options)
             
             container.add_port_mappings(
                 name="api",
                 container_port=8080
             )
             
-            task_definition.add_container(container)
-            
             cluster.add_default_cloud_map_namespace(
                 name="local"
             )
@@ -16880,7 +16911,8 @@ class ClusterProps:
                     container_definition=container_definition,
                     environment=[tasks.TaskEnvironmentVariable(name="SOME_KEY", value=sfn.JsonPath.string_at("$.SomeKey"))]
                 )],
-                launch_target=tasks.EcsFargateLaunchTarget()
+                launch_target=tasks.EcsFargateLaunchTarget(),
+                propagated_tag_source=ecs.PropagatedTagSource.TASK_DEFINITION
             )
         '''
         if isinstance(capacity, dict):
@@ -16999,6 +17031,7 @@ class ClusterProps:
     jsii_struct_bases=[],
     name_mapping={
         "task_definition_arn": "taskDefinitionArn",
+        "execution_role": "executionRole",
         "network_mode": "networkMode",
         "task_role": "taskRole",
     },
@@ -17008,12 +17041,14 @@ class CommonTaskDefinitionAttributes:
         self,
         *,
         task_definition_arn: builtins.str,
+        execution_role: typing.Optional[_IRole_235f5d8e] = None,
         network_mode: typing.Optional["NetworkMode"] = None,
         task_role: typing.Optional[_IRole_235f5d8e] = None,
     ) -> None:
         '''The common task definition attributes used across all types of task definitions.
 
         :param task_definition_arn: The arn of the task definition.
+        :param execution_role: The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf. Some tasks do not have an execution role. Default: - undefined
         :param network_mode: The networking mode to use for the containers in the task. Default: Network mode cannot be provided to the imported task.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: Permissions cannot be granted to the imported task.
 
@@ -17032,6 +17067,7 @@ class CommonTaskDefinitionAttributes:
                 task_definition_arn="taskDefinitionArn",
             
                 # the properties below are optional
+                execution_role=role,
                 network_mode=ecs.NetworkMode.NONE,
                 task_role=role
             )
@@ -17039,11 +17075,14 @@ class CommonTaskDefinitionAttributes:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__1a458c1ea772685ddb7eb49b075e7de9bed322fac4bbee8aeab1cf6b576bc995)
             check_type(argname="argument task_definition_arn", value=task_definition_arn, expected_type=type_hints["task_definition_arn"])
+            check_type(argname="argument execution_role", value=execution_role, expected_type=type_hints["execution_role"])
             check_type(argname="argument network_mode", value=network_mode, expected_type=type_hints["network_mode"])
             check_type(argname="argument task_role", value=task_role, expected_type=type_hints["task_role"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "task_definition_arn": task_definition_arn,
         }
+        if execution_role is not None:
+            self._values["execution_role"] = execution_role
         if network_mode is not None:
             self._values["network_mode"] = network_mode
         if task_role is not None:
@@ -17056,6 +17095,17 @@ class CommonTaskDefinitionAttributes:
         assert result is not None, "Required property 'task_definition_arn' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def execution_role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf.
+
+        Some tasks do not have an execution role.
+
+        :default: - undefined
+        '''
+        result = self._values.get("execution_role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+
     @builtins.property
     def network_mode(self) -> typing.Optional["NetworkMode"]:
         '''The networking mode to use for the containers in the task.
@@ -17293,7 +17343,8 @@ class Compatibility(enum.Enum):
                 placement_constraints=[
                     ecs.PlacementConstraint.member_of("blieptuut")
                 ]
-            )
+            ),
+            propagated_tag_source=ecs.PropagatedTagSource.TASK_DEFINITION
         )
     '''
 
@@ -17383,6 +17434,7 @@ class ContainerDefinition(
         start_timeout: typing.Optional[_Duration_4839e8c3] = None,
         stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> None:
@@ -17421,6 +17473,7 @@ class ContainerDefinition(
         :param start_timeout: Time duration (in seconds) to wait before giving up on resolving dependencies for a container. Default: - none
         :param stop_timeout: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. Default: - none
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
+        :param ulimits: An array of ulimits to set in the container.
         :param user: The user name to use inside the container. Default: root
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         '''
@@ -17460,6 +17513,7 @@ class ContainerDefinition(
             start_timeout=start_timeout,
             stop_timeout=stop_timeout,
             system_controls=system_controls,
+            ulimits=ulimits,
             user=user,
             working_directory=working_directory,
         )
@@ -17827,6 +17881,7 @@ class ContainerDefinition(
         "start_timeout": "startTimeout",
         "stop_timeout": "stopTimeout",
         "system_controls": "systemControls",
+        "ulimits": "ulimits",
         "user": "user",
         "working_directory": "workingDirectory",
     },
@@ -17865,6 +17920,7 @@ class ContainerDefinitionOptions:
         start_timeout: typing.Optional[_Duration_4839e8c3] = None,
         stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> None:
@@ -17899,6 +17955,7 @@ class ContainerDefinitionOptions:
         :param start_timeout: Time duration (in seconds) to wait before giving up on resolving dependencies for a container. Default: - none
         :param stop_timeout: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. Default: - none
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
+        :param ulimits: An array of ulimits to set in the container.
         :param user: The user name to use inside the container. Default: root
         :param working_directory: The working directory in which to run commands inside the container. Default: /
 
@@ -17968,6 +18025,7 @@ class ContainerDefinitionOptions:
             check_type(argname="argument start_timeout", value=start_timeout, expected_type=type_hints["start_timeout"])
             check_type(argname="argument stop_timeout", value=stop_timeout, expected_type=type_hints["stop_timeout"])
             check_type(argname="argument system_controls", value=system_controls, expected_type=type_hints["system_controls"])
+            check_type(argname="argument ulimits", value=ulimits, expected_type=type_hints["ulimits"])
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
             check_type(argname="argument working_directory", value=working_directory, expected_type=type_hints["working_directory"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
@@ -18031,6 +18089,8 @@ class ContainerDefinitionOptions:
             self._values["stop_timeout"] = stop_timeout
         if system_controls is not None:
             self._values["system_controls"] = system_controls
+        if ulimits is not None:
+            self._values["ulimits"] = ulimits
         if user is not None:
             self._values["user"] = user
         if working_directory is not None:
@@ -18357,6 +18417,12 @@ class ContainerDefinitionOptions:
         result = self._values.get("system_controls")
         return typing.cast(typing.Optional[typing.List["SystemControl"]], result)
 
+    @builtins.property
+    def ulimits(self) -> typing.Optional[typing.List["Ulimit"]]:
+        '''An array of ulimits to set in the container.'''
+        result = self._values.get("ulimits")
+        return typing.cast(typing.Optional[typing.List["Ulimit"]], result)
+
     @builtins.property
     def user(self) -> typing.Optional[builtins.str]:
         '''The user name to use inside the container.
@@ -18421,6 +18487,7 @@ class ContainerDefinitionOptions:
         "start_timeout": "startTimeout",
         "stop_timeout": "stopTimeout",
         "system_controls": "systemControls",
+        "ulimits": "ulimits",
         "user": "user",
         "working_directory": "workingDirectory",
         "task_definition": "taskDefinition",
@@ -18460,6 +18527,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
         start_timeout: typing.Optional[_Duration_4839e8c3] = None,
         stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
         working_directory: typing.Optional[builtins.str] = None,
         task_definition: "TaskDefinition",
@@ -18496,6 +18564,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
         :param start_timeout: Time duration (in seconds) to wait before giving up on resolving dependencies for a container. Default: - none
         :param stop_timeout: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. Default: - none
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
+        :param ulimits: An array of ulimits to set in the container.
         :param user: The user name to use inside the container. Default: root
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         :param task_definition: The name of the task definition that includes this container definition. [disable-awslint:ref-via-interface]
@@ -18578,6 +18647,11 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
                     namespace="namespace",
                     value="value"
                 )],
+                ulimits=[ecs.Ulimit(
+                    hard_limit=123,
+                    name=ecs.UlimitName.CORE,
+                    soft_limit=123
+                )],
                 user="user",
                 working_directory="workingDirectory"
             )
@@ -18616,6 +18690,7 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
             check_type(argname="argument start_timeout", value=start_timeout, expected_type=type_hints["start_timeout"])
             check_type(argname="argument stop_timeout", value=stop_timeout, expected_type=type_hints["stop_timeout"])
             check_type(argname="argument system_controls", value=system_controls, expected_type=type_hints["system_controls"])
+            check_type(argname="argument ulimits", value=ulimits, expected_type=type_hints["ulimits"])
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
             check_type(argname="argument working_directory", value=working_directory, expected_type=type_hints["working_directory"])
             check_type(argname="argument task_definition", value=task_definition, expected_type=type_hints["task_definition"])
@@ -18681,6 +18756,8 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
             self._values["stop_timeout"] = stop_timeout
         if system_controls is not None:
             self._values["system_controls"] = system_controls
+        if ulimits is not None:
+            self._values["ulimits"] = ulimits
         if user is not None:
             self._values["user"] = user
         if working_directory is not None:
@@ -19007,6 +19084,12 @@ class ContainerDefinitionProps(ContainerDefinitionOptions):
         result = self._values.get("system_controls")
         return typing.cast(typing.Optional[typing.List["SystemControl"]], result)
 
+    @builtins.property
+    def ulimits(self) -> typing.Optional[typing.List["Ulimit"]]:
+        '''An array of ulimits to set in the container.'''
+        result = self._values.get("ulimits")
+        return typing.cast(typing.Optional[typing.List["Ulimit"]], result)
+
     @builtins.property
     def user(self) -> typing.Optional[builtins.str]:
         '''The user name to use inside the container.
@@ -19154,29 +19237,23 @@ class ContainerImage(
 
     Example::
 
-        # cluster: ecs.Cluster
-        
-        load_balanced_fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(self, "Service",
-            cluster=cluster,
-            memory_limit_mi_b=1024,
-            desired_count=1,
-            cpu=512,
-            task_image_options=ecsPatterns.ApplicationLoadBalancedTaskImageOptions(
-                image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample")
-            )
-        )
+        import aws_cdk as cdk
+        import aws_cdk.aws_efs as efs
         
-        scalable_target = load_balanced_fargate_service.service.auto_scale_task_count(
-            min_capacity=1,
-            max_capacity=20
-        )
+        # my_file_system: efs.IFileSystem
         
-        scalable_target.scale_on_cpu_utilization("CpuScaling",
-            target_utilization_percent=50
-        )
         
-        scalable_target.scale_on_memory_utilization("MemoryScaling",
-            target_utilization_percent=50
+        job_defn = batch.EcsJobDefinition(self, "JobDefn",
+            container=batch.EcsEc2ContainerDefinition(self, "containerDefn",
+                image=ecs.ContainerImage.from_registry("public.ecr.aws/amazonlinux/amazonlinux:latest"),
+                memory=cdk.Size.mebibytes(2048),
+                cpu=256,
+                volumes=[batch.EcsVolume.efs(
+                    name="myVolume",
+                    file_system=my_file_system,
+                    container_path="/Volumes/myVolume"
+                )]
+            )
         )
     '''
 
@@ -19692,20 +19769,31 @@ class DeploymentController:
 
         Example::
 
+            # my_application: codedeploy.EcsApplication
             # cluster: ecs.Cluster
+            # task_definition: ecs.FargateTaskDefinition
+            # blue_target_group: elbv2.ITargetGroup
+            # green_target_group: elbv2.ITargetGroup
+            # listener: elbv2.IApplicationListener
             
-            load_balanced_fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(self, "Service",
+            
+            service = ecs.FargateService(self, "Service",
                 cluster=cluster,
-                memory_limit_mi_b=1024,
-                desired_count=1,
-                cpu=512,
-                task_image_options=ecsPatterns.ApplicationLoadBalancedTaskImageOptions(
-                    image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample")
-                ),
+                task_definition=task_definition,
                 deployment_controller=ecs.DeploymentController(
                     type=ecs.DeploymentControllerType.CODE_DEPLOY
                 )
             )
+            
+            codedeploy.EcsDeploymentGroup(self, "BlueGreenDG",
+                service=service,
+                blue_green_deployment_config=codedeploy.EcsBlueGreenDeploymentConfig(
+                    blue_target_group=blue_target_group,
+                    green_target_group=green_target_group,
+                    listener=listener
+                ),
+                deployment_config=codedeploy.EcsDeploymentConfig.CANARY_10PERCENT_5MINUTES
+            )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__919598d1dc3ec32befe4a81bbf3a26a387685443884de6cb5971808667ffb28b)
@@ -19743,20 +19831,31 @@ class DeploymentControllerType(enum.Enum):
 
     Example::
 
+        # my_application: codedeploy.EcsApplication
         # cluster: ecs.Cluster
+        # task_definition: ecs.FargateTaskDefinition
+        # blue_target_group: elbv2.ITargetGroup
+        # green_target_group: elbv2.ITargetGroup
+        # listener: elbv2.IApplicationListener
         
-        load_balanced_fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(self, "Service",
+        
+        service = ecs.FargateService(self, "Service",
             cluster=cluster,
-            memory_limit_mi_b=1024,
-            desired_count=1,
-            cpu=512,
-            task_image_options=ecsPatterns.ApplicationLoadBalancedTaskImageOptions(
-                image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample")
-            ),
+            task_definition=task_definition,
             deployment_controller=ecs.DeploymentController(
                 type=ecs.DeploymentControllerType.CODE_DEPLOY
             )
         )
+        
+        codedeploy.EcsDeploymentGroup(self, "BlueGreenDG",
+            service=service,
+            blue_green_deployment_config=codedeploy.EcsBlueGreenDeploymentConfig(
+                blue_target_group=blue_target_group,
+                green_target_group=green_target_group,
+                listener=listener
+            ),
+            deployment_config=codedeploy.EcsDeploymentConfig.CANARY_10PERCENT_5MINUTES
+        )
     '''
 
     ECS = "ECS"
@@ -20505,6 +20604,7 @@ class Ec2ServiceProps(BaseServiceOptions):
     jsii_struct_bases=[CommonTaskDefinitionAttributes],
     name_mapping={
         "task_definition_arn": "taskDefinitionArn",
+        "execution_role": "executionRole",
         "network_mode": "networkMode",
         "task_role": "taskRole",
     },
@@ -20514,12 +20614,14 @@ class Ec2TaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         self,
         *,
         task_definition_arn: builtins.str,
+        execution_role: typing.Optional[_IRole_235f5d8e] = None,
         network_mode: typing.Optional["NetworkMode"] = None,
         task_role: typing.Optional[_IRole_235f5d8e] = None,
     ) -> None:
         '''Attributes used to import an existing EC2 task definition.
 
         :param task_definition_arn: The arn of the task definition.
+        :param execution_role: The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf. Some tasks do not have an execution role. Default: - undefined
         :param network_mode: The networking mode to use for the containers in the task. Default: Network mode cannot be provided to the imported task.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: Permissions cannot be granted to the imported task.
 
@@ -20538,6 +20640,7 @@ class Ec2TaskDefinitionAttributes(CommonTaskDefinitionAttributes):
                 task_definition_arn="taskDefinitionArn",
             
                 # the properties below are optional
+                execution_role=role,
                 network_mode=ecs.NetworkMode.NONE,
                 task_role=role
             )
@@ -20545,11 +20648,14 @@ class Ec2TaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e90e61a002f578b0dbe160c067f2d3de15287892110df7eedcbbfa7f0c7d391d)
             check_type(argname="argument task_definition_arn", value=task_definition_arn, expected_type=type_hints["task_definition_arn"])
+            check_type(argname="argument execution_role", value=execution_role, expected_type=type_hints["execution_role"])
             check_type(argname="argument network_mode", value=network_mode, expected_type=type_hints["network_mode"])
             check_type(argname="argument task_role", value=task_role, expected_type=type_hints["task_role"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "task_definition_arn": task_definition_arn,
         }
+        if execution_role is not None:
+            self._values["execution_role"] = execution_role
         if network_mode is not None:
             self._values["network_mode"] = network_mode
         if task_role is not None:
@@ -20562,6 +20668,17 @@ class Ec2TaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         assert result is not None, "Required property 'task_definition_arn' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def execution_role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf.
+
+        Some tasks do not have an execution role.
+
+        :default: - undefined
+        '''
+        result = self._values.get("execution_role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+
     @builtins.property
     def network_mode(self) -> typing.Optional["NetworkMode"]:
         '''The networking mode to use for the containers in the task.
@@ -20816,20 +20933,18 @@ class EcrImage(
 ):
     '''An image from an Amazon ECR repository.
 
-    :exampleMetadata: infused
+    :exampleMetadata: fixture=_generated
 
     Example::
 
-        db_secret = secretsmanager.Secret(self, "secret")
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_ecr_assets as ecr_assets
+        from aws_cdk import aws_ecs as ecs
         
-        batch.JobDefinition(self, "batch-job-def-secrets",
-            container=batch.JobDefinitionContainer(
-                image=ecs.EcrImage.from_registry("docker/whalesay"),
-                secrets={
-                    "PASSWORD": ecs.Secret.from_secrets_manager(db_secret, "password")
-                }
-            )
-        )
+        # docker_image_asset: ecr_assets.DockerImageAsset
+        
+        ecr_image = ecs.EcrImage.from_docker_image_asset(docker_image_asset)
     '''
 
     def __init__(
@@ -22238,6 +22353,7 @@ class ExternalServiceProps(BaseServiceOptions):
     jsii_struct_bases=[CommonTaskDefinitionAttributes],
     name_mapping={
         "task_definition_arn": "taskDefinitionArn",
+        "execution_role": "executionRole",
         "network_mode": "networkMode",
         "task_role": "taskRole",
     },
@@ -22247,12 +22363,14 @@ class ExternalTaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         self,
         *,
         task_definition_arn: builtins.str,
+        execution_role: typing.Optional[_IRole_235f5d8e] = None,
         network_mode: typing.Optional["NetworkMode"] = None,
         task_role: typing.Optional[_IRole_235f5d8e] = None,
     ) -> None:
         '''Attributes used to import an existing External task definition.
 
         :param task_definition_arn: The arn of the task definition.
+        :param execution_role: The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf. Some tasks do not have an execution role. Default: - undefined
         :param network_mode: The networking mode to use for the containers in the task. Default: Network mode cannot be provided to the imported task.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: Permissions cannot be granted to the imported task.
 
@@ -22271,6 +22389,7 @@ class ExternalTaskDefinitionAttributes(CommonTaskDefinitionAttributes):
                 task_definition_arn="taskDefinitionArn",
             
                 # the properties below are optional
+                execution_role=role,
                 network_mode=ecs.NetworkMode.NONE,
                 task_role=role
             )
@@ -22278,11 +22397,14 @@ class ExternalTaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__2d58078e68b889d5f10f95714f42385491c26bf6ec084584b1a1487cc3acf7a2)
             check_type(argname="argument task_definition_arn", value=task_definition_arn, expected_type=type_hints["task_definition_arn"])
+            check_type(argname="argument execution_role", value=execution_role, expected_type=type_hints["execution_role"])
             check_type(argname="argument network_mode", value=network_mode, expected_type=type_hints["network_mode"])
             check_type(argname="argument task_role", value=task_role, expected_type=type_hints["task_role"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "task_definition_arn": task_definition_arn,
         }
+        if execution_role is not None:
+            self._values["execution_role"] = execution_role
         if network_mode is not None:
             self._values["network_mode"] = network_mode
         if task_role is not None:
@@ -22295,6 +22417,17 @@ class ExternalTaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         assert result is not None, "Required property 'task_definition_arn' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def execution_role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf.
+
+        Some tasks do not have an execution role.
+
+        :default: - undefined
+        '''
+        result = self._values.get("execution_role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+
     @builtins.property
     def network_mode(self) -> typing.Optional["NetworkMode"]:
         '''The networking mode to use for the containers in the task.
@@ -23027,6 +23160,7 @@ class FargateServiceProps(BaseServiceOptions):
     jsii_struct_bases=[CommonTaskDefinitionAttributes],
     name_mapping={
         "task_definition_arn": "taskDefinitionArn",
+        "execution_role": "executionRole",
         "network_mode": "networkMode",
         "task_role": "taskRole",
     },
@@ -23036,12 +23170,14 @@ class FargateTaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         self,
         *,
         task_definition_arn: builtins.str,
+        execution_role: typing.Optional[_IRole_235f5d8e] = None,
         network_mode: typing.Optional["NetworkMode"] = None,
         task_role: typing.Optional[_IRole_235f5d8e] = None,
     ) -> None:
         '''Attributes used to import an existing Fargate task definition.
 
         :param task_definition_arn: The arn of the task definition.
+        :param execution_role: The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf. Some tasks do not have an execution role. Default: - undefined
         :param network_mode: The networking mode to use for the containers in the task. Default: Network mode cannot be provided to the imported task.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: Permissions cannot be granted to the imported task.
 
@@ -23060,6 +23196,7 @@ class FargateTaskDefinitionAttributes(CommonTaskDefinitionAttributes):
                 task_definition_arn="taskDefinitionArn",
             
                 # the properties below are optional
+                execution_role=role,
                 network_mode=ecs.NetworkMode.NONE,
                 task_role=role
             )
@@ -23067,11 +23204,14 @@ class FargateTaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__5dd329152ba42239c8e48630ce2d0477a28dd88014af62f4536ef752f002010e)
             check_type(argname="argument task_definition_arn", value=task_definition_arn, expected_type=type_hints["task_definition_arn"])
+            check_type(argname="argument execution_role", value=execution_role, expected_type=type_hints["execution_role"])
             check_type(argname="argument network_mode", value=network_mode, expected_type=type_hints["network_mode"])
             check_type(argname="argument task_role", value=task_role, expected_type=type_hints["task_role"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "task_definition_arn": task_definition_arn,
         }
+        if execution_role is not None:
+            self._values["execution_role"] = execution_role
         if network_mode is not None:
             self._values["network_mode"] = network_mode
         if task_role is not None:
@@ -23084,6 +23224,17 @@ class FargateTaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         assert result is not None, "Required property 'task_definition_arn' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def execution_role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf.
+
+        Some tasks do not have an execution role.
+
+        :default: - undefined
+        '''
+        result = self._values.get("execution_role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+
     @builtins.property
     def network_mode(self) -> typing.Optional["NetworkMode"]:
         '''The networking mode to use for the containers in the task.
@@ -23682,6 +23833,11 @@ class FirelensLogRouter(
                 namespace="namespace",
                 value="value"
             )],
+            ulimits=[ecs.Ulimit(
+                hard_limit=123,
+                name=ecs.UlimitName.CORE,
+                soft_limit=123
+            )],
             user="user",
             working_directory="workingDirectory"
         )
@@ -23724,6 +23880,7 @@ class FirelensLogRouter(
         start_timeout: typing.Optional[_Duration_4839e8c3] = None,
         stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> None:
@@ -23763,6 +23920,7 @@ class FirelensLogRouter(
         :param start_timeout: Time duration (in seconds) to wait before giving up on resolving dependencies for a container. Default: - none
         :param stop_timeout: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. Default: - none
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
+        :param ulimits: An array of ulimits to set in the container.
         :param user: The user name to use inside the container. Default: root
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         '''
@@ -23803,6 +23961,7 @@ class FirelensLogRouter(
             start_timeout=start_timeout,
             stop_timeout=stop_timeout,
             system_controls=system_controls,
+            ulimits=ulimits,
             user=user,
             working_directory=working_directory,
         )
@@ -23864,6 +24023,7 @@ class FirelensLogRouter(
         "start_timeout": "startTimeout",
         "stop_timeout": "stopTimeout",
         "system_controls": "systemControls",
+        "ulimits": "ulimits",
         "user": "user",
         "working_directory": "workingDirectory",
         "firelens_config": "firelensConfig",
@@ -23903,6 +24063,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         start_timeout: typing.Optional[_Duration_4839e8c3] = None,
         stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
         working_directory: typing.Optional[builtins.str] = None,
         firelens_config: typing.Union[FirelensConfig, typing.Dict[builtins.str, typing.Any]],
@@ -23939,6 +24100,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         :param start_timeout: Time duration (in seconds) to wait before giving up on resolving dependencies for a container. Default: - none
         :param stop_timeout: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. Default: - none
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
+        :param ulimits: An array of ulimits to set in the container.
         :param user: The user name to use inside the container. Default: root
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         :param firelens_config: Firelens configuration.
@@ -24029,6 +24191,11 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
                     namespace="namespace",
                     value="value"
                 )],
+                ulimits=[ecs.Ulimit(
+                    hard_limit=123,
+                    name=ecs.UlimitName.CORE,
+                    soft_limit=123
+                )],
                 user="user",
                 working_directory="workingDirectory"
             )
@@ -24069,6 +24236,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
             check_type(argname="argument start_timeout", value=start_timeout, expected_type=type_hints["start_timeout"])
             check_type(argname="argument stop_timeout", value=stop_timeout, expected_type=type_hints["stop_timeout"])
             check_type(argname="argument system_controls", value=system_controls, expected_type=type_hints["system_controls"])
+            check_type(argname="argument ulimits", value=ulimits, expected_type=type_hints["ulimits"])
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
             check_type(argname="argument working_directory", value=working_directory, expected_type=type_hints["working_directory"])
             check_type(argname="argument firelens_config", value=firelens_config, expected_type=type_hints["firelens_config"])
@@ -24134,6 +24302,8 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
             self._values["stop_timeout"] = stop_timeout
         if system_controls is not None:
             self._values["system_controls"] = system_controls
+        if ulimits is not None:
+            self._values["ulimits"] = ulimits
         if user is not None:
             self._values["user"] = user
         if working_directory is not None:
@@ -24460,6 +24630,12 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         result = self._values.get("system_controls")
         return typing.cast(typing.Optional[typing.List["SystemControl"]], result)
 
+    @builtins.property
+    def ulimits(self) -> typing.Optional[typing.List["Ulimit"]]:
+        '''An array of ulimits to set in the container.'''
+        result = self._values.get("ulimits")
+        return typing.cast(typing.Optional[typing.List["Ulimit"]], result)
+
     @builtins.property
     def user(self) -> typing.Optional[builtins.str]:
         '''The user name to use inside the container.
@@ -24531,6 +24707,7 @@ class FirelensLogRouterDefinitionOptions(ContainerDefinitionOptions):
         "start_timeout": "startTimeout",
         "stop_timeout": "stopTimeout",
         "system_controls": "systemControls",
+        "ulimits": "ulimits",
         "user": "user",
         "working_directory": "workingDirectory",
         "task_definition": "taskDefinition",
@@ -24571,6 +24748,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
         start_timeout: typing.Optional[_Duration_4839e8c3] = None,
         stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
         system_controls: typing.Optional[typing.Sequence[typing.Union["SystemControl", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
         working_directory: typing.Optional[builtins.str] = None,
         task_definition: "TaskDefinition",
@@ -24608,6 +24786,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
         :param start_timeout: Time duration (in seconds) to wait before giving up on resolving dependencies for a container. Default: - none
         :param stop_timeout: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. Default: - none
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
+        :param ulimits: An array of ulimits to set in the container.
         :param user: The user name to use inside the container. Default: root
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         :param task_definition: The name of the task definition that includes this container definition. [disable-awslint:ref-via-interface]
@@ -24701,6 +24880,11 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
                     namespace="namespace",
                     value="value"
                 )],
+                ulimits=[ecs.Ulimit(
+                    hard_limit=123,
+                    name=ecs.UlimitName.CORE,
+                    soft_limit=123
+                )],
                 user="user",
                 working_directory="workingDirectory"
             )
@@ -24741,6 +24925,7 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
             check_type(argname="argument start_timeout", value=start_timeout, expected_type=type_hints["start_timeout"])
             check_type(argname="argument stop_timeout", value=stop_timeout, expected_type=type_hints["stop_timeout"])
             check_type(argname="argument system_controls", value=system_controls, expected_type=type_hints["system_controls"])
+            check_type(argname="argument ulimits", value=ulimits, expected_type=type_hints["ulimits"])
             check_type(argname="argument user", value=user, expected_type=type_hints["user"])
             check_type(argname="argument working_directory", value=working_directory, expected_type=type_hints["working_directory"])
             check_type(argname="argument task_definition", value=task_definition, expected_type=type_hints["task_definition"])
@@ -24808,6 +24993,8 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
             self._values["stop_timeout"] = stop_timeout
         if system_controls is not None:
             self._values["system_controls"] = system_controls
+        if ulimits is not None:
+            self._values["ulimits"] = ulimits
         if user is not None:
             self._values["user"] = user
         if working_directory is not None:
@@ -25134,6 +25321,12 @@ class FirelensLogRouterProps(ContainerDefinitionProps):
         result = self._values.get("system_controls")
         return typing.cast(typing.Optional[typing.List["SystemControl"]], result)
 
+    @builtins.property
+    def ulimits(self) -> typing.Optional[typing.List["Ulimit"]]:
+        '''An array of ulimits to set in the container.'''
+        result = self._values.get("ulimits")
+        return typing.cast(typing.Optional[typing.List["Ulimit"]], result)
+
     @builtins.property
     def user(self) -> typing.Optional[builtins.str]:
         '''The user name to use inside the container.
@@ -27305,17 +27498,17 @@ class LogDriver(
 
     Example::
 
+        # secret: ecs.Secret
+        
+        
         # Create a Task Definition for the container to start
         task_definition = ecs.Ec2TaskDefinition(self, "TaskDef")
         task_definition.add_container("TheContainer",
             image=ecs.ContainerImage.from_registry("example-image"),
             memory_limit_mi_b=256,
-            logging=ecs.LogDrivers.firelens(
-                options={
-                    "Name": "firehose",
-                    "region": "us-west-2",
-                    "delivery_stream": "my-stream"
-                }
+            logging=ecs.LogDrivers.splunk(
+                secret_token=secret,
+                url="my-splunk-url"
             )
         )
     '''
@@ -27508,12 +27701,18 @@ class LogDrivers(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ecs.LogDriv
 
     Example::
 
+        # secret: ecs.Secret
+        
+        
         # Create a Task Definition for the container to start
         task_definition = ecs.Ec2TaskDefinition(self, "TaskDef")
         task_definition.add_container("TheContainer",
             image=ecs.ContainerImage.from_registry("example-image"),
             memory_limit_mi_b=256,
-            logging=ecs.LogDrivers.aws_logs(stream_prefix="EventDemo")
+            logging=ecs.LogDrivers.splunk(
+                secret_token=secret,
+                url="my-splunk-url"
+            )
         )
     '''
 
@@ -28304,7 +28503,8 @@ class PlacementConstraint(
                 placement_constraints=[
                     ecs.PlacementConstraint.member_of("blieptuut")
                 ]
-            )
+            ),
+            propagated_tag_source=ecs.PropagatedTagSource.TASK_DEFINITION
         )
     '''
 
@@ -28383,7 +28583,8 @@ class PlacementStrategy(
                 placement_constraints=[
                     ecs.PlacementConstraint.member_of("blieptuut")
                 ]
-            )
+            ),
+            propagated_tag_source=ecs.PropagatedTagSource.TASK_DEFINITION
         )
     '''
 
@@ -28692,7 +28893,42 @@ class PortMapping:
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_ecs.PropagatedTagSource")
 class PropagatedTagSource(enum.Enum):
-    '''Propagate tags from either service or task definition.'''
+    '''Propagate tags from either service or task definition.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        vpc = ec2.Vpc.from_lookup(self, "Vpc",
+            is_default=True
+        )
+        
+        cluster = ecs.Cluster(self, "FargateCluster", vpc=vpc)
+        
+        task_definition = ecs.TaskDefinition(self, "TD",
+            memory_mi_b="512",
+            cpu="256",
+            compatibility=ecs.Compatibility.FARGATE
+        )
+        
+        container_definition = task_definition.add_container("TheContainer",
+            image=ecs.ContainerImage.from_registry("foo/bar"),
+            memory_limit_mi_b=256
+        )
+        
+        run_task = tasks.EcsRunTask(self, "RunFargate",
+            integration_pattern=sfn.IntegrationPattern.RUN_JOB,
+            cluster=cluster,
+            task_definition=task_definition,
+            assign_public_ip=True,
+            container_overrides=[tasks.ContainerOverride(
+                container_definition=container_definition,
+                environment=[tasks.TaskEnvironmentVariable(name="SOME_KEY", value=sfn.JsonPath.string_at("$.SomeKey"))]
+            )],
+            launch_target=tasks.EcsFargateLaunchTarget(),
+            propagated_tag_source=ecs.PropagatedTagSource.TASK_DEFINITION
+        )
+    '''
 
     SERVICE = "SERVICE"
     '''Propagate tags from service.'''
@@ -28846,17 +29082,17 @@ class RepositoryImage(
     Example::
 
         # Example automatically generated from non-compiling source. May contain errors.
-        import aws_cdk.aws_batch as batch
+        import aws_cdk.aws_batch_alpha as batch
         from aws_cdk.aws_ecs import ContainerImage
         
         
         job_queue = batch.JobQueue(self, "MyQueue",
-            compute_environments=[{
-                "compute_environment": batch.ComputeEnvironment(self, "ComputeEnvironment",
+            compute_environments=[batch.OrderedComputeEnvironment(
+                compute_environment=batch.ComputeEnvironment(self, "ComputeEnvironment",
                     managed=False
                 ),
-                "order": 1
-            }
+                order=1
+            )
             ]
         )
         
@@ -28869,14 +29105,14 @@ class RepositoryImage(
         queue = sqs.Queue(self, "Queue")
         
         rule = events.Rule(self, "Rule",
-            schedule=events.Schedule.rate(cdk.Duration.hours(1))
+            schedule=events.Schedule.rate(Duration.hours(1))
         )
         
         rule.add_target(targets.BatchJob(job_queue.job_queue_arn, job_queue, job_definition.job_definition_arn, job_definition,
             dead_letter_queue=queue,
             event=events.RuleTargetInput.from_object({"SomeParam": "SomeValue"}),
             retry_attempts=2,
-            max_event_age=cdk.Duration.hours(2)
+            max_event_age=Duration.hours(2)
         ))
     '''
 
@@ -30118,19 +30354,18 @@ class ServiceConnectProps:
 
         Example::
 
-            # Example automatically generated from non-compiling source. May contain errors.
             # cluster: ecs.Cluster
             # task_definition: ecs.TaskDefinition
-            # container: ecs.ContainerDefinition
+            # container_options: ecs.ContainerDefinitionOptions
+            
             
+            container = task_definition.add_container("MyContainer", container_options)
             
             container.add_port_mappings(
                 name="api",
                 container_port=8080
             )
             
-            task_definition.add_container(container)
-            
             cluster.add_default_cloud_map_namespace(
                 name="local"
             )
@@ -31405,31 +31640,20 @@ class TaskDefinition(
 
     Example::
 
-        # task_definition: ecs.TaskDefinition
         # cluster: ecs.Cluster
+        # task_definition: ecs.TaskDefinition
+        # vpc: ec2.Vpc
         
+        service = ecs.FargateService(self, "Service", cluster=cluster, task_definition=task_definition)
         
-        # Add a container to the task definition
-        specific_container = task_definition.add_container("Container",
-            image=ecs.ContainerImage.from_registry("/aws/aws-example-app"),
-            memory_limit_mi_b=2048
-        )
-        
-        # Add a port mapping
-        specific_container.add_port_mappings(
-            container_port=7600,
-            protocol=ecs.Protocol.TCP
-        )
-        
-        ecs.Ec2Service(self, "Service",
-            cluster=cluster,
-            task_definition=task_definition,
-            cloud_map_options=ecs.CloudMapOptions(
-                # Create SRV records - useful for bridge networking
-                dns_record_type=cloudmap.DnsRecordType.SRV,
-                # Targets port TCP port 7600 `specificContainer`
-                container=specific_container,
-                container_port=7600
+        lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc, internet_facing=True)
+        listener = lb.add_listener("Listener", port=80)
+        service.register_load_balancer_targets(
+            container_name="web",
+            container_port=80,
+            new_target_group_id="ECS",
+            listener=ecs.ListenerConfig.application_listener(listener,
+                protocol=elbv2.ApplicationProtocol.HTTPS
             )
         )
     '''
@@ -31531,6 +31755,7 @@ class TaskDefinition(
         *,
         compatibility: typing.Optional[Compatibility] = None,
         task_definition_arn: builtins.str,
+        execution_role: typing.Optional[_IRole_235f5d8e] = None,
         network_mode: typing.Optional[NetworkMode] = None,
         task_role: typing.Optional[_IRole_235f5d8e] = None,
     ) -> ITaskDefinition:
@@ -31540,6 +31765,7 @@ class TaskDefinition(
         :param id: -
         :param compatibility: What launch types this task definition should be compatible with. Default: Compatibility.EC2_AND_FARGATE
         :param task_definition_arn: The arn of the task definition.
+        :param execution_role: The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf. Some tasks do not have an execution role. Default: - undefined
         :param network_mode: The networking mode to use for the containers in the task. Default: Network mode cannot be provided to the imported task.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: Permissions cannot be granted to the imported task.
         '''
@@ -31550,6 +31776,7 @@ class TaskDefinition(
         attrs = TaskDefinitionAttributes(
             compatibility=compatibility,
             task_definition_arn=task_definition_arn,
+            execution_role=execution_role,
             network_mode=network_mode,
             task_role=task_role,
         )
@@ -31591,6 +31818,7 @@ class TaskDefinition(
         start_timeout: typing.Optional[_Duration_4839e8c3] = None,
         stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
         system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+        ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> ContainerDefinition:
@@ -31627,6 +31855,7 @@ class TaskDefinition(
         :param start_timeout: Time duration (in seconds) to wait before giving up on resolving dependencies for a container. Default: - none
         :param stop_timeout: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. Default: - none
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
+        :param ulimits: An array of ulimits to set in the container.
         :param user: The user name to use inside the container. Default: root
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         '''
@@ -31664,6 +31893,7 @@ class TaskDefinition(
             start_timeout=start_timeout,
             stop_timeout=stop_timeout,
             system_controls=system_controls,
+            ulimits=ulimits,
             user=user,
             working_directory=working_directory,
         )
@@ -31720,6 +31950,7 @@ class TaskDefinition(
         start_timeout: typing.Optional[_Duration_4839e8c3] = None,
         stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
         system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+        ulimits: typing.Optional[typing.Sequence[typing.Union["Ulimit", typing.Dict[builtins.str, typing.Any]]]] = None,
         user: typing.Optional[builtins.str] = None,
         working_directory: typing.Optional[builtins.str] = None,
     ) -> FirelensLogRouter:
@@ -31757,6 +31988,7 @@ class TaskDefinition(
         :param start_timeout: Time duration (in seconds) to wait before giving up on resolving dependencies for a container. Default: - none
         :param stop_timeout: Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own. Default: - none
         :param system_controls: A list of namespaced kernel parameters to set in the container. Default: - No system controls are set.
+        :param ulimits: An array of ulimits to set in the container.
         :param user: The user name to use inside the container. Default: root
         :param working_directory: The working directory in which to run commands inside the container. Default: /
         '''
@@ -31795,6 +32027,7 @@ class TaskDefinition(
             start_timeout=start_timeout,
             stop_timeout=stop_timeout,
             system_controls=system_controls,
+            ulimits=ulimits,
             user=user,
             working_directory=working_directory,
         )
@@ -32042,6 +32275,7 @@ class TaskDefinition(
     jsii_struct_bases=[CommonTaskDefinitionAttributes],
     name_mapping={
         "task_definition_arn": "taskDefinitionArn",
+        "execution_role": "executionRole",
         "network_mode": "networkMode",
         "task_role": "taskRole",
         "compatibility": "compatibility",
@@ -32052,6 +32286,7 @@ class TaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         self,
         *,
         task_definition_arn: builtins.str,
+        execution_role: typing.Optional[_IRole_235f5d8e] = None,
         network_mode: typing.Optional[NetworkMode] = None,
         task_role: typing.Optional[_IRole_235f5d8e] = None,
         compatibility: typing.Optional[Compatibility] = None,
@@ -32059,6 +32294,7 @@ class TaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         '''A reference to an existing task definition.
 
         :param task_definition_arn: The arn of the task definition.
+        :param execution_role: The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf. Some tasks do not have an execution role. Default: - undefined
         :param network_mode: The networking mode to use for the containers in the task. Default: Network mode cannot be provided to the imported task.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: Permissions cannot be granted to the imported task.
         :param compatibility: What launch types this task definition should be compatible with. Default: Compatibility.EC2_AND_FARGATE
@@ -32079,6 +32315,7 @@ class TaskDefinitionAttributes(CommonTaskDefinitionAttributes):
             
                 # the properties below are optional
                 compatibility=ecs.Compatibility.EC2,
+                execution_role=role,
                 network_mode=ecs.NetworkMode.NONE,
                 task_role=role
             )
@@ -32086,12 +32323,15 @@ class TaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__723c7f01009409e12e945705433183d486be735607b50d3b8dd0ec765a5e03e3)
             check_type(argname="argument task_definition_arn", value=task_definition_arn, expected_type=type_hints["task_definition_arn"])
+            check_type(argname="argument execution_role", value=execution_role, expected_type=type_hints["execution_role"])
             check_type(argname="argument network_mode", value=network_mode, expected_type=type_hints["network_mode"])
             check_type(argname="argument task_role", value=task_role, expected_type=type_hints["task_role"])
             check_type(argname="argument compatibility", value=compatibility, expected_type=type_hints["compatibility"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "task_definition_arn": task_definition_arn,
         }
+        if execution_role is not None:
+            self._values["execution_role"] = execution_role
         if network_mode is not None:
             self._values["network_mode"] = network_mode
         if task_role is not None:
@@ -32106,6 +32346,17 @@ class TaskDefinitionAttributes(CommonTaskDefinitionAttributes):
         assert result is not None, "Required property 'task_definition_arn' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def execution_role(self) -> typing.Optional[_IRole_235f5d8e]:
+        '''The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf.
+
+        Some tasks do not have an execution role.
+
+        :default: - undefined
+        '''
+        result = self._values.get("execution_role")
+        return typing.cast(typing.Optional[_IRole_235f5d8e], result)
+
     @builtins.property
     def network_mode(self) -> typing.Optional[NetworkMode]:
         '''The networking mode to use for the containers in the task.
@@ -32240,7 +32491,8 @@ class TaskDefinitionProps(CommonTaskDefinitionProps):
                     placement_constraints=[
                         ecs.PlacementConstraint.member_of("blieptuut")
                     ]
-                )
+                ),
+                propagated_tag_source=ecs.PropagatedTagSource.TASK_DEFINITION
             )
         '''
         if isinstance(runtime_platform, dict):
@@ -32886,7 +33138,22 @@ class Ulimit:
 
 @jsii.enum(jsii_type="aws-cdk-lib.aws_ecs.UlimitName")
 class UlimitName(enum.Enum):
-    '''Type of resource to set a limit on.'''
+    '''Type of resource to set a limit on.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        task_definition = ecs.Ec2TaskDefinition(self, "TaskDef")
+        task_definition.add_container("TheContainer",
+            image=ecs.ContainerImage.from_registry("example-image"),
+            ulimits=[ecs.Ulimit(
+                hard_limit=128,
+                name=ecs.UlimitName.RSS,
+                soft_limit=128
+            )]
+        )
+    '''
 
     CORE = "CORE"
     CPU = "CPU"
@@ -33310,6 +33577,7 @@ class AssetImage(
 
     Example::
 
+        from constructs import Construct
         from aws_cdk import App, Stack
         import aws_cdk.aws_ec2 as ec2
         import aws_cdk.aws_ecs as ecs
@@ -33317,20 +33585,21 @@ class AssetImage(
         import aws_cdk.cx_api as cxapi
         import path as path
         
-        app = App()
+        class MyStack(Stack):
+            def __init__(self, scope, id):
+                super().__init__(scope, id)
         
-        stack = Stack(app, "aws-ecs-patterns-queue")
-        stack.node.set_context(cxapi.ECS_REMOVE_DEFAULT_DESIRED_COUNT, True)
+                self.node.set_context(cxapi.ECS_REMOVE_DEFAULT_DESIRED_COUNT, True)
         
-        vpc = ec2.Vpc(stack, "VPC",
-            max_azs=2
-        )
+                vpc = ec2.Vpc(self, "VPC",
+                    max_azs=2
+                )
         
-        ecs_patterns.QueueProcessingFargateService(stack, "QueueProcessingService",
-            vpc=vpc,
-            memory_limit_mi_b=512,
-            image=ecs.AssetImage(path.join(__dirname, "..", "sqs-reader"))
-        )
+                ecs_patterns.QueueProcessingFargateService(self, "QueueProcessingService",
+                    vpc=vpc,
+                    memory_limit_mi_b=512,
+                    image=ecs.AssetImage(path.join(__dirname, "..", "sqs-reader"))
+                )
     '''
 
     def __init__(
@@ -33553,7 +33822,8 @@ class Cluster(
                 container_definition=container_definition,
                 environment=[tasks.TaskEnvironmentVariable(name="SOME_KEY", value=sfn.JsonPath.string_at("$.SomeKey"))]
             )],
-            launch_target=tasks.EcsFargateLaunchTarget()
+            launch_target=tasks.EcsFargateLaunchTarget(),
+            propagated_tag_source=ecs.PropagatedTagSource.TASK_DEFINITION
         )
     '''
 
@@ -34747,7 +35017,6 @@ class BaseService(
 
     Example::
 
-        # Example automatically generated from non-compiling source. May contain errors.
         import aws_cdk.aws_ecs as ecs
         
         
@@ -35582,6 +35851,7 @@ class Ec2TaskDefinition(
         id: builtins.str,
         *,
         task_definition_arn: builtins.str,
+        execution_role: typing.Optional[_IRole_235f5d8e] = None,
         network_mode: typing.Optional[NetworkMode] = None,
         task_role: typing.Optional[_IRole_235f5d8e] = None,
     ) -> IEc2TaskDefinition:
@@ -35590,6 +35860,7 @@ class Ec2TaskDefinition(
         :param scope: -
         :param id: -
         :param task_definition_arn: The arn of the task definition.
+        :param execution_role: The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf. Some tasks do not have an execution role. Default: - undefined
         :param network_mode: The networking mode to use for the containers in the task. Default: Network mode cannot be provided to the imported task.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: Permissions cannot be granted to the imported task.
         '''
@@ -35599,6 +35870,7 @@ class Ec2TaskDefinition(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         attrs = Ec2TaskDefinitionAttributes(
             task_definition_arn=task_definition_arn,
+            execution_role=execution_role,
             network_mode=network_mode,
             task_role=task_role,
         )
@@ -35980,6 +36252,7 @@ class ExternalTaskDefinition(
         id: builtins.str,
         *,
         task_definition_arn: builtins.str,
+        execution_role: typing.Optional[_IRole_235f5d8e] = None,
         network_mode: typing.Optional[NetworkMode] = None,
         task_role: typing.Optional[_IRole_235f5d8e] = None,
     ) -> IExternalTaskDefinition:
@@ -35988,6 +36261,7 @@ class ExternalTaskDefinition(
         :param scope: -
         :param id: -
         :param task_definition_arn: The arn of the task definition.
+        :param execution_role: The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf. Some tasks do not have an execution role. Default: - undefined
         :param network_mode: The networking mode to use for the containers in the task. Default: Network mode cannot be provided to the imported task.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: Permissions cannot be granted to the imported task.
         '''
@@ -35997,6 +36271,7 @@ class ExternalTaskDefinition(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         attrs = ExternalTaskDefinitionAttributes(
             task_definition_arn=task_definition_arn,
+            execution_role=execution_role,
             network_mode=network_mode,
             task_role=task_role,
         )
@@ -36280,6 +36555,7 @@ class FargateTaskDefinition(
         id: builtins.str,
         *,
         task_definition_arn: builtins.str,
+        execution_role: typing.Optional[_IRole_235f5d8e] = None,
         network_mode: typing.Optional[NetworkMode] = None,
         task_role: typing.Optional[_IRole_235f5d8e] = None,
     ) -> IFargateTaskDefinition:
@@ -36288,6 +36564,7 @@ class FargateTaskDefinition(
         :param scope: -
         :param id: -
         :param task_definition_arn: The arn of the task definition.
+        :param execution_role: The IAM role that grants containers and Fargate agents permission to make AWS API calls on your behalf. Some tasks do not have an execution role. Default: - undefined
         :param network_mode: The networking mode to use for the containers in the task. Default: Network mode cannot be provided to the imported task.
         :param task_role: The name of the IAM role that grants containers in the task permission to call AWS APIs on your behalf. Default: Permissions cannot be granted to the imported task.
         '''
@@ -36297,6 +36574,7 @@ class FargateTaskDefinition(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         attrs = FargateTaskDefinitionAttributes(
             task_definition_arn=task_definition_arn,
+            execution_role=execution_role,
             network_mode=network_mode,
             task_role=task_role,
         )
@@ -38061,6 +38339,7 @@ def _typecheckingstub__8819884fed76c2873e86d47e66faba011202f5d697aa512d17a66e595
 def _typecheckingstub__1a458c1ea772685ddb7eb49b075e7de9bed322fac4bbee8aeab1cf6b576bc995(
     *,
     task_definition_arn: builtins.str,
+    execution_role: typing.Optional[_IRole_235f5d8e] = None,
     network_mode: typing.Optional[NetworkMode] = None,
     task_role: typing.Optional[_IRole_235f5d8e] = None,
 ) -> None:
@@ -38113,6 +38392,7 @@ def _typecheckingstub__d8756b492e023ad8d33a399196b15b610f709400ce213e179f17dd1f6
     start_timeout: typing.Optional[_Duration_4839e8c3] = None,
     stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -38233,6 +38513,7 @@ def _typecheckingstub__f2e5f24c1574825a81dd77783d48886a430a675a0e04f03559eca98b5
     start_timeout: typing.Optional[_Duration_4839e8c3] = None,
     stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -38271,6 +38552,7 @@ def _typecheckingstub__20c974a49c79829fac0811dffaf78c449f92ae136414b96232160d37c
     start_timeout: typing.Optional[_Duration_4839e8c3] = None,
     stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
     working_directory: typing.Optional[builtins.str] = None,
     task_definition: TaskDefinition,
@@ -38439,6 +38721,7 @@ def _typecheckingstub__95634258086aa3448fbdfd9896017a2cbeb858f382deb61186bb9e22b
 def _typecheckingstub__e90e61a002f578b0dbe160c067f2d3de15287892110df7eedcbbfa7f0c7d391d(
     *,
     task_definition_arn: builtins.str,
+    execution_role: typing.Optional[_IRole_235f5d8e] = None,
     network_mode: typing.Optional[NetworkMode] = None,
     task_role: typing.Optional[_IRole_235f5d8e] = None,
 ) -> None:
@@ -38616,6 +38899,7 @@ def _typecheckingstub__3cc413964caae89bfcfbcabff8356ffe5c054f46824be99731a77b64e
 def _typecheckingstub__2d58078e68b889d5f10f95714f42385491c26bf6ec084584b1a1487cc3acf7a2(
     *,
     task_definition_arn: builtins.str,
+    execution_role: typing.Optional[_IRole_235f5d8e] = None,
     network_mode: typing.Optional[NetworkMode] = None,
     task_role: typing.Optional[_IRole_235f5d8e] = None,
 ) -> None:
@@ -38671,6 +38955,7 @@ def _typecheckingstub__8290283f61f3e2d289b7e7f81cad1a5d1e9ed9dbc07ccce2b57604682
 def _typecheckingstub__5dd329152ba42239c8e48630ce2d0477a28dd88014af62f4536ef752f002010e(
     *,
     task_definition_arn: builtins.str,
+    execution_role: typing.Optional[_IRole_235f5d8e] = None,
     network_mode: typing.Optional[NetworkMode] = None,
     task_role: typing.Optional[_IRole_235f5d8e] = None,
 ) -> None:
@@ -38748,6 +39033,7 @@ def _typecheckingstub__aa1e4969dd0e00a5737510c273aa9546ad4ce7bc5a8a146f2a37666b0
     start_timeout: typing.Optional[_Duration_4839e8c3] = None,
     stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -38792,6 +39078,7 @@ def _typecheckingstub__2bb9382e9a7b1b34a020902905c4bf83e2d4970135e7592e5b5a1da62
     start_timeout: typing.Optional[_Duration_4839e8c3] = None,
     stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
     working_directory: typing.Optional[builtins.str] = None,
     firelens_config: typing.Union[FirelensConfig, typing.Dict[builtins.str, typing.Any]],
@@ -38831,6 +39118,7 @@ def _typecheckingstub__498b2375cb2035a958edbdd10ad5f4352caa5773be14b63a07c337871
     start_timeout: typing.Optional[_Duration_4839e8c3] = None,
     stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
     working_directory: typing.Optional[builtins.str] = None,
     task_definition: TaskDefinition,
@@ -39478,6 +39766,7 @@ def _typecheckingstub__33efccb48f741fbca68f3379a33fab8d93a2872fc8c2a118c9704894b
     *,
     compatibility: typing.Optional[Compatibility] = None,
     task_definition_arn: builtins.str,
+    execution_role: typing.Optional[_IRole_235f5d8e] = None,
     network_mode: typing.Optional[NetworkMode] = None,
     task_role: typing.Optional[_IRole_235f5d8e] = None,
 ) -> None:
@@ -39517,6 +39806,7 @@ def _typecheckingstub__8fe416001b357a118b80b0f9e3432c5bffbeffe29c2f7e67a02e5589c
     start_timeout: typing.Optional[_Duration_4839e8c3] = None,
     stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -39563,6 +39853,7 @@ def _typecheckingstub__a448c235107c9543bb055362134e3500d0a20b6f51e433675f952a773
     start_timeout: typing.Optional[_Duration_4839e8c3] = None,
     stop_timeout: typing.Optional[_Duration_4839e8c3] = None,
     system_controls: typing.Optional[typing.Sequence[typing.Union[SystemControl, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ulimits: typing.Optional[typing.Sequence[typing.Union[Ulimit, typing.Dict[builtins.str, typing.Any]]]] = None,
     user: typing.Optional[builtins.str] = None,
     working_directory: typing.Optional[builtins.str] = None,
 ) -> None:
@@ -39614,6 +39905,7 @@ def _typecheckingstub__9a9f5e275c7ec18083bd47fd70c94d0dee80deddee22c30c6ef86cb08
 def _typecheckingstub__723c7f01009409e12e945705433183d486be735607b50d3b8dd0ec765a5e03e3(
     *,
     task_definition_arn: builtins.str,
+    execution_role: typing.Optional[_IRole_235f5d8e] = None,
     network_mode: typing.Optional[NetworkMode] = None,
     task_role: typing.Optional[_IRole_235f5d8e] = None,
     compatibility: typing.Optional[Compatibility] = None,
@@ -40095,6 +40387,7 @@ def _typecheckingstub__d794d0fc9ba23db2d5f4c804346c25e9732a8bd6c40b66b459e4b0596
     id: builtins.str,
     *,
     task_definition_arn: builtins.str,
+    execution_role: typing.Optional[_IRole_235f5d8e] = None,
     network_mode: typing.Optional[NetworkMode] = None,
     task_role: typing.Optional[_IRole_235f5d8e] = None,
 ) -> None:
@@ -40192,6 +40485,7 @@ def _typecheckingstub__ccd4d51c36358a0ea1efb52a38fa0bccb9e2db43ee7dc217a32ca2bf2
     id: builtins.str,
     *,
     task_definition_arn: builtins.str,
+    execution_role: typing.Optional[_IRole_235f5d8e] = None,
     network_mode: typing.Optional[NetworkMode] = None,
     task_role: typing.Optional[_IRole_235f5d8e] = None,
 ) -> None:
@@ -40274,6 +40568,7 @@ def _typecheckingstub__59be62eab8487bb224b6839e6560b22ec29653bf5f8e319f85996fa99
     id: builtins.str,
     *,
     task_definition_arn: builtins.str,
+    execution_role: typing.Optional[_IRole_235f5d8e] = None,
     network_mode: typing.Optional[NetworkMode] = None,
     task_role: typing.Optional[_IRole_235f5d8e] = None,
 ) -> None: