aws_ecs: Fargate service not created because NetworkConfiguration is not null with External deployment controller

[msysh]

Describe the bug

Creating a Fargate Service using an external deployment controller fails with following message:

Invalid request provided: CreateService error: NetworkConfiguration must be null.

Expected Behavior

When using an External deployment controller, it is expected that the Fargate Service will be deployed without network configuration.

Current Behavior

During the deployment process, getting following error:

20:36:57 | CREATE_FAILED        | AWS::ECS::Service        | FargateService/Service
Resource handler returned message: "Invalid request provided: CreateService error: NetworkConfiguration must be null. (Service: AmazonECS; Status Code: 400;
Error Code: InvalidParameterException; Request ID: 8c5d2a4c-9fbc-46c9-ae3e-c85fabc53825; Proxy: null)" (RequestToken: 4b95cca6-5f17-3ebe-3d07-1ea867b6a9e6, HandlerErrorCode: InvalidRequest)

This is because the generated template contains NetworkConfiguration.

Reproduction Steps

It can be reproduced with the following code:

import * as cdk from 'aws-cdk-lib';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'Stack');

const vpc = new cdk.aws_ec2.Vpc(stack, 'Vpc', { maxAzs: 2, restrictDefaultSecurityGroup: false });

const cluster = new cdk.aws_ecs.Cluster(stack, 'Cluster', { vpc });

const taskDefinition = new cdk.aws_ecs.FargateTaskDefinition(stack, 'TaskDef');
taskDefinition.addContainer('web', {
  image: cdk.aws_ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
  memoryLimitMiB: 512,
});

new cdk.aws_ecs.FargateService(stack, 'Service', {
  cluster,
  taskDefinition,
  deploymentController: {
    type: cdk.aws_ecs.DeploymentControllerType.EXTERNAL,
  },
});

Possible Solution

In fargate-service.ts, if deploymentControllerType is external, skip network configuration generation.

The following modifications can be suggested:

if (!props.deploymentController ||
  (props.deploymentController && props.deploymentController?.type !== DeploymentControllerType.EXTERNAL)) {
  this.configureAwsVpcNetworkingWithSecurityGroups(props.cluster.vpc, props.assignPublicIp, props.vpcSubnets, securityGroups);
}

In addition, the following unit tests will need to be modified:

aws-cdk/packages/aws-cdk-lib/aws-ecs/test/fargate/fargate-service.test.ts

Lines 603 to 658 in cad0635

	test('ignore task definition and launch type if deployment controller is set to be EXTERNAL', () => {
	// GIVEN
	const stack = new cdk.Stack();
	const vpc = new ec2.Vpc(stack, 'MyVpc', {});
	const cluster = new ecs.Cluster(stack, 'EcsCluster', { vpc });
	const taskDefinition = new ecs.FargateTaskDefinition(stack, 'FargateTaskDef');
	taskDefinition.addContainer('web', {
	image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
	});
	new ecs.FargateService(stack, 'FargateService', {
	cluster,
	taskDefinition,
	deploymentController: {
	type: DeploymentControllerType.EXTERNAL,
	},
	});
	// THEN
	Annotations.fromStack(stack).hasWarning('/Default/FargateService', 'taskDefinition and launchType are blanked out when using external deployment controller.');
	Template.fromStack(stack).hasResourceProperties('AWS::ECS::Service', {
	Cluster: {
	Ref: 'EcsCluster97242B84',
	},
	DeploymentConfiguration: {
	MaximumPercent: 200,
	MinimumHealthyPercent: 50,
	},
	DeploymentController: {
	Type: 'EXTERNAL',
	},
	EnableECSManagedTags: false,
	NetworkConfiguration: {
	AwsvpcConfiguration: {
	AssignPublicIp: 'DISABLED',
	SecurityGroups: [
	{
	'Fn::GetAtt': [
	'FargateServiceSecurityGroup0A0E79CB',
	'GroupId',
	],
	},
	],
	Subnets: [
	{
	Ref: 'MyVpcPrivateSubnet1Subnet5057CF7E',
	},
	{
	Ref: 'MyVpcPrivateSubnet2Subnet0040C983',
	},
	],
	},
	},
	});
	});

Additional Information/Context

This problem does not occur with ECS on EC2.

Currently this problem can be avoided with an escape hatches as follows.

const cfnService = service.node.defaultChild as cdk.aws_ecs.CfnService;
cfnService.addDeletionOverride('Properties.NetworkConfiguration');

CDK CLI Version

2.87.0 (build 9fca790)

Framework Version

No response

Node.js Version

v16.14.0

OS

macOS 13.4

Language

Typescript

Language Version

No response

Other information

No response

[pahud]

Thank you for your report and the workaround with addDeletionOverride(). Yes, we should fix that.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[analytically]

could this cause NetworkLoadBalancedFargateService.getService not to return a FargateService instance anymore?

[msysh]

@analytically Thank you for notice. I would like to clarify. Is it means that you cannot get an instance with NetworkLoadBalancedFargateService.service when the deployment type is External? In case of my trying by short code, I could get the instance by NetworkLoadBalancedFargateService.service both before and after fixing this issue.
The short code is following:

import * as cdk from 'aws-cdk-lib';
import { NetworkLoadBalancedFargateService } from 'aws-cdk-lib/aws-ecs-patterns';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'Stack');

const taskDefinition = new cdk.aws_ecs.FargateTaskDefinition(stack, 'FargateTaskDef');

taskDefinition.addContainer('web', {
  image: cdk.aws_ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
  memoryLimitMiB: 512,
  portMappings: [ { containerPort: 80, } ],
});

const service = new NetworkLoadBalancedFargateService(stack, 'Service', {
  deploymentController: {
    type: cdk.aws_ecs.DeploymentControllerType.EXTERNAL,
  },
  taskDefinition: taskDefinition,
});

// --------------------------
// I could get the instance.
// --------------------------
console.debug(service.service);

If your mention is not, could you please provide a reproduction step?