Registers a new task definition from the supplied family
and containerDefinitions
. Optionally, you can add data volumes to your containers with the volumes
parameter. For more information about task definition parameters and defaults, see Amazon ECS Task Definitions in the Amazon Elastic Container Service Developer Guide.
You can specify a role for your task with the taskRoleArn
parameter. When you specify a role for a task, its containers can then use the latest versions of the CLI or SDKs to make API requests to the AWS services that are specified in the policy that's associated with the role. For more information, see IAM Roles for Tasks in the Amazon Elastic Container Service Developer Guide.
You can specify a Docker networking mode for the containers in your task definition with the networkMode
parameter. The available network modes correspond to those described in Network settings in the Docker run reference. If you specify the awsvpc
network mode, the task is allocated an elastic network interface, and you must specify a NetworkConfiguration when you create a service or run a task with the task definition. For more information, see Task Networking in the Amazon Elastic Container Service Developer Guide.
In the following example or examples, the Authorization header contents (AUTHPARAMS
) must be replaced with an AWS Signature Version 4 signature. For more information, see Signature Version 4 Signing Process in the General Reference.
You only need to learn how to sign HTTP requests if you intend to create them manually. When you use the or one of the SDKs to make requests to AWS, these tools automatically sign the requests for you, with the access key that you specify when you configure the tools. When you use these tools, you don't have to sign requests yourself.
container_definitions
(Attributes Set) A list of container definitions in JSON format that describe the different containers that make up your task. For more information about container definition parameters and defaults, see Amazon ECS Task Definitions in the Amazon Elastic Container Service Developer Guide. (see below for nested schema)cpu
(String) The number of cpu
units used by the task. If you use the EC2 launch type, this field is optional. Any value can be used. If you use the Fargate launch type, this field is required. You must use one of the following values. The value that you choose determines your range of valid values for the memory
parameter.
The CPU units cannot be less than 1 vCPU when you use Windows containers on Fargate.
memory
values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB)memory
values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB)memory
values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB)memory
values: 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB)memory
values: 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB)memory
values: 16 GB and 60 GB in 4 GB increments
This option requires Linux platform 1.4.0
or later.memory
values: 32GB and 120 GB in 8 GB increments
This option requires Linux platform 1.4.0
or later.ephemeral_storage
(Attributes) The ephemeral storage settings to use for tasks run with the task definition. (see below for nested schema)execution_role_arn
(String) The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf. The task execution IAM role is required depending on the requirements of your task. For more information, see Amazon ECS task execution IAM role in the Amazon Elastic Container Service Developer Guide.family
(String) The name of a family that this task definition is registered to. Up to 255 letters (uppercase and lowercase), numbers, hyphens, and underscores are allowed.
A family groups multiple versions of a task definition. Amazon ECS gives the first task definition that you registered to a family a revision number of 1. Amazon ECS gives sequential revision numbers to each task definition that you add.
To use revision numbers when you update a task definition, specify this property. If you don't specify a value, CFNlong generates a new task definition each time that you update it.inference_accelerators
(Attributes Set) The Elastic Inference accelerators to use for the containers in the task. (see below for nested schema)ipc_mode
(String) The IPC resource namespace to use for the containers in the task. The valid values are host
, task
, or none
. If host
is specified, then all containers within the tasks that specified the host
IPC mode on the same container instance share the same IPC resources with the host Amazon EC2 instance. If task
is specified, all containers within the specified task share the same IPC resources. If none
is specified, then IPC resources within the containers of a task are private and not shared with other containers in a task or on the container instance. If no value is specified, then the IPC resource namespace sharing depends on the Docker daemon setting on the container instance. For more information, see IPC settings in the Docker run reference.
If the host
IPC mode is used, be aware that there is a heightened risk of undesired IPC namespace expose. For more information, see Docker security.
If you are setting namespaced kernel parameters using systemControls
for the containers in the task, the following will apply to your IPC resource namespace. For more information, see System Controls in the Amazon Elastic Container Service Developer Guide.
host
IPC mode, IPC namespace related systemControls
are not supported.task
IPC mode, IPC namespace related systemControls
will apply to all containers within a task.This parameter is not supported for Windows containers or tasks run on FARGATElong.
memory
(String) The amount (in MiB) of memory used by the task.
If your tasks runs on Amazon EC2 instances, you must specify either a task-level memory value or a container-level memory value. This field is optional and any value can be used. If a task-level memory value is specified, the container-level memory value is optional. For more information regarding container-level memory and memory reservation, see ContainerDefinition.
If your tasks runs on FARGATElong, this field is required. You must use one of the following values. The value you choose determines your range of valid values for the cpu
parameter.
md5-8bdb2df4f2c08a4d48b7a5cadc9d1854
container_definitions
On Windows container instances, the CPU limit is enforced as an absolute limit, or a quota. Windows containers only have access to the specified amount of CPU that's described in the task definition. A null or zero CPU value is passed to Docker as 0
, which Windows interprets as 1% of one CPU.
credential_specs
(List of String) A list of ARNs in SSM or Amazon S3 to a credential spec (CredSpec
) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the dockerSecurityOptions
. The maximum number of ARNs is 1.
There are two formats for each ARN.
md5-c1f62a26205a6bee93ea5331341ba803
If the task definition is used in a blue/green deployment that uses AWS::CodeDeploy::DeploymentGroup BlueGreenDeploymentConfiguration, the dependsOn
parameter is not supported. For more information see Issue #680 on the on the GitHub website. (see below for nested schema)
disable_networking
(Boolean) When this parameter is true, networking is off within the container. This parameter maps to NetworkDisabled
in the Create a container section of the Docker Remote API.
This parameter is not supported for Windows containers.dns_search_domains
(List of String) A list of DNS search domains that are presented to the container. This parameter maps to DnsSearch
in the Create a container section of the Docker Remote API and the --dns-search
option to docker run.
This parameter is not supported for Windows containers.dns_servers
(List of String) A list of DNS servers that are presented to the container. This parameter maps to Dns
in the Create a container section of the Docker Remote API and the --dns
option to docker run.
This parameter is not supported for Windows containers.docker_labels
(Map of String) A key/value map of labels to add to the container. This parameter maps to Labels
in the Create a container section of the Docker Remote API and the --label
option to docker run. This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
docker_security_options
(List of String) A list of strings to provide custom configuration for multiple security systems. For more information about valid values, see Docker Run Security Configuration. This field isn't valid for containers in tasks using the Fargate launch type.
For Linux tasks on EC2, this parameter can be used to reference custom labels for SELinux and AppArmor multi-level security systems.
For any tasks on EC2, this parameter can be used to reference a credential spec file that configures a container for Active Directory authentication. For more information, see Using gMSAs for Windows Containers and Using gMSAs for Linux Containers in the Amazon Elastic Container Service Developer Guide.
This parameter maps to SecurityOpt
in the Create a container section of the Docker Remote API and the --security-opt
option to docker run.
The Amazon ECS container agent running on a container instance must register with the ECS_SELINUX_CAPABLE=true
or ECS_APPARMOR_CAPABLE=true
environment variables before containers placed on that instance can use these security options. For more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic Container Service Developer Guide.
For more information about valid values, see Docker Run Security Configuration.
Valid values: "no-new-privileges" | "apparmor:PROFILE" | "label:value" | "credentialspec:CredentialSpecFilePath"entry_point
(List of String) Early versions of the Amazon ECS container agent don't properly handle entryPoint
parameters. If you have problems using entryPoint
, update your container agent or enter your commands and arguments as command
array items instead.
The entry point that's passed to the container. This parameter maps to Entrypoint
in the Create a container section of the Docker Remote API and the --entrypoint
option to docker run. For more information, see https://docs.docker.com/engine/reference/builder/#entrypoint.environment
(Attributes Set) The environment variables to pass to a container. This parameter maps to Env
in the Create a container section of the Docker Remote API and the --env
option to docker run.
We don't recommend that you use plaintext environment variables for sensitive information, such as credential data. (see below for nested schema)environment_files
(Attributes List) A list of files containing the environment variables to pass to a container. This parameter maps to the --env-file
option to docker run.
You can specify up to ten environment files. The file must have a .env
file extension. Each line in an environment file contains an environment variable in VARIABLE=VALUE
format. Lines beginning with #
are treated as comments and are ignored. For more information about the environment variable file syntax, see Declare default environment variables in file.
If there are environment variables specified using the environment
parameter in a container definition, they take precedence over the variables contained within an environment file. If multiple environment files are specified that contain the same variable, they're processed from the top down. We recommend that you use unique variable names. For more information, see Specifying Environment Variables in the Amazon Elastic Container Service Developer Guide. (see below for nested schema)essential
(Boolean) If the essential
parameter of a container is marked as true
, and that container fails or stops for any reason, all other containers that are part of the task are stopped. If the essential
parameter of a container is marked as false
, its failure doesn't affect the rest of the containers in a task. If this parameter is omitted, a container is assumed to be essential.
All tasks must have at least one essential container. If you have an application that's composed of multiple containers, group containers that are used for a common purpose into components, and separate the different components into multiple task definitions. For more information, see Application Architecture in the Amazon Elastic Container Service Developer Guide.extra_hosts
(Attributes List) A list of hostnames and IP address mappings to append to the /etc/hosts
file on the container. This parameter maps to ExtraHosts
in the Create a container section of the Docker Remote API and the --add-host
option to docker run.
This parameter isn't supported for Windows containers or tasks that use the awsvpc
network mode. (see below for nested schema)firelens_configuration
(Attributes) The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more information, see Custom Log Routing in the Amazon Elastic Container Service Developer Guide. (see below for nested schema)health_check
(Attributes) The container health check command and associated configuration parameters for the container. This parameter maps to HealthCheck
in the Create a container section of the Docker Remote API and the HEALTHCHECK
parameter of docker run. (see below for nested schema)hostname
(String) The hostname to use for your container. This parameter maps to Hostname
in the Create a container section of the Docker Remote API and the --hostname
option to docker run.
The hostname
parameter is not supported if you're using the awsvpc
network mode.interactive
(Boolean) When this parameter is true
, you can deploy containerized applications that require stdin
or a tty
to be allocated. This parameter maps to OpenStdin
in the Create a container section of the Docker Remote API and the --interactive
option to docker run.links
(Set of String) The links
parameter allows containers to communicate with each other without the need for port mappings. This parameter is only supported if the network mode of a task definition is bridge
. The name:internalName
construct is analogous to name:alias
in Docker links. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed. For more information about linking Docker containers, go to Legacy container links in the Docker documentation. This parameter maps to Links
in the Create a container section of the Docker Remote API and the --link
option to docker run.
This parameter is not supported for Windows containers.
Containers that are collocated on a single container instance may be able to communicate with each other without requiring links or host port mappings. Network isolation is achieved on the container instance using security groups and VPC settings.linux_parameters
(Attributes) Linux-specific modifications that are applied to the container, such as Linux kernel capabilities. For more information see KernelCapabilities.
This parameter is not supported for Windows containers. (see below for nested schema)log_configuration
(Attributes) The log configuration specification for the container.
This parameter maps to LogConfig
in the Create a container section of the Docker Remote API and the --log-driver
option to docker run. By default, containers use the same logging driver that the Docker daemon uses. However, the container may use a different logging driver than the Docker daemon by specifying a log driver with this parameter in the container definition. To use a different logging driver for a container, the log system must be configured properly on the container instance (or on a different log server for remote logging options). For more information on the options for different supported log drivers, see Configure logging drivers in the Docker documentation.
Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the LogConfiguration data type). Additional log drivers may be available in future releases of the Amazon ECS container agent.
This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
The Amazon ECS container agent running on a container instance must register the logging drivers available on that instance with the ECS_AVAILABLE_LOGGING_DRIVERS
environment variable before containers placed on that instance can use these log configuration options. For more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic Container Service Developer Guide. (see below for nested schema)memory
(Number) The amount (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed. The total amount of memory reserved for all containers within a task must be lower than the task memory
value, if one is specified. This parameter maps to Memory
in the Create a container section of the Docker Remote API and the --memory
option to docker run.
If using the Fargate launch type, this parameter is optional.
If using the EC2 launch type, you must specify either a task-level memory value or a container-level memory value. If you specify both a container-level memory
and memoryReservation
value, memory
must be greater than memoryReservation
. If you specify memoryReservation
, then that value is subtracted from the available memory resources for the container instance where the container is placed. Otherwise, the value of memory
is used.
The Docker 20.10.0 or later daemon reserves a minimum of 6 MiB of memory for a container, so you should not specify fewer than 6 MiB of memory for your containers.
The Docker 19.03.13-ce or earlier daemon reserves a minimum of 4 MiB of memory for a container, so you should not specify fewer than 4 MiB of memory for your containers.memory_reservation
(Number) The soft limit (in MiB) of memory to reserve for the container. When system memory is under heavy contention, Docker attempts to keep the container memory to this soft limit. However, your container can consume more memory when it needs to, up to either the hard limit specified with the memory
parameter (if applicable), or all of the available memory on the container instance, whichever comes first. This parameter maps to MemoryReservation
in the Create a container section of the Docker Remote API and the --memory-reservation
option to docker run.
If a task-level memory value is not specified, you must specify a non-zero integer for one or both of memory
or memoryReservation
in a container definition. If you specify both, memory
must be greater than memoryReservation
. If you specify memoryReservation
, then that value is subtracted from the available memory resources for the container instance where the container is placed. Otherwise, the value of memory
is used.
For example, if your container normally uses 128 MiB of memory, but occasionally bursts to 256 MiB of memory for short periods of time, you can set a memoryReservation
of 128 MiB, and a memory
hard limit of 300 MiB. This configuration would allow the container to only reserve 128 MiB of memory from the remaining resources on the container instance, but also allow the container to consume more memory resources when needed.
The Docker 20.10.0 or later daemon reserves a minimum of 6 MiB of memory for a container. So, don't specify less than 6 MiB of memory for your containers.
The Docker 19.03.13-ce or earlier daemon reserves a minimum of 4 MiB of memory for a container. So, don't specify less than 4 MiB of memory for your containers.mount_points
(Attributes List) The mount points for data volumes in your container.
This parameter maps to Volumes
in the Create a container section of the Docker Remote API and the --volume
option to docker run.
Windows containers can mount whole directories on the same drive as $env:ProgramData
. Windows containers can't mount directories on a different drive, and mount point can't be across drives. (see below for nested schema)port_mappings
(Attributes Set) The list of port mappings for the container. Port mappings allow containers to access ports on the host container instance to send or receive traffic.
For task definitions that use the awsvpc
network mode, you should only specify the containerPort
. The hostPort
can be left blank or it must be the same value as the containerPort
.
Port mappings on Windows use the NetNAT
gateway address rather than localhost
. There is no loopback for port mappings on Windows, so you cannot access a container's mapped port from the host itself.
This parameter maps to PortBindings
in the Create a container section of the Docker Remote API and the --publish
option to docker run. If the network mode of a task definition is set to none
, then you can't specify port mappings. If the network mode of a task definition is set to host
, then host ports must either be undefined or they must match the container port in the port mapping.
After a task reaches the RUNNING
status, manual and automatic host and container port assignments are visible in the Network Bindings section of a container description for a selected task in the Amazon ECS console. The assignments are also visible in the networkBindings
section DescribeTasks responses. (see below for nested schema)privileged
(Boolean) When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root
user). This parameter maps to Privileged
in the Create a container section of the Docker Remote API and the --privileged
option to docker run.
This parameter is not supported for Windows containers or tasks run on FARGATElong.pseudo_terminal
(Boolean) When this parameter is true
, a TTY is allocated. This parameter maps to Tty
in the Create a container section of the Docker Remote API and the --tty
option to docker run.readonly_root_filesystem
(Boolean) When this parameter is true, the container is given read-only access to its root file system. This parameter maps to ReadonlyRootfs
in the Create a container section of the Docker Remote API and the --read-only
option to docker run.
This parameter is not supported for Windows containers.repository_credentials
(Attributes) The private repository authentication credentials to use. (see below for nested schema)resource_requirements
(Attributes List) The type and amount of a resource to assign to a container. The only supported resource is a GPU. (see below for nested schema)secrets
(Attributes List) The secrets to pass to the container. For more information, see Specifying Sensitive Data in the Amazon Elastic Container Service Developer Guide. (see below for nested schema)start_timeout
(Number) Time duration (in seconds) to wait before giving up on resolving dependencies for a container. For example, you specify two containers in a task definition with containerA having a dependency on containerB reaching a COMPLETE
, SUCCESS
, or HEALTHY
status. If a startTimeout
value is specified for containerB and it doesn't reach the desired status within that time then containerA gives up and not start. This results in the task transitioning to a STOPPED
state.
When the ECS_CONTAINER_START_TIMEOUT
container agent configuration variable is used, it's enforced independently from this start timeout value.
For tasks using the Fargate launch type, the task or service requires the following platforms:
1.3.0
or later.1.0.0
or later.For tasks using the EC2 launch type, your container instances require at least version 1.26.0
of the container agent to use a container start timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1
of the ecs-init
package. If your container instances are launched from version 20190301
or later, then they contain the required versions of the container agent and ecs-init
. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
The valid values are 2-120 seconds.
stop_timeout
(Number) Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own.
For tasks using the Fargate launch type, the task or service requires the following platforms:
1.3.0
or later.1.0.0
or later.The max stop timeout value is 120 seconds and if the parameter is not specified, the default value of 30 seconds is used.
For tasks that use the EC2 launch type, if the stopTimeout
parameter isn't specified, the value set for the Amazon ECS container agent configuration variable ECS_CONTAINER_STOP_TIMEOUT
is used. If neither the stopTimeout
parameter or the ECS_CONTAINER_STOP_TIMEOUT
agent configuration variable are set, then the default values of 30 seconds for Linux containers and 30 seconds on Windows containers are used. Your container instances require at least version 1.26.0 of the container agent to use a container stop timeout value. However, we recommend using the latest container agent version. For information about checking your agent version and updating to the latest version, see Updating the Amazon ECS Container Agent in the Amazon Elastic Container Service Developer Guide. If you're using an Amazon ECS-optimized Linux AMI, your instance needs at least version 1.26.0-1 of the ecs-init
package. If your container instances are launched from version 20190301
or later, then they contain the required versions of the container agent and ecs-init
. For more information, see Amazon ECS-optimized Linux AMI in the Amazon Elastic Container Service Developer Guide.
The valid values are 2-120 seconds.
system_controls
(Attributes List) A list of namespaced kernel parameters to set in the container. This parameter maps to Sysctls
in the Create a container section of the Docker Remote API and the --sysctl
option to docker run. For example, you can configure net.ipv4.tcp_keepalive_time
setting to maintain longer lived connections. (see below for nested schema)ulimits
(Attributes List) A list of ulimits
to set in the container. This parameter maps to Ulimits
in the Create a container section of the Docker Remote API and the --ulimit
option to docker run. Valid naming values are displayed in the Ulimit data type. This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log in to your container instance and run the following command: sudo docker version --format '{{.Server.APIVersion}}'
This parameter is not supported for Windows containers. (see below for nested schema)user
(String) The user to use inside the container. This parameter maps to User
in the Create a container section of the Docker Remote API and the --user
option to docker run.
When running tasks using the host
network mode, don't run containers using the root user (UID 0). We recommend using a non-root user for better security.
You can specify the user
using the following formats. If specifying a UID or GID, you must specify it as a positive integer.
user
user:group
uid
uid:gid
user:gid
uid:group
This parameter is not supported for Windows containers.
volumes_from
(Attributes Set) Data volumes to mount from another container. This parameter maps to VolumesFrom
in the Create a container section of the Docker Remote API and the --volumes-from
option to docker run. (see below for nested schema)working_directory
(String) The working directory to run commands inside the container in. This parameter maps to WorkingDir
in the Create a container section of the Docker Remote API and the --workdir
option to docker run.container_definitions.depends_on
container_definitions.environment
container_definitions.environment_files
container_definitions.extra_hosts
container_definitions.firelens_configuration
container_definitions.health_check
container_definitions.linux_parameters
container_definitions.linux_parameters.capabilities
container_definitions.linux_parameters.devices
container_definitions.linux_parameters.tmpfs
container_definitions.log_configuration
container_definitions.log_configuration.secret_options
container_definitions.mount_points
container_definitions.port_mappings
You can call DescribeTasks to view the hostPortRange
which are the host ports that are bound to the container ports.
host_port
(Number) The port number on the container instance to reserve for your container.
If you specify a containerPortRange
, leave this field empty and the value of the hostPort
is set as follows:
awsvpc
network mode, the hostPort
is set to the same value as the containerPort
. This is a static mapping strategy.bridge
network mode, the Amazon ECS agent finds open ports on the host and automatically binds them to the container ports. This is a dynamic mapping strategy.If you use containers in a task with the awsvpc
or host
network mode, the hostPort
can either be left blank or set to the same value as the containerPort
.
If you use containers in a task with the bridge
network mode, you can specify a non-reserved host port for your container port mapping, or you can omit the hostPort
(or set it to 0
) while specifying a containerPort
and your container automatically receives a port in the ephemeral port range for your container instance operating system and Docker version.
The default ephemeral port range for Docker version 1.6.0 and later is listed on the instance under /proc/sys/net/ipv4/ip_local_port_range
. If this kernel parameter is unavailable, the default ephemeral port range from 49153 through 65535 (Linux) or 49152 through 65535 (Windows) is used. Do not attempt to specify a host port in the ephemeral port range as these are reserved for automatic assignment. In general, ports below 32768 are outside of the ephemeral port range.
The default reserved ports are 22 for SSH, the Docker ports 2375 and 2376, and the Amazon ECS container agent ports 51678-51680. Any host port that was previously specified in a running task is also reserved while the task is running. That is, after a task stops, the host port is released. The current reserved ports are displayed in the remainingResources
of DescribeContainerInstances output. A container instance can have up to 100 reserved ports at a time. This number includes the default reserved ports. Automatically assigned ports aren't included in the 100 reserved ports quota.
name
(String) The name that's used for the port mapping. This parameter only applies to Service Connect. This parameter is the name that you use in the serviceConnectConfiguration
of a service. The name can include up to 64 characters. The characters can include lowercase letters, numbers, underscores (_), and hyphens (-). The name can't start with a hyphen.
For more information, see Service Connect in the Amazon Elastic Container Service Developer Guide.protocol
(String) The protocol used for the port mapping. Valid values are tcp
and udp
. The default is tcp
. protocol
is immutable in a Service Connect service. Updating this field requires a service deletion and redeployment.container_definitions.repository_credentials
Optional:
credentials_parameter
(String) The Amazon Resource Name (ARN) of the secret containing the private repository credentials.
When you use the Amazon ECS API, CLI, or AWS SDK, if the secret exists in the same Region as the task that you're launching then you can use either the full ARN or the name of the secret. When you use the AWS Management Console, you must specify the full ARN of the secret.container_definitions.resource_requirements
Required:
type
(String) The type of resource to assign to a container. The supported values are GPU
or InferenceAccelerator
.value
(String) The value for the specified resource type.
If the GPU
type is used, the value is the number of physical GPUs
the Amazon ECS container agent reserves for the container. The number of GPUs that's reserved for all containers in a task can't exceed the number of available GPUs on the container instance that the task is launched on.
If the InferenceAccelerator
type is used, the value
matches the deviceName
for an InferenceAccelerator specified in a task definition.container_definitions.secrets
Required:
name
(String) The name of the secret.value_from
(String) The secret to expose to the container. The supported values are either the full ARN of the ASMlong secret or the full ARN of the parameter in the SSM Parameter Store.
For information about the require IAMlong permissions, see Required IAM permissions for Amazon ECS secrets (for Secrets Manager) or Required IAM permissions for Amazon ECS secrets (for Systems Manager Parameter store) in the Amazon Elastic Container Service Developer Guide.
If the SSM Parameter Store parameter exists in the same Region as the task you're launching, then you can use either the full ARN or name of the parameter. If the parameter exists in a different Region, then the full ARN must be specified.container_definitions.system_controls
Optional:
namespace
(String) The namespaced kernel parameter to set a value
for.value
(String) The namespaced kernel parameter to set a value
for.
Valid IPC namespace values: "kernel.msgmax" | "kernel.msgmnb" | "kernel.msgmni" | "kernel.sem" | "kernel.shmall" | "kernel.shmmax" | "kernel.shmmni" | "kernel.shm_rmid_forced"
, and Sysctls
that start with "fs.mqueue.*"
Valid network namespace values: Sysctls
that start with "net.*"
All of these values are supported by Fargate.container_definitions.ulimits
Required:
hard_limit
(Number) The hard limit for the ulimit
type.name
(String) The type
of the ulimit
.soft_limit
(Number) The soft limit for the ulimit
type.container_definitions.volumes_from
Optional:
read_only
(Boolean) If this value is true
, the container has read-only access to the volume. If this value is false
, then the container can write to the volume. The default value is false
.source_container
(String) The name of another container within the same task definition to mount volumes from.ephemeral_storage
Optional:
size_in_gi_b
(Number) The total amount, in GiB, of ephemeral storage to set for the task. The minimum supported value is 20
GiB and the maximum supported value is 200
GiB.inference_accelerators
Optional:
device_name
(String) The Elastic Inference accelerator device name. The deviceName
must also be referenced in a container definition as a ResourceRequirement.device_type
(String) The Elastic Inference accelerator type to use.placement_constraints
Required:
type
(String) The type of constraint. The MemberOf
constraint restricts selection to be from a group of valid candidates.Optional:
expression
(String) A cluster query language expression to apply to the constraint. For more information, see Cluster query language in the Amazon Elastic Container Service Developer Guide.proxy_configuration
Required:
container_name
(String) The name of the container that will serve as the App Mesh proxy.Optional:
proxy_configuration_properties
(Attributes Set) The set of network configuration parameters to provide the Container Network Interface (CNI) plugin, specified as key-value pairs.
IgnoredUID
- (Required) The user ID (UID) of the proxy container as defined by the user
parameter in a container definition. This is used to ensure the proxy ignores its own traffic. If IgnoredGID
is specified, this field can be empty.IgnoredGID
- (Required) The group ID (GID) of the proxy container as defined by the user
parameter in a container definition. This is used to ensure the proxy ignores its own traffic. If IgnoredUID
is specified, this field can be empty.AppPorts
- (Required) The list of ports that the application uses. Network traffic to these ports is forwarded to the ProxyIngressPort
and ProxyEgressPort
.ProxyIngressPort
- (Required) Specifies the port that incoming traffic to the AppPorts
is directed to.ProxyEgressPort
- (Required) Specifies the port that outgoing traffic from the AppPorts
is directed to.EgressIgnoredPorts
- (Required) The egress traffic going to the specified ports is ignored and not redirected to the ProxyEgressPort
. It can be an empty list.EgressIgnoredIPs
- (Required) The egress traffic going to the specified IP addresses is ignored and not redirected to the ProxyEgressPort
. It can be an empty list. (see below for nested schema)type
(String) The proxy type. The only supported value is APPMESH
.proxy_configuration.proxy_configuration_properties
Optional:
name
(String) The name of the key-value pair. For environment variables, this is the name of the environment variable.value
(String) The value of the key-value pair. For environment variables, this is the value of the environment variable.runtime_platform
Optional:
cpu_architecture
(String) The CPU architecture.
You can run your Linux tasks on an ARM-based platform by setting the value to ARM64
. This option is available for tasks that run on Linux Amazon EC2 instance or Linux containers on Fargate.operating_system_family
(String) The operating system.tags
Optional:
key
(String) One part of a key-value pair that make up a tag. A key
is a general label that acts like a category for more specific tag values.value
(String) The optional part of a key-value pair that make up a tag. A value
acts as a descriptor within a tag category (key).volumes
Optional:
configured_at_launch
(Boolean) Indicates whether the volume should be configured at launch time. This is used to create Amazon EBS volumes for standalone tasks or tasks created as part of a service. Each task definition revision may only have one volume configured at launch in the volume configuration.
To configure a volume at launch time, use this task definition revision and specify a volumeConfigurations
object when calling the CreateService
, UpdateService
, RunTask
or StartTask
APIs.docker_volume_configuration
(Attributes) This parameter is specified when you use Docker volumes.
Windows containers only support the use of the local
driver. To use bind mounts, specify the host
parameter instead.
Docker volumes aren't supported by tasks run on FARGATElong. (see below for nested schema)efs_volume_configuration
(Attributes) This parameter is specified when you use an Amazon Elastic File System file system for task storage. (see below for nested schema)fsx_windows_file_server_volume_configuration
(Attributes) This parameter is specified when you use Amazon FSx for Windows File Server file system for task storage. (see below for nested schema)host
(Attributes) This parameter is specified when you use bind mount host volumes. The contents of the host
parameter determine whether your bind mount host volume persists on the host container instance and where it's stored. If the host
parameter is empty, then the Docker daemon assigns a host path for your data volume. However, the data isn't guaranteed to persist after the containers that are associated with it stop running.
Windows containers can mount whole directories on the same drive as $env:ProgramData
. Windows containers can't mount directories on a different drive, and mount point can't be across drives. For example, you can mount C:\my\path:C:\my\path
and D:\:D:\
, but not D:\my\path:C:\my\path
or D:\:C:\my\path
. (see below for nested schema)name
(String) The name of the volume. Up to 255 letters (uppercase and lowercase), numbers, underscores, and hyphens are allowed.
When using a volume configured at launch, the name
is required and must also be specified as the volume name in the ServiceVolumeConfiguration
or TaskVolumeConfiguration
parameter when creating your service or standalone task.
For all other types of volumes, this name is referenced in the sourceVolume
parameter of the mountPoints
object in the container definition.
When a volume is using the efsVolumeConfiguration
, the name is required.volumes.docker_volume_configuration
Optional:
autoprovision
(Boolean) If this value is true
, the Docker volume is created if it doesn't already exist.
This field is only used if the scope
is shared
.driver
(String) The Docker volume driver to use. The driver value must match the driver name provided by Docker because it is used for task placement. If the driver was installed using the Docker plugin CLI, use docker plugin ls
to retrieve the driver name from your container instance. If the driver was installed using another method, use Docker plugin discovery to retrieve the driver name. For more information, see Docker plugin discovery. This parameter maps to Driver
in the Create a volume section of the Docker Remote API and the xxdriver
option to docker volume create.driver_opts
(Map of String) A map of Docker driver-specific options passed through. This parameter maps to DriverOpts
in the Create a volume section of the Docker Remote API and the xxopt
option to docker volume create.labels
(Map of String) Custom metadata to add to your Docker volume. This parameter maps to Labels
in the Create a volume section of the Docker Remote API and the xxlabel
option to docker volume create.scope
(String) The scope for the Docker volume that determines its lifecycle. Docker volumes that are scoped to a task
are automatically provisioned when the task starts and destroyed when the task stops. Docker volumes that are scoped as shared
persist after the task stops.volumes.efs_volume_configuration
Required:
filesystem_id
(String) The Amazon EFS file system ID to use.Optional:
authorization_config
(Attributes) The authorization configuration details for the Amazon EFS file system. (see below for nested schema)root_directory
(String) The directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume will be used. Specifying /
will have the same effect as omitting this parameter.
If an EFS access point is specified in the authorizationConfig
, the root directory parameter must either be omitted or set to /
which will enforce the path set on the EFS access point.transit_encryption
(String) Determines whether to use encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be turned on if Amazon EFS IAM authorization is used. If this parameter is omitted, the default value of DISABLED
is used. For more information, see Encrypting data in transit in the Amazon Elastic File System User Guide.transit_encryption_port
(Number) The port to use when sending encrypted data between the Amazon ECS host and the Amazon EFS server. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses. For more information, see EFS mount helper in the Amazon Elastic File System User Guide.volumes.efs_volume_configuration.authorization_config
Optional:
access_point_id
(String) The Amazon EFS access point ID to use. If an access point is specified, the root directory value specified in the EFSVolumeConfiguration
must either be omitted or set to /
which will enforce the path set on the EFS access point. If an access point is used, transit encryption must be on in the EFSVolumeConfiguration
. For more information, see Working with Amazon EFS access points in the Amazon Elastic File System User Guide.iam
(String) Determines whether to use the Amazon ECS task role defined in a task definition when mounting the Amazon EFS file system. If it is turned on, transit encryption must be turned on in the EFSVolumeConfiguration
. If this parameter is omitted, the default value of DISABLED
is used. For more information, see Using Amazon EFS access points in the Amazon Elastic Container Service Developer Guide.volumes.fsx_windows_file_server_volume_configuration
Required:
file_system_id
(String) The Amazon FSx for Windows File Server file system ID to use.root_directory
(String) The directory within the Amazon FSx for Windows File Server file system to mount as the root directory inside the host.Optional:
authorization_config
(Attributes) The authorization configuration details for the Amazon FSx for Windows File Server file system. (see below for nested schema)volumes.fsx_windows_file_server_volume_configuration.authorization_config
Required:
credentials_parameter
(String)domain
(String)volumes.host
Optional:
source_path
(String) When the host
parameter is used, specify a sourcePath
to declare the path on the host container instance that's presented to the container. If this parameter is empty, then the Docker daemon has assigned a host path for you. If the host
parameter contains a sourcePath
file location, then the data volume persists at the specified location on the host container instance until you delete it manually. If the sourcePath
value doesn't exist on the host container instance, the Docker daemon creates it. If the location does exist, the contents of the source path folder are exported.
If you're using the Fargate launch type, the sourcePath
parameter is not supported.Import is supported using the following syntax:
$ terraform import awscc_ecs_task_definition.example <resource ID>