feat(scheduler-targets): EcsRunTask scheduler target

[gracelu0]

Issue # (if applicable)

Closes #27456

Reason for this change

Currently the module supports all templated targets for EventBridge scheduler except for EcsRunTask.

Description of changes

• Added new base class EcsRunTask with public static methods onFargate and onEc2 depending on where user wants to schedule their ECS task. Decided on this design since some of the parameters in EcsParameters only apply one of Fargate or EC2.

Describe any new or updated permissions being added

• Grant ecs:RunTask to the schedule execution role for the task definition

  this.props.taskDefinition.grantRun(role);

// TaskDefinition grant method 
  public grantRun(grantee: iam.IGrantable) {
    grantee.grantPrincipal.addToPrincipalPolicy(this.passRoleStatement);
    return iam.Grant.addToPrincipal({
      grantee,
      actions: ['ecs:RunTask'],
      resourceArns: [this.taskDefinitionArn],
    });
  }

• If tags are defined, grant ecs:TagResourceto the schedule execution tole for tasks in the cluster

    if (this.props.propagateTags === true || this.props.tags) {
      role.addToPrincipalPolicy(new PolicyStatement({
        actions: ['ecs:TagResource'],
        resources: [`arn:${this.cluster.stack.partition}:ecs:${this.cluster.env.region}:${this.props.taskDefinition.env.account}:task/${this.cluster.clusterName}/*`],
      }));
    }

• iam:PassRole permissions to the schedule execution role for each task execution role (docs)

    if (this.props.taskDefinition.executionRole !== undefined) {
      role.addToPrincipalPolicy(new PolicyStatement({
        actions: ['iam:PassRole'],
        resources: [this.props.taskDefinition.executionRole.roleArn],
      }));
    }

• for fargate, iam:PassRole permissions to the schedule execution role for the task role

    if (this.props.taskDefinition.isFargateCompatible) {
      role.addToPrincipalPolicy(new PolicyStatement({
        actions: ['iam:PassRole'],
        resources: [this.props.taskDefinition.taskRole.roleArn],
      }));
    }

Description of how you validated changes

Added unit tests and integration tests with assertions.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.24%. Comparing base (7f5bf4e) to head (109b25f).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33697   +/-   ##
=======================================
  Coverage   82.24%   82.24%           
=======================================
  Files         119      119           
  Lines        6875     6875           
  Branches     1161     1161           
=======================================
  Hits         5654     5654           
  Misses       1118     1118           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.24% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.24% <ø> (ø)

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 109b25f
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[godwingrs22]

Thanks @gracelu0 for this great work. LGTM overall. Left few nits and comments for my understanding.

[godwingrs22]

nit: May be it would be good to rename the property like vpcSubnets or subnets

[godwingrs22]

qq: For my understanding, do we need to add PassRole statement to the executionRole?

grantRun already provides the passRole statement required to run this task defintion. Usually ExecutionRole grants the ECS Fargate agent to make AWS API calls on behalf. I'm not sure if we need to add PassRole statement to it. From the unit test, I could see two times the PassRole is added for the same ARN

[godwingrs22]

Same here not sure if we need to add PassRole statement to the task role.

[godwingrs22]

Can we have one test case for assignPublicIp: true with public subnet?

[godwingrs22]

nit: since this taskDefinition is for Fargate, would be good to rename to fargateTaskDefinition ?

[godwingrs22]

Can we a unit test for both fargate and ec2 task by calling like below also?

new scheduler.Schedule(stack, 'Schedule', {
        schedule: scheduler.ScheduleExpression.rate(cdk.Duration.minutes(5)),
        target: new targets.FargateTask(...)
      });

new scheduler.Schedule(stack, 'Schedule', {
        schedule: scheduler.ScheduleExpression.rate(cdk.Duration.minutes(5)),
        target: new targets.EC2Task(...)
      });

[godwingrs22]

Can we also assert PlacementStrategy?

[godwingrs22]

nit: Good to have a test case for this capacityProviderStrategies and launchType behaviour.