Improving operational visibility with Amazon Web Services Fargate task retirement notifications

Introduction

Amazon Web Services Fargate , the serverless compute engine for containerized workloads, removes the undifferentiated heavy lifting of securing and patching the underlying infrastructure. In this blog post we dive into Amazon Web Services Fargate task retirement , one of the ways Amazon Web Services keeps the infrastructure secure and up to date.

Amazon Web Services has recently updated the Amazon Web Services Fargate task retirement process, consolidating the notifications customers receive about upcoming retirements, and rolling out a mechanism to allow customers to control the time between a notification and a task retirement . In this post, we will explore these changes in more detail and provide an example of how to use these notifications to achieve operational excellence .

Background

When deploying an Amazon Elastic Container Service (Amazon ECS) task on to Amazon Web Services Fargate, a platform version is specified in the Amazon ECS service or standalone task API call . A platform version refers to the runtime environment of the host operating system, a combination of the kernel and container runtime. Within a platform version, there is an internal construct known as a platform version revision. Platform version revisions are immutable and released as the runtime environment evolves, for example, if there are kernel bug fixes or security updates. Every time a new task is scheduled on to Amazon Web Services Fargate, it is always launched on to the latest revision of the specified platform version.

Over time, Amazon Web Services may determine that an existing platform version revision that is supporting running tasks needs to be retired. When a revision is retired, all tasks running on that revision will be stopped by Amazon Web Services Fargate. There are a number of reasons why a revision may need to be retired, including security vulnerabilities and performance improvements. In the past Amazon Web Services Fargate has retired one to two platform version revisions each month, however there is no fixed support period for a particular platform version revision. Due to the typical life span of a platform version revision, customers with short lived workloads will experience far fewer task retirements then a customer with a task running for multiple weeks.

The diagram above shows the full lifecycle of an Amazon Web Services Fargate platform version revision. Once a new platform version revision is launched, all new tasks will be scheduled on to this revision. Existing tasks that have already been scheduled and running will remain on the revision they were originally placed on for the duration of the task and will not be migrated to the new revision. If the task is replaced, for example as part of an update to an ECS service or Amazon Web Services Fargate task retirement, the new task will be placed on to latest platform version revision available at the time of launch.

Task retirement

The following diagram shows the end-to-end process of Amazon Web Services Fargate task retirement.

When Amazon Web Services marks a platform version revision as needing to be retired, we identify all of the tasks that are running on that platform version revision in all Amazon Web Services Regions. We then send out one notification per account per Region, highlighting the affected tasks or services and a date when the retirements will start to take place. The notification is sent via email to the primary email contact on the Amazon Web Services account, as well as to the Amazon Web Services Health Dashboard . Notifications sent to the Amazon Web Services Health Dashboard can be forwarded through Amazon EventBridge to Amazon Web Services services or third party tools .

Once a notification has been sent, a customer has a period of time (known as the task retirement wait period) to take manual action if they want to control the exact timing before Amazon Web Services Fargate initiates the automatic task retirement process. When Amazon Web Services Fargate stops a task, if the task is part of an ECS service, it will be stopped respecting the service’s minimumHealthyPercent value. For standalone tasks , it is customers’ responsibility to monitor the state of running tasks and start replacements.

To minimalize the impact of Amazon Web Services Fargate task retirement, workloads should be deployed following Amazon ECS best practices . For example, when deploying a stateless application as an Amazon ECS service, such as a web or API server, customers should deploy multiple task replicas and set the minimumHealthyPercent to 100%. Therefore, when Amazon Web Services Fargate starts retiring tasks, Amazon ECS will first schedule a new task and wait for it to be running , before retiring an old task.

For more information on the task retirement process, see the Amazon Web Services Fargate documentation .

Task retirement wait period

The length of the task retirement wait period can now be controlled by a new Amazon ECS AccountSetting , fargateTaskRetirementWaitPeriod . Before Amazon Web Services Fargate will stop a task for task retirement, customers can leverage the task retirement wait period to stop tasks on their own schedule, for example if they have workloads that can only be stopped in a specific window.

The task retirement wait period can be configured to one of the set time intervals in the table below. We recommend biasing towards a shorter wait period where possible, to pick up new platform version revisions sooner.

In the rare scenario of a critical security update, Amazon Web Services Fargate may override this task retirement wait period, sending a task retirement notification and immediately retiring the affected tasks. Mirroring the effect of setting the fargateTaskRetirementWaitPeriod to 0 .

The existing fargateTaskRetirementWaitPeriod value can be seen with the aws ecs list-account-settings command.

$ aws ecs list-account-settings \
    --name fargateTaskRetirementWaitPeriod \
    --effective-settings
{
    "settings": [
        {
            "name": " fargateTaskRetirementWaitPeriod",
            "value": "14",
            "principalArn": "arn:aws:iam::123456789012:root"
        }
    ]
}

The fargateTaskRetirementWaitPeriod can be configured with the aws ecs put-account-setting-default command.

$ aws ecs put-account-setting-default \
    --name fargateTaskRetirementWaitPeriod \
    --value 14

For more information on the task retirement wait time, see the task retirement and the Amazon ECS AccountSetting documentation.

Solution overview: Capturing task retirement notifications

When there is an upcoming task retirement, Amazon Web Services sends a task retirement notification to the Amazon Web Services Health Dashboard and to the primary email contact on the Amazon Web Services account. The Amazon Web Services Health Dashboard provides a number of integrations into other Amazon Web Services services, including Amazon EventBridge . By leveraging Amazon EventBridge customers can build automations from a task retirement notification, such as increasing the visibility of the upcoming retirement by forwarding the message to a ChatOps tool.

Amazon Web Services Health Aware is a great resource in showing the power of the Amazon Web Services Health Dashboard and how notifications can be distributed throughout an organization. In this walkthrough, we take inspiration from this project and forward a task retirement notification to the chat application, Slack. The notifications are captured by an EventBridge rule looking for events with the Event Detail Type: "AWS Health Event" and the Event Detail Type Code: "AWS_ECS_TASK_PATCHING_RETIREMENT" . Once the rule has captured a notification, it will trigger an Amazon Web Services Lambda function that parses the event for affected resources and forwards it to a Slack Incoming Webhook .

The following diagram below shows the high-level architecture of this solution.

Prerequisites

To complete the walkthrough, the following prerequisites need to be in place:

• An existing Slack workspace with the Incoming Webhook Slack application installed and enabled.
• An Amazon Web Services account with the relevant permissions to deploy an Amazon EventBridge rule and Amazon Web Services Lambda function.
• The Amazon Web Services SAM CLI installed and configured on a local development workstation.

Solution walkthrough

1. The sample code of the walkthrough is stored in a GitHub repository . The first step of this walkthrough is to clone the repository to a local development workstation.

$ git clone https://github.com/aws-samples/capturing-aws-fargate-task-retirement-notifications.git
$ cd capturing-aws-fargate-task-retirement-notifications

2. Next, we build and deploy the Lambda function and the EventBridge rule defined in an Amazon Web Services SAM template cloudformation.yaml . Note you will need to enter parameters in to the deployment wizard, including your Slack workspace URI and Slack channel.

$ sam build --template cloudformation.yaml 
$ sam deploy --guided
Configuring SAM deploy
======================

     Looking for config file [samconfig.toml] :  Not found

    Setting default arguments for 'sam deploy'
    =========================================
    Stack Name [sam-app]: FargateTaskRetirementNotifications
    AWS Region [eu-west-1]: eu-west-1
    Parameter SlackWorkspaceURL []: https://hooks.slack.com/services/workspace/app/token
    Parameter SlackChannel []: platform-eng
    #Shows you resources changes to be deployed and require a 'Y' to initiate deploy
    Confirm changes before deploy [y/N]: y
    #SAM needs permission to be able to create roles to connect to the resources in your template
    Allow SAM CLI IAM role creation [Y/n]:        
    #Preserves the state of previously provisioned resources when an operation fails
    Disable rollback [y/N]: 
    Save arguments to configuration file [Y/n]: 
    SAM configuration file [samconfig.toml]: 
    SAM configuration environment [default]:

3. Test it! Here we send two sample events to Amazon EventBridge to ensure everything is working correctly. Because we are unable to simulate Amazon Web Services Health notifications, we will instead trigger the workflow by creating EventBridge events that match the EventBridge rule. There are two events in the sample repository, one for tasks attached to an Amazon ECS service and one for standalone tasks.

$ aws events put-events --entries file://sample_service_event.json
$ aws events put-events --entries file://sample_task_event.json

4. In your Slack workspace, you should now see two Slack notifications, one for each test event.

Clean Up

To clean up the sample walkthrough, use the Amazon Web Services SAM CLI to remove the CloudFormation stack with $ sam delete .

Conclusion

In this blog post, we dived deep into the Amazon Web Services Fargate task retirement process. We have shown how the task retirement wait period can be adjusted if customers want to control the time between a notification and a retirement. Finally, we have shown how customers can capture task retirement notifications with Amazon EventBridge and Amazon Web Services Lambda. To learn more about the Amazon Web Services Fargate task retirement, please the Amazon Web Services Fargate documentation .