# ECS CloudFormation Template Reference

This is the complete CloudFormation template for deploying the ECS deployment tracker Lambda function.

## Template

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'ECS Deployment Tracker - Captures image SHAs from ECS deployments and posts to endpoint'

Parameters:
  DeploymentEndpointUrl:
    Type: String
    Description: 'HTTPS endpoint URL to POST deployment data'
    Default: 'https://app.cardinalhq.io/_/chip/workloads'
  ApiKey:
    Type: String
    Description: 'API key for endpoint authentication'
    NoEcho: true
    Default: ''

Resources:
  # IAM Role for Lambda execution
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ecs-deployment-tracker-role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        # CloudWatch Logs permissions
        - PolicyName: CloudWatchLogs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: logs:CreateLogGroup
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*'
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/ecs-deployment-tracker:*'
        # ECS Read permissions
        - PolicyName: ECSReadAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ecs:DescribeServices
                  - ecs:DescribeTaskDefinition
                # DescribeTaskDefinition has no resource-level support, so '*' is
                # required for it; DescribeServices can be split into its own
                # statement and scoped to the service ARNs you actually track.
                Resource: '*'
        # ECR Read permissions
        - PolicyName: ECRReadAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ecr:DescribeImages
                  - ecr:BatchGetImage
                # Both actions accept repository ARNs; narrow this when the
                # tracked images live in a known set of repositories.
                Resource: '*'
  # Lambda Function
  DeploymentTrackerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: ecs-deployment-tracker
      Runtime: python3.13
      # Inline ZipFile code is stored by Lambda as index.py, so the placeholder
      # below is only reachable as index.lambda_handler. Keep
      # lambda_function.lambda_handler for a zip that contains lambda_function.py.
      Handler: lambda_function.lambda_handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Environment:
        Variables:
          DEPLOYMENT_ENDPOINT_URL: !Ref DeploymentEndpointUrl
          # NoEcho only hides the parameter in the console and API responses;
          # the key is still readable by anyone allowed to view the function's
          # configuration.
          API_KEY: !Ref ApiKey
      Code:
        ZipFile: |
          # Placeholder - replace with actual code from ecs-deployment-tracker.py
          # Or upload Lambda code to S3 and reference it:
          #   Code:
          #     S3Bucket: your-bucket
          #     S3Key: ecs-deployment-tracker.zip
          import json

          def lambda_handler(event, context):
              print(json.dumps(event))
              return {"statusCode": 200, "body": "Replace this code"}
  # EventBridge Rule for ECS Deployment State Changes
  DeploymentEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: ecs-deployment-tracker-trigger
      Description: 'Trigger Lambda on ECS deployment completion'
      State: ENABLED
      EventPattern:
        source:
          - aws.ecs
        detail-type:
          - ECS Deployment State Change
        detail:
          # In this event detail.eventType carries the severity (INFO/WARN/ERROR)
          # and detail.eventName carries the deployment state, so the pattern
          # must match on eventName or the rule never fires.
          eventName:
            - SERVICE_DEPLOYMENT_COMPLETED
      Targets:
        - Arn: !GetAtt DeploymentTrackerFunction.Arn
          Id: DeploymentTrackerTarget
  # Permission for EventBridge to invoke Lambda
  LambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref DeploymentTrackerFunction
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt DeploymentEventRule.Arn

Outputs:
  LambdaFunctionArn:
    Description: 'ARN of the deployment tracker Lambda function'
    Value: !GetAtt DeploymentTrackerFunction.Arn
  LambdaFunctionName:
    Description: 'Name of the Lambda function'
    Value: !Ref DeploymentTrackerFunction
  EventBridgeRuleArn:
    Description: 'ARN of the EventBridge rule'
    Value: !GetAtt DeploymentEventRule.Arn
  IAMRoleArn:
    Description: 'ARN of the Lambda execution role'
    Value: !GetAtt LambdaExecutionRole.Arn
```

## Parameters

| Parameter | Description | Default |
|---|---|---|
| DeploymentEndpointUrl | HTTPS endpoint URL to POST deployment data | https://app.cardinalhq.io/_/chip/workloads |
| ApiKey | API key for endpoint authentication | (empty) |

## Resources Created

| Resource Type | Name | Description |
|---|---|---|
| AWS::IAM::Role | ecs-deployment-tracker-role | Lambda execution role with minimal permissions |
| AWS::Lambda::Function | ecs-deployment-tracker | Lambda function to process deployment events |
| AWS::Events::Rule | ecs-deployment-tracker-trigger | EventBridge rule to trigger on ECS deployments |
| AWS::Lambda::Permission | LambdaInvokePermission | Allows EventBridge to invoke the Lambda |

## IAM Permissions

The Lambda execution role grants the following permissions:

CloudWatch Logs:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents

ECS:
- ecs:DescribeServices
- ecs:DescribeTaskDefinition

ECR:
- ecr:DescribeImages
- ecr:BatchGetImage

## Outputs

| Output | Description |
|---|---|
| LambdaFunctionArn | ARN of the deployment tracker Lambda function |
| LambdaFunctionName | Name of the Lambda function |
| EventBridgeRuleArn | ARN of the EventBridge rule |
| IAMRoleArn | ARN of the Lambda execution role |

## Usage

Save this template as ecs-deployment-tracker-cfn.yaml and deploy using:

```bash
aws cloudformation deploy \
  --template-file ecs-deployment-tracker-cfn.yaml \
  --stack-name ecs-deployment-tracker \
  --parameter-overrides \
    DeploymentEndpointUrl=https://app.cardinalhq.io/_/chip/workloads \
    ApiKey=your-cardinal-api-key \
  --capabilities CAPABILITY_NAMED_IAM
```

Note: The template includes placeholder Lambda code. You'll need to either:

- Replace the `ZipFile` content with the actual Lambda code from the ECS guide, or
- Upload your Lambda code to S3 and reference it using the `S3Bucket` and `S3Key` parameters
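The placeholder handler in the template only echoes the event. As an added illustration (not the ecs-deployment-tracker.py from the ECS guide, whose payload format this page does not show), the block below sketches the core of what such a handler does with the permissions this template grants: validate the `ECS Deployment State Change` event, resolve the service's task definition to its container images, and build the authenticated POST to `DEPLOYMENT_ENDPOINT_URL`. The ECS client is injected so a constructed fake stands in for boto3 offline; the JSON field names and the bearer `Authorization` header are assumptions, and resolving tags to digests via `ecr:DescribeImages` is left out.

```python
import json
from urllib.request import Request

COMPLETED = "SERVICE_DEPLOYMENT_COMPLETED"

def parse_deployment_event(event):
    """Return the service ARN from an 'ECS Deployment State Change' event, or None.
    detail.eventType only carries severity (INFO/WARN/ERROR); the deployment
    outcome is in detail.eventName."""
    detail = event.get("detail") or {}
    if event.get("source") != "aws.ecs" or detail.get("eventName") != COMPLETED:
        return None
    resources = event.get("resources") or []
    return resources[0] if resources else None

def collect_images(ecs, service_arn):
    """Resolve the service's current task definition and list its container images.
    `ecs` is anything with boto3-style describe_* methods (real client in Lambda,
    fake here). Assumes the long ARN form arn:aws:ecs:REGION:ACCOUNT:service/CLUSTER/SERVICE."""
    cluster, _ = service_arn.split(":service/", 1)[1].split("/", 1)
    svc = ecs.describe_services(cluster=cluster, services=[service_arn])["services"][0]
    td = ecs.describe_task_definition(taskDefinition=svc["taskDefinition"])["taskDefinition"]
    return {
        "cluster": cluster,
        "service": svc["serviceName"],
        "taskDefinition": td["taskDefinitionArn"],
        "images": [{"name": c["name"], "image": c["image"]} for c in td["containerDefinitions"]],
    }

def build_post(payload, url, api_key):
    """Build the POST for DEPLOYMENT_ENDPOINT_URL; bearer auth is an assumption."""
    headers = {"Content-Type": "application/json"}
    if api_key:  # ApiKey defaults to '' in the template, so treat empty as unauthenticated
        headers["Authorization"] = "Bearer " + api_key
    return Request(url, data=json.dumps(payload).encode(), headers=headers, method="POST")

class FakeEcs:
    """Constructed stand-in for the boto3 ECS client; all values are sample data."""
    def describe_services(self, cluster, services):
        return {"services": [{"serviceName": "web", "taskDefinition": "arn:aws:ecs:us-east-1:123456789012:task-definition/web:7"}]}
    def describe_task_definition(self, taskDefinition):
        return {"taskDefinition": {"taskDefinitionArn": taskDefinition, "containerDefinitions": [
            {"name": "web", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web@sha256:0123abcd"}]}}

SAMPLE_EVENT = {  # constructed; same shape as the real EventBridge event
    "source": "aws.ecs", "detail-type": "ECS Deployment State Change",
    "resources": ["arn:aws:ecs:us-east-1:123456789012:service/prod/web"],
    "detail": {"eventType": "INFO", "eventName": COMPLETED, "deploymentId": "ecs-svc/1"},
}
```

In the real function, `urlopen(build_post(...))` sends the request and `boto3.client("ecs")` replaces `FakeEcs`.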
## Related Pages

- ECS Deployment Tracking Guide - Complete setup guide
- Release Agent Overview - Learn about the Release Agent