ECS Fargate task definition ignores task/execution roles provided

[howdy10]

task_role = iam.Role.from_role_name(
            self, "shared-stack-task-role", "app-task-role"
        )
execution_role = iam.Role(
            self,
            "task-definition-execution-role",
            assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
            role_name="task-execution-role",
            managed_policies=[
                iam.ManagedPolicy.from_aws_managed_policy_name(
                    "service-role/AmazonECSTaskExecutionRolePolicy"
                )
            ],
        )
ecs_datadog = DatadogECSFargate(
            api_key=os.getenv("DD_API_KEY"),
            site="datadoghq.com",
            dogstatsd={
                "is_enabled": True,
                "is_origin_detection_enabled": True,
            },
            log_colletion={
                "is_enabled":True
            }
        )

self.task_definition = ecs_datadog.fargate_task_definition(
            self,
            "definition-main",
            props={
                "memory_limit_mib": 512,
                "cpu": 256,
                "family": "task-def-family",
                "execution_role": execution_role,
                "task_role": task_role,
            },
        )

Expected Behavior

I expect to use the provided roles in props when ecs_datadog.fargate_task_definition() is called

Actual Behavior

New roles are created and assigned to the task definition.

Steps to Reproduce the Problem

1. Using python cdk create two IAM roles
2. Initiate DatadogECSFargate construct
3. Call fargate_task_definition providing the roles in props
4. run a cdk deploy

Specifications

• Datadog Lambda Layer version: "datadog-cdk-constructs-v2>=3.2.0"
• Python version: 3.13

Stacktrace

Paste here

[avangelillo]

Hi, thanks for reaching out. Could you provide the CDK version you are on?

Also, can you confirm that you are looking at the most recent version of the Fargate task definition? In the AWS Console refreshing the task definition page after deploying a change does not necessarily bring you to the most recent version, I have to go back to the more general task definition page and select the newest version.

[howdy10]

The CDK version we have set is "aws-cdk-lib>=2.206.0,<3.0.0" which comes out to 2.214.0

I've verified we are using the latest task definition. I can confirm that since if I don't use the DatadogECSFargate construct the task definition has the appropriate roles, and when I use it they are not there.

Here is the code using the Datados ECS fargate

task_role = iam.Role.from_role_name(
            self, "blacktop-app-task-role", "blacktop-app-task-role"
        )
execution_role = iam.Role(
            self,
            "blacktop-task-definition-execution-role",
            assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
            role_name="task-execution-role",
            managed_policies=[
                iam.ManagedPolicy.from_aws_managed_policy_name(
                    "service-role/AmazonECSTaskExecutionRolePolicy"
                )
            ],
        )
ecs_datadog = DatadogECSFargate(
            api_key=os.getenv("DD_API_KEY"),
            site="datadoghq.com",
            dogstatsd={
                "is_enabled": True,
                "is_origin_detection_enabled": True,
            },
            env=dd_env,
            log_collection={"is_enabled": True},
            service="blacktop-api",
            is_datadog_essential=False,
        )

self.task_definition = ecs_datadog.fargate_task_definition(
            self,
            "definition-main",
            props={
                "memory_limit_mib": 512,
                "cpu": 256,
                "family": "blacktop-app-task-def-family",
                "execution_role": execution_role, <--------- Passing roles
                "task_role": task_role, <--------- Passing roles
            },
        )

But as you see in the task definition You see new roles that were created

Now if I don't use Datados ECS fargate construct

task_role = iam.Role.from_role_name(
            self, "blacktop-app-task-role", "blacktop-app-task-role"
        )
execution_role = iam.Role(
            self,
            "blacktop-task-definition-execution-role",
            assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
            role_name="task-execution-role",
            managed_policies=[
                iam.ManagedPolicy.from_aws_managed_policy_name(
                    "service-role/AmazonECSTaskExecutionRolePolicy"
                )
            ],
        )
self.task_definition = ecs.FargateTaskDefinition(
        self,
        "blacktop-task-definition-main",
        memory_limit_mib=512,
        cpu=256,
        family="blacktop-app-task-def-family",
        execution_role=execution_role,   <--------- Passing roles
        task_role=task_role, <--------- Passing roles
    )
self.task_definition.add_container(
            "datadog-agent",
            image=ecs.ContainerImage.from_registry(
                "public.ecr.aws/datadog/agent:latest"
            ),
            memory_reservation_mib=256,
            essential=False,
            environment={
                "DD_API_KEY": os.getenv("DD_API_KEY"),
                "DD_SITE": "datadoghq.com",
                "ECS_FARGATE": "true",
                "DD_ENV": dd_env,
                "DD_DOGSTATSD_NON_LOCAL_TRAFFIC": "true",
                "DD_APM_ENABLED": "true",
                "DD_APM_NON_LOCAL_TRAFFIC": "true",
                "DD_ECS_TASK_COLLECTION_ENABLED": "true",
                "DD_DOGSTATSD_ORIGIN_DETECTION": "false",
                "DD_ORIGIN_DETECTION_ENABLED": "false",
                "DD_SERVICE": "blacktop-api",
                "DD_ECS_COLLECT_RESOURCE_TAGS_EC2": "false",
                "DD_TAGS": f"env:{dd_env}",
            },
            port_mappings=[
                ecs.PortMapping(
                    container_port=8125, protocol=ecs.Protocol.UDP
                ),  # DogStatsD
                ecs.PortMapping(
                    container_port=8126, protocol=ecs.Protocol.TCP
                ),  # APM
            ],
            logging=ecs.LogDriver.aws_logs(stream_prefix="datadog-agent"),
        )

Now you see the roles that are passed in

[howdy10]

Now that I'm looking at it side by side seems that the construct DatadogECSFargate should have input to set the task and task execution role. So this might be new functionality?

[avangelillo]

I believe this is a bug in how the camelCase naming is converted to snake_case for Python, I was able to reproduce this issue but changing the parameter names from execution_role to executionRole seemed to fix the issue. This appears to be the case for all of the props passed here. I'm going to start on a fix for this, but if you need an immediate workaround then you can define it like the following:

self.task_definition = ecs_datadog.fargate_task_definition(
    self,
    "definition-main",
    props={
        "memoryLimitMiB": 1024,
        "cpu": 256,
        "family": "blacktop-app-task-def-family",
        "executionRole": execution_role,# <--------- Passing roles
        "taskRole": task_role, #<--------- Passing roles
    },
)

Just note that if you do this, you will need to switch back (or define both) when you upgrade versions of the datadog-cdk-constructs library

[avangelillo]

Hi again, to follow up on this it looks like jsii won't convert dictionaries automatically and that the props have to be passed in as a FargateTaskDefinitionProps object. I'd recommend doing something like the following to use the Python snake_case naming conventions:

self.task_definition = ecs_datadog.fargate_task_definition(
    self,
    "definition-main",
    props=ecs.FargateTaskDefinitionProps(
        memory_limit_mib=512,
        cpu=256,
        family="task-def-family",
        execution_role=execution_role,
        task_role=task_role,
    ),
)

I'm going to update our example python stack to include props passed in this way to make this clearer.