v1.10.0: Possible false-positive for E3054: 'RequiresCompatibilities' is a required property #3592

Closed
r-heimann opened this issue Aug 13, 2024 · 7 comments · Fixed by #3593

Comments

@r-heimann
CloudFormation Lint Version

1.10.0

What operating system are you using?

Windows 11

Describe the bug

After updating to 1.10.0 I get the following error for AWS::ECS::TaskDefinition:

[cfn-lint] E3054: 'RequiresCompatibilities' is a required property
Registers a new task definition from the supplied ``family`` and ``containerDefinitions``.
Optionally, you can add data volumes to your containers with the ``volumes`` parameter.
For more information about task definition parameters and defaults, see [Amazon ECS Task Definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_defintions.html) in the *Amazon Elastic Container Service Developer Guide*.

You can specify a role for your task with the ``taskRoleArn`` parameter.
When you specify a role for a task, its containers can then use the latest versions of the CLI or SDKs to make API requests to the AWS services that are specified in the policy that's associated with the role.
For more information, see [IAM Roles for Tasks](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html) in the *Amazon Elastic Container Service Developer Guide*.....

Expected behavior

cfn-lint doesn't give that error, since I can deploy the stack.

Reproduction template

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      NetworkMode: awsvpc
      TaskRoleArn: !GetAtt TaskRole.Arn
      ExecutionRoleArn: !GetAtt ExecutionRole.Arn
      Cpu: 512
      Memory: 1024
      RuntimePlatform:
        CpuArchitecture: ARM64
      ContainerDefinitions:
        - Name: ContainerName
          Image: <IMAGE>
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref AWS::Region
              awslogs-group: !Ref LogGroup
              awslogs-stream-prefix: !Ref AWS::StackName
@kddejong
Contributor

This rule crosses into the AWS::ECS::Service definition as well. Can you provide that resource as well? We should be triggering this only when the service has a LaunchType of Fargate.

ECSService:
    Type: AWS::ECS::Service
    Properties:
      LaunchType: FARGATE

as part of this comment and replicated through some testing.

@r-heimann
Author

Here you go:

  ECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterSettings:
        - Name: containerInsights
          Value: enabled
      CapacityProviders:
        - FARGATE

  ECSService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ECSCluster
      TaskDefinition: !GetAtt ECSTaskDefinition.TaskDefinitionArn
      DesiredCount: 1
      LaunchType: FARGATE
      PropagateTags: SERVICE
      NetworkConfiguration:
        AwsvpcConfiguration:
          SecurityGroups:
            - !GetAtt SecurityGroup.GroupId
          Subnets:
            - <Subnet>
      EnableExecuteCommand: true

  ECSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      NetworkMode: awsvpc
      TaskRoleArn: !GetAtt TaskRole.Arn
      ExecutionRoleArn: !GetAtt ExecutionRole.Arn
      Cpu: 512
      Memory: 1024
      RuntimePlatform:
        CpuArchitecture: ARM64
      ContainerDefinitions:
        - Name: ContainerName
          Image: <IMAGE>
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-region: !Ref AWS::Region
              awslogs-group: !Ref LogGroup
              awslogs-stream-prefix: !Ref AWS::StackName

@r-heimann
Author

According to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-requirescompatibilities, you do not need RequiresCompatibilities:

RequiresCompatibilities
The task launch types the task definition was validated against.
The valid values are EC2, FARGATE, and EXTERNAL.
For more information, see Amazon ECS launch types in the Amazon Elastic Container Service Developer Guide.

Required: No

Type: Array of String

Update requires: Replacement

@kddejong
Contributor

Looks like NetworkMode: awsvpc will drop the need for RequiresCompatibilities: [FARGATE].

This will succeed without RequiresCompatibilities specified. Dropping the NetworkMode property will again require RequiresCompatibilities.

ECSTaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      NetworkMode: awsvpc

When removing NetworkMode you will get the error Invalid request provided: CreateService error: Task definition does not support launch_type FARGATE.

@kddejong
Contributor

This caveat only seems to apply to NetworkMode: awsvpc; other network modes still require FARGATE to be specified.

@kddejong
Contributor

This PR will remove this error when NetworkMode is awsvpc or an object (Function to some possibly dynamic value)
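
The decision described across this thread, as an added example that is not part of the original comments and is not cfn-lint's own code: a task definition is flagged only when a Fargate service references it, `RequiresCompatibilities` is absent, and `NetworkMode` is neither `awsvpc` nor an intrinsic-function object. The function names and the dict-shaped template (intrinsics as `{"Ref": ...}` / `{"Fn::GetAtt": ...}`) are assumptions made for the illustration.

```python
# Simplified model of the E3054 cross-resource check discussed in this issue.
# Assumption: the template is already parsed into dicts, with intrinsic
# functions in long form ({"Ref": ...}, {"Fn::GetAtt": ...}).

def referenced_task_definition(value):
    """Logical ID that a Service's TaskDefinition property points at, or None."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        target = value.get("Fn::GetAtt")
        if isinstance(target, str):          # "ECSTaskDefinition.TaskDefinitionArn"
            return target.split(".", 1)[0]
        if isinstance(target, list) and target:
            return target[0]
    return None                              # literal ARN/family: cannot be resolved

def missing_requires_compatibilities(template):
    """Task definitions that should carry RequiresCompatibilities but do not."""
    resources = template.get("Resources", {})
    flagged = []
    for service in resources.values():
        props = service.get("Properties", {})
        if service.get("Type") != "AWS::ECS::Service" or props.get("LaunchType") != "FARGATE":
            continue
        task_id = referenced_task_definition(props.get("TaskDefinition"))
        task = resources.get(task_id, {})
        if task.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        task_props = task.get("Properties", {})
        if "RequiresCompatibilities" in task_props:
            continue
        mode = task_props.get("NetworkMode")
        # Exemption from the thread: awsvpc, or an object whose value is
        # only known at deploy time (an intrinsic function).
        if mode == "awsvpc" or isinstance(mode, dict):
            continue
        if task_id not in flagged:
            flagged.append(task_id)
    return flagged

def sample_template(task_properties):
    """Constructed input: one Fargate service pointing at one task definition."""
    return {"Resources": {
        "ECSService": {"Type": "AWS::ECS::Service", "Properties": {
            "LaunchType": "FARGATE",
            "TaskDefinition": {"Fn::GetAtt": ["ECSTaskDefinition", "TaskDefinitionArn"]}}},
        "ECSTaskDefinition": {"Type": "AWS::ECS::TaskDefinition",
                              "Properties": task_properties}}}

if __name__ == "__main__":
    for case in ({"NetworkMode": "awsvpc"}, {}, {"NetworkMode": "bridge"}):
        print(case, "->", missing_requires_compatibilities(sample_template(case)))
```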

@r-heimann
Author

Thank you!
