Table: aws_ecs_task_definition - Query AWS ECS Task Definitions using SQL
The AWS ECS Task Definition is a blueprint that describes how a Docker container should launch. It specifies the Docker image to use for the container, the required resources, and other configurations. Task Definitions are used in conjunction with the Amazon Elastic Container Service (ECS) to run containers reliably on AWS.
Table Usage Guide
The aws_ecs_task_definition
table in Steampipe provides you with information about the task definitions within AWS Elastic Container Service (ECS). This table allows you, as a DevOps engineer, to query task-specific details, including the task definition ARN, family, network mode, revision, and status. You can utilize this table to gather insights on task definitions, such as their configuration, associated IAM roles, container definitions, volumes, and more. The schema outlines the various attributes of the ECS task definition for you, including the task definition ARN, family, requires compatibility, and associated tags.
Examples
Basic info
Explore the configuration and status of task definitions in AWS ECS to understand their processing power and network configuration. This can be useful for optimizing resource allocation and network settings for better system performance.
select task_definition_arn, cpu, network_mode, title, status, tagsfrom aws_ecs_task_definition;
select task_definition_arn, cpu, network_mode, title, status, tagsfrom aws_ecs_task_definition;
Count the number of containers attached to each task definitions
Explore the distribution of containers across various task definitions to better manage and optimize the use of resources in an AWS ECS environment.
select task_definition_arn, jsonb_array_length(container_definitions) as num_of_conatinersfrom aws_ecs_task_definition;
select task_definition_arn, json_array_length(container_definitions) as num_of_conatinersfrom aws_ecs_task_definition;
List containers with elevated privileges on the host container instance
Determine the areas in which containers are operating with elevated privileges within your host container instance. This is useful to identify potential security risks and ensure secure configuration of your container infrastructure.
select task_definition_arn, cd ->> 'Privileged' as privileged, cd ->> 'Name' as container_namefrom aws_ecs_task_definition, jsonb_array_elements(container_definitions) as cdwhere cd ->> 'Privileged' = 'true';
select task_definition_arn, json_extract(cd.value, '$.Privileged') as privileged, json_extract(cd.value, '$.Name') as container_namefrom aws_ecs_task_definition, json_each(container_definitions) as cdwhere json_extract(cd.value, '$.Privileged') = 'true';
List task definitions with containers where logging is disabled
This query is useful in identifying all task definitions with containers where logging has been disabled in the AWS ECS system. This can aid in improving security and compliance by enabling you to quickly pinpoint areas where logging should be enabled for better tracking and auditing.
select task_definition_arn, cd ->> 'Name' as container_name, cd ->> 'LogConfiguration' as log_configurationfrom aws_ecs_task_definition, jsonb_array_elements(container_definitions) as cdwhere cd ->> 'LogConfiguration' is null;
select task_definition_arn, json_extract(cd.value, '$.Name') as container_name, json_extract(cd.value, '$.LogConfiguration') as log_configurationfrom aws_ecs_task_definition, json_each(container_definitions) as cdwhere json_extract(cd.value, '$.LogConfiguration') is null;
Schema for aws_ecs_task_definition
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
compatibilities | jsonb | The launch type to use with your task. | |
container_definitions | jsonb | A list of container definitions in JSON format that describe the different containers that make up your task. | |
cpu | bigint | The number of cpu units used by the task. | |
deregistered_at | timestamp with time zone | The Unix timestamp for the time when the task definition was deregistered. | |
ephemeral_storage_size_in_gib | bigint | The total amount, in GiB, of ephemeral storage to set for the task. The minimum supported value is 21 GiB and the maximum supported value is 200 GiB. | |
execution_role_arn | text | The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf. | |
family | text | = | The name of a family that this task definition is registered to. |
inference_accelerators | jsonb | The Elastic Inference accelerator associated with the task. | |
ipc_mode | text | The IPC resource namespace to use for the containers in the task. | |
memory | bigint | The amount (in MiB) of memory used by the task. | |
network_mode | text | The Docker networking mode to use for the containers in the task. | |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
pid_mode | text | The process namespace to use for the containers in the task. | |
placement_constraints | jsonb | An array of placement constraint objects to use for tasks. | |
proxy_configuration | jsonb | The configuration details for the App Mesh proxy. | |
region | text | The AWS Region in which the resource is located. | |
registered_at | text | The Unix timestamp for when the task definition was registered. | |
registered_by | text | The principal that registered the task definition. | |
requires_attributes | jsonb | The container instance attributes required by your task. | |
requires_compatibilities | jsonb | The launch type the task requires. If no value is specified, it will default to EC2. Valid values include EC2 and FARGATE. | |
revision | bigint | The revision of the task in a particular family. | |
runtime_platform | jsonb | The operating system that your task definitions are running on. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
status | text | = | The status of the task definition. |
tags | jsonb | A map of tags for the resource. | |
tags_src | jsonb | A list of tags associated with task. | |
task_definition_arn | text | = | The Amazon Resource Name (ARN) that identifies the task definition. |
task_role_arn | text | The short name or full Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants containers in the task permission to call AWS APIs on your behalf. | |
title | text | Title of the resource. | |
volumes | jsonb | The list of volume definitions for the task. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_ecs_task_definition