add ECS Exec support with Docker fallback by ntner · Pull Request #3798 · convox/rack

ntner · 2026-05-24T20:13:33Z

Summary

Add ECSExec rack parameter (Yes/No, default No) to enable ECS Exec for interactive container shell access via SSM Session Manager
convox exec uses ECS Exec when enabled (gen2 apps only), with automatic fallback to Docker exec for pre-enable tasks, gen1 apps, and disabled racks
Session credentials are passed to the CLI, which launches session-manager-plugin locally (same approach as aws ecs execute-command)

Parameter	Scope	Type	Default	Effect
`ECSExec`	Rack	Yes/No	No	Enable ECS Exec on all gen2 app services

File	Change
`formation/rack.json`	Add `ECSExec` parameter + docker labels on 4 task definitions
`formation/app.json.tmpl`	Add `ECSExec` param/condition, conditional SSM perms on ServiceRole, passthrough to service stacks
`formation/service.json.tmpl`	Add `ECSExec` param/condition, `EnableExecuteCommand` on ECS Service, conditional SSM perms on DedicatedRole
`provider/aws/aws.go`	Add `ECSExec` bool field + `loadParams` label read
`provider/aws/processes.go`	ECS Exec path in `ProcessExec`, `EnableExecuteCommand` in `ProcessRun`, Docker fallback
`provider/aws/releases.go`	Read `ECSExec` rack param and pass to app stacks
`sdk/sdk.go`	`runSessionManagerPlugin` function, session struct
`sdk/methods.go`	First-byte discriminator protocol for ECS Exec vs Docker exec sessions
`pkg/cli/rack.go`	Add `ECSExec` to `security` param group
`pkg/cli/rack_group_test.go`	Bump param count 110 to 111
`provider/aws/processes_test.go`	Reorder test cycles for moved AppGet call

Upgrading to this version triggers a rack API rolling restart (new docker labels on task definitions)
After setting ECSExec=Yes, existing running tasks use Docker exec until redeployed (CloudTrail gap during transition)
Users must install session-manager-plugin on their machine for ECS Exec sessions
Racks in fully private VPCs without NAT may need VPC endpoints for ssmmessages and ssm
Downgrade to a pre-ECSExec rack version requires first setting ECSExec=No

New parameter ECSExec (Default: No) added to rack, app, and service templates
New condition ECSExecEnabled in app and service templates
EnableExecuteCommand property added to ECS Service resource (conditional)
Conditional ssm-exec inline policy on ServiceRole (app.json.tmpl) and DedicatedRole (service.json.tmpl)
No resource renames, no Output changes, no Fn::ImportValue changes
UPDATE behavior only (no REPLACE)

add ECS Exec support with Docker fallback

07cab23

ntner added the status/6-merge label May 28, 2026

ntner mentioned this pull request May 28, 2026

[RELEASE] 20260527232200 #3801

Open