From d03ba779f1f40d1b144800575c7e51ed2c54d4ae Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Thu, 12 Mar 2026 16:50:47 +0100
Subject: [PATCH] Fix task def drift: let Terraform own revisions, deploy just restarts

ecs-deploy was creating new task def revisions from the latest family revision, which lost Terraform's structural changes (readonlyRootFilesystem, user, volumes).

Now:
- ecs-deploy uses --force-new-deployment (no new revisions)
- Remove ignore_changes = [task_definition] from ECS service module
- Remove update-task-def.sh (no longer needed)

Terraform owns the task definition structure. Docker build pushes :latest. Deploy just forces ECS to pull the new :latest image.
---
 .github/workflows/ecs-deploy.yml | 8 ++------
 scripts/ecs-deploy.sh | 25 ++++++++----------------
 scripts/update-task-def.sh | 24 ------------------------
 terraform/modules/ecs-service/main.tf | 4 ----
 4 files changed, 10 insertions(+), 51 deletions(-)
 delete mode 100644 scripts/update-task-def.sh

diff --git a/.github/workflows/ecs-deploy.yml b/.github/workflows/ecs-deploy.yml
index 9a25b64..2adce74 100644
--- a/.github/workflows/ecs-deploy.yml
+++ b/.github/workflows/ecs-deploy.yml
@@ -4,9 +4,9 @@ on:
 workflow_call:
 inputs:
 image_tag:
- description: "Container image tag to deploy"
+ description: "Container image tag (unused — kept for workflow_call compat)"
 type: string
- required: true
+ default: ""
 service_name:
 description: "ECS service name (defaults to repo name)"
 type: string
@@ -59,8 +59,4 @@ jobs:
 env:
 SERVICE: ${{ inputs.service_name || github.event.repository.name }}
 CLUSTER: ${{ inputs.cluster_name }}
- IMAGE_TAG: ${{ inputs.image_tag }}
- ECR_REPO: ${{ github.event.repository.name }}
- ACCOUNT_ID: ${{ inputs.aws_account_id }}
- REGION: ${{ inputs.aws_region }}
 run: sh .platform/scripts/ecs-deploy.sh
diff --git a/scripts/ecs-deploy.sh b/scripts/ecs-deploy.sh
index f39fd44..12bbad3 100644
--- a/scripts/ecs-deploy.sh
+++ b/scripts/ecs-deploy.sh
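Review bot: A caller that passes a specific `image_tag` to this reusable workflow now gets whatever image the task definition already references (per the commit message, `:latest`) with no warning, because the input survives with `default: ""` and nothing in the job inspects the value it receives. A pinned tag silently becoming `:latest` is exactly the mismatch that ends with an unintended artifact in production, so I would either reject a non-default tag or say plainly that it is ignored. A minimal guard step, taking the input through `env` rather than interpolating the expression into the shell: `env: { IMAGE_TAG: "${{ inputs.image_tag }}" }` and `run: '[ -z "$IMAGE_TAG" ] || [ "$IMAGE_TAG" = latest ] || { echo "::error::image_tag=$IMAGE_TAG cannot be deployed; this workflow only restarts the service onto :latest"; exit 1; }'`. If failing such callers is not acceptable, the description should at least read `"Ignored — the deploy restarts the service on the task definition's current image (expected :latest); kept for workflow_call compat"` so nobody relies on it.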
@@ -1,30 +1,21 @@
 #!/bin/sh
 # Deploy a new container image to an ECS service.
 #
+# Forces a new deployment so ECS pulls the latest image for the current
+# task definition. Does NOT create new task definition revisions — that's
+# Terraform's job. This avoids drift between TF-managed task defs
+# (with security hardening, volumes, etc.) and deploy-time revisions.
+#
 # Usage: ecs-deploy.sh
 #
-# Env: CLUSTER, SERVICE, ECR_REPO, IMAGE_TAG, ACCOUNT_ID, REGION
+# Env: CLUSTER, SERVICE

 set -e

-SCRIPT_DIR=$(dirname "$0")
-export ECR_URI="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${ECR_REPO}:${IMAGE_TAG}"
-
-# Use the latest family revision (includes structural changes from Terraform)
-# rather than the revision currently running on the service.
-aws ecs describe-task-definition --task-definition "$SERVICE" \
- --query 'taskDefinition' > task-def.json
- sh "$SCRIPT_DIR/update-task-def.sh" task-def.json task-def-new.json
- NEW_ARN=$(aws ecs register-task-definition \
- --cli-input-json file://task-def-new.json \
- --query 'taskDefinition.taskDefinitionArn' --output text)
-echo "New task definition: $NEW_ARN"
-
+echo "Forcing new deployment for ${SERVICE} on ${CLUSTER}..."
 aws ecs update-service \
 --cluster "$CLUSTER" --service "$SERVICE" \
- --task-definition "$NEW_ARN" > /dev/null
+ --force-new-deployment > /dev/null

 echo "Waiting for service to stabilize..."
 aws ecs wait services-stable --cluster "$CLUSTER" --services "$SERVICE"
diff --git a/scripts/update-task-def.sh b/scripts/update-task-def.sh
deleted file mode 100644
index 137a924..0000000
--- a/scripts/update-task-def.sh
+++ /dev/null
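Review bot: The rewritten script drops the only input validation the old flow had — the deleted `update-task-def.sh` failed early with `ECR_URI is required` — and now hands `$CLUSTER` and `$SERVICE` to `aws ecs update-service` under `set -e` but without `set -u`, so a variable the workflow forgot to export reaches the CLI as an empty argument instead of producing a clear message. I would add `: "${CLUSTER:?CLUSTER is required}"` and `: "${SERVICE:?SERVICE is required}"` directly after `set -e`. Separately, because the rollout now depends on whatever `:latest` resolves to at pull time, the deploy log no longer identifies the artifact that went live; after `services-stable` I would print the running digest with `aws ecs describe-tasks --cluster "$CLUSTER" --tasks $(aws ecs list-tasks --cluster "$CLUSTER" --service-name "$SERVICE" --query 'taskArns' --output text) --query 'tasks[].containers[].[image,imageDigest]' --output text`, so each deployment can be tied to an image digest for rollback and incident review. The new header comment's claim that ECS "pulls the latest image" also presumes the Terraform-managed task definition references a mutable tag; if that definition ever pins a digest, `--force-new-deployment` is only a restart, which is worth stating, e.g. `# Relies on the task definition's image being a mutable tag (:latest); a digest-pinned image is restarted, not updated.`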
@@ -1,24 +0,0 @@
-#!/bin/sh
-# Update an ECS task definition with a new container image.
-#
-# Usage: update-task-def.sh
-#
-# Env: ECR_URI — full image URI with tag
-
-set -e
-
-INPUT="$1"
-OUTPUT="$2"
-
-if [ -z "$ECR_URI" ]; then
- echo "ECR_URI is required" >&2
- exit 1
-fi
-
-jq --arg uri "$ECR_URI" '
- .containerDefinitions[0].image = $uri |
- del(.taskDefinitionArn, .revision, .status, .requiresAttributes,
- .compatibilities, .registeredAt, .registeredBy, .deregisteredAt)
-' "$INPUT" > "$OUTPUT"
-
-echo "Updated task definition: $OUTPUT"
diff --git a/terraform/modules/ecs-service/main.tf b/terraform/modules/ecs-service/main.tf
index 604132c..eb197ba 100644
--- a/terraform/modules/ecs-service/main.tf
+++ b/terraform/modules/ecs-service/main.tf
@@ -97,9 +97,5 @@ resource "aws_ecs_service" "this" {
 container_port = var.port
 }

- lifecycle {
- ignore_changes = [task_definition]
- }
-
 depends_on = [aws_ecs_task_definition.this]
 }