Add Secrets Manager policy and improve ECS deployment stability checks

- Introduce a new IAM policy for Secrets Manager access in container.ts to enhance security for task execution roles.
- Update buildspec.yml to include error handling for ECS service updates, ensuring deployment failures are logged and handled gracefully.
- Enhance deploy.sh with a timeout for ECS service stabilization and detailed logging for debugging failed deployments.

Author: Marfuen

apps/infra/modules/container.ts

@@ -144,6 +144,29 @@ export function createContainer(
     }
   );
 
+  // Add policy for Secrets Manager access to task execution role
+  const taskExecutionSecretsPolicy = new aws.iam.RolePolicy(
+    "pathfinder-task-execution-secrets-policy",
+    {
+      role: taskExecutionRole.id,
+      policy: database.secretArn.apply((secretArn) =>
+        JSON.stringify({
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Effect: "Allow",
+              Action: [
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:DescribeSecret",
+              ],
+              Resource: secretArn,
+            },
+          ],
+        })
+      ),
+    }
+  );
+
   // ECS Task Role for application permissions
   const taskRole = new aws.iam.Role("pathfinder-task-role", {
     name: "pathfinder-ecs-task-role",

apps/web/buildspec.yml

@@ -92,10 +92,15 @@ phases:
 
   post_build:
     commands:
+      - echo "Pushing images to ECR..."
       - docker push $REPOSITORY_URI:$IMAGE_TAG
       - docker push $REPOSITORY_URI:latest
       - echo "Updating ECS service to deploy new image..."
-      - aws ecs update-service --cluster $ECS_CLUSTER_NAME --service $ECS_SERVICE_NAME --force-new-deployment
+      - |
+        if ! aws ecs update-service --cluster $ECS_CLUSTER_NAME --service $ECS_SERVICE_NAME --force-new-deployment; then
+          echo "❌ Failed to update ECS service"
+          exit 1
+        fi
       - echo "Writing image definitions file..."
       - 'printf "[{\"name\":\"pathfinder-app\",\"imageUri\":\"%s\"}]" $REPOSITORY_URI:$IMAGE_TAG > imagedefinitions.json'
 

scripts/deploy.sh

@@ -67,9 +67,52 @@ echo -e "${YELLOW}🔍 Step 3: Verifying deployment...${NC}"
 
 # Wait for ECS service to stabilize after the build updated it
 echo -e "${YELLOW}⏳ Waiting for ECS deployment to stabilize...${NC}"
-aws ecs wait services-stable \
+
+# Set a timeout of 10 minutes (600 seconds) for the wait
+if ! timeout 600 aws ecs wait services-stable \
     --cluster "$CLUSTER_NAME" \
-    --services pathfinder
+    --services pathfinder; then
+    
+    echo -e "${RED}❌ ECS service failed to stabilize within 10 minutes${NC}"
+    
+    # Get the current service status for debugging
+    echo -e "${RED}Current service status:${NC}"
+    aws ecs describe-services \
+        --cluster "$CLUSTER_NAME" \
+        --services pathfinder \
+        --query 'services[0].{desired:desiredCount,running:runningCount,pending:pendingCount,status:status}' \
+        --output table
+    
+    # Get recent events
+    echo -e "${RED}Recent service events:${NC}"
+    aws ecs describe-services \
+        --cluster "$CLUSTER_NAME" \
+        --services pathfinder \
+        --query 'services[0].events[0:5]' \
+        --output json
+    
+    # Check for failed tasks
+    echo -e "${RED}Checking for task failures:${NC}"
+    TASK_ARNS=$(aws ecs list-tasks \
+        --cluster "$CLUSTER_NAME" \
+        --service-name pathfinder \
+        --desired-status STOPPED \
+        --query 'taskArns[0:3]' \
+        --output json)
+    
+    if [ "$TASK_ARNS" != "[]" ] && [ -n "$TASK_ARNS" ]; then
+        aws ecs describe-tasks \
+            --cluster "$CLUSTER_NAME" \
+            --tasks $TASK_ARNS \
+            --query 'tasks[*].{taskArn:taskArn,stoppedReason:stoppedReason}' \
+            --output table
+    fi
+    
+    echo -e "${RED}❌ Deployment failed - ECS service is not stable${NC}"
+    exit 1
+fi
+
+echo -e "${GREEN}✅ ECS service is stable${NC}"
 
 # Get ALB DNS name
 alb_dns=$(aws elbv2 describe-load-balancers \