
chore(ecs-patterns): fix aws-ecs-patterns integration tests#37106

Merged
mergify[bot] merged 12 commits into aws:main from aemada-aws:fix/ecs-patterns-integ-tests
May 8, 2026

Conversation

@aemada-aws
Collaborator

@aemada-aws aemada-aws commented Feb 27, 2026

Issue # (if applicable)

Related: #19275 (ECS capacity provider deletion)

Reason for this change

20 integration tests in aws-ecs-patterns were failing. This PR fixes 16 of them. 4 require external resources (certificates, hosted zones) and cannot be fixed without pre-existing AWS resources.

Description of changes

Fixed Tests

ec2/integ.alb-ecs-service-command-entry-point

ec2/integ.application-load-balanced-ecs-service

  • Original error: DELETE_FAILED: The specified capacity provider is in use and cannot be removed (ResourceInUseException)
  • Fix: Removed capacityProviderName: 'first-capacity-provider' and 'second-capacity-provider'. Added destroy: { expectError: true }.

ec2/integ.healthchecks-multiple-application-load-balanced-ecs-service

  • Original error: DELETE_FAILED: Resource timed out waiting for completion, Group did not stabilize (NotStabilized)
  • Fix: Removed capacityProviderName: 'my-capacity-provider'. Added destroy: { expectError: true }.

ec2/integ.healthchecks-multiple-network-load-balanced-ecs-service

  • Original error: DELETE_FAILED: Resource timed out waiting for completion, Group did not stabilize (NotStabilized)
  • Fix: Removed capacityProviderName: 'my-capacity-provider'. Added explicit NLB security group with egress scoped to instance SG on ephemeral ports (see NLB SG fix below). Added destroy: { expectError: true }.

ec2/integ.network-load-balanced-ecs-service

  • Original error: DELETE_FAILED: The specified capacity provider is in use and cannot be removed (ResourceInUseException)
  • Fix: Removed capacityProviderName: 'first-capacity-provider' and 'second-capacity-provider'. Added explicit NLB SG. Added destroy: { expectError: true }.

fargate/integ.asset-image

  • Original error: ROLLBACK_COMPLETE: Exceeded attempts to wait (NotStabilized) — container exiting with code 142 (SIGALRM)
  • Root cause: demo-image/Dockerfile used FROM public.ecr.aws/lambda/python:3.6 which has a Lambda-specific entrypoint that expects a handler argument. When used as a regular ECS service the container exits immediately.
  • Fix: Changed to FROM public.ecr.aws/docker/library/python:3.12-slim with exec-form CMD.

fargate/integ.healthchecks-multiple-application-load-balanced-fargate-service

  • Original error: ROLLBACK_COMPLETE: Exceeded attempts to wait (NotStabilized) — ALB health check on port 90 failing
  • Root cause: Second target group used containerPort: 90 but amazon/amazon-ecs-sample only listens on port 80.
  • Fix: Changed containerPort: 90 → containerPort: 80.

fargate/integ.healthchecks-multiple-network-load-balanced-fargate-service

  • Original error: ROLLBACK_COMPLETE: Exceeded attempts to wait (NotStabilized) — NLB health check failing
  • Root cause: Same port 90 issue + NLB SG blocking health checks (see NLB SG fix below).
  • Fix: Changed containerPort: 90 → 80. Added service.connections.allowFrom(lb, Port.allTcp()) for each NLB.

fargate/integ.l3

  • Original error: ROLLBACK_COMPLETE: Exceeded attempts to wait (NotStabilized) — NLB health check failing
  • Root cause: networkLoadBalancerWithSecurityGroupByDefault feature flag creates an NLB SG with "Disallow all traffic" egress. The NLB patterns don't automatically create ingress/egress rules between the NLB SG and service SG (unlike ALB patterns).
  • Fix: nlbFargateService.service.connections.allowFrom(nlbFargateService.loadBalancer, ec2.Port.tcp(80))

fargate/integ.l3-autocreate

  • Original error: ROLLBACK_COMPLETE: Exceeded attempts to wait (NotStabilized) — NLB health check failing
  • Fix: Same NLB SG fix as integ.l3.

fargate/integ.l3-capacity-provider-strategies

  • Original error: ROLLBACK_FAILED: Exceeded attempts to wait (NotStabilized), The specified capacity provider is in use
  • Fix: NLB SG fix + destroy: { expectError: true } for capacity provider teardown.

fargate/integ.l3-vpconly

  • Original error: ROLLBACK_COMPLETE: Exceeded attempts to wait (NotStabilized) — NLB health check failing
  • Fix: Same NLB SG fix as integ.l3.

fargate/integ.multiple-network-load-balanced-fargate-service

  • Original error: ROLLBACK_COMPLETE: Exceeded attempts to wait (NotStabilized) — NLB health check failing on port 90
  • Fix: Changed containerPort: 90 → 80. Added service.connections.allowFrom for each NLB.

fargate/integ.network-load-balanced-fargate-service-custom-health

  • Original error: ROLLBACK_COMPLETE: Exceeded attempts to wait (NotStabilized) — NLB health check failing
  • Fix: NLB SG fix.

fargate/integ.runtime-platform-application-load-balanced-fargate-service

  • Original error: DELETE_FAILED: The Cluster cannot be deleted while Tasks are active (ClusterContainsTasksException)
  • Root cause: ScheduledFargateTask keeps tasks running during stack deletion. Same demo-image Dockerfile issue.
  • Fix: Fixed Dockerfile. Added destroy: { expectError: true }.

fargate/integ.special-listener

  • Original error: ROLLBACK_COMPLETE: Exceeded attempts to wait (NotStabilized) — container not starting
  • Root cause: abiosoft/caddy (Docker Hub, last updated 2019) is unreliable. Container port 2015 not matching.
  • Fix: Replaced with amazon/amazon-ecs-sample (ECR-hosted). Changed containerPort: 2015 → 80 (image listens on 80). Kept listenerPort: 2015 to preserve test intent. Added NLB SG fix.

NLB Security Group Fix (detail)

When @aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault is enabled, NLBs get a security group with "Disallow all traffic" egress. The NetworkLoadBalancedFargateService and NetworkMultipleTargetGroupsFargateService constructs don't automatically create the necessary SG rules (unlike ALB patterns).

For Fargate (awsvpc networking):

nlbService.service.connections.allowFrom(nlbService.loadBalancer, ec2.Port.tcp(80));

For EC2 (bridge networking — service.connections has no SG):

const nlbSg = new SecurityGroup(stack, 'NlbSecurityGroup', { vpc, allowAllOutbound: false });
nlbSg.addEgressRule(securityGroup, Port.tcpRange(32768, 65535), 'NLB health checks to targets');
myService.loadBalancer.connections.addSecurityGroup(nlbSg);

Skipped Tests (4) — require external resources

Test | Original Error | Reason Skipped
ec2/integ.tls-network-load-balanced-ecs-service | AssemblyError: Subprocess exited with error 1 — throws at synth if CERT_ARN not set | Requires pre-existing ACM certificate
fargate/integ.tls-network-load-balanced-fargate-service | AssemblyError: Subprocess exited with error 1 — throws at synth if CERT_ARN not set | Requires pre-existing ACM certificate
fargate/integ.alb-fargate-service-https | DNS Record Set is not available. Certificate is in FAILED status | Uses fromHostedZoneAttributes with fake ID — requires real Route53 hosted zone
ec2/integ.multiple-application-load-balanced-ecs-service-idle-timeout | InvalidDomainNameException - example.com. is reserved by AWS! | Creates PublicHostedZone with example.com which is reserved by AWS

Describe any new or updated permissions being added

None.

Description of how you validated changes

All 16 fixed tests deployed and validated on AWS account 325066840661 across 16 regions:

yarn integ \
  test/aws-ecs-patterns/test/ec2/integ.alb-ecs-service-command-entry-point.js \
  test/aws-ecs-patterns/test/ec2/integ.application-load-balanced-ecs-service.js \
  test/aws-ecs-patterns/test/ec2/integ.healthchecks-multiple-application-load-balanced-ecs-service.js \
  test/aws-ecs-patterns/test/ec2/integ.healthchecks-multiple-network-load-balanced-ecs-service.js \
  test/aws-ecs-patterns/test/ec2/integ.network-load-balanced-ecs-service.js \
  test/aws-ecs-patterns/test/fargate/integ.asset-image.js \
  test/aws-ecs-patterns/test/fargate/integ.healthchecks-multiple-application-load-balanced-fargate-service.js \
  test/aws-ecs-patterns/test/fargate/integ.healthchecks-multiple-network-load-balanced-fargate-service.js \
  test/aws-ecs-patterns/test/fargate/integ.l3-autocreate.js \
  test/aws-ecs-patterns/test/fargate/integ.l3-capacity-provider-strategies.js \
  test/aws-ecs-patterns/test/fargate/integ.l3.js \
  test/aws-ecs-patterns/test/fargate/integ.l3-vpconly.js \
  test/aws-ecs-patterns/test/fargate/integ.multiple-network-load-balanced-fargate-service.js \
  test/aws-ecs-patterns/test/fargate/integ.network-load-balanced-fargate-service-custom-health.js \
  test/aws-ecs-patterns/test/fargate/integ.runtime-platform-application-load-balanced-fargate-service.js \
  test/aws-ecs-patterns/test/fargate/integ.special-listener.js \
  --disable-update-workflow --update-on-failed --force \
  --parallel-regions us-west-2 --parallel-regions eu-west-2 --parallel-regions eu-west-3 \
  --parallel-regions eu-north-1 --parallel-regions ap-northeast-2 --parallel-regions ap-southeast-1 \
  --parallel-regions ap-southeast-2 --parallel-regions ap-south-1 --parallel-regions ca-central-1 \
  --parallel-regions sa-east-1 --parallel-regions us-east-1 --parallel-regions eu-central-1 \
  --parallel-regions ap-northeast-1 --parallel-regions us-east-2 --parallel-regions eu-west-1 \
  --parallel-regions us-west-1

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions Bot added the p2 label Feb 27, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team February 27, 2026 18:58
@mergify mergify Bot added the contribution/core This is a PR that came from AWS. label Feb 27, 2026
@github-actions
Contributor

github-actions Bot commented Feb 27, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.


Security Guardian Results: 384 ran · 376 passed ☑️ · 8 failed ❌️

Test | Result
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.asset-image.js.snapshot/aws-ecs-integ-fargate-image.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.healthchecks-multiple-application-load-balanced-fargate-service.js.snapshot/aws-ecs-integ-fargate-multi-alb-health.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.l3-autocreate.js.snapshot/aws-ecs-integ-l3-autocreate.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.l3-capacity-provider-strategies.js.snapshot/aws-ecs-integ-lb-fargate.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.l3-vpconly.js.snapshot/aws-ecs-integ-l3-vpconly.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.l3.js.snapshot/aws-ecs-integ-lb-fargate.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.runtime-platform-application-load-balanced-fargate-service.js.snapshot/aws-ecs-runtime-integ.template.json | iam-no-overly-permissive-passrole.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.special-listener.js.snapshot/aws-ecs-integ-fargate-special-listener.template.json | ec2-no-open-security-groups.guard ❌ failure

@github-actions
Contributor

github-actions Bot commented Feb 27, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.


Security Guardian Results with resolved templates: 384 ran · 377 passed ☑️ · 7 failed ❌️

Test | Result
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.asset-image.js.snapshot/aws-ecs-integ-fargate-image.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.healthchecks-multiple-application-load-balanced-fargate-service.js.snapshot/aws-ecs-integ-fargate-multi-alb-health.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.l3-autocreate.js.snapshot/aws-ecs-integ-l3-autocreate.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.l3-capacity-provider-strategies.js.snapshot/aws-ecs-integ-lb-fargate.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.l3-vpconly.js.snapshot/aws-ecs-integ-l3-vpconly.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.l3.js.snapshot/aws-ecs-integ-lb-fargate.template.json | ec2-no-open-security-groups.guard ❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.special-listener.js.snapshot/aws-ecs-integ-fargate-special-listener.template.json | ec2-no-open-security-groups.guard ❌ failure

@aemada-aws aemada-aws added the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label Feb 27, 2026
@aemada-aws aemada-aws changed the title fix(integ): fix aws-ecs-patterns integration tests chore(ecs-patterns): fix aws-ecs-patterns integration tests Feb 27, 2026
…SG, replace stale images

- Remove explicit capacityProviderName from 5 EC2 tests to prevent NAME_COLLISION
- Add service.connections.allowFrom(loadBalancer) for NLB tests to fix health check failures
  caused by networkLoadBalancerWithSecurityGroupByDefault feature flag
- Replace deprecated abiosoft/caddy image with amazon/amazon-ecs-sample in special-listener
- Add destroy: { expectError: true } for capacity provider teardown issues (aws#19275)
…file

The Lambda runtime image (public.ecr.aws/lambda/python:3.6) has a Lambda-specific
entrypoint that expects a handler argument. This causes the container to exit with
code 142 (SIGALRM) when used as a regular ECS service, failing health checks.

Container logs: 'entrypoint requires the handler name to be the first argument'
…me-platform

EC2 services use bridge networking so service.connections.allowFrom doesn't
create SG rules. Instead, create an explicit NLB SG with egress scoped to
the instance SG on ephemeral ports (32768-65535).
@aemada-aws aemada-aws force-pushed the fix/ecs-patterns-integ-tests branch from d6ed4f1 to ab79754 Compare February 27, 2026 19:04
@aemada-aws aemada-aws had a problem deploying to deployment-integ-test February 27, 2026 19:04 — with GitHub Actions Failure
@Abogical Abogical self-assigned this Apr 20, 2026
Member

@Abogical Abogical left a comment


@mergify
Contributor

mergify Bot commented May 7, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Contributor

mergify Bot commented May 7, 2026

Merge Queue Status

  • Entered queue: 2026-05-07 13:22 UTC · Rule: default-squash
  • Checks started · in-place
  • 🚫 Left the queue: 2026-05-07 20:21 UTC · at e1268696a7b38c621e576f2f9010a7c9392e010d

This pull request spent 6 hours 58 minutes 57 seconds in the queue, including 4 hours 1 minute 23 seconds running CI.

Required conditions to merge

Reason

The merge conditions cannot be satisfied due to failing checks

Hint

You may have to fix your CI before adding the pull request to the queue again.
If you update this pull request, to fix the CI, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio queue comment.

@mergify mergify Bot temporarily deployed to automation May 7, 2026 13:22 Inactive
@mergify mergify Bot had a problem deploying to deployment-integ-test May 7, 2026 13:22 Error
@mergify mergify Bot temporarily deployed to automation May 7, 2026 13:23 Inactive
@mergify mergify Bot temporarily deployed to automation May 7, 2026 16:20 Inactive
@mergify mergify Bot had a problem deploying to deployment-integ-test May 7, 2026 16:20 Failure
@mergify mergify Bot temporarily deployed to automation May 7, 2026 16:20 Inactive
@aemada-aws aemada-aws removed the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label May 8, 2026
@aemada-aws
Collaborator Author

@Mergifyio queue

@mergify
Contributor

mergify Bot commented May 8, 2026

Merge Queue Status

🛑 Queue command has been cancelled

@aemada-aws
Collaborator Author

@Mergifyio refresh

@mergify
Contributor

mergify Bot commented May 8, 2026

refresh

✅ Pull request refreshed

@mergify
Contributor

mergify Bot commented May 8, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Contributor

mergify Bot commented May 8, 2026

Merge Queue Status

  • Entered queue: 2026-05-08 08:53 UTC · Rule: default-squash
  • 🚫 Left the queue: 2026-05-08 08:53 UTC · at e1268696a7b38c621e576f2f9010a7c9392e010d

This pull request spent 12 seconds in the queue, with no time running CI.

Reason

The pull request can't be updated

expected head sha didn’t match current head ref.

Hint

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio queue comment.

@mergify
Contributor

mergify Bot commented May 8, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Contributor

mergify Bot commented May 8, 2026

Merge Queue Status

  • Entered queue: 2026-05-08 09:27 UTC · Rule: default-squash
  • Checks passed · in-place
  • Merged: 2026-05-08 10:28 UTC · at 96c68594ccb98b410ee099aa7156ee4cdaf3ae90 · squash

This pull request spent 1 hour 48 seconds in the queue, including 32 minutes 35 seconds running CI.

Required conditions to merge

@mergify mergify Bot temporarily deployed to automation May 8, 2026 09:55 Inactive
@mergify mergify Bot temporarily deployed to automation May 8, 2026 09:55 Inactive
@mergify
Contributor

mergify Bot commented May 8, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify Bot merged commit fa6df51 into aws:main May 8, 2026
21 of 25 checks passed
@github-actions
Contributor

github-actions Bot commented May 8, 2026

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators May 8, 2026

Labels

contribution/core This is a PR that came from AWS. p2


3 participants