Overview
Fargate removes the need to manage EC2 instances for containers. The pipeline focuses on repeatable image builds and controlled ECS service updates with health checks before traffic shifts.
Pipeline stages
- Build — `docker build`, tagged with the git SHA (immutable) plus `latest`
- Push — authenticate to ECR, push image layers
- Deploy — register new task definition, update ECS service, wait for steady state
ECS configuration
Task definitions pin CPU, memory, the container image URI, CloudWatch logging, and secrets injected from SSM Parameter Store or Secrets Manager. The service sits in a target group behind an ALB, whose HTTP health checks decide whether new tasks receive traffic.
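The three pipeline stages and the task definition described above, as one added example (not the project's own pipeline): a POSIX shell deploy script that tags the image with the git SHA and `latest`, pushes to ECR, renders a Fargate task definition with CloudWatch logging and secrets resolved from SSM/Secrets Manager, registers it, updates the service, and waits for steady state. The account id, registry, cluster, service, role ARNs and secret ARNs are placeholders; the `aws` and `docker` calls only run when the script is invoked as `deploy.sh deploy <git-sha>`.

```shell
#!/bin/sh
# Added example (not the project's own pipeline). Registry, region, cluster,
# service, role and secret ARNs below are placeholders; set them from CI.
set -eu

AWS_REGION="${AWS_REGION:-us-east-1}"
ECR_REPO="${ECR_REPO:-123456789012.dkr.ecr.us-east-1.amazonaws.com/app}"   # placeholder account/repo
CLUSTER="${CLUSTER:-app-cluster}"
SERVICE="${SERVICE:-app-service}"
FAMILY="${FAMILY:-app}"
EXEC_ROLE="${EXEC_ROLE:-arn:aws:iam::123456789012:role/app-execution-role}"  # pulls image, reads secrets, writes logs
TASK_ROLE="${TASK_ROLE:-arn:aws:iam::123456789012:role/app-task-role}"      # what the app itself may call

# Two tags for one image: the git SHA is the immutable, deployable reference;
# latest is only a convenience pointer and is never what gets deployed.
image_tags() {
    printf '%s:%s %s:latest\n' "$ECR_REPO" "$1" "$ECR_REPO"
}

# Render the task definition for the given image URI. CPU/memory are Fargate
# sizes; logs go to CloudWatch; secrets are fetched by the execution role at
# task start from SSM / Secrets Manager, so no secret value sits in the task def.
render_task_def() {
    image="$1"
    cat <<EOF
{
  "family": "$FAMILY",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "256",
  "memory": "512",
  "executionRoleArn": "$EXEC_ROLE",
  "taskRoleArn": "$TASK_ROLE",
  "containerDefinitions": [{
    "name": "app",
    "image": "$image",
    "essential": true,
    "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "/ecs/$FAMILY",
        "awslogs-region": "$AWS_REGION",
        "awslogs-stream-prefix": "app"
      }
    },
    "secrets": [
      {"name": "DB_PASSWORD", "valueFrom": "arn:aws:ssm:$AWS_REGION:123456789012:parameter/app/db_password"},
      {"name": "API_KEY", "valueFrom": "arn:aws:secretsmanager:$AWS_REGION:123456789012:secret:app/api_key"}
    ]
  }]
}
EOF
}

# Build, push, deploy. Runs only when invoked as: deploy.sh deploy <git-sha>
deploy() {
    sha="$1"
    set -- $(image_tags "$sha")           # $1 = sha tag, $2 = latest tag
    docker build -t "$1" -t "$2" .
    aws ecr get-login-password --region "$AWS_REGION" \
        | docker login --username AWS --password-stdin "${ECR_REPO%%/*}"
    docker push "$1"
    docker push "$2"
    # Register the immutable tag, never latest, so the revision records exactly what runs.
    task_arn=$(render_task_def "$1" \
        | aws ecs register-task-definition --cli-input-json file:///dev/stdin \
            --query 'taskDefinition.taskDefinitionArn' --output text)
    aws ecs update-service --cluster "$CLUSTER" --service "$SERVICE" \
        --task-definition "$task_arn" >/dev/null
    # Blocks until new tasks pass ALB health checks; a non-zero exit fails the CI job.
    aws ecs wait services-stable --cluster "$CLUSTER" --services "$SERVICE"
    echo "deployed $task_arn"
}

if [ "${1:-}" = "deploy" ]; then
    deploy "$2"
fi
```

The rendering and tagging functions are pure shell so they can be checked in CI without AWS credentials; everything that touches AWS is confined to `deploy`, which is the only place the OIDC-assumed role is needed.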
Rollback strategy
Keep previous task definition revisions. If a deployment fails its health checks, the ECS deployment circuit breaker (or a manual rollback) reverts the service to the last known-good revision without rebuilding the image.
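Both rollback paths above, as an added example that is not part of the original page: enabling the deployment circuit breaker with automatic rollback, and a manual rollback that re-points the service at the previous ACTIVE revision of the family. Cluster, service and family names are placeholders; `previous_revision` is a hypothetical pure-shell helper so the revision selection can be tested without AWS access, and the `aws` calls run only when the script is invoked with `circuit-breaker` or `rollback`.

```shell
#!/bin/sh
# Added example (not the project's own tooling). Cluster/service/family are placeholders.
set -eu

CLUSTER="${CLUSTER:-app-cluster}"
SERVICE="${SERVICE:-app-service}"
FAMILY="${FAMILY:-app}"

# Automatic path: when new tasks keep failing ALB health checks, ECS marks the
# deployment FAILED and rolls back to the last completed deployment on its own.
enable_circuit_breaker() {
    aws ecs update-service --cluster "$CLUSTER" --service "$SERVICE" \
        --deployment-configuration "deploymentCircuitBreaker={enable=true,rollback=true}" >/dev/null
}

# Given the currently deployed task definition ARN and a newline-separated list
# of ACTIVE revision ARNs for the family, print the revision immediately before
# the current one. Returns 1 when there is nothing older to roll back to.
previous_revision() {
    current="$1"
    list="$2"
    cur_rev="${current##*:}"
    best=""
    for arn in $list; do
        rev="${arn##*:}"
        if [ "$rev" -lt "$cur_rev" ]; then
            if [ -z "$best" ] || [ "$rev" -gt "${best##*:}" ]; then
                best="$arn"
            fi
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Manual path: no image rebuild, just a service update to the known-good
# revision, followed by the same steady-state wait the forward deploy uses.
rollback() {
    current=$(aws ecs describe-services --cluster "$CLUSTER" --services "$SERVICE" \
        --query 'services[0].taskDefinition' --output text)
    active=$(aws ecs list-task-definitions --family-prefix "$FAMILY" --status ACTIVE \
        --query 'taskDefinitionArns' --output text | tr '\t' '\n')
    target=$(previous_revision "$current" "$active")
    echo "rolling back $current -> $target"
    aws ecs update-service --cluster "$CLUSTER" --service "$SERVICE" \
        --task-definition "$target" >/dev/null
    aws ecs wait services-stable --cluster "$CLUSTER" --services "$SERVICE"
}

case "${1:-}" in
    circuit-breaker) enable_circuit_breaker ;;
    rollback) rollback ;;
esac
```

Choosing the previous revision by number rather than "whatever was deployed last" matters when a deregistered revision still appears in history: only ACTIVE revisions are listed, so a revision that was retired on purpose is never picked.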
Security
- OIDC to AWS — no long-lived keys in CI
- ECR image scanning on push
- Task role vs execution role separated for least privilege
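The three controls above, as an added example that is not the project's own IaC: the OIDC trust policy that lets CI assume the deploy role without stored keys (pinned to one repository and branch), separate execution-role and task-role policies, and scan-on-push for the ECR repository. The account id, GitHub org/repo, role names, secret paths and the S3 bucket are placeholders, and the `token.actions.githubusercontent.com` OIDC provider is assumed to already exist in the account; the `aws` calls run only when the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example (not the project's own IaC). Account id, org/repo, role names,
# secret paths and bucket are placeholders.
set -eu

ACCOUNT="${ACCOUNT:-123456789012}"
GITHUB_REPO="${GITHUB_REPO:-example-org/app}"
ECR_REPO_NAME="${ECR_REPO_NAME:-app}"

# Trust policy for the role CI assumes via OIDC. The aud condition pins the
# token to STS; the sub condition restricts it to one repo and one branch, so a
# token minted by a fork or a feature branch cannot assume the deploy role.
oidc_trust_policy() {
    repo="$1"; branch="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::$ACCOUNT:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "repo:$repo:ref:refs/heads/$branch"
      }
    }
  }]
}
EOF
}

# Execution role: only what ECS needs to start the task (pull the image, fetch
# the referenced secrets, write logs). Application code never sees it.
execution_role_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Resource": "arn:aws:ecr:*:$ACCOUNT:repository/$ECR_REPO_NAME"},
    {"Effect": "Allow", "Action": ["ssm:GetParameters", "secretsmanager:GetSecretValue"],
     "Resource": ["arn:aws:ssm:*:$ACCOUNT:parameter/app/*", "arn:aws:secretsmanager:*:$ACCOUNT:secret:app/*"]},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:$ACCOUNT:log-group:/ecs/app:*"}
  ]
}
EOF
}

# Task role: only what the application calls at runtime. Keeping it separate
# means a compromised container holds no ECR, SSM or Secrets Manager permissions.
task_role_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"}
  ]
}
EOF
}

apply() {
    oidc_trust_policy "$GITHUB_REPO" main > /tmp/ci-trust.json
    aws iam create-role --role-name ci-deploy-role --assume-role-policy-document file:///tmp/ci-trust.json
    execution_role_policy > /tmp/exec.json
    aws iam put-role-policy --role-name app-execution-role --policy-name exec --policy-document file:///tmp/exec.json
    task_role_policy > /tmp/task.json
    aws iam put-role-policy --role-name app-task-role --policy-name task --policy-document file:///tmp/task.json
    # Every pushed image is scanned; pair this with a CI gate that reads the findings before deploy.
    aws ecr put-image-scanning-configuration --repository-name "$ECR_REPO_NAME" \
        --image-scanning-configuration scanOnPush=true
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

The policy functions emit JSON so the same documents can be diffed in review and checked in CI: a useful gate is to fail the pipeline if the task-role policy ever gains an `ecr:`, `ssm:` or `secretsmanager:` action, which would collapse the role separation.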