feat(ecs): automatically create ec2InstanceProfile for ManagedInstancesCapacityProvider

[aemada-aws]

Issue # (if applicable)

Related to #35742

Reason for this change

The ManagedInstancesCapacityProvider construct was requiring users to pass ec2InstanceProfile. This PR makes this optional and automatically creates one.

Note that the role name must be prefixed with "ecsInstanceRole". This is a restriction from the managed policy on the infrastructure role https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonECSInfrastructureRolePolicyForManagedInstances.html
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/managed-instances-instance-profile.html

Description of changes

ec2InstanceProfile is now optional

Describe any new or updated permissions being added

• A default role is created with a scoped down version of AmazonECSInstanceRolePolicyForManagedInstances - AWS managed policy attached to the EC2 instance profile role that provides necessary permissions for ECS managed instances to register with ecs clusters, pull from ECR, send logs to CW and access ECS agent endpoint.

Description of how you validated changes

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[kg-aws]

Thank you!

[gael-ft]

Correct me if I'm wrong, but as long as this._hasEc2Capacity = true; link is not set when adding a ManagedInstancesCapacityProvider link, then the issue #35742 is not fixed.

This is due to the fact that, Ec2Service validatation link

[isker]

You're correct that it still doesn't work with Ec2Service, which is why they are changing all the examples to use FargateService.

[gael-ft]

Ah ok missed that info sorry ...

It raise some questions about some Ec2Service feature such as daemon services.
I'll asked them directly on the main issue

[kg-aws]

Thank you @gael-ft. Would you mind creating a new feature request for the daemon service use case with ECS Managed Instances through a dedicated GitHub issue?

[isker]

@aemada-aws what’s blocking this from being merged?

[Abogical]

@isker Not sure if you noticed, but we were waiting for your response to this question: #35796 (comment)

[isker]

I don't know the answer to that question. I didn't write this PR.

[Abogical]

@isker Oh sorry, I misread the author. @aemada-aws can you answer the question for reference?

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	50 ran	50 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	50 ran	50 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

[aemada-aws]

Integ test is failing because deletion fails because of a separate issue: #36071

[aemada-aws]

Correct me if I'm wrong, but as long as this._hasEc2Capacity = true; link is not set when adding a ManagedInstancesCapacityProvider link, then the issue #35742 is not fixed.

This is due to the fact that, Ec2Service validatation link

you are correct, this doesn't fix the issue of using the managed capacity provider with the ec2service construct.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

🚫 The pull request has left the queue (rule: default-squash) at b1e1db9

This pull request spent 4 seconds in the queue, with no time running CI.

Reason

The pull request can't be updated

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/security-report.yml without workflows permission

Hint

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

✅ The pull request has been merged at 0e880e8

This pull request spent 5 seconds in the queue, with no time running CI.
The checks were run in-place.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(ecs): automatically create ec2InstanceProfile for ManagedInstancesCapacityProvider #35796
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(ecs): automatically create ec2InstanceProfile for ManagedInstancesCapacityProvider #35796
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.