NAME

app-FargateStack-env.pl - Preflight checker for ECS Fargate environments

USAGE

app-FargateStack-env.pl [options]

DESCRIPTION

Runs read-only checks against the target AWS account and region to verify that common ECS Fargate deployment scenarios are feasible. Produces an ASCII table with PASS/WARN/FAIL rows and a capabilities summary for:

- HTTP services
- HTTPS service
- Scheduled tasks
- One-shot tasks
- Daemon services

No resources are created or modified. Intended as a fast “can I deploy here?” probe for humans and CI.

Options

--profile STR

AWS config/credentials profile to use. Defaults to $ENV{AWS_PROFILE} or the SDK’s default behavior if unset.

--region STR

AWS region to target (e.g. us-east-1). Defaults to $ENV{AWS_REGION} if set.

--dns | --no-dns

Enable or disable Route 53 checks. Default: enabled. Use --no-dns (or --nodns) to skip DNS checks.

--dns-profile STR

Alternate AWS profile for Route 53 lookups. Useful when DNS is managed in a separate account. Falls back to --profile if not provided.

--https | --no-https

Enable or disable ACM certificate checks (same region as the load balancer). Default: disabled. Turn on if you plan to deploy HTTPS.

--secrets | --no-secrets

Enable or disable Secrets Manager reachability checks. Default: disabled. When enabled, the checker verifies control-plane reachability (e.g., VPC endpoint present or NAT available). It does not validate individual GetSecretValue permissions for task roles.

OUTPUT

The main table includes rows like:

Credentials
Service-linked roles
VPC/Subnets
Egress
ECS perms
ELBv2 perms
CloudWatch Logs perms
ECR
Events perms
iam:PassRole
Route 53
ACM
Secrets Manager

Each row has a Status of PASS, WARN, or FAIL and a Detail string. Typical examples:

- Egress: PASS with NAT present; missing VPC endpoints are called out as optional.
- Events perms: PASS when EventBridge APIs are readable (e.g., list-event-buses).
- iam:PassRole: PASS when simulation allows passing target roles to
  ecs-tasks.amazonaws.com and events.amazonaws.com.

CAPABILITIES SUMMARY

After the table, a summary lists readiness for common Fargate scenarios:

YES   = all required checks PASS
MAYBE = at least one required check WARN (no FAILs)
NO    = at least one required check FAIL or a required check is missing

The gates for each capability are:

HTTP services    : Credentials, VPC/Subnets, Egress, ECS perms,
                   ELBv2 perms, CloudWatch Logs perms, iam:PassRole
HTTPS service    : HTTP services + ACM
Scheduled tasks  : Credentials, VPC/Subnets, Egress, ECS perms,
                   Events perms, CloudWatch Logs perms, iam:PassRole
One-shot tasks   : Credentials, VPC/Subnets, Egress, ECS perms,
                   CloudWatch Logs perms, iam:PassRole
Daemon services  : Credentials, VPC/Subnets, Egress, ECS perms,
                   CloudWatch Logs perms, iam:PassRole

EXIT STATUS

0  All checks PASS
1  One or more checks WARN (no FAILs)
2  One or more checks FAIL

These exit codes are designed for CI gating.
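As an added illustration (not the tool's own code), the capability gates and exit-status rules above applied to a constructed table of check rows; the row names, gate lists and codes are the ones this page states, the sample statuses are made up:

```python
"""Evaluate the capabilities summary and CI exit status from check rows.

Added example of the rules stated in this man page, not code from
app-FargateStack-env.pl itself. SAMPLE_ROWS is a constructed table.
"""

# Checks required by every capability (see CAPABILITIES SUMMARY).
COMMON = ["Credentials", "VPC/Subnets", "Egress", "ECS perms",
          "CloudWatch Logs perms", "iam:PassRole"]

# Required checks per capability, as listed on the page.
GATES = {
    "HTTP services":   COMMON + ["ELBv2 perms"],
    "HTTPS service":   COMMON + ["ELBv2 perms", "ACM"],
    "Scheduled tasks": COMMON + ["Events perms"],
    "One-shot tasks":  COMMON,
    "Daemon services": COMMON,
}

def capability(rows, required):
    """YES if every required check is PASS, MAYBE if the worst is WARN,
    NO on any FAIL or when a required check is absent from the table
    (e.g. ACM when --https was not enabled)."""
    statuses = [rows.get(name) for name in required]
    if "FAIL" in statuses or None in statuses:
        return "NO"
    if "WARN" in statuses:
        return "MAYBE"
    return "YES"

def summary(rows):
    return {cap: capability(rows, req) for cap, req in GATES.items()}

def exit_status(rows):
    """Table-wide code for CI: 0 all PASS, 1 any WARN but no FAIL, 2 any FAIL.
    Note this covers every row, not only the rows a capability gates on."""
    if "FAIL" in rows.values():
        return 2
    if "WARN" in rows.values():
        return 1
    return 0

# Constructed sample: --https off (no ACM row); Events perms only WARN.
SAMPLE_ROWS = {
    "Credentials": "PASS", "Service-linked roles": "PASS",
    "VPC/Subnets": "PASS", "Egress": "PASS", "ECS perms": "PASS",
    "ELBv2 perms": "PASS", "CloudWatch Logs perms": "PASS", "ECR": "PASS",
    "Events perms": "WARN", "iam:PassRole": "PASS",
}

if __name__ == "__main__":
    for cap, verdict in summary(SAMPLE_ROWS).items():
        print(f"{cap:16}: {verdict}")
    print("exit status:", exit_status(SAMPLE_ROWS))
```

With the sample table the process exits 1 because of the Events WARN, while HTTP services still reads YES and HTTPS service reads NO only because the ACM row is absent.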

NOTES

  • Read-only

    The checker performs only Describe*/List* calls and IAM simulation where available. It does not create, update, or delete resources.

  • Service-linked roles (SLRs)

    The checker reports on SLRs relevant to ECS/ELB. EventBridge does not have a single generic “AWSServiceRoleForEvents”; feature-specific SLRs are outside the default scope.

  • Egress semantics

    For private subnets, NAT is sufficient for pulling images and writing logs. VPC endpoints for ECR (api+dkr) and Logs are recommended in restricted/air-gapped environments; missing endpoints are reported as optional when NAT is present.

  • iam:PassRole simulation

    When role names are known or derivable, the checker simulates iam:PassRole for each target role against ecs-tasks.amazonaws.com and events.amazonaws.com. If role names are not available, the tool may WARN and capabilities depending on PassRole may degrade to MAYBE.

  • Separate DNS account

    If Route 53 is managed in another account, use --dns-profile. The header will display the active “Route53 profile” for clarity.

EXAMPLES

Minimal, default profile/region:

app-FargateStack-env.pl

Explicit profile/region:

app-FargateStack-env.pl --profile sandbox --region us-east-1

Skip DNS checks entirely:

app-FargateStack-env.pl --no-dns

Use a separate Route 53 account, and enable HTTPS + Secrets checks:

app-FargateStack-env.pl --profile sandbox --region us-east-1 \
  --dns-profile prod --https --secrets

SEE ALSO

ECS, Fargate, ELBv2, EventBridge, Route 53, ACM, CloudWatch Logs, ECR.
