If I wanted to validate that that an ECS service is running the latest image for a tag, how would I do that?
I can:
describe_services to get the task definitiondescribe_task_definition to get the image associatedBut that image is in whatever form that's in the task definition. If the task definition says service:1.1, that's a good start, but what if a new image has been pushed that is tagged service:1.1 since deployment? There's no way to tell from looking at the image in the task definition.
Maybe that makes sense because it is, after all, the definition, not the task itself. So what about describe_tasks? Looks promising. Except describe_tasks doesn't talk about the image at all. It does have a container ARN, but what good is that? I can't find any API call that uses container ARNs at all -- am I missing something?
Basically -- is there any way to identify the specific image down to the digest level that is running for each task on an ECS service so that you can tell if you should force a new deployment?
Confirmed by Amazon Support, there isn't currently a good way to validate that the image deployed on a given task is the same as the latest image pushed with the tag specified in the task definition.
It's not ideal, but I could compare the deployment's updatedAt and the task definition's image with the image's pushedAt, I suppose. That won't give me an explicit "which image am I using", but it will tell me "has the image tag been pushed since the service was updated?"