Connect Fargate instance to SSM Session Manager

docker-entrypoint.sh

#!/bin/bash

INSTANCE_NAME=acme-development
AWS_REGION="$(aws configure get region)"

################################################################################
# The section below obtains an activation code and ID from SSM, and then uses it
# to register the current agent. _This should only be done on the basis of
# tightly controlled roles granted to ECS._ Note that it is registered with two 
# tags:
#
#     Name:    While the name is set via --default-instance-name, the name will
#              only show up when queries are performed in the CLI. The "Name"
#              tag is required for the name to be visible in the AWS console.
#     Type:    This acts a flag, so that only offline Fargate instances get 
#              cleaned up.
#
# The SSM agent is then started. Output is redirected to STDOUT and the process
# is sent to the background. Both of these actions are require to prevent the
# agent from blocking the script.
################################################################################
read -r ACTIVATION_CODE ACTIVATION_ID <<< $(aws ssm create-activation --default-instance-name "${INSTANCE_NAME}" --iam-role "SSMServiceRole" --registration-limit 1 --tags "Key=Name,Value=${INSTANCE_NAME}" "Key=Type,Value=fargate" --query "join(' ', [ActivationCode, ActivationId])" --output text)
amazon-ssm-agent -register -code "${ACTIVATION_CODE}" -id "${ACTIVATION_ID}" -region "${AWS_REGION}" -clear -y
amazon-ssm-agent >&1 &

# Manage the logs by redirecting output to CloudWatch log groups...

Dockerfile

FROM debian:10-slim

RUN apt-get update -y && \
  apt-get install -y awscli curl gnupg && \
  apt-key adv --fetch-keys "https://nginx.org/keys/nginx_signing.key" && \
  echo "deb http://nginx.org/packages/debian buster nginx" > /etc/apt/sources.list.d/nginx.list

RUN curl --silent --show-error --location --output /tmp/amazon-ssm-agent.deb "https://s3.us-east-1.amazonaws.com/amazon-ssm-us-east-1/latest/debian_amd64/amazon-ssm-agent.deb" && \
  dpkg -i /tmp/amazon-ssm-agent.deb

COPY docker-entrypoint.sh /

EXPOSE 80
ENTRYPOINT [ "/docker-entrypoint.sh" ]
CMD [ "nginx" ]

index.js

const { SSM } = require('aws-sdk');
const ssm = new SSM();

exports.handler = async (event, context, callback) => {
    const { InstanceInformationList } = await ssm.describeInstanceInformation({
        Filters: [
            { Key: 'tag:Type', Values: [ 'fargate' ] },
        ]
    }).promise();
    
    const offlineInstanceIds = InstanceInformationList.reduce(( accumulator, { InstanceId, PingStatus } ) => {
        if(PingStatus != 'Online') accumulator.push(InstanceId);
        
        return accumulator;
    }, []);
    
    const totalOfflineInstances = offlineInstanceIds.length;
    const deregisteredOfflineInstances = 0;
    
    for (var offlineInstanceId of offlineInstanceIds) {
        try {
            await ssm.deregisterManagedInstance({ InstanceId: offlineInstanceId }).promise()
            deregisteredOfflineInstances++;
        } catch (e) {}
    }
    
    console.log(`Deregistered ${ deregisteredOfflineInstances } of ${ totalOfflineInstances } offline Fargate instances`);
    callback(null);
};

awesome work above!! AWS must have read this and taken note!

https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/