chore(ecs): fix failing ECS integration tests

[aemada-aws]

Issue # (if applicable)

Reason for this change

10 ECS integration tests were failing due to various issues:

• Teardown failures from capacity providers / managed instances still in use during stack deletion
• Cross-stack export deletion ordering when IntegTest is scoped to the stack
• t2.micro instance type unavailability in certain AZs
• Container health check targeting wrong port (8000 instead of 80)
• Missing NLB-to-service security group ingress rule with networkLoadBalancerWithSecurityGroupByDefault feature flag
• Managed instances tests using incorrect instance profile naming (missing ecsInstanceRole prefix required by AmazonECSInfrastructureRolePolicyForManagedInstances) and overly restrictive instance requirements (NVIDIA GPU + Intel CPU only)
• EBS volume initialization rate test requiring an external EBS snapshot that does not exist

Description of changes

10 tests fixed across the aws-ecs module:

1. fargate/integ.capacity-providers — Wrapped in IntegTest with destroy.expectError: true (#19275).

2. external/integ.daemon-service — Changed IntegTest scope from stack to app to fix cross-stack export deletion ordering. When scoped to the stack, the deploy-assert stack holds a reference to the main stack exports, preventing deletion.

3. ec2/integ.capacity-provider — Wrapped in IntegTest with destroy.expectError: true (#19275).

4. ec2/integ.pseudo-terminal — Changed instance type from t2.micro to t3.micro. t2.micro is not available in all AZs, causing ASG launch failures.

5. fargate/integ.exec-command — Fixed container health check from curl localhost:8000 to curl localhost:80. The amazon/amazon-ecs-sample image serves on port 80; port 8000 always fails, preventing service stabilization.

6. fargate/integ.enable-execute-command — Same health check port fix (8000 → 80).

7. fargate/integ.nlb-awsvpc-nw — Added service.connections.allowFrom(lb, ec2.Port.tcp(80)). With the networkLoadBalancerWithSecurityGroupByDefault feature flag, the NLB gets a security group but no ingress rules were created on the service SG, so NLB health checks always failed. Also wrapped in IntegTest.

8. fargate/integ.ebs-volume-initialization-rate — Replaced external SNAPSHOT_ID env var dependency with an in-stack EBS volume + snapshot created via a NodejsFunction-backed custom resource that waits for snapshot completion before returning.

9. integ.managedinstances-no-default-capacity-provider — Removed custom IAM roles/instance profile with hardcoded names. The AmazonECSInfrastructureRolePolicyForManagedInstances managed policy requires instance profiles prefixed with ecsInstanceRole; the test used InstanceProfile which does not match. Now lets the construct create defaults with the correct prefix. Removed NVIDIA accelerator and Intel CPU manufacturer constraints. Removed hardcoded regions: ['us-west-2'] since FMI is available in all commercial regions. Added destroy.expectError: true (#36071).

10. integ.managedinstances-capacity-provider — Same fixes as above. Added destroy.expectError: true (#36071).

Describe any new or updated permissions being added

No new IAM permissions. The NLB fix adds a security group ingress rule (port 80 TCP) to the Fargate service security group to allow traffic from the NLB — required for health checks and traffic routing to function correctly.

Description of how you validated changes

All 10 fixed tests were deployed and validated via integ-runner with --update-on-failed across multiple regions (us-east-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1):

yarn integ \
  test/aws-ecs/test/fargate/integ.capacity-providers.js \
  test/aws-ecs/test/external/integ.daemon-service.js \
  test/aws-ecs/test/ec2/integ.capacity-provider.js \
  test/aws-ecs/test/ec2/integ.pseudo-terminal.js \
  test/aws-ecs/test/fargate/integ.nlb-awsvpc-nw.js \
  test/aws-ecs/test/fargate/integ.exec-command.js \
  test/aws-ecs/test/fargate/integ.enable-execute-command.js \
  test/aws-ecs/test/fargate/integ.ebs-volume-initialization-rate.js \
  test/aws-ecs/test/integ.managedinstances-no-default-capacity-provider.js \
  test/aws-ecs/test/integ.managedinstances-capacity-provider.js \
  --disable-update-workflow \
  --update-on-failed \
  --force \
  --parallel-regions us-east-1 us-west-2

Destructive changes (expected):

• integ.exec-command and integ.enable-execute-command: TaskDef replaced (health check change)
• integ.managedinstances-*: IAM roles/instance profiles replaced (removed hardcoded names, switched to construct defaults)

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results	264 ran	262 passed		2 failed

Test	Result
Security Guardian Results
packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.ebs-volume-initialization-rate.js.snapshot/integ-aws-ecs-ebs-volume-initialization-rate.template.json
ec2-ebs-encryption-enabled.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/integ.managedinstances-capacity-provider.js.snapshot/integ-managedinstances-capacity-provider.template.json
ec2-no-open-security-groups.guard	❌ failure

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results with resolved templates	264 ran	263 passed		1 failed

Test	Result
Security Guardian Results with resolved templates
packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/fargate/integ.ebs-volume-initialization-rate.js.snapshot/integ-aws-ecs-ebs-volume-initialization-rate.template.json
ec2-ebs-encryption-enabled.guard	❌ failure

• View Security Guardian Results with resolved templates

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-03-18 09:42 UTC · Rule: default-squash
• ✅ Checks passed · in-place
• ✅ Merged — 2026-03-18 10:24 UTC · at 69a35255c121069f9540d7ea90b69b6b273df9b2

This pull request spent 42 minutes 30 seconds in the queue, including 42 minutes 17 seconds running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • chore(ecs): fix failing ECS integration tests #36968
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • chore(ecs): fix failing ECS integration tests #36968
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.