Update the ECS worker to:

• Configure an EventBridge rule targeting ECS task state changes on startup.
• Set up an SQS queue on startup to receive events from EventBridge.

Relates to PrefectHQ/prefect#18508

Policy for worker to read from SQS

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:ChangeMessageVisibility",
        "sqs:GetQueueUrl"
      ],
      "Resource": "arn:aws:sqs:us‑east‑1:123456789012:YourQueueName*"
    }
  ]
}

YourQueueName would be the name of the SQS queue to ECS events.

Policy for worker to set up event bridge and SQS

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "events:PutRule",
        "events:PutTargets",
      ],
      "Resource":"arn:aws:events:us‑east‑1:123456789012:rule/YourRuleName"
    },
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::123456789012:role/YourEventRole"
    }
  ]
}

YourRuleName is the name of the event bridge rule to send events to SQS and YourEventRole is a role with the policy below.

Policy for event bridge to send event to SQS

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Principal":{"Service":"events.amazonaws.com"},
      "Action":[
        "sqs:SendMessage",
        "sqs:SendMessageBatch"
      ],
      "Resource":"arn:aws:sqs:us‑east‑1:123456789012:YourQueueName",
      "Condition":{
        "ArnEquals":{
          "aws:SourceArn":"arn:aws:events:us‑east‑1:123456789012:rule/YourRuleName"
        }
      }
    }
  ]
}