Replace Lambda fulfill step with ECS Fargate task via Step Functions

- services/fulfillment/: new Docker container — reads order from DynamoDB,
  sets fulfilled status, writes S3 receipt
- terraform: ECR repo, ECS cluster, task definition, IAM execution+task roles;
  FulfillOrder state now uses ecs:runTask.sync:2 instead of Lambda
- order_processor: remove fulfill step and s3/RECEIPTS_BUCKET dependency
- Makefile: add `build` target (ECR push); `deploy` runs build first

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: whummer

01-serverless-app/lambdas/order_processor/handler.py

@@ -6,15 +6,11 @@
 import boto3
 
 dynamodb = boto3.resource("dynamodb")
-s3 = boto3.client("s3")
 sfn = boto3.client("stepfunctions")
 
-TABLE_NAME = os.environ["ORDERS_TABLE"]
-RECEIPTS_BUCKET = os.environ["RECEIPTS_BUCKET"]
+TABLE_NAME        = os.environ["ORDERS_TABLE"]
 STATE_MACHINE_ARN = os.environ["STATE_MACHINE_ARN"]
 
-TERMINAL_STATUSES = {"fulfilled", "failed"}
-
 
 def now():
     return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
@@ -64,7 +60,6 @@ def handler(event, context):
 
     if step == "validate":        return validate(order)
     if step == "process_payment": return process_payment(order)
-    if step == "fulfill":         return fulfill(order)
     if step == "handle_failure":  return handle_failure(order)
 
     raise ValueError(f"Unknown step: {step}")
@@ -82,20 +77,6 @@ def process_payment(order):
     return order
 
 
-def fulfill(order):
-    time.sleep(2)
-    set_status(order["order_id"], "fulfilled")
-    receipt = {k: order[k] for k in ("order_id", "item", "quantity")}
-    receipt["status"] = "fulfilled"
-    s3.put_object(
-        Bucket=RECEIPTS_BUCKET,
-        Key=f"receipts/{order['order_id']}.json",
-        Body=json.dumps(receipt),
-        ContentType="application/json",
-    )
-    return order
-
-
 def handle_failure(order):
     set_status(order["order_id"], "failed")
     return order

01-serverless-app/services/fulfillment/Dockerfile

@@ -0,0 +1,5 @@
+FROM python:3.12-slim
+WORKDIR /app
+RUN pip install --no-cache-dir boto3
+COPY fulfill.py .
+CMD ["python", "fulfill.py"]

01-serverless-app/services/fulfillment/fulfill.py

@@ -0,0 +1,47 @@
+"""ECS task: fulfill an order — update DynamoDB status and write S3 receipt."""
+import json
+import os
+from datetime import datetime, timezone
+
+import boto3
+
+ORDER_ID        = os.environ["ORDER_ID"]
+TABLE_NAME      = os.environ["ORDERS_TABLE"]
+RECEIPTS_BUCKET = os.environ["RECEIPTS_BUCKET"]
+
+# LocalStack injects AWS_ENDPOINT_URL automatically into ECS task containers.
+dynamodb = boto3.resource("dynamodb")
+s3       = boto3.client("s3")
+
+
+def now():
+    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+
+table = dynamodb.Table(TABLE_NAME)
+
+resp  = table.get_item(Key={"order_id": ORDER_ID})
+order = resp["Item"]
+
+table.update_item(
+    Key={"order_id": ORDER_ID},
+    UpdateExpression="SET #s = :s, fulfilled_at = :ts",
+    ExpressionAttributeNames={"#s": "status"},
+    ExpressionAttributeValues={":s": "fulfilled", ":ts": now()},
+)
+
+receipt = {
+    "order_id": ORDER_ID,
+    "item":     order["item"],
+    "quantity": int(order["quantity"]),
+    "status":   "fulfilled",
+    "fulfilled_at": now(),
+}
+s3.put_object(
+    Bucket=RECEIPTS_BUCKET,
+    Key=f"receipts/{ORDER_ID}.json",
+    Body=json.dumps(receipt),
+    ContentType="application/json",
+)
+
+print(f"Order {ORDER_ID} fulfilled: {order['item']} x{order['quantity']}")

01-serverless-app/terraform/main.tf

@@ -64,6 +64,88 @@ resource "aws_dynamodb_table" "orders" {
   }
 }
 
+# ── ECR ───────────────────────────────────────────────────────────────────────
+
+resource "aws_ecr_repository" "fulfillment" {
+  name = "fulfillment"
+}
+
+# ── ECS ───────────────────────────────────────────────────────────────────────
+
+resource "aws_ecs_cluster" "main" {
+  name = "workshop"
+}
+
+resource "aws_iam_role" "ecs_execution" {
+  name = "ecs-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = { Service = "ecs-tasks.amazonaws.com" }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_execution" {
+  role       = aws_iam_role.ecs_execution.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+resource "aws_iam_role" "ecs_task" {
+  name = "ecs-task-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = { Service = "ecs-tasks.amazonaws.com" }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "ecs_task" {
+  role = aws_iam_role.ecs_task.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = ["dynamodb:GetItem", "dynamodb:UpdateItem"]
+        Resource = aws_dynamodb_table.orders.arn
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["s3:PutObject"]
+        Resource = "${aws_s3_bucket.receipts.arn}/*"
+      }
+    ]
+  })
+}
+
+resource "aws_ecs_task_definition" "fulfillment" {
+  family                   = "fulfillment"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  cpu                      = 256
+  memory                   = 512
+  execution_role_arn       = aws_iam_role.ecs_execution.arn
+  task_role_arn            = aws_iam_role.ecs_task.arn
+
+  container_definitions = jsonencode([{
+    name  = "fulfillment"
+    image = "${aws_ecr_repository.fulfillment.repository_url}:latest"
+    environment = [
+      { name = "ORDERS_TABLE",    value = aws_dynamodb_table.orders.name },
+      { name = "RECEIPTS_BUCKET", value = aws_s3_bucket.receipts.bucket },
+    ]
+  }])
+}
+
 # ── S3 ────────────────────────────────────────────────────────────────────────
 
 resource "aws_s3_bucket" "receipts" {
@@ -148,11 +230,28 @@ resource "aws_iam_role_policy" "sfn_policy" {
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Statement = [{
-      Effect   = "Allow"
-      Action   = "lambda:InvokeFunction"
-      Resource = aws_lambda_function.order_processor.arn
-    }]
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = "lambda:InvokeFunction"
+        Resource = aws_lambda_function.order_processor.arn
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks"]
+        Resource = "*"
+      },
+      {
+        Effect   = "Allow"
+        Action   = "iam:PassRole"
+        Resource = [aws_iam_role.ecs_execution.arn, aws_iam_role.ecs_task.arn]
+      },
+      {
+        Effect   = "Allow"
+        Action   = ["events:PutTargets", "events:PutRule", "events:DescribeRule"]
+        Resource = "*"
+      }
+    ]
   })
 }
 
@@ -202,7 +301,6 @@ resource "aws_lambda_function" "order_processor" {
   environment {
     variables = {
       ORDERS_TABLE      = aws_dynamodb_table.orders.name
-      RECEIPTS_BUCKET   = aws_s3_bucket.receipts.bucket
       STATE_MACHINE_ARN = local.state_machine_arn
     }
   }
@@ -251,12 +349,21 @@ resource "aws_sfn_state_machine" "order_processing" {
       }
       FulfillOrder = {
         Type     = "Task"
-        Resource = aws_lambda_function.order_processor.arn
+        Resource = "arn:aws:states:::ecs:runTask.sync:2"
         Parameters = {
-          "step"    = "fulfill"
-          "order.$" = "$.order"
+          LaunchType     = "FARGATE"
+          Cluster        = aws_ecs_cluster.main.arn
+          TaskDefinition = aws_ecs_task_definition.fulfillment.arn
+          Overrides = {
+            ContainerOverrides = [{
+              Name = "fulfillment"
+              Environment = [
+                { "Name" = "ORDER_ID", "Value.$" = "$.order.order_id" }
+              ]
+            }]
+          }
         }
-        ResultPath = "$.order"
+        ResultPath = null
         Catch = [{ ErrorEquals = ["States.ALL"], Next = "HandleFailure", ResultPath = "$.error" }]
         End = true
       }

Makefile

@@ -1,5 +1,7 @@
 .DEFAULT_GOAL := help
-TERRAFORM_DIR := 01-serverless-app/terraform
+TERRAFORM_DIR  := 01-serverless-app/terraform
+ECR_REGISTRY   := 000000000000.dkr.ecr.us-east-1.localhost.localstack.cloud:4566
+FULFILLMENT_DIR := 01-serverless-app/services/fulfillment
 
 help: ## Show this help
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage: make \033[36m<target>\033[0m\n\nTargets:\n"} \
@@ -27,7 +29,14 @@ setup: ## Fetch auth token and start LocalStack (runs 00-setup/setup.sh)
 init: ## Initialise Terraform (only needed once)
 	cd $(TERRAFORM_DIR) && tflocal init
 
-deploy: ## Deploy the full app to LocalStack via Terraform
+build: ## Build and push the fulfillment service image to local ECR
+	awslocal ecr create-repository --repository-name fulfillment 2>/dev/null || true
+	awslocal ecr get-login-password | \
+	  docker login --username AWS --password-stdin $(ECR_REGISTRY)
+	docker build -t $(ECR_REGISTRY)/fulfillment:latest $(FULFILLMENT_DIR)
+	docker push $(ECR_REGISTRY)/fulfillment:latest
+
+deploy: build ## Build fulfillment image then deploy the full app via Terraform
 	@[ -d $(TERRAFORM_DIR)/.terraform ] || (cd $(TERRAFORM_DIR) && tflocal init)
 	cd $(TERRAFORM_DIR) && tflocal apply -auto-approve
 
@@ -77,6 +86,6 @@ replay-dlq: ## Replay messages from the DLQ back to the main queue
 publish-token: ## Upload LOCALSTACK_AUTH_TOKEN to S3 for workshop participants
 	bash scripts/publish-workshop-token.sh
 
-.PHONY: help start stop status logs setup init deploy destroy redeploy outputs \
+.PHONY: help start stop status logs setup init build deploy destroy redeploy outputs \
         test test-fast open-ui api-endpoint inject-fault remove-fault replay-dlq \
         publish-token