It would be powerful if Bitbucket allowed Pipelines to be executed as a task in a customer's EC2 Container Service (ECS) cluster. This would allow customers to:
- Access private resources in their VPC such as a private package repository.
- Use IAM roles (i.e. not disclose their AWS secret keys to you).
- Scale their own build fleets.
I would imagine the flow would go something like this:
- The customer creates a predefined IAM role (copy and paste from the documentation) that allows the following permissions: RegisterTaskDefinition, RunTask, StopTask, and ListTasks (possibly more).
- The customer then grants the Bitbucket AWS account the STS AssumeRole permission.
- The customer configures their ECS integration by specifying the cluster name, CPU/memory limits, etc.
- When starting a pipeline you would call the RegisterTaskDefinition API (if the TaskDefinition doesn't already exist) and run the task.
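To make the proposed flow concrete, here is an added example (my own illustration, not code from the original post or from Bitbucket) of the two IAM policy documents the customer would create and the ECS call sequence the integration would run. The account IDs, region, cluster name, role names and external ID are assumed placeholders. Two points go beyond the post's list: the trust policy carries an `sts:ExternalId` condition, because a role that any Bitbucket customer could name in their configuration is a confused-deputy risk, and the permissions policy adds `iam:PassRole` (and `ecs:ListTaskDefinitions` for the "does it already exist" check), since `RunTask` fails for a task definition that names a task role unless the caller may pass that role.

```python
"""Added example: customer-side IAM policies and the ECS call sequence for
running a pipeline as a task. All identifiers below are assumed placeholders."""
import json

CUSTOMER_ACCOUNT = "111111111111"   # assumed customer account
BITBUCKET_ACCOUNT = "222222222222"  # hypothetical account Pipelines would call from
REGION = "us-east-1"
CLUSTER_NAME = "bitbucket-builds"
ROLE_NAME = "BitbucketPipelinesEcsRunner"
EXTERNAL_ID = "a-random-value-shown-once-in-the-integration-ui"  # assumed
TASK_ROLE_ARN = f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/BuildTaskRole"  # hypothetical


def trust_policy(bitbucket_account, external_id):
    """Who may assume the customer's role. The ExternalId condition stops another
    Bitbucket customer who learns this role ARN from pointing their own pipelines
    at this cluster through Bitbucket's account (confused deputy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{bitbucket_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(customer_account, region, cluster_name, task_role_arn):
    """Least-privilege permissions: the actions the post lists, with RunTask and
    StopTask pinned to one cluster via the ecs:cluster condition key, plus the
    PassRole grant ECS needs when the task definition names a task role."""
    cluster_arn = f"arn:aws:ecs:{region}:{customer_account}:cluster/{cluster_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # these actions are not scoped to a cluster in this policy
                "Effect": "Allow",
                "Action": ["ecs:RegisterTaskDefinition", "ecs:ListTasks",
                           "ecs:ListTaskDefinitions"],
                "Resource": "*",
            },
            {   # only start/stop tasks in the designated cluster
                "Effect": "Allow",
                "Action": ["ecs:RunTask", "ecs:StopTask"],
                "Resource": "*",
                "Condition": {"ArnEquals": {"ecs:cluster": cluster_arn}},
            },
            {   # pass exactly one role, and only to ECS tasks
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": task_role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
            },
        ],
    }


def build_task_definition(family, image, cpu, memory, task_role_arn):
    """Keyword arguments for ecs.register_task_definition(**...)."""
    return {
        "family": family,
        "taskRoleArn": task_role_arn,
        "containerDefinitions": [
            {"name": "build", "image": image, "cpu": cpu, "memory": memory, "essential": True}
        ],
    }


def run_pipeline(ecs, cluster, task_def):
    """Register the task definition family once, then run it. `ecs` is a boto3 ECS
    client created from the assumed-role credentials (or a test double)."""
    family = task_def["family"]
    arns = ecs.list_task_definitions(familyPrefix=family, status="ACTIVE")["taskDefinitionArns"]
    # familyPrefix is a prefix match, so compare the family part of the ARN exactly
    if not any(arn.rsplit("/", 1)[1].rsplit(":", 1)[0] == family for arn in arns):
        ecs.register_task_definition(**task_def)
    # running by family name picks the latest ACTIVE revision
    resp = ecs.run_task(cluster=cluster, taskDefinition=family, count=1,
                        startedBy="bitbucket-pipelines")
    if resp.get("failures"):
        raise RuntimeError(f"RunTask failed: {resp['failures']}")
    return resp["tasks"][0]["taskArn"]


if __name__ == "__main__":
    import boto3  # only needed for the live flow
    print(json.dumps(trust_policy(BITBUCKET_ACCOUNT, EXTERNAL_ID), indent=2))
    print(json.dumps(permissions_policy(CUSTOMER_ACCOUNT, REGION, CLUSTER_NAME, TASK_ROLE_ARN), indent=2))
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/{ROLE_NAME}",
        RoleSessionName="bitbucket-pipeline", ExternalId=EXTERNAL_ID)["Credentials"]
    ecs = boto3.client("ecs", region_name=REGION, aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    print(run_pipeline(ecs, CLUSTER_NAME,
                       build_task_definition("bitbucket-build", "python:3", 256, 512, TASK_ROLE_ARN)))
```

The temporary credentials from `AssumeRole` expire, so the Bitbucket side would re-assume per pipeline rather than cache them, and the `StopTask` grant is what lets it clean up a build whose time limit is exceeded.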