ecs service creation fails when using newly created iam policy #2869

@mvandiest

I have what appears to be a timing issue when attempting to create an IAM role/security policy and immediately use it as the iam_role of a new ECS service.

I get the following AWS error in Terraform:

* InvalidParameterException: Unable to assume role and validate the listeners configured on your load balancer. Please verify the role being passed has the proper permissions. status code: 400, request id: [] 

If I specify a pre-existing IAM role with an identical policy everything works fine.

I am using the following config:

```hcl
provider "aws" {
  region = "${var.aws_region}"
}

resource "aws_ecs_cluster" "cluster" {
  name = "${var.exp_name}-${var.exp_version}"
}

resource "aws_ecs_service" "publicapi" {
  name            = "publicapi"
  cluster         = "${aws_ecs_cluster.cluster.id}"
  task_definition = "${aws_ecs_task_definition.publicapi.arn}"
  desired_count   = 3
  iam_role        = "${aws_iam_role.ecs_servicerole.arn}"

  load_balancer {
    elb_name       = "${aws_elb.adminapi_elb.id}"
    container_name = "publicapi"
    container_port = 8081
  }
}

resource "template_file" "publicapi_task_definition" {
  filename = "${path.module}/task-definitions/publicapi.json.tpl"

  vars {
    version = "${var.exp_version}"
  }
}

resource "aws_ecs_task_definition" "publicapi" {
  family                = "publicapi"
  container_definitions = "${template_file.publicapi_task_definition.rendered}"
}

resource "aws_iam_role_policy" "policy" {
  name = "policy"
  role = "${aws_iam_role.ecs_servicerole.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "ec2:Describe*",
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": ["*"]
    }
  ]
}
EOF
}

resource "aws_iam_role" "ecs_servicerole" {
  name = "ecs_servicerole"

  assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create a new load balancer
resource "aws_elb" "adminapi_elb" {
  name               = "adminapielb"
  availability_zones = ["us-east-1b", "us-east-1c"]

  listener {
    instance_port     = 8081
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTP:8081/"
    interval            = 30
  }

  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400

  tags {
    Name = "adminapi_elb"
  }
}
```
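The cause of the race in the config above is that `aws_ecs_service.publicapi` only references `aws_iam_role.ecs_servicerole`, so Terraform considers the role "ready" as soon as it exists, before `aws_iam_role_policy.policy` has been attached. ECS then tries to assume a role that cannot yet describe the ELB and rejects the service. The following is an added example, not the reporter's config, showing the one change that makes the dependency explicit; it assumes the other resources (`aws_ecs_cluster.cluster`, `aws_ecs_task_definition.publicapi`, `aws_elb.adminapi_elb`, `aws_iam_role_policy.policy`) are defined exactly as in the config above.

```hcl
# Added example: same service definition as above, but with an explicit
# dependency on the inline role policy so Terraform creates the policy
# (not just the bare role) before calling CreateService.
resource "aws_ecs_service" "publicapi" {
  name            = "publicapi"
  cluster         = "${aws_ecs_cluster.cluster.id}"
  task_definition = "${aws_ecs_task_definition.publicapi.arn}"
  desired_count   = 3
  iam_role        = "${aws_iam_role.ecs_servicerole.arn}"

  load_balancer {
    elb_name       = "${aws_elb.adminapi_elb.id}"
    container_name = "publicapi"
    container_port = 8081
  }

  # Without this, the only graph edge is to aws_iam_role.ecs_servicerole, and
  # the policy attachment can still be in flight when ECS validates the role.
  depends_on = ["aws_iam_role_policy.policy"]
}
```

Ordering the graph correctly removes the deterministic failure, but IAM itself is eventually consistent: a freshly attached policy can take a few seconds to become visible to other services, so a retry of the apply (or a short wait before the service is created) may still occasionally be needed even with the `depends_on` in place. That residual window is also why the pre-existing role in the report works: its policy has long since propagated.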
