`At least 1 "default_action" blocks are required.` after migration to v9

[Lonli-Lokli]

Description

Migration from v5 to v9 leads to errors with default action. I tried to migrate step by step but still error is not clear

• [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]: 9.11.0

• Terraform version: v1.7.4

• Provider version(s): provider registry.terraform.io/hashicorp/aws v5.63.0 provider registry.terraform.io/hashicorp/random v3.6.2

  Reproduction Code [Required]

  
  provider "aws" {
  region = local.region
  }

module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "~> 5.13.0" name = local.resources_name

cidr = "10.1.0.0/16"

azs = ["${local.region}a", "${local.region}b"] public_subnets = ["10.1.11.0/24", "10.1.12.0/24"] enable_dns_support = true enable_dns_hostnames = true enable_nat_gateway = false create_egress_only_igw = true

public_subnet_ipv6_native = true public_subnet_ipv6_prefixes = [0, 1, 2] private_subnet_ipv6_native = true private_subnet_ipv6_prefixes = [3, 4, 5]

tags = { Terraform = "yes" Owner = local.owner Namespace = local.namespace Environment = local.stage Usage = local.usage }

vpc_tags = { Name = "ECS ${local.namespace} (${local.stage})" } }

module "security_group" { source = "terraform-aws-modules/security-group/aws" version = "~> 5.1.2"

name = "alb-sg-${random_pet.this.id}" description = "Security group for usage with ALB" vpc_id = module.vpc.vpc_id

ingress_cidr_blocks = ["0.0.0.0/0"] ingress_rules = ["http-80-tcp","https-443-tcp", "all-icmp"] egress_rules = ["all-all"] }

module "alb" { source = "terraform-aws-modules/alb/aws" version = "~> 9.11.0"

name = "cv-api-alb"

load_balancer_type = "application"

vpc_id = module.vpc.vpc_id subnets = module.vpc.public_subnets security_groups = [module.security_group.security_group_id]

target_groups = { instance = { name_prefix = "pref-" backend_protocol = "HTTP" backend_port = 8080 target_type = "instance", deregistration_delay = 10 health_check = { enabled = true interval = 30 path = "/healthcheck" port = "traffic-port" healthy_threshold = 3 unhealthy_threshold = 3 timeout = 6 protocol = "HTTP" matcher = "200-399" } } }

listeners = {

https = {
  port                 = 443
  protocol             = "HTTPS"
  ssl_policy                  = "ELBSecurityPolicy-2016-08"
  # API CERTIFICATE SHOULD BE UPDATED HERE
  certificate_arn      = "arn:aws:acm:eu-west-2:439736470179:certificate/ac2daf83-0887-4ccf-bb83-1af46a9b696f"
  target_group_key   = "instance"
}

http-https-redirect = {
  port = 80
  protocol    = "HTTP"
  target_group_key   = "instance"
  redirect = {
    port        = "443"
    protocol    = "HTTPS"
    status_code = "HTTP_301"
  }
}

}

tags = { Environment = "Test" } }

resource "random_pet" "this" { length = 2 }

--- Shared Resources ---

For now we only use the AWS ECS optimized ami https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html

data "aws_ami" "amazon_linux_ecs" {

most_recent = true owners = ["amazon"] filter { name = "name" values = ["amzn2-ami-ecs-hvm-*-x86_64-ebs"] } }

data "aws_iam_policy_document" "api_bucket_policy" { statement { principals { type = "AWS" identifiers = [aws_iam_role.ecs_service_role.arn] }

actions = [
  "s3:ListBucket",
  "s3:GetObject",
  "s3:GetBucketLocation",
]

resources = [
  "arn:aws:s3:::${local.api_env_s3_bucketname}",
  "arn:aws:s3:::${local.api_env_s3_bucketname}/*",
]

} }

----- ECS --------

module "ecs" { source = "terraform-aws-modules/ecs/aws" version = "~> 5.10.0" cluster_name = local.namespace }

----- ECS Services--------

module "ecs_service" { source = "./ecs_service" region = local.region service = local.ecs_service_name cluster_id = module.ecs.cluster_id cluster_name = local.namespace task_execution_role_arn = aws_iam_role.ecs_service_role.arn api_env_filename = "vo_api_env.env" api_env_s3_bucketname = local.api_env_s3_bucketname }

---- S3 Bucket --------

module "s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "~>4.1.1"

bucket = local.api_env_s3_bucketname acl = "private" policy = data.aws_iam_policy_document.api_bucket_policy.json force_destroy = true attach_policy = true

versioning = { enabled = true }

S3 bucket-level Public Access Block configuration

block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true }

----- ECS Resources -----

resource "aws_default_route_table" "default" { default_route_table_id = module.vpc.default_route_table_id

tags = { Name = "${local.resources_name}-private" Terraform = "yes" Owner = local.owner Namespace = local.namespace Environment = local.stage Usage = local.usage } }

resource "aws_default_network_acl" "default" { default_network_acl_id = module.vpc.default_network_acl_id

ingress { protocol = -1 rule_no = 100 action = "allow" cidr_block = "0.0.0.0/0" from_port = 0 to_port = 0 }

egress { protocol = -1 rule_no = 100 action = "allow" cidr_block = "0.0.0.0/0" from_port = 0 to_port = 0 }

tags = { Name = local.resources_name Terraform = "yes" Owner = local.owner Namespace = local.namespace Environment = local.stage Usage = local.usage }

lifecycle { ignore_changes = [subnet_ids] } }

resource "aws_default_security_group" "default" { vpc_id = module.vpc.vpc_id

ingress { from_port = 8080 to_port = 8080 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] }

egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] }

tags = { Name = local.resources_name Terraform = "yes" Owner = local.owner Namespace = local.namespace Environment = local.stage Usage = local.usage } }

resource "aws_iam_role" "ecs_service_role" { name = "ec2_iam_role" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
"Sid": "",
"Principal": { "Service": [ "ec2.amazonaws.com", "s3.amazonaws.com", "ecs-tasks.amazonaws.com" ] }, "Action": "sts:AssumeRole" }
] } EOF }

resource "aws_iam_policy" "ecs_service_logging" { name = "ecs_service_logging" path = "/" description = "IAM policy for logging from a ecs task"

policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": "arn:aws:logs:::*", "Effect": "Allow" } ] } EOF }

resource "aws_iam_role_policy_attachment" "ecs_service_logs" { role = "${aws_iam_role.ecs_service_role.name}" policy_arn = "${aws_iam_policy.ecs_service_logging.arn}" }

----- Service -----

module "this" { source = "terraform-aws-modules/autoscaling/aws" version = "~> 7.4.1"

name = local.resources_name

update_default_version = true

Launch template

launch_template_name = local.resources_name create_launch_template = true

image_id = data.aws_ami.amazon_linux_ecs.id instance_type = "t2.micro" security_groups = [module.vpc.default_security_group_id]
create_iam_instance_profile = true

iam_role_name = local.resources_name iam_role_description = "ECS role for ${local.resources_name}" iam_role_policies = { AmazonEC2ContainerServiceforEC2Role = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" }

user_data = base64encode(templatefile("${path.module}/templates/user-data.sh", {cluster_name = local.namespace})) target_group_arns = [for tg in module.alb.target_groups: tg.arn]

Auto scaling group

vpc_zone_identifier = module.vpc.public_subnets health_check_type = "EC2" min_size = 0 max_size = 1 desired_capacity = 1 wait_for_capacity_timeout = 0

tags = { Terraform = "yes" Owner = local.owner Cluster = local.namespace Namespace = local.namespace Environment = local.stage Usage = local.usage } }

## Expected behavior

No erorrs
## Actual behavior

│ Error: Insufficient default_action blocks
│
│   on .terraform\modules\alb\main.tf line 87, in resource "aws_lb_listener" "this":
│   87: resource "aws_lb_listener" "this" {
│
│ At least 1 "default_action" blocks are required.
╵
╷
│ Error: Unsupported attribute
│
│   on .terraform\modules\alb\main.tf line 594, in resource "aws_lb_target_group_attachment" "this":
│  594:   target_id         = each.value.target_id
│     ├────────────────
│     │ each.value is object with 6 attributes
│
│ This object does not have an attribute named "target_id".

### Terminal Output Screenshot(s)

<!-- Optional but helpful -->

## Additional context

Trying to migrate from v5 to v9

[bryantbiggs]

please see the docs and prior issues on this topic

[arditmorina]

@Lonli-Lokli to help you a bit, I had same issues, the example tell how to do but not very detailing, so finally after few hours, here is the working code, the problem is in the listeners part, here is my code, you should add there rules and actions:

  listeners = {
    app_http = {
      port     = var.api_container_port
      protocol = "HTTP"
      forward = {
        target_group_key = "ecs_api_target_group"
      }
    }
    app_https = {
      port            = 443
      protocol        = "HTTPS"
      ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-2021-06"
      certificate_arn = module.acm_alb.acm_certificate_arn
      forward = {
        target_group_key = "ecs_api_target_group"
      }
      rules = {
        api = {
          priority = 2
          actions = [
            {
              type             = "forward"
              target_group_key = "ecs_api_target_group"
            }
          ]
          conditions = [{
            host_header = {
              values = ["${var.alb_api_subdomain_name}.${var.main_domain}"]
            }
          }]
        }
        keycloak = {
          priority = 3
          actions = [
            {
              type             = "forward"
              target_group_key = "ecs_keycloak_target_group"
            }
          ]
          conditions = [{
            host_header = {
              values = ["${var.alb_keycloak_subdomain_name}.${var.main_domain}"]
            }
          }]
        }
      }

    }
    keycloak_http = {
      port     = var.keycloak_container_port
      protocol = "HTTP"
      forward = {
        target_group_key = "ecs_keycloak_target_group"
      }
    }
  }

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.