terraform-aws-modules / terraform-aws-ecs

Terraform module to create AWS ECS resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/ecs/aws
Apache License 2.0

runtime_platform forces replacement with each apply. #103

Closed mdgreenwald closed 1 year ago

mdgreenwald commented 1 year ago

Description

Each time I run terraform apply I see a new block in the output:

module.ecs_service.aws_ecs_task_definition.this[0] must be replaced
+/- resource "aws_ecs_task_definition" "this" {
      + runtime_platform { # forces replacement
          + cpu_architecture        = "X86_64" # forces replacement
          + operating_system_family = "LINUX" # forces replacement
        }
}

This forces my task to be replaced even if there are no other changes. I also am not able to work around this issue by adding this block to my configuration.

I am not able to share the complete configuration in this issue report, however I could send it via other means if required.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists ✅

Versions

{
  "Modules": [
    {
      "Key": "",
      "Source": "",
      "Dir": "."
    },
    {
      "Key": "ecs_cluster",
      "Source": "registry.terraform.io/terraform-aws-modules/ecs/aws//modules/cluster",
      "Version": "5.2.1",
      "Dir": ".terraform/modules/ecs_cluster/modules/cluster"
    },
    {
      "Key": "ecs_service",
      "Source": "registry.terraform.io/terraform-aws-modules/ecs/aws//modules/service",
      "Version": "5.2.1",
      "Dir": ".terraform/modules/ecs_service/modules/service"
    },
    {
      "Key": "ecs_service.container_definition",
      "Source": "../container-definition",
      "Dir": ".terraform/modules/ecs_service/modules/container-definition"
    },
    {
      "Key": "efs",
      "Source": "registry.terraform.io/terraform-aws-modules/efs/aws",
      "Version": "1.2.0",
      "Dir": ".terraform/modules/efs"
    }
  ]
}

Reproduction Code [Required]

data "aws_availability_zones" "available" {}

locals {
  region       = "region-1"
  cluster_name = "region-1-cluster"
  name         = "matomo"

  vpc_cidr = "172.16.0.0/18"

  container_name = "matomo"
  container_port = 80

  tags = {
    Name       = local.name
    Repository = "https://github.com/terraform-aws-modules/terraform-aws-ecs"
  }
}

module "ecs_cluster" {
  source = "terraform-aws-modules/ecs/aws//modules/cluster"

  cluster_name = local.cluster_name

  # Capacity provider
  fargate_capacity_providers = {
    FARGATE = {
      default_capacity_provider_strategy = {
        weight = 50
        base   = 20
      }
    }
    FARGATE_SPOT = {
      default_capacity_provider_strategy = {
        weight = 50
      }
    }
  }

  tags = local.tags
}

module "ecs_service" {
  source = "terraform-aws-modules/ecs/aws//modules/service"

  name        = local.name
  cluster_arn = module.ecs_cluster.arn

  cpu    = 512
  memory = 2048

  create_task_exec_iam_role = false
  create_tasks_iam_role     = false
  task_exec_iam_role_arn    = aws_iam_role.ecs_execution_role.arn
  tasks_iam_role_arn        = aws_iam_role.ecs_generic_task_role.arn
  create_security_group     = false
  security_group_ids        = [aws_security_group.matomo_task_sg.id]

  # Container definition(s)
  container_definitions = {

    fluent-bit = {
      essential = true
      image     = "public.ecr.aws/aws-observability/aws-for-fluent-bit:stable"
      name      = "log_router"
      firelens_configuration = {
        type = "fluentbit"
      }
      health_check = {
        command      = ["CMD-SHELL", "echo '{\"health\": \"check\"}' | nc 127.0.0.1 8877 || exit 1"]
        interval     = 10
        retries      = 2
        start_period = 30
        timeout      = 5
      }
      log_configuration = {
        logDriver = "awslogs"
        options = {
          awslogs-group         = "firelens-container"
          awslogs-region        = local.region
          awslogs-create-group  = "true"
          awslogs-stream-prefix = "firelens"
        }
      }
      memory_reservation = 50
      user               = "0"
    }

    (local.container_name) = {
      cpu       = 256
      memory    = 1024
      essential = true
      image     = "matomo:4.12.1-apache"
      port_mappings = [
        {
          name          = local.container_name
          containerPort = local.container_port
          hostPort      = local.container_port
          protocol      = "tcp"
        }
      ]
      health_check = {
        command      = ["CMD-SHELL", "curl -f http://localhost/ || exit 1"]
        interval     = 10
        retries      = 3
        start_period = 60
        timeout      = 5
      }

      mount_points = [
        {
          containerPath = "/var/www/html"
          sourceVolume  = "matomo-efs"
        }
      ]
      environment = [
        {
          name  = "MATOMO_DATABASE_HOST",
          value = "murasites.craf0zdipzos.us-east-1.rds.amazonaws.com"
        },
        {
          name  = "MATOMO_DATABASE_ADAPTER",
          value = "mysql"
        },
        {
          name  = "MATOMO_DATABASE_DBNAME",
          value = "matomo"
        },
      ]
      #   secrets = [
      #     {
      #       name      = "MATOMO_DATABASE_USERNAME"
      #       valueFrom = data.aws_secretsmanager_secret.matomo_db_username.arn
      #     },
      #     {
      #       name      = "MATOMO_DATABASE_PASSWORD"
      #       valueFrom = data.aws_secretsmanager_secret.matomo_db_password.arn
      #     },
      #   ]
      # Example image used requires access to write to root filesystem
      readonly_root_filesystem = false

      dependencies = [{
        containerName = "log_router"
        condition     = "START"
      }]

      #   enable_cloudwatch_logging = true
      log_configuration = {
        logDriver = "awsfirelens"
        options = {
          Name              = "cloudwatch"
          region            = local.region
          log_group_name    = format("/aws/ecs/containerinsights/%s/application", local.cluster_name)
          auto_create_group = "true"
          log_stream_name   = local.container_name
          retry_limit       = "2"
        }
      }

      memory_reservation = 100
    }
  }

  volume = {
    matomo-efs = {
      name = "matomo-efs"
      efs_volume_configuration = {
        file_system_id          = "fs-1234abcd"
        root_directory          = "/matomo"
        transit_encryption      = "ENABLED"
        transit_encryption_port = 2049
      }
    }
  }

  load_balancer = {
    service = {
      target_group_arn = aws_lb_target_group.target_group.arn
      container_name   = local.container_name
      container_port   = 80
    }
  }

  subnet_ids = [aws_subnet.public1.id, aws_subnet.public2.id, aws_subnet.public3.id, aws_subnet.private1.id, aws_subnet.private2.id, aws_subnet.private3.id]

  depends_on = [module.ecs_cluster, aws_iam_role.ecs_execution_role, aws_iam_role.ecs_generic_task_role, aws_security_group.matomo_alb_sg, aws_security_group.matomo_task_sg]

  tags = local.tags

}

Steps to reproduce the behavior:

  1. Run: terraform apply
  2. Immediately re-run terraform plan OR terraform apply
  3. You should see the service/task being replaced with the output:
      + runtime_platform { # forces replacement
          + cpu_architecture        = "X86_64" # forces replacement
          + operating_system_family = "LINUX" # forces replacement
        }

No

Yes ✅

N/A

Expected behavior

I expect to see no changes immediately after applying and when I have not made any changes to the configuration.

Actual behavior

After applying and making no changes I see forced replacement on the service/task resource.

Terminal Output Screenshot(s)

Additional context

mdgreenwald commented 1 year ago

@bryantbiggs Have you been able to reproduce this bug?

mdgreenwald commented 1 year ago

@bryantbiggs Sorry to be persistent, but I am still seeing this issue in my configuration despite trying to find a workaround.

bryantbiggs commented 1 year ago

I have not - the code provided is not deployable unfortunately

iycbell commented 1 year ago

I get this issue as well, it feels like it could be related to this issue somehow. Will write back if I find anything.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 1 year ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
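
The reproduction steps in this issue (apply, then immediately re-plan with no changes) can be checked mechanically from the machine-readable plan produced by `terraform show -json`. The following is an added example, not part of the original thread or the module's code; the sample plan is constructed from the resource address shown in the report, and the function names are hypothetical.

```python
import json

# Constructed sample: a trimmed `terraform show -json <planfile>` document shaped
# like the replacement reported in this issue. The second entry is a constructed
# no-op resource for contrast.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "module.ecs_service.aws_ecs_task_definition.this[0]",
            "type": "aws_ecs_task_definition",
            "change": {
                "actions": ["delete", "create"],
                "replace_paths": [["runtime_platform"]],
            },
        },
        {
            "address": "aws_security_group.matomo_task_sg",
            "type": "aws_security_group",
            "change": {"actions": ["no-op"]},
        },
    ],
})


def forced_replacements(plan_json):
    """Return {address: [attribute paths]} for every resource the plan replaces."""
    found = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        # A replacement is recorded as both "delete" and "create", in either order.
        if {"delete", "create"} <= set(change.get("actions", [])):
            paths = change.get("replace_paths") or []
            found[rc["address"]] = [".".join(str(s) for s in p) for p in paths]
    return found


def is_idempotent(plan_json):
    """True when a plan taken right after an apply proposes no changes."""
    return all(
        set(rc.get("change", {}).get("actions", [])) <= {"no-op", "read"}
        for rc in json.loads(plan_json).get("resource_changes", [])
    )


if __name__ == "__main__":
    for address, paths in forced_replacements(SAMPLE_PLAN).items():
        print(f"{address} replaced; forced by: {', '.join(paths) or 'unknown'}")
    print("idempotent:", is_idempotent(SAMPLE_PLAN))
```

Run against a real plan, a non-empty result from `forced_replacements` on the second plan of step 2 identifies which attribute path is driving the perpetual replacement.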