terraform-aws-modules / terraform-aws-ecs

Terraform module to create AWS ECS resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/ecs/aws
Apache License 2.0

Race condition for aws_iam_role_policy.tasks #200

Closed marqueurs404 closed 6 months ago

marqueurs404 commented 6 months ago

Description

There appears to be a race condition (probably a depends_on required somewhere?) when I use tasks_iam_role_statements.

Versions

Reproduction Code [Required]

```hcl
module "example" {
  source  = "terraform-aws-modules/ecs/aws//modules/service"
  version = "~> 5.11"

  name                     = "example"
  cluster_arn              = module.example.cluster_arn
  desired_count            = 1
  cpu                      = 2048
  memory                   = 4096
  launch_type              = "FARGATE"
  requires_compatibilities = ["FARGATE"]
  subnet_ids               = module.vpc.private_subnets

  tasks_iam_role_statements = {
    ssm_get_parameter_kms = {
      effect = "Allow"

      actions = [
        "ssm:GetParameter",
        "kms:Decrypt"
      ]

      resources = ["*"]
    }
  }
  ...
}
```

Expected behavior

Order of creation should be:

Actual behavior

But order of creation became:

As a result, the ECS task actually started up before the policy was created.

Additional context

This is problematic for a service that I have in particular, as it requires the SSM permissions to run the task successfully.
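The ordering gap the issue describes, shown in plain Terraform as an added illustration (not the module's own code; resource names, the container image and the two input variables are assumptions): the inline policy and the ECS service both hang off the task role, so the implicit graph has no edge between them and nothing stops the service, and its first task, from being created before the policy exists.

```hcl
# Added illustration, not the module's own code; names and inputs are assumptions.
variable "cluster_arn" { type = string }
variable "subnet_ids" { type = list(string) }

# Task role assumed by the running containers (not the task execution role).
resource "aws_iam_role" "tasks" {
  name = "example-tasks"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ecs-tasks.amazonaws.com" } }]
  })
}

# Inline policy carrying the runtime permissions from the issue's statement.
resource "aws_iam_role_policy" "tasks" {
  name = "ssm_get_parameter_kms"
  role = aws_iam_role.tasks.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = ["ssm:GetParameter", "kms:Decrypt"], Resource = "*" }]
  })
}

resource "aws_ecs_task_definition" "this" {
  family                   = "example"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 2048
  memory                   = 4096
  task_role_arn            = aws_iam_role.tasks.arn # implicit edge to the role only, not to its policy
  container_definitions = jsonencode([{
    name = "app", image = "public.ecr.aws/docker/library/python:3.12", essential = true
  }])
}

resource "aws_ecs_service" "this" {
  name            = "example"
  cluster         = var.cluster_arn
  task_definition = aws_ecs_task_definition.this.arn
  desired_count   = 1
  launch_type     = "FARGATE"
  network_configuration {
    subnets = var.subnet_ids
  }
  # The policy and the service are both downstream of the role with no edge between them,
  # so Terraform may create the service (and start a task) before the policy is attached.
  # The explicit edge closes that window; the task then starts with its permissions in place.
  depends_on = [aws_iam_role_policy.tasks]
}
```

With the `depends_on` removed, `terraform graph` shows the service and the policy as siblings of the role, which is the ordering the issue reports.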

bryantbiggs commented 6 months ago

Can you provide the full reproduction configuration? tasks_iam_role_statements are permissions added to the tasks IAM role: these are permissions used by your container at runtime. task_exec_iam_statements are permissions added to the task execution IAM role: these are permissions used to collect SSM parameter values and SecretsManager values when EC2 deploys your task.

marqueurs404 commented 6 months ago

Hi @bryantbiggs, thank you for the reply. I am aware of the difference between the task / task exec roles. In this case, our service does not reference SSM values in the task definition, but rather in the application layer, i.e. Python boto3.

This was just an example to highlight the potential for a race condition where the task began running before policies are applied to the task role.

antonbabenko commented 6 months ago

This issue has been resolved in version 5.11.2 🎉

github-actions[bot] commented 5 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.