Description
When creating an ECS Target for an EventBridge pipe, the correct policy does not seem to be attached to the execution role for the pipe.
The role created has RunTask permissions but the target ARN for these is the cluster itself. An additional role is created that does have the required policies but this is not attached to the pipe.
- ✋ I have searched the open/closed issues and my issue is not listed.
⚠️ Note

Before you submit an issue, please perform the following first:

- Remove the local `.terraform` directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): `rm -rf .terraform/`
- Re-initialize the project root to pull down modules: `terraform init`
- Re-attempt your `terraform plan` or `apply` and check if the issue still persists
Versions

- Module version [Required]:
- Terraform version: 1.11.4
- Provider version(s):
  - provider registry.terraform.io/hashicorp/aws v5.100.0
  - provider registry.terraform.io/hashicorp/random v3.7.2
Reproduction Code [Required]

```hcl
provider "aws" {
  region                      = "eu-west-1"
  skip_metadata_api_check     = true
  skip_region_validation      = true
  skip_credentials_validation = true
}

data "aws_vpc" "default" {
  default = true
}

data "aws_security_group" "default" {
  name   = "default"
  vpc_id = data.aws_vpc.default.id
}

data "aws_subnets" "default" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_sqs_queue" "source" {
  name = "${random_pet.this.id}-source"
}

module "eventbridge" {
  source = "../../"

  create_bus  = false
  create_role = true
  role_name   = "ecs-eventbridge-${random_pet.this.id}"

  attach_ecs_policy = true
  ecs_target_arns = [
    module.ecs_cluster.services["hello-world"].task_definition_arn,
    "arn:aws:ecs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:task/${random_pet.this.id}/*"
  ]
  ecs_pass_role_resources = [module.ecs_cluster.services["hello-world"].task_exec_iam_role_arn]

  pipes = {
    test_ecs_pipe = {
      source = aws_sqs_queue.source.arn
      target = module.ecs_cluster.cluster_arn
      target_parameters = {
        ecs_task_parameters = {
          task_count              = 1
          launch_type             = "FARGATE"
          task_definition_arn     = module.ecs_cluster.services["hello-world"].task_definition_arn
          container_name          = "hello-world"
          security_groups         = [module.ecs_cluster.services["hello-world"].security_group_id]
          subnets                 = data.aws_subnets.default.ids
          enable_ecs_managed_tags = true
        }
      }
    }
  }
}

module "ecs_cluster" {
  source  = "terraform-aws-modules/ecs/aws"
  version = "~> 5.0"

  cluster_name = random_pet.this.id

  fargate_capacity_providers = {
    FARGATE = {
      default_capacity_provider_strategy = {
        weight = 100
      }
    }
    FARGATE_SPOT = {
      default_capacity_provider_strategy = {
        weight = 100
      }
    }
  }

  services = {
    hello-world = {
      subnet_ids                         = data.aws_subnets.default.ids
      desired_count                      = 1
      deployment_maximum_percent         = 100
      deployment_minimum_healthy_percent = 0
      container_definitions = {
        hello-world = {
          image  = "hello-world",
          cpu    = 0,
          memory = 128
        }
      }
    }
  }
}

resource "random_pet" "this" {
  length = 2
}
```
Steps to reproduce the behavior:

1. Create an additional test case with the code supplied.
2. Send a test message to the SQS queue.
3. Observe the CloudTrail error:

```
"errorMessage": "User: arn:aws:sts::<REDACTED>:assumed-role/test_ecs_pipe20250616091644966000000007/ace581dadff23b9783e90fd42507dab6 is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:eu-west-1:<REDACTED>:task-definition/hello-world:1 because no identity-based policy allows the ecs:RunTask action",
```

4. Observe that the role attached to the task has this policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TestEcsPipeEcs",
      "Effect": "Allow",
      "Action": [
        "ecs:TagResource",
        "ecs:RunTask"
      ],
      "Resource": "arn:aws:ecs:eu-west-1:<REDACTED>:cluster/valid-bee"
    },
    {
      "Sid": "TestEcsPipeEcsIamPassrole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:ecs:eu-west-1:<REDACTED>:cluster/valid-bee"
    },
    {
      "Sid": "TestEcsPipeSqsSource",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:eu-west-1:<REDACTED>:valid-bee-source"
    }
  ]
}
```

5. Observe that an additional policy "ecs-eventbridge-<random_pet>" is created with the correct ECS permissions, but it is not attached to the pipe execution role.
Expected behavior
The ECS permissions attached to the orphaned ecs-eventbridge-<random_pet> policy are attached to the EventBridge pipe execution role
Actual behavior
See above
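The denial in the CloudTrail entry above follows directly from how the generated policy is scoped: `ecs:RunTask` is authorised against the task-definition ARN, and `iam:PassRole` against the IAM role being passed, but both statements name the pipe's target (the cluster ARN) as their `Resource`. The script below is an added example, not code from the terraform-aws-eventbridge module or from the reporter: it is a deliberately small model of IAM identity-policy evaluation (Allow/Deny, `Action`, `Resource`, `*`/`?` wildcards; no `Condition`, `NotAction`, resource policies, permission boundaries or SCPs) that evaluates the quoted policy and a correctly scoped one against the calls a Pipes-to-ECS target actually makes. The account ID (`123456789012`) and the task execution role name are placeholders, since the report redacts or omits them.

```python
"""Toy model of IAM identity-policy evaluation for the ecs:RunTask / iam:PassRole
checks a Pipes execution role must pass.  Added example, not code from the
terraform-aws-eventbridge module.  Handles Allow/Deny, Action and Resource with
IAM-style '*' / '?' wildcards, and nothing else (no Condition, NotAction,
resource policies, permission boundaries or SCPs)."""
from fnmatch import fnmatchcase

# Placeholders for values the report redacts or does not show.
ACCOUNT = "123456789012"                        # real account ID is redacted
REGION = "eu-west-1"
CLUSTER = f"arn:aws:ecs:{REGION}:{ACCOUNT}:cluster/valid-bee"
TASK_DEF = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/hello-world:1"
TASK_EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/hello-world-task-exec"  # assumed name

# The policy the module generated, as quoted in the report (SQS statement omitted).
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TestEcsPipeEcs", "Effect": "Allow",
         "Action": ["ecs:TagResource", "ecs:RunTask"], "Resource": CLUSTER},
        {"Sid": "TestEcsPipeEcsIamPassrole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": CLUSTER},
    ],
}

# What the role actually needs: RunTask is evaluated against the task-definition
# ARN (exactly what the CloudTrail error names), TagResource against the tasks
# it creates, and PassRole against the IAM role handed to ECS, never an ECS ARN.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EcsRunTask", "Effect": "Allow",
         "Action": "ecs:RunTask", "Resource": TASK_DEF},
        {"Sid": "EcsTagTasks", "Effect": "Allow",
         "Action": "ecs:TagResource",
         "Resource": f"arn:aws:ecs:{REGION}:{ACCOUNT}:task/valid-bee/*"},
        {"Sid": "PassTaskRoles", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": TASK_EXEC_ROLE,
         # Usual extra guard on PassRole; this toy evaluator does not check Condition.
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM treats '*' and '?' as wildcards; ARNs are case-sensitive, actions are not.
    return fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """True if `policy` allows `action` on `resource`; an explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(_match(a, action.lower()) for a in actions):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def diagnose(policy):
    """Evaluate the calls a Pipes -> ECS target makes, plus one probe that shows
    why the generated policy looks right at a glance: it does allow RunTask, but
    only on the cluster ARN, which RunTask is never authorised against."""
    other_def = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/other:1"
    return {
        "RunTask on task definition": is_allowed(policy, "ecs:RunTask", TASK_DEF),
        "RunTask on cluster (irrelevant)": is_allowed(policy, "ecs:RunTask", CLUSTER),
        "PassRole on task exec role": is_allowed(policy, "iam:PassRole", TASK_EXEC_ROLE),
        "RunTask on another task def": is_allowed(policy, "ecs:RunTask", other_def),
    }


if __name__ == "__main__":
    for name, pol in (("generated", GENERATED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(name)
        for check, ok in diagnose(pol).items():
            print(f"  {'ALLOW' if ok else 'DENY '}  {check}")
```

Against the real role, the same check is `aws iam simulate-principal-policy --policy-source-arn <pipe role ARN> --action-names ecs:RunTask iam:PassRole --resource-arns <task-definition ARN> <task exec role ARN>`, which also evaluates conditions and any boundaries this model leaves out.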