
Incorrect IAM Policy when using ECS Target for Pipe #169

@oli-pr

Description


When creating an ECS Target for an EventBridge pipe, the correct policy does not seem to be attached to the execution role for the pipe.

The role created has RunTask permissions but the target ARN for these is the cluster itself. An additional role is created that does have the required policies but this is not attached to the pipe.

  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (ONLY if state is stored remotely, which is hopefully the best practice you are following!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Module version [Required]:

  • Terraform version: 1.11.4

  • Provider version(s):
    provider registry.terraform.io/hashicorp/aws v5.100.0
    provider registry.terraform.io/hashicorp/random v3.7.2

Reproduction Code [Required]

provider "aws" {
  region = "eu-west-1"

  skip_metadata_api_check     = true
  skip_region_validation      = true
  skip_credentials_validation = true
}

data "aws_vpc" "default" {
  default = true
}

data "aws_security_group" "default" {
  name   = "default"
  vpc_id = data.aws_vpc.default.id
}

data "aws_subnets" "default" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_sqs_queue" "source" {
  name = "${random_pet.this.id}-source"
}

module "eventbridge" {
  source = "../../"

  create_bus = false

  create_role       = true
  role_name         = "ecs-eventbridge-${random_pet.this.id}"
  attach_ecs_policy = true
  ecs_target_arns = [
    module.ecs_cluster.services["hello-world"].task_definition_arn,
    "arn:aws:ecs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:task/${random_pet.this.id}/*"
  ]

  ecs_pass_role_resources = [module.ecs_cluster.services["hello-world"].task_exec_iam_role_arn]

  pipes = {
    test_ecs_pipe = {
      source = aws_sqs_queue.source.arn
      target = module.ecs_cluster.cluster_arn

      target_parameters = {
        ecs_task_parameters = {
          task_count          = 1
          launch_type         = "FARGATE"
          task_definition_arn = module.ecs_cluster.services["hello-world"].task_definition_arn
          container_name      = "hello-world"

          security_groups = [module.ecs_cluster.services["hello-world"].security_group_id]
          subnets         = data.aws_subnets.default.ids

          enable_ecs_managed_tags = true
        }
      }
    }
  }
}

module "ecs_cluster" {
  source  = "terraform-aws-modules/ecs/aws"
  version = "~> 5.0"

  cluster_name = random_pet.this.id

  fargate_capacity_providers = {
    FARGATE = {
      default_capacity_provider_strategy = {
        weight = 100
      }
    }
    FARGATE_SPOT = {
      default_capacity_provider_strategy = {
        weight = 100
      }
    }
  }

  services = {
    hello-world = {
      subnet_ids                         = data.aws_subnets.default.ids
      desired_count                      = 1
      deployment_maximum_percent         = 100
      deployment_minimum_healthy_percent = 0

      container_definitions = {
        hello-world = {
          image  = "hello-world",
          cpu    = 0,
          memory = 128
        }
      }
    }
  }
}

resource "random_pet" "this" {
  length = 2
}

Steps to reproduce the behavior:

  1. Create an additional test case with the code supplied.
  2. Send a test message to the SQS queue.
  3. Observe the CloudTrail error:

"errorMessage": "User: arn:aws:sts::<REDACTED>:assumed-role/test_ecs_pipe20250616091644966000000007/ace581dadff23b9783e90fd42507dab6 is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:eu-west-1:<REDACTED>:task-definition/hello-world:1 because no identity-based policy allows the ecs:RunTask action",

Observe that the role attached to the pipe has this policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TestEcsPipeEcs",
      "Effect": "Allow",
      "Action": [
        "ecs:TagResource",
        "ecs:RunTask"
      ],
      "Resource": "arn:aws:ecs:eu-west-1:<REDACTED>:cluster/valid-bee"
    },
    {
      "Sid": "TestEcsPipeEcsIamPassrole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:ecs:eu-west-1:<REDACTED>:cluster/valid-bee"
    },
    {
      "Sid": "TestEcsPipeSqsSource",
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:eu-west-1:<REDACTED>:valid-bee-source"
    }
  ]
}

Observe that an additional policy "ecs-eventbridge-<random_pet>" is created with the correct ECS permissions, but it is not attached to the pipe execution role.

Expected behavior

The ECS permissions attached to the orphaned ecs-eventbridge-<random_pet> policy are attached to the EventBridge pipe execution role.

Actual behavior

See above

Terminal Output Screenshot(s)

Additional context
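An added offline check, not part of the issue or the module, that evaluates a pipe execution role's policy document against the two grants an ECS target needs: ecs:RunTask on the task definition ARN and iam:PassRole on the task execution role. The policy below is constructed from the one quoted above, with the account id, cluster name and role ARN as placeholders; run against it, the check reports both grants missing because the module put the cluster ARN in both Resource fields.

```python
import fnmatch
import json

# Constructed sample: the policy the reporter observed on the pipe role
# (SQS statement omitted; account id 111111111111 is a placeholder).
OBSERVED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "TestEcsPipeEcs", "Effect": "Allow",
   "Action": ["ecs:TagResource", "ecs:RunTask"],
   "Resource": "arn:aws:ecs:eu-west-1:111111111111:cluster/valid-bee"},
  {"Sid": "TestEcsPipeEcsIamPassrole", "Effect": "Allow",
   "Action": "iam:PassRole",
   "Resource": "arn:aws:ecs:eu-west-1:111111111111:cluster/valid-bee"}]}
""")

# Placeholder ARNs for the task definition and the task execution role.
TASK_DEF_ARN = "arn:aws:ecs:eu-west-1:111111111111:task-definition/hello-world:1"
TASK_EXEC_ROLE_ARN = "arn:aws:iam::111111111111:role/hello-world-task-exec"


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """True if an Allow statement matches both action and resource.

    Actions are case-insensitive; '*' and '?' wildcards are honoured in
    both fields. Deny statements and conditions are not evaluated.
    """
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        resources = _as_list(st.get("Resource", []))
        if any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False


def check_ecs_pipe_role(policy, task_definition_arn, pass_role_arns):
    """Return the grants an EventBridge pipe with an ECS target still lacks."""
    missing = []
    if not allows(policy, "ecs:RunTask", task_definition_arn):
        missing.append(f"ecs:RunTask on {task_definition_arn}")
    for role_arn in pass_role_arns:
        if not allows(policy, "iam:PassRole", role_arn):
            missing.append(f"iam:PassRole on {role_arn}")
    return missing
```

Run the check after a plan/apply to confirm the role the pipe actually uses, not just the orphaned policy, carries both grants.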
