custom execution role cannot be set on module #164

Open
vtzan opened this issue Jun 2, 2022 · 4 comments
Labels
bug 🐛 An issue with the system

vtzan commented Jun 2, 2022

Describe the Bug

Dear Team,

When I define a custom task execution role, Terraform returns the error below.

Logs

Releasing state lock. This may take a few moments...

╷
│ Error: Invalid count argument
│ 
│   on .terraform/modules/ecs_alb_service_task/main.tf line 225, in data "aws_iam_policy_document" "ecs_task_exec":
│  225:   count = local.create_exec_role ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on.
╵
╷
│ Error: Invalid count argument
│ 
│   on .terraform/modules/ecs_alb_service_task/main.tf line 246, in data "aws_iam_policy_document" "ecs_exec":
│  246:   count = local.create_exec_role ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on.

module example to reproduce the problem.

module "ecs_alb_service_task" {
  source = "git::https://github.com/cloudposse/terraform-aws-ecs-alb-service-task.git?ref=tags/0.64.0"

  enabled             = true
  environment         = var.ecs_environment
  namespace           = var.namespace
  name                = var.name
  task_cpu            = var.ecs_task_cpu
  task_memory         = var.ecs_task_memory
  launch_type         = "FARGATE"
  network_mode        = "awsvpc"
  vpc_id              = var.vpc_id
  platform_version    = var.ecs_platform_version
  scheduling_strategy = "REPLICA"
  propagate_tags      = "SERVICE"
  assign_public_ip    = "false"
  # Custom execution role defined in the same configuration
  task_exec_role_arn                 = aws_iam_role.fargate_execution.arn
  subnet_ids                         = var.private_subnet_ids
  security_group_ids                 = [aws_security_group.this.id]
  alb_security_group                 = module.alb.security_group_id
  tags                               = local.tags
  attributes                         = local.attributes
  container_port                     = var.container_port
  delimiter                          = local.delimiter
  deployment_controller_type         = "ECS"
  deployment_maximum_percent         = var.deployment_maximum_percent
  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
  desired_count                      = var.desired_count
  ecs_cluster_arn                    = aws_ecs_cluster.cluster.arn
  health_check_grace_period_seconds  = 10
  ignore_changes_task_definition     = "false"

  ecs_load_balancers = [{
    "elb_name"         = "",
    "container_name"   = var.name,
    "container_port"   = var.container_port,
    "target_group_arn" = module.alb.default_target_group_arn,
  }]

  container_definition_json = jsonencode([
    module.webportal_task_definition.json_map_object,
    module.webportal_middleware_task_definition.json_map_object,
  ])
}

thank you in advance

Vasilios Tzanoudakis

@vtzan vtzan added the bug 🐛 An issue with the system label Jun 2, 2022

jonra1993 commented Aug 4, 2022

Hello @vtzan, were you able to solve this problem? It appears when I try to use the load balancer; in my case I tried to create an EC2 task. I read that service_role_arn is required but I am not able to make it work.

module "whoami_ecs_alb_service_task" {
  source = "cloudposse/ecs-alb-service-task/aws"
  version = "0.65.0"
  alb_security_group                = aws_security_group.ecs_alb_sg.id
  container_definition_json         = module.whoami_container_definition.json_map_encoded_list
  ecs_cluster_arn                   = aws_ecs_cluster.ecs.arn
  launch_type                       = "EC2"
  container_port = 80
  service_registries = [{
    container_name = "whoami",
    container_port = 80,
    registry_arn = aws_service_discovery_service.whoami.arn,
  }]

  ecs_load_balancers = [{
    container_name = "whoami",
    container_port = 80,
    elb_name = null,
    target_group_arn = aws_lb_target_group.ecs-whoami-ingress-http.arn
  }] 

  service_role_arn = aws_iam_service_linked_role.ecs_linked_role.arn
  attributes = var.attributes
  delimiter  = var.delimiter
  name       = "whoami"
  namespace  = var.namespace
  stage      = var.stage
  tags       = var.tags
  
  task_cpu                          = var.task_cpu
  task_memory                       = 128
  
  desired_count             = var.desired_count
  assign_public_ip          = false

  network_mode       = null
  vpc_id   = module.vpc.vpc_id
  security_group_ids                 = [aws_security_group.ecs_instance_sg.id]
  subnet_ids                         = [for subnet in data.aws_subnet_ids.public.ids : subnet]
  
  ignore_changes_task_definition     = false
  deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
  deployment_maximum_percent         = var.deployment_maximum_percent
  deployment_controller_type         = var.deployment_controller_type
}

The IAM role I tried

resource "aws_iam_service_linked_role" "ecs_linked_role" {
  aws_service_name = "ecs.amazonaws.com"
}

This is my error message

│ Error: Invalid count argument
│ 
│   on .terraform/modules/whoami_ecs_alb_service_task/main.tf line 190, in data "aws_iam_policy_document" "ecs_service_policy":
│  190:   count = local.enable_ecs_service_role && var.service_role_arn == null ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined
│ until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only
│ the resources that the count depends on.


vtzan commented Aug 4, 2022

Hi @jonra1993,

No, I didn't have the time to deal with it atm so I left it as is for now ....
Those types of errors can be fixed by changing the module code to use newer Terraform functions or a different approach on resource creation deps.

@jonra1993

Thanks for your response @vtzan. I see in other issues people suggest using the -target argument, but I am not sure where it should be located.


oded-e commented Mar 7, 2024

Setting -target is not a solution guys.
In a world of automation, we should be able to apply multiple Terraform resource groups, and adding exceptions like this makes the code very 'ugly' and not robust.
I'll try to send a PR to try solving this.
Thanks!
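
The errors quoted in this thread come from `count` expressions that depend on the supplied role ARN (for example `var.service_role_arn == null`), which is not known until apply. One module-side pattern that avoids this, as an added example that is not code from this thread or from the cloudposse module: decide `count` from a separate boolean that is known at plan time and let the ARN itself stay unknown. The variable `create_exec_role`, the `terraform_data` stand-ins and the ARN strings are assumptions constructed for illustration.

```hcl
terraform {
  required_version = ">= 1.4" # terraform_data is built in from 1.4
}

# Hypothetical flag: the caller states the decision as a plain bool,
# so Terraform can evaluate it during plan.
variable "create_exec_role" {
  type        = bool
  default     = false
  description = "true: create a default role here; false: caller supplies its own role"
}

# Stand-in for a caller-managed aws_iam_role. Its output is computed at
# apply, like the ARN of a role that does not exist yet.
resource "terraform_data" "caller_role" {
  input = "arn:aws:iam::111122223333:role/constructed-exec-role" # constructed value
}

# Stand-in for the default role a module would create for itself.
# count depends only on the bool, never on an ARN, so plan can resolve it.
resource "terraform_data" "module_role" {
  count = var.create_exec_role ? 1 : 0
  input = "arn:aws:iam::111122223333:role/constructed-default-role" # constructed value
}

locals {
  # Ordinary attribute values may be unknown at plan; only count and
  # for_each need known values. one() returns null when count is 0.
  exec_role_arn = (
    var.create_exec_role
    ? one(terraform_data.module_role[*].output)
    : terraform_data.caller_role.output
  )
}

output "exec_role_arn" {
  value = local.exec_role_arn
}
```

With this layout a single `terraform plan` succeeds for either value of `create_exec_role`, so the least-privilege role and the service that uses it can be created in one run without `-target`.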
