0.6.12 "Unable to assume role and validate the listeners configured on your load balancer. Please verify the role being passed has the proper permissions."

[russmac]

Ive read:

#5079
#2869
#4375

Which seem to indicate the issue was resolved in 0.6.12 however despite multiple applies or destroy apply apply apply or destroy apply destroy apply the ECS resource is never created due to Terraform not being able to validate the credentials for it.

2016/03/03 18:23:02 [DEBUG] terraform-provider-aws: 2016/03/03 18:23:02 [DEBUG] Trying to create ECS service again: "Unable to assume role and validate the listeners configured on your load balancer.  Please verify the role being passed has the proper permissions."
2016/03/03 18:23:02 [DEBUG] terraform-provider-aws: 2016/03/03 18:23:02 [TRACE] Waiting 10s before next try
2016/03/03 18:23:05 [DEBUG] vertex root, waiting for: provider.aws (close)
2016/03/03 18:23:05 [DEBUG] vertex provider.aws (close), waiting for: aws_ecs_service.pdat-ecs-service
2016/03/03 18:23:10 [DEBUG] vertex root, waiting for: provider.aws (close)
2016/03/03 18:23:10 [DEBUG] vertex provider.aws (close), waiting for: aws_ecs_service.pdat-ecs-service
2016/03/03 18:23:10 [DEBUG] root: eval: *terraform.EvalWriteState
2016/03/03 18:23:10 [DEBUG] root: eval: *terraform.EvalApplyProvisioners
2016/03/03 18:23:10 [DEBUG] root: eval: *terraform.EvalIf
2016/03/03 18:23:10 [DEBUG] root: eval: *terraform.EvalWriteDiff
2016/03/03 18:23:10 [DEBUG] root: eval: *terraform.EvalIf
2016/03/03 18:23:10 [DEBUG] root: eval: *terraform.EvalWriteState
2016/03/03 18:23:10 [DEBUG] root: eval: *terraform.EvalApplyPost
2016/03/03 18:23:10 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

* aws_ecs_service.pdat-ecs-service: timeout while waiting for state to become '[success]'
2016/03/03 18:23:10 [ERROR] root: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

* aws_ecs_service.pdat-ecs-service: timeout while waiting for state to become '[success]'
2016/03/03 18:23:10 [ERROR] root: eval: *terraform.EvalOpFilter, err: 1 error(s) occurred:

* aws_ecs_service.pdat-ecs-service: timeout while waiting for state to become '[success]'
2016/03/03 18:23:10 [ERROR] root: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

* aws_ecs_service.pdat-ecs-service: timeout while waiting for state to become '[success]'
2016/03/03 18:23:10 [TRACE] [walkApply] Exiting eval tree: aws_ecs_service.pdat-ecs-service
2016/03/03 18:23:10 [DEBUG] vertex provider.aws (close), got dep: aws_ecs_service.pdat-ecs-service
2016/03/03 18:23:10 [DEBUG] vertex root, got dep: provider.aws (close)
2016/03/03 18:23:10 [DEBUG] vertex root, got dep: var.route53_zoneid
2016/03/03 18:23:10 [DEBUG] waiting for all plugin processes to complete...
Error applying plan:

1 error(s) occurred:

* aws_ecs_service.pdat-ecs-service: timeout while waiting for state to become '[success]'

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

I've read all the linked associated issues and they describe either someone figuring out their policy was wrong or further applies creating the resource. The role exists visibly in IAM and is assigned as an instance profile to my ECS Instance which has joined the cluster correctly indicating the policy is correct.

// Create service
resource "aws_ecs_service" "pdat-ecs-service" {
  name = "pdat_ecs"
  cluster = "${aws_ecs_cluster.pdat-ecs-cluster.id}"
  task_definition = "${aws_ecs_task_definition.pdat-ecs-wordpress.arn}"
  desired_count = 1
  iam_role = "${aws_iam_role.pdat-ecs-role.id}"

  load_balancer {
    elb_name = "${aws_elb.pdat-elb.id}"
    container_name = "${var.container_name}"
    container_port = 80
  }

  depends_on = ["aws_iam_role.pdat-ecs-role","aws_instance.pdat-ecs-instance"]

}




  resource "aws_iam_role_policy" "pdat-ecs-policy" {
    name = "pdat-ecs-policy"
    role = "${aws_iam_role.pdat-ecs-role.id}"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:Describe*",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
      ],
      "Resource": "*"
    }
  ]
}
EOF

  depends_on = ["aws_iam_role.pdat-ecs-role"]
}

resource "aws_iam_role" "pdat-ecs-role" {
  name = "pdat-ecs-role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}

[russmac]

Hardcoding the ecs-service role attribute results in the same issue, I also switched off all dependency between iam/ecs to ensure no effect.

The IAM role is a poweruser/administrator which has elb*

// Create service
resource "aws_ecs_service" "pdat-ecs-service" {
  name = "pdat_ecs"
  cluster = "${aws_ecs_cluster.pdat-ecs-cluster.id}"
  task_definition = "${aws_ecs_task_definition.pdat-ecs-wordpress.arn}"
  desired_count = 1
  iam_role = "arn:aws:iam::0000000000:role/test"

  load_balancer {
    elb_name = "${aws_elb.pdat-elb.id}"
    container_name = "${var.container_name}"
    container_port = 80
  }

  // depends_on = ["aws_elb.pdat-elb","aws_iam_role.pdat-ecs-role","aws_iam_role_policy.pdat-ecs-policy","aws_instance.pdat-ecs-instance"]

}

[russmac]

Removing the elb resource, ecs-service elb sub-resource and the iam_role param allowed creation of ecs-service.

[jbryan]

@russmac I beat my head against this for a couple of hours and then realized my issue and it may be the same as yours. The iam role for the service needs to have an assume_rule_policy that allows the principle _ecs_.amazonaws.com rather than ec2.amazonaws.com. E.g.

resource "aws_iam_role" "pdat-ecs-role" {
  name = "pdat-ecs-role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

}

[catsby]

Hey @russmac – I believe @jbryan is correct, the required Service there should be ecs.amazonaws.com, not ec2. I'm going to close this for now, but please let me know if you're still hitting this while using ecs. Thanks!

[russmac]

Sorry guys I was not subscribed, Thanks very much for explaining the issue, Easy to miss the /2/s/.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.