ECS: Task role default policies race condition #18675

Open
automartin5000 opened this issue Jan 27, 2022 · 3 comments
Labels
- @aws-cdk/aws-ecs: Related to Amazon Elastic Container
- bug: This issue is a bug.
- effort/small: Small work item – less than a day of effort
- p2

Comments

@automartin5000

What is the problem?

The "Default" task role policy for an ECS Task Definition is automatically created separately from the actual IAM Role. However, there's no explicit "DependsOn" so that the creation of the Task Definition has to wait for the inline policy to be added to the role. Under normal circumstances, this might be fine for Fargate Services, as the inline policy appears to "beat" the Fargate services to creation. However, in my case, I'm trying to execute the Task Definition as soon as it's created (via a Custom Resource and Step Functions) and my execution start of my state machine keeps beating the inline policy :)

There's also no way to reference the inline policy resource that's created to add an explicit dependency to the task definition on the policy.

Reproduction Steps

Try to run a task definition before the CloudFormation Stack has a chance to complete

What did you expect to happen?

Task execution completes successfully

What actually happened?

Task execution fails due to missing policies

CDK CLI Version

2.8.0 (build 8a5eb49)

Framework Version

No response

Node.js Version

v16.13.2

OS

Mac OS 12.1

Language

Python

Language Version

No response

Other information

I don't see why the L2 Task Definition Construct wouldn't always just have an explicit dependency on its managed policy. In the absence of that, allowing grants to a managed policy would also solve this.

@automartin5000 automartin5000 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 27, 2022
@github-actions github-actions bot added the @aws-cdk/aws-ecs Related to Amazon Elastic Container label Jan 27, 2022
@automartin5000
Author

automartin5000 commented Jan 27, 2022

Solved with `.add_dependency(task_role.node.find_child("DefaultPolicy"))`, but I still think this is a bug. Just kidding, circular dependency error. The circular dependency was on my side, this workaround did fix it.
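
A check for the ordering gap discussed in this issue, as an added example that is not from the thread or from the CDK project: it scans a synthesized CloudFormation template for `AWS::ECS::TaskDefinition` resources whose task role has an `AWS::IAM::Policy` attached that the task definition does not `DependsOn`. The sample template, its logical IDs and the function names are constructed for illustration, and the check assumes the dependency is declared on the task definition resource itself.

```python
# Constructed sample in the shape of a synthesized template (logical IDs invented).
SAMPLE = {"Resources": {
    "TaskRole": {"Type": "AWS::IAM::Role"},
    "TaskRoleDefaultPolicy": {"Type": "AWS::IAM::Policy",
                              "Properties": {"Roles": [{"Ref": "TaskRole"}]}},
    "RacyTaskDef": {"Type": "AWS::ECS::TaskDefinition",
                    "Properties": {"TaskRoleArn": {"Fn::GetAtt": ["TaskRole", "Arn"]}}},
    "PinnedTaskDef": {"Type": "AWS::ECS::TaskDefinition",
                      "DependsOn": "TaskRoleDefaultPolicy",
                      "Properties": {"TaskRoleArn": {"Fn::GetAtt": ["TaskRole", "Arn"]}}},
}}


def role_logical_id(ref):
    """Return the logical ID behind a Ref / Fn::GetAtt, or None for literals."""
    if not isinstance(ref, dict):
        return None  # hard-coded ARN or role name: nothing in this template to order
    if "Ref" in ref:
        return ref["Ref"]
    target = ref.get("Fn::GetAtt")
    if isinstance(target, str):  # "Role.Arn" string form
        return target.split(".", 1)[0]
    return target[0] if target else None


def unordered_task_role_policies(template):
    """Map each task definition to the task-role policies it does not DependsOn."""
    resources = template.get("Resources", {})
    findings = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        role = role_logical_id(res.get("Properties", {}).get("TaskRoleArn"))
        depends = res.get("DependsOn", [])
        depends = [depends] if isinstance(depends, str) else depends
        missing = sorted(
            pid for pid, pol in resources.items()
            if pol.get("Type") == "AWS::IAM::Policy" and role is not None
            and any(role_logical_id(r) == role
                    for r in pol.get("Properties", {}).get("Roles", []))
            and pid not in depends)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for task_def, policies in unordered_task_role_policies(SAMPLE).items():
        print(f"{task_def}: no DependsOn for {', '.join(policies)}")
```

To run it against a real stack, load the JSON template from the `cdk.out` directory and pass the resulting dict to `unordered_task_role_policies`.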

@ryparker ryparker added the p2 label Jan 31, 2022
@madeline-k
Contributor

Thanks for opening this detailed issue and providing a workaround, @automartin5000! I agree with you, we should fix this. But triaging it as a p2 for now, which means we will not be able to prioritize implementation right now.

We are always open to contributions! If you are interested, check out the guide to get started.

@madeline-k madeline-k added effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 31, 2022
@madeline-k madeline-k removed their assignment Mar 22, 2022
@github-actions

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Mar 23, 2023
@peterwoodworth peterwoodworth removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Mar 23, 2023

4 participants