ECS: Task role default policies race condition #18675
Labels: @aws-cdk/aws-ecs, bug, effort/small, p2
What is the problem?
The "Default" task role policy for an ECS Task Definition is automatically created separately from the actual IAM Role. However, there's no explicit "DependsOn" so that the creation of the Task Definition has to wait for the inline policy to be added to the role. Under normal circumstances, this might be fine for Fargate Services, as the inline policy appears to "beat" the Fargate services to creation. However, in my case, I'm trying to execute the Task Definition as soon as it's created (via a Custom Resource and Step Functions) and my execution start of my state machine keeps beating the inline policy :)
There's also no way to reference the inline policy resource that's created to add an explicit dependency to the task definition on the policy.
Reproduction Steps
Try to run a task definition before the CloudFormation Stack has a chance to complete
What did you expect to happen?
Task execution completes successfully
What actually happened?
Task execution fails due to missing policies
CDK CLI Version
2.8.0 (build 8a5eb49)
Framework Version
No response
Node.js Version
v16.13.2
OS
Mac OS 12.1
Language
Python
Language Version
No response
Other information
I don't see why the L2 Task Definition Construct wouldn't always just have an explicit dependency on its managed policy. In the absence of that, allowing grants to a managed policy would also solve this.
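An added example, not part of the original issue or of CDK's own code: a check over a synthesized CloudFormation template that reports each `AWS::ECS::TaskDefinition` whose task role has an `AWS::IAM::Policy` attached without a direct `DependsOn` on that policy, which is the ordering gap described above. The template and its logical IDs are constructed for illustration, and only direct `DependsOn` entries are considered.

```python
import copy

# Constructed sample: trimmed shape of a synthesized template; logical IDs are made up.
TEMPLATE = {"Resources": {
    "TaskRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "TaskRoleDefaultPolicy": {"Type": "AWS::IAM::Policy",
                              "Properties": {"Roles": [{"Ref": "TaskRole"}]}},
    "TaskDef": {"Type": "AWS::ECS::TaskDefinition",
                "Properties": {"TaskRoleArn": {"Fn::GetAtt": ["TaskRole", "Arn"]}}},
}}


def _logical_id(value):
    """Logical ID behind {"Ref": id} or {"Fn::GetAtt": [id, attr]}; None for literals."""
    if not isinstance(value, dict):
        return None
    if "Ref" in value:
        return value["Ref"]
    att = value.get("Fn::GetAtt")
    if isinstance(att, str):  # short form "Id.Attr"
        return att.split(".")[0]
    return att[0] if att else None


def _depends_on(resource):
    """DependsOn may be a single string or a list; always return a list."""
    deps = resource.get("DependsOn", [])
    return [deps] if isinstance(deps, str) else list(deps)


def missing_policy_dependencies(template):
    """Map each task definition to role policies it does not directly DependsOn."""
    resources = template.get("Resources", {})
    by_role = {}
    for lid, res in resources.items():
        if res.get("Type") == "AWS::IAM::Policy":
            for role in res.get("Properties", {}).get("Roles", []):
                by_role.setdefault(_logical_id(role), set()).add(lid)
    findings = {}
    for lid, res in resources.items():
        if res.get("Type") == "AWS::ECS::TaskDefinition":
            role = _logical_id(res.get("Properties", {}).get("TaskRoleArn"))
            missing = by_role.get(role, set()) - set(_depends_on(res))
            if role and missing:
                findings[lid] = sorted(missing)
    return findings


def with_explicit_dependencies(template):
    """Return a copy in which each flagged task definition DependsOn its role's policies."""
    fixed = copy.deepcopy(template)
    for lid, missing in missing_policy_dependencies(fixed).items():
        res = fixed["Resources"][lid]
        res["DependsOn"] = _depends_on(res) + missing
    return fixed
```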