enableExecuteCommand not propagated to Tasks

[kristianbb]

Describe the bug

I am unable to successfully set enableExecuteCommand=true to my Tasks in my ECS Cluster.

Expected Behavior

The Tasks started from Force new deployment should be able to be placed on the existing Container Instances after updating the service with --enable-execute-command. The Tasks started by Code Pipeline also should be successfully placed.

Current Behavior

I am successfully executing:
aws ecs update-service --cluster <my-cluster> --service <my-service> --region us-west-2 --enable-execute-command
But when I Force new deployment from the AWS Console I get:
service <my-service> was unable to place a task because no container instance met all of its requirements. The closest matching container-instance <my-instance> is missing an attribute required by your task.
I tried running
ecs-cli check-attributes --task-def <my-task-def>:<latest-revision> --container-instances <my-container-inst> --cluster <my-cluster> but it returns "None" for missing attributes.
Since I am running Blue/Green deployment I decided to try to update the Tasks with Code Pipeline, but after building the container the Deployment gets stuck - the newly created Task is in state PROVISIONING, more EC2 instances get spawned by my ASG but the Task never gets deployed. When I do
aws ecs describe-tasks --cluster <my-cluster> --tasks <newly-started-task-from-code-pipeline>
I get
"enableExecuteCommand": false,
which make me think that there is a bug somewhere in --enable-execute-command for Blue/Green Deployments.
The moment I turn back enableExecuteCommand to false in my Service the Tasks (in both cases I describe) get immediately placed on the cluster.
I also tried running this tool amazon-ecs-exec-checker but everything else but "Exec Enabled for Task" is green.
I also tried manually to compare the attributes required by my Task Definition and the ones I have on my Container Instance and everything seems to be present.

Reproduction Steps

• Create a Blue/Green Deployment ECS Service.
• Use Custom Image Anitian PCI Hardened Amazon Linux 2
• Use the following User Data:

#!/bin/bash

sudo yum update -y

sudo yum install -y awslogs
sudo sed -i "s@us-east-1@us-west-2@g" /etc/awslogs/awscli.conf
sudo systemctl stop awslogsd
sudo systemctl start awslogsd

sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm

mkdir -p /etc/ecs
echo ECS_CLUSTER=<my-cluster> >> /etc/ecs/ecs.config
echo ECS_LOGFILE=/log/$(hostname)-ecs-agent.log >> /etc/ecs/ecs.config
echo ECS_ENABLE_TASK_IAM_ROLE=true >> /etc/ecs/ecs.config
echo ECS_AVAILABLE_LOGGING_DRIVERS='["json-file","awslogs"]' >> /etc/ecs/ecs.config
echo ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE=true >> /etc/ecs/ecs.config
amazon-linux-extras disable docker
amazon-linux-extras install -y ecs
systemctl enable --now --no-block ecs.service

• Use the following taskdef.json:

{
  "containerDefinitions": [
    {
      "name": "<PROJECT_NAME>",
      "image": "<IMAGE>",
      "essential": true,
      "portMappings": [
        {
          "hostPort": 0,
          "containerPort": 80
        }
      ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/<PROJECT_NAME-ENV_NAME>",
          "awslogs-region": "<REGION>",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "linuxParameters": {
        "initProcessEnabled": true
      }
    }
  ],
  "networkMode": "bridge",
  "memory": "8000",
  "family": "<PROJECT_NAME-ENV_NAME-td>",
  "enableECSManagedTags": true,
  "executionRoleArn": "arn:aws:iam::<UID>:role/ecsTaskExecutionRole",
  "taskRoleArn": "arn:aws:iam::<UID>:role/ecsTaskExecutionRole"
}

• Use the follwoing appspec.yaml:

version: 0.0
Resources:
  - TargetService:
      Type: AWS::ECS::Service
      Properties:
        TaskDefinition: <TASK_DEFINITION>
        LoadBalancerInfo:
          ContainerName: <PROJECT_NAME>
          ContainerPort: 80
        CapacityProviderStrategy:
          - Base: 1
            CapacityProvider: <CAPACITY_PROVIDER>
            Weight: 2

• Enable enableExecuteCommand as described in the previous section.
• Try to redeploy the tasks.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.4.15 Python/3.8.8 Linux/5.15.0-56-generic exe/x86_64.ubuntu.20 prompt/off

Environment details (OS name and version, etc.)

Ubuntu 20.04

[aBurmeseDev]

Hi @kristianbb - thanks for reaching out.

After investigation, I found a few possibilities that might cause this missing attribute error:

• I would double check the passing parameter values when you run the command ecs-cli check-attributes. There's a chance it's not getting the task and/or cluster you're trying to run.
• I would also double check your task definition specifically in RuntimePlatform properties.
• Lastly, I would update CLI version to the latest since you're running on 2.4.15. The latest version, as of today, is 2.9.10.

If none of those works out, here's a list of troubleshooting guide from AWS Support you could take a look.

Hope it helps,
John~

[github-actions]

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.