Resource "aws_ecs_task_definition" shows as modified each time terraform is applied

[geeshans]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

• provider.aws v1.28.0

Affected Resource(s)

aws_ecs_task_definition

Terraform Configuration Files

resource "aws_ecs_task_definition" "web" {
  family                   = "web"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "${var.web_fargate_cpu}"
  memory                   = "${var.web_fargate_memory}"
  container_definitions    = "${data.template_file.web_task_definition.rendered}"
  execution_role_arn       = "${aws_iam_role.ecs_execution_role.arn}"
  

}

resource "aws_ecs_task_definition" "app" {
  family                   = "app" 
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "${var.app_fargate_cpu}"
  memory                   = "${var.app_fargate_memory}"
  container_definitions    = "${data.template_file.app_task_definition.rendered}"
  execution_role_arn       = "${aws_iam_role.ecs_execution_role.arn}"
}

Debug Output

Expected Behavior

No resources should show as changed

Actual Behavior

aws_ecs_task_definition shows as modified which in turn rebuild that resource

-/+ aws_ecs_task_definition.app (new resource required)
      id:                                  "app" => <computed> (forces new resource)
      arn:                                 "arn:aws:ecs:us-east-1:496391058917:task-definition/app:38" => <computed>

Steps to Reproduce

1. terraform apply

References

• Task definitions continuously beening updated #2417

[bflad]

Hi @geeshans 👋 Sorry you are running into unexpected behavior.

It looks like the terraform plan output might be cutoff above. Can you please post the rest of it? The details (likely a change in container_definitions) are important for helping troubleshoot your issue. If it is container_definitions, it might be worthwhile to also see your configuration for data "template_file" "app_task_definition".

Thanks!

[geeshans]

Hi @bflad , Thanks for taking a look.

The full output.

[root@localhost ecs-cluster]#  terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

tls_private_key.example: Refreshing state... (ID: b308ba78e227e7636f9f3f4ee55014bf3f66d2f5)
tls_self_signed_cert.example: Refreshing state... (ID: 260557963492533435489839613927770558862)
aws_iam_role.ecs_execution_role: Refreshing state... (ID: tf_ecs_execution_role)
aws_ecs_cluster.main: Refreshing state... (ID: arn:aws:ecs:us-east-1:496***58917:cluster/tf-ecs-cluster)
aws_cloudwatch_log_group.web: Refreshing state... (ID: webserver)
aws_iam_server_certificate.test_cert: Refreshing state... (ID: ASCAJCKQ4TFX5NILPBBA2)
aws_vpc.main: Refreshing state... (ID: vpc-e5b5769f)
aws_cloudwatch_log_group.app: Refreshing state... (ID: appserver)
data.aws_availability_zones.available: Refreshing state...
aws_iam_role_policy.ecs_execution_policy: Refreshing state... (ID: tf_ecs_execution_role:ecs_execution_policy)
data.template_file.web_task_definition: Refreshing state...
aws_ecs_task_definition.web: Refreshing state... (ID: web)
data.template_file.app_task_definition: Refreshing state...
aws_ecs_task_definition.app: Refreshing state... (ID: app)
aws_subnet.private[0]: Refreshing state... (ID: subnet-dec679f0)
aws_service_discovery_private_dns_namespace.ecs_private_ns: Refreshing state... (ID: ns-i74ggxescttmdrev)
aws_subnet.private[1]: Refreshing state... (ID: subnet-3130707b)
aws_internet_gateway.gw: Refreshing state... (ID: igw-ac7446d4)
aws_subnet.public[1]: Refreshing state... (ID: subnet-f53272bf)
aws_alb_target_group.web: Refreshing state... (ID: arn:aws:elasticloadbalancing:us-east-1:...tgroup/tf-ecs-task-tg/94132627c57b374b)
aws_subnet.public[0]: Refreshing state... (ID: subnet-edb708c3)
aws_security_group.lb: Refreshing state... (ID: sg-2e600d64)
aws_eip.gw[1]: Refreshing state... (ID: eipalloc-f6e30cfd)
aws_eip.gw[0]: Refreshing state... (ID: eipalloc-bfe609b4)
aws_route.internet_access: Refreshing state... (ID: r-rtb-50a03a2f1080289494)
aws_security_group.ecs_web_sg: Refreshing state... (ID: sg-cd6a0787)
aws_alb.main: Refreshing state... (ID: arn:aws:elasticloadbalancing:us-east-1:...r/app/tf-ecs-task-alb/0b1ab237e48aa7e9)
aws_service_discovery_service.example: Refreshing state... (ID: srv-ymaechwgdy4jso5v)
aws_security_group.ecs_app_sg: Refreshing state... (ID: sg-7a127f30)
aws_nat_gateway.gw[1]: Refreshing state... (ID: nat-07fad67a8278960e3)
aws_nat_gateway.gw[0]: Refreshing state... (ID: nat-0b08b7eb53a89b078)
aws_ecs_service.app: Refreshing state... (ID: arn:aws:ecs:us-east-1:496***58917:service/tf-ecs-app-service)
aws_route_table.private[0]: Refreshing state... (ID: rtb-afac36d0)
aws_route_table.private[1]: Refreshing state... (ID: rtb-0aae3475)
aws_alb_listener.http: Refreshing state... (ID: arn:aws:elasticloadbalancing:us-east-1:...-alb/0b1ab237e48aa7e9/abc021668d91b595)
aws_alb_listener.https: Refreshing state... (ID: arn:aws:elasticloadbalancing:us-east-1:...-alb/0b1ab237e48aa7e9/75f033325ef20e35)
aws_route_table_association.private[0]: Refreshing state... (ID: rtbassoc-47d87639)
aws_route_table_association.private[1]: Refreshing state... (ID: rtbassoc-17c06e69)
aws_ecs_service.web: Refreshing state... (ID: arn:aws:ecs:us-east-1:496***58917:service/tf-ecs-web-service)

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  ~ aws_ecs_service.app
      task_definition:                     "arn:aws:ecs:us-east-1:496***58917:task-definition/app:38" => "${aws_ecs_task_definition.app.arn}"

  ~ aws_ecs_service.web
      task_definition:                     "arn:aws:ecs:us-east-1:496***58917:task-definition/web:40" => "${aws_ecs_task_definition.web.arn}"

-/+ aws_ecs_task_definition.app (new resource required)
      id:                                  "app" => <computed> (forces new resource)
      arn:                                 "arn:aws:ecs:us-east-1:496***58917:task-definition/app:38" => <computed>
      container_definitions:               "[{\"cpu\":512,\"environment\":[],\"essential\":true,\"image\":\"496***58917.dkr.ecr.eu-central-1.amazonaws.co\"awslogs\",\"options\":{\"awslogs-group\":\"appserver\",\"awslogs-region\":\"us-east-1\",\"awslogs-stream-prefix\":\"helloworld\"}},\"memory\":1024,\"mous\":[{\"containerPort\":8080,\"hostPort\":8080,\"protocol\":\"tcp\"}],\"volumesFrom\":[]}]" => "[{\"cpu\":512,\"essential\":true,\"image\":\"496***58917.ogConfiguration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-group\":\"appserver\",\"awslogs-region\":\"us-east-1\",\"awslogs-stream-prefix\":\"hel,\"portMappings\":[{\"containerPort\":8080,\"protocol\":\"tcp\"}]}]" (forces new resource)
      cpu:                                 "512" => "512"
      execution_role_arn:                  "arn:aws:iam::496***58917:role/tf_ecs_execution_role" => "arn:aws:iam::496***58917:role/tf_ecs_execution_role
      family:                              "app" => "app"
      memory:                              "1024" => "1024"
      network_mode:                        "awsvpc" => "awsvpc"
      requires_compatibilities.#:          "1" => "1"
      requires_compatibilities.3072437307: "FARGATE" => "FARGATE"
      revision:                            "38" => <computed>

-/+ aws_ecs_task_definition.web (new resource required)
      id:                                  "web" => <computed> (forces new resource)
      arn:                                 "arn:aws:ecs:us-east-1:496***58917:task-definition/web:40" => <computed>
      container_definitions:               "[{\"cpu\":256,\"environment\":[],\"essential\":true,\"image\":\"496***58917.dkr.ecr.eu-central-1.amazonaws.co"awslogs\",\"options\":{\"awslogs-group\":\"webserver\",\"awslogs-region\":\"us-east-1\",\"awslogs-stream-prefix\":\"webserver\"}},\"memory\":256,\"mountP[{\"containerPort\":80,\"hostPort\":80,\"protocol\":\"tcp\"}],\"volumesFrom\":[]}]" => "[{\"cpu\":256,\"essential\":true,\"image\":\"496***58917.dkr.ecr.ration\":{\"logDriver\":\"awslogs\",\"options\":{\"awslogs-group\":\"webserver\",\"awslogs-region\":\"us-east-1\",\"awslogs-stream-prefix\":\"webserver\"}ngs\":[{\"containerPort\":80,\"protocol\":\"tcp\"}]}]" (forces new resource)
      cpu:                                 "256" => "256"
      execution_role_arn:                  "arn:aws:iam::496***58917:role/tf_ecs_execution_role" => "arn:aws:iam::496***58917:role/tf_ecs_execution_role
      family:                              "web" => "web"
      memory:                              "512" => "512"
      network_mode:                        "awsvpc" => "awsvpc"
      requires_compatibilities.#:          "1" => "1"
      requires_compatibilities.3072437307: "FARGATE" => "FARGATE"
      revision:                            "40" => <computed>


Plan: 2 to add, 2 to change, 2 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

The tf scripts can be accessed at https://github.com/geeshans/ecs-cluster

Cheers,
Geeshan

[fabian-dev]

Your container definitions' portMapping config misses the hostPort. This issue is a duplicate of #3401

[geeshans]

Yes adding a hostPort which needs to be same as the containerPort when using networkMode=awsvpc fixed the issue.

    "portMappings": [
      {
        "hostPort": 80,
        "containerPort": 80,
        "protocol": "tcp"
      }

Thank you!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!