Adding tags to ECS Service - InvalidParameterException

Question

I have a fully working Fargate application up and running in AWS. I went back to add tags to all my resources to better monitor costs in a microservice architecture. Upon adding tags to my aws_ecs_service resource, I got the following exception when running terraform apply:

aws_ecs_service.main: error tagging ECS Cluster (arn:aws:ecs:*region*:*account_number*:service/*service_name*): InvalidParameterException: Long arn format must be used for tagging operations

After some research, I found that on November 15, AWS introduced a new ARN and ID format: https://aws.amazon.com/ecs/faqs/#Transition_to_new_ARN_and_ID_format

I know that I need to apply the settings to the IAM Role that I have assigned to my service, but I can't figure out how. Here is a link to the AWS docs for account settings: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_Setting.html

Below is a snippet of the ecs service resource as well as the task definition:

resource "aws_ecs_task_definition" "app" {
  family                   = "${var.app_name}"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "${var.app_cpu}"
  memory                   = "${var.app_memory}"
  execution_role_arn       = "${var.execution_role_arn}"
  task_role_arn            = "${var.task_role_arn}"

  tags {
    Name        = "${var.app_name}-ecs-task-definition-${var.environment}"
    Service     = "${var.app_name}"
    Environment = "${var.environment}"
    Cost_Center = "${var.tag_cost_center}"
    Cost_Code   = "${var.tag_cost_code}"
  }

  container_definitions = <<DEFINITION
[
  {
    "cpu": ${var.app_cpu},
    "image": "${var.app_image}",
    "memory": ${var.app_memory},
    "name": "${var.app_name}",
    "networkMode": "awsvpc",
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "stash-${var.app_name}",
        "awslogs-region": "${var.aws_region}",
        "awslogs-stream-prefix": "${var.app_name}"
      }
    },
    "portMappings": [
      {
        "containerPort": ${var.app_port},
        "hostPort": ${var.app_port}
      }
    ]
  }
]
DEFINITION
}

resource "aws_ecs_service" "main" {
  name            = "${var.app_name}-service"
  cluster         = "${var.cluster_id}"
  task_definition = "${aws_ecs_task_definition.app.arn}"
  desired_count   = "1"
  launch_type     = "FARGATE"

  network_configuration {
    security_groups = ["${var.security_groups}"]
    subnets         = ["${var.subnets}"]
  }

  load_balancer {
    target_group_arn = "${var.target_group_arn}"
    container_name   = "${var.app_name}"
    container_port   = "${var.app_port}"
  }

  lifecycle {
    ignore_changes = ["desired_count"]
  }

  tags {
    Name        = "${var.app_name}-ecs-service-${var.environment}"
    Service     = "${var.app_name}"
    Environment = "${var.environment}"
    Cost_Center = "${var.tag_cost_center}"
    Cost_Code   = "${var.tag_cost_code}"
  }
}

Here is a look into my security resource:

resource "aws_iam_role" "task_role" {
  name = "${var.app_name}-task-${var.environment}"

  assume_role_policy = <<END
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
END
}

I am using terraform version 0.11.8.

Answer 1

Since you mentioned terraform, let me add this (I am also using terraform and hit a very similar problem). You can use AWS CLI, with the ECS subcommand put-account-setting to set the three LongArnFormat's

aws ecs put-account-setting --name containerInstanceLongArnFormat --value enabled --region _yourRegion_
aws ecs put-account-setting --name serviceLongArnFormat           --value enabled --region _yourRegion_
aws ecs put-account-setting --name taskLongArnFormat              --value enabled --region _yourRegion_

Reference: AWS Doc