### Bug Description

The main ECS module accepts the `cluster_configuration` parameter but fails to apply the `executeCommandConfiguration` to the actual ECS cluster resource, despite Terraform state showing the configuration is present.
### Module Version

- Module: `terraform-aws-modules/ecs/aws`
- Version: `~> 6.2.2`
- AWS Provider: `~> 6.8`
- Terraform: OpenTofu 1.10.0 (Terraform-compatible)
### Expected Behavior

When `cluster_configuration` is provided with `execute_command_configuration`, the ECS cluster should be created with ECS Exec enabled.
### Actual Behavior

- Terraform plan shows the correct `execute_command_configuration` block
- Terraform state contains the correct configuration
- Supporting resources (CloudWatch log group, IAM policies) are created correctly
- But the AWS ECS cluster has no `configuration` block; ECS Exec is not enabled
### Configuration

```hcl
module "ecs_cluster" {
  source  = "terraform-aws-modules/ecs/aws"
  version = "~> 6.2.2"

  cluster_name = "stage-cluster"

  # Cluster Configuration - THIS DOESN'T GET APPLIED
  cluster_configuration = {
    execute_command_configuration = {
      kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
      logging    = "OVERRIDE"
      log_configuration = {
        cloud_watch_encryption_enabled = true
        cloud_watch_log_group_name     = "/aws/ecs/stage-cluster/exec"
      }
    }
  }

  # Other configuration...
}
```
### Evidence

**Terraform Plan (shows correct config):**

```hcl
# aws_ecs_cluster.this[0] will be created
+ resource "aws_ecs_cluster" "this" {
    + configuration {
        + execute_command_configuration {
            + kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/..."
            + logging    = "OVERRIDE"
            + log_configuration {
                + cloud_watch_encryption_enabled = true
                + cloud_watch_log_group_name     = "/aws/ecs/stage-cluster/exec"
              }
          }
      }
  }
```

**Terraform State (shows correct config):**

```hcl
configuration {
  execute_command_configuration {
    kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/..."
    logging    = "OVERRIDE"
    log_configuration {
      cloud_watch_encryption_enabled = true
      cloud_watch_log_group_name     = "/aws/ecs/stage-cluster/exec"
    }
  }
}
```

**AWS Reality (missing configuration):**

```console
$ aws ecs describe-clusters --cluster stage-cluster --query 'clusters[0]'
{
    "clusterName": "stage-cluster",
    "status": "ACTIVE",
    # NO configuration block - ECS Exec not enabled
}
```
### Reproduction Steps

1. Use the main ECS module with the `cluster_configuration` parameter
2. Run `terraform plan` - shows correct configuration
3. Run `terraform apply` - completes successfully
4. Check the actual cluster: `aws ecs describe-clusters --cluster <name>`
5. Observe the missing `configuration` block
### Workaround

Manual fix after Terraform apply:

```shell
aws ecs update-cluster --cluster stage-cluster --configuration '{
  "executeCommandConfiguration": {
    "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/...",
    "logging": "OVERRIDE",
    "logConfiguration": {
      "cloudWatchLogGroupName": "/aws/ecs/stage-cluster/exec",
      "cloudWatchEncryptionEnabled": true
    }
  }
}'
```
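The report's reproduction steps and workaround amount to a manual drift check between what Terraform believes and what the ECS control plane actually holds. The script below is an added example, not code from this issue or from terraform-aws-modules/ecs: it compares a cluster's live `executeCommandConfiguration` against the values from the module input above and, on drift, builds the same `update-cluster` remediation the workaround uses. The two `describe-clusters` responses are constructed to mirror the broken and the repaired cluster; the `describe_cluster_live` helper is an assumption that the AWS CLI is on `PATH`, and it passes `--include CONFIGURATIONS`, since DescribeClusters only returns the `configuration` block when that include is requested.

```python
"""Drift check for ECS Exec configuration (added example, not module code)."""
import json
import shlex
import subprocess

# Expected ECS Exec settings, taken from the module's cluster_configuration
# input in the report (the API uses camelCase names for the same fields).
EXPECTED_EXEC_CONFIG = {
    "kmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
    "logging": "OVERRIDE",
    "logConfiguration": {
        "cloudWatchEncryptionEnabled": True,
        "cloudWatchLogGroupName": "/aws/ecs/stage-cluster/exec",
    },
}

# Constructed sample: describe-clusters output for the broken cluster,
# which carries no configuration block at all (the symptom in the report).
BROKEN_CLUSTER = {"clusterName": "stage-cluster", "status": "ACTIVE"}

# Constructed sample: the same cluster after the workaround has been applied.
FIXED_CLUSTER = {
    "clusterName": "stage-cluster",
    "status": "ACTIVE",
    "configuration": {"executeCommandConfiguration": EXPECTED_EXEC_CONFIG},
}


def exec_config_drift(cluster: dict, expected: dict) -> list[str]:
    """Return human-readable mismatches between the live cluster's
    executeCommandConfiguration and the expected one; an empty list means
    the control plane matches the Terraform input."""
    actual = cluster.get("configuration", {}).get("executeCommandConfiguration")
    if actual is None:
        return ["configuration.executeCommandConfiguration is missing entirely"]
    drift = []
    for key in ("kmsKeyId", "logging"):
        if actual.get(key) != expected[key]:
            drift.append(f"{key}: expected {expected[key]!r}, got {actual.get(key)!r}")
    actual_log = actual.get("logConfiguration") or {}
    for key, want in expected["logConfiguration"].items():
        if actual_log.get(key) != want:
            drift.append(
                f"logConfiguration.{key}: expected {want!r}, got {actual_log.get(key)!r}"
            )
    return drift


def remediation_command(cluster_name: str, expected: dict) -> str:
    """Build the update-cluster command from the report's workaround, with the
    expected configuration serialised as the CLI's JSON argument."""
    payload = json.dumps({"executeCommandConfiguration": expected})
    return (
        f"aws ecs update-cluster --cluster {shlex.quote(cluster_name)} "
        f"--configuration {shlex.quote(payload)}"
    )


def describe_cluster_live(cluster_name: str) -> dict:
    """Query the real API (assumes the AWS CLI is installed and credentials
    are configured). CONFIGURATIONS must be included for the configuration
    block to appear in the response."""
    out = subprocess.run(
        ["aws", "ecs", "describe-clusters", "--clusters", cluster_name,
         "--include", "CONFIGURATIONS", "--query", "clusters[0]", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Offline demonstration over the two constructed samples.
    for label, cluster in (("broken", BROKEN_CLUSTER), ("fixed", FIXED_CLUSTER)):
        drift = exec_config_drift(cluster, EXPECTED_EXEC_CONFIG)
        print(f"{label}: {'DRIFT' if drift else 'OK'}")
        for line in drift:
            print("  -", line)
        if drift:
            print("  remediation:", remediation_command(cluster["clusterName"], EXPECTED_EXEC_CONFIG))
```

Run as a post-apply step in CI, replacing the constructed samples with `describe_cluster_live(cluster_name)`, and fail the pipeline when `exec_config_drift` returns anything: Terraform's own plan cannot flag this case because its state already contains the configuration it believes it applied.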
### Root Cause Analysis

The issue appears to be that the main ECS module (`terraform-aws-modules/ecs/aws`) accepts `cluster_configuration` but doesn't properly pass it as `configuration` to the cluster submodule (`terraform-aws-modules/ecs/aws//modules/cluster`).
### Impact

- ECS Exec functionality is not available despite correct Terraform configuration
- Creates security compliance issues as audit logging is not enabled
- Causes confusion as Terraform state doesn't match AWS reality

---

**Environment:**

- AWS Region: us-east-1
- Infrastructure: EC2-backed ECS cluster with Auto Scaling capacity provider