This message was deleted.
# generals
sparse-intern-71089
10/23/2018, 2:37 PMThis message was deleted.
b
big-piano-35669
10/23/2018, 2:39 PM
The resources providers themselves generally handle this automatically with retries, etc. Are you seeing otherwise? We've certainly seen bugs in the past around this behavior.
(*assuming, by the way, that permissions in this case are IAM permissions?)
q
quick-action-34599
10/23/2018, 2:40 PMWell I'm getting this error and am trying to track down the cause:
Unable to assume role and validate the listeners configured on your load balancer. Please verify that the ECS service role being passed has the proper permissions.quick-action-34599
10/23/2018, 2:40 PMyea, IAM
quick-action-34599
10/23/2018, 2:40 PMI'm assuming I've misconfigured something because I keep getting it
quick-action-34599
10/23/2018, 2:41 PMbut the ecsServiceRole looks right
quick-action-34599
10/23/2018, 2:46 PMfrustrating thing is I had it working at some point but tried to genericize to add more services and somehow busted it
b
big-piano-35669
10/23/2018, 2:59 PM
It's possible this is a bug in the provider, where it isn't waiting/retrying properly. (The AWS errors aren't always so good here so it's hard to tell.) That might explain why it used to work but now doesn't. Curious if @stocky-spoon-28903 or @white-balloon-205 have any thoughts on this.
big-piano-35669
10/23/2018, 3:00 PM
For instance, I know the AWS Lambda resource retries on a similar error: https://github.com/terraform-providers/terraform-provider-aws/blob/72e8bb4fc26feac0f06860453e931972d6eb2528/aws/resource_aws_lambda_function.go#L377
s
stocky-spoon-28903
10/23/2018, 3:01 PMLikely we should retry there
stocky-spoon-28903
10/23/2018, 3:03 PMOr it may already retry but need a bump in the timeout.
stocky-spoon-28903
10/23/2018, 3:04 PMIn the very short term setTimeout may be a workable solution, but we’ll look to see if that can be integrated into the provider
w
white-balloon-205
10/23/2018, 3:05 PM
Which resource is failing? An ECS
Servicewhite-balloon-205
10/23/2018, 3:07 PM
If you retry the
pulumi updates
stocky-spoon-28903
10/23/2018, 3:10 PMRight, the above is all predicated on the service role being correct and the deployment eventually succeeding
stocky-spoon-28903
10/23/2018, 3:12 PMIt turns out it already does get retried for a while: https://github.com/pulumi/terraform-provider-aws/blob/pulumi-master/aws/resource_aws_ecs_service.go#L443-L457
stocky-spoon-28903
10/23/2018, 3:12 PMIf the deployment eventually succceds (wait a few mins and then run
pulumi updateq
quick-action-34599
10/23/2018, 3:15 PM@white-balloon-205 no, it continually fails. And no, I'm not 100% sure that it's configured correctly but I've migrated my working terraform config so I believe it should
quick-action-34599
10/23/2018, 3:16 PMHowever I'm kind of a newbie when it comes to AWS so I've probably done something wrong
quick-action-34599
10/23/2018, 3:17 PMThe AWS docs are really unclear about what roles and policy attachment needs to be on the instance profile for your autoscaling group
quick-action-34599
10/23/2018, 3:17 PMI've tried it both ways that appear in the docs and neither is working atm
quick-action-34599
10/23/2018, 3:23 PMfeel like I need to rip the guts out and start over, which is a bummer
quick-action-34599
10/23/2018, 3:43 PMGot it! I was assigning the ec2 instance IAM role to the ecs service
s
stocky-spoon-28903
10/23/2018, 4:24 PMAh! I guess the error message here could be made clearer
stocky-spoon-28903
10/23/2018, 4:25 PMHmm, maybe not. Can you think of any wording that might have made the issue more diagnosable?
q
quick-action-34599
10/23/2018, 4:43 PMGreat question, not sure either
quick-action-34599
10/23/2018, 4:43 PMThe error makes sense for what I did