is there any way to provide a dynamic value to

execution_role

in

awsx.ecs.EC2ServiceTaskDefinitionArgs

?

Can you share the code you are trying to make work?

sure - it looks something like this (with a bunch of irrelevant params removed) -

ecs_service = awsx.ecs.FargateService(f"service-{app}",
    task_definition_args=awsx.ecs.FargateServiceTaskDefinitionArgs(
        execution_role=awsx.awsx.DefaultRoleWithPolicyArgs(
            args=awsx.awsx.RoleWithPolicyArgs(
                managed_policy_arns=infra_stack.get_output('strata_db_asm_policy_arn').apply(lambda arn: [ 
                    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
                    arn
                ]),
            ),
        ),
    )
)

Right. So you should use

managed_policy_arns

. That’s an (the?) intent of

managed_policy_arns

vs

policy_arns

- to allow for dynamic values (i.e. Output<T>). Or is that not working?

managed_policy_arns

is working, but the doc suggests it's deprecated

Yeah. And it looks like

awsx

doesn’t take that

managed_policy_arns

and turn it into

RolePolicyAttachments

and instead does use the deprecated

managed_policy_arns

property on the execution role. So, the right answer for now is to not set

managed_policy_arns

and let the taskdefinition get created without the policy arns attached to the execution role. Then you can use

RolePolicyAttachment

or

RolePolicyAttachmentsExclusive

and specify the execution role that was created -

task_definition.execution_role.arn

i tried that - but pulumi hangs because the container fails to start since it's missing access to secrets

the awsx resource is lagging the aws provider resource. So it still has the deprecated policy_arns that doesn’t take input. I’m afk right now, but you may need to use the base aws provider resources for this use-case.

understood. is there any downside to using

managed_policy_arns

if i don't fiddle with that role/policies anywhere else?

Another option is to create the task definition and assign the role(s) and the fargate service separately. Something like:

# Simple EC2 Task Definition
task_definition = awsx.ecs.EC2TaskDefinition("my-task",
    containers={
        "nginx": awsx.ecs.TaskDefinitionContainerDefinitionArgs(
            name="nginx",  # Container name is required
            image="nginx:latest",
            memory=512,
            cpu=256,
            port_mappings=[
                awsx.ecs.TaskDefinitionPortMappingArgs(
                    container_port=8080,
                    host_port=8080,  # EC2 tasks can map to specific host ports
                    protocol="tcp",
                )
            ],
            # Optional: Add environment variables
            environment=[
                awsx.ecs.TaskDefinitionKeyValuePairArgs(
                    name="ENV",
                    value="production"
                )
            ],
        )
    },
    cpu="512",
    memory="1024"
)

roleattachment = aws.iam.RolePolicyAttachment("my-role-attachment",
    role=task_definition.execution_role.name,
    policy_arn="arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
)

# Fargate Service using AWSX with existing task definition
fargate_service = awsx.ecs.FargateService("my-fargate-service",
    task_definition=task_definition.task_definition,  # Use the existing task definition
   .....
)