Remove AmazonEC2ContainerServiceAutoscaleRole creation

[hectcastro]

When the role created with AmazonEC2ContainerServiceAutoscaleRole is associated with an application autoscaling target ARN, subsequent Terraform plan/apply cycles flap as AWS overrides the role association with arn:aws:iam::949413123864:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService.

Consider replacing role creation with something like:

data "aws_iam_role" "ecs_autoscale_role" {
  name = "AWSServiceRoleForApplicationAutoScaling_ECSService"
}

Then output the ARN with data.aws_iam_role.ecs_autoscale_role.arn.

[rbreslow]

I think I was able to replicate what you were experiencing:

-/+ module.app_web_service.aws_appautoscaling_target.main (new resource required)
      id: "service/ecsStagingCluster/StagingrockyTesting" => <computed> (forces new resource)
      max_capacity: "2" => "2"
      min_capacity: "1" => "1"
      resource_id: "service/ecsStagingCluster/StagingrockyTesting" => "service/ecsStagingCluster/StagingrockyTesting"
      role_arn: "arn:aws:iam::279682201306:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService" => "arn:aws:iam::279682201306:role/ecsStagingAutoscaleRole" (forces new resource)
      scalable_dimension: "ecs:service:DesiredCount" => "ecs:service:DesiredCount"
      service_namespace: "ecs" => "ecs"

Every Terraform plan/apply cycle attempts to change role_arn after AWS overrides it.

[rbreslow]

Context for why this is happening:

You don't need to manually create the service-linked roles for Application Auto Scaling. Application Auto Scaling creates the appropriate service-linked role for you when you call RegisterScalableTarget or PutScalingPolicy. For example, if you set up automatic scaling for an ECS service, Application Auto Scaling creates the AWSServiceRoleForApplicationAutoScaling_ECSService role.

See:

• https://forums.aws.amazon.com/thread.jspa?threadID=270113
• https://docs.aws.amazon.com/autoscaling/application/userguide/application-autoscaling-service-linked-roles.html

[rbreslow]

hashicorp/terraform-provider-aws#2750 explores this issue and references hashicorp/terraform-provider-aws#2889 which made role_arn optional for aws_appautoscaling_target.

It was introduced in 1.7.0 of the AWS Terraform provider.

@hectcastro, your fix looks like the way to go. I will work on a PR and connect this issue.

Additionally, I'm going to open an issue on azavea/terraform-aws-ecs-web-service to consider this:

diff --git a/main.tf b/main.tf
index 50f75c2..d9dd9ac 100755
--- a/main.tf
+++ b/main.tf
@@ -98,7 +98,6 @@ resource "aws_appautoscaling_target" "main" {
   service_namespace  = "ecs"
   resource_id        = "service/${var.cluster_name}/${aws_ecs_service.main.name}"
   scalable_dimension = "ecs:service:DesiredCount"
-  role_arn           = "${var.ecs_autoscale_role_arn}"
   min_capacity       = "${var.min_count}"
   max_capacity       = "${var.max_count}"

I think this change could be controversial because of the potential fallout from those using outdated AWS providers. We should also start a conversation about bumping the AWS provider version for azavea/operations-app-template.