Reputation: 11
Description
Terraform: For launch type Fargate with a Windows container, I am getting the error below after running terraform apply. Error:
error creating app-name service: error waiting for ECS service (app-name) creation: AccessDeniedException: You do not have authorization to access the specified platform.
The Terraform and AWS provider versions used are below:
Terraform CLI and Terraform AWS Provider Version
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/0.12.31 (+https://www.terraform.io) terraform-provider-aws/3.70.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.42.23 (go1.16; linux; amd64)
Affected Resource(s): aws_ecs_service
Terraform Configuration Files
resource "aws_ecs_task_definition" "app_task" {
  family = "${var.tags["environment"]}-app"
  container_definitions = data.template_file.app_task_definition.rendered
  requires_compatibilities = ["FARGATE"]
  network_mode = "awsvpc"
  task_role_arn = aws_iam_role.ecs_role.arn
  execution_role_arn = aws_iam_role.ecs_role.arn
  memory = var.fargate_memory
  cpu = var.fargate_cpu
  runtime_platform {
    operating_system_family = "WINDOWS_SERVER_2019_CORE"
    cpu_architecture = "X86_64"
  }
  depends_on = [null_resource.confd_cluster_values]
}

resource "aws_ecs_service" "app" {
  name = "${var.tags["environment"]}-app"
  cluster = data.terraform_remote_state.fargate_cluster.outputs.cluster.id
  task_definition = aws_ecs_task_definition.app_task.arn
  desired_count = var.ecs_app_desired_count
  health_check_grace_period_seconds = 2147483647
  deployment_minimum_healthy_percent = 0
  deployment_maximum_percent = 100
  launch_type = "FARGATE"
  enable_execute_command = true
  network_configuration {
    security_groups = [data.terraform_remote_state.fargate_cluster.outputs.cluster_security_group]
    subnets = data.aws_subnet_ids.private.ids
  }
  load_balancer {
    target_group_arn = aws_alb_target_group.app.arn
    container_name = var.alb_target_container_name
    container_port = 8097
  }
  lifecycle {
    ignore_changes = [desired_count]
  }
  depends_on = [aws_ecs_task_definition.app_task]
}
Debug Output
-----------------------------------------------------: timestamp=2022-01-01T16:30:06.055+0530
2022-01-01T16:30:06.055+0530 [INFO] plugin.terraform-provider-aws_v3.70.0_x5: 2022/01/01 16:30:06 [DEBUG] [aws-sdk-go] {"__type":"AccessDeniedException","message":"You do not have authorization to access the specified platform."}: timestamp=2022-01-01T16:30:06.055+0530
2022-01-01T16:30:06.055+0530 [INFO] plugin.terraform-provider-aws_v3.70.0_x5: 2022/01/01 16:30:06 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ecs/CreateService failed, attempt 0/25, error AccessDeniedException: You do not have authorization to access the specified platform.: timestamp=2022-01-01T16:30:06.055+0530
Upvotes: 1
Views: 692
Reputation: 11
After reading this https://aws.amazon.com/blogs/containers/running-windows-containers-with-amazon-ecs-on-aws-fargate/, I came to know that the Amazon ECS Exec feature is unsupported in Fargate for Windows tasks, and therefore the error occurred.
Disabling the setting below in aws_ecs_service resolved the issue.
enable_execute_command = true
It would be helpful if Terraform could show users an appropriate message saying the above feature is not available for Windows instead of throwing the error "You do not have authorization to access the specified platform."
Upvotes: 0
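The combination identified in the answer above (ECS Exec enabled on a Fargate service whose task definition targets Windows) can be caught before apply by scanning the plan; the following is an added example, not code from the original posts. It assumes the JSON layout written by `terraform show -json` for a saved plan, and the sample plan and the function name are constructed for illustration.

```python
import json

# Constructed sample, trimmed to the fields the check reads. The layout
# (planned_values / configuration) is assumed to match `terraform show -json`.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_ecs_task_definition.app_task", "type": "aws_ecs_task_definition",
   "values": {"runtime_platform": [{"operating_system_family": "WINDOWS_SERVER_2019_CORE"}]}},
  {"address": "aws_ecs_service.app", "type": "aws_ecs_service",
   "values": {"launch_type": "FARGATE", "enable_execute_command": true}}]}},
 "configuration": {"root_module": {"resources": [
  {"address": "aws_ecs_service.app", "expressions":
   {"task_definition": {"references": ["aws_ecs_task_definition.app_task"]}}}]}}}
""")


def find_exec_on_windows_fargate(plan):
    """Return root-module Fargate services that enable ECS Exec for a Windows task definition."""
    planned = plan["planned_values"]["root_module"].get("resources", [])
    config = plan["configuration"]["root_module"].get("resources", [])

    # Task definitions whose runtime_platform block declares a Windows OS family.
    windows_taskdefs = set()
    for res in planned:
        if res["type"] != "aws_ecs_task_definition":
            continue
        for rp in res["values"].get("runtime_platform") or []:
            if (rp.get("operating_system_family") or "").upper().startswith("WINDOWS"):
                windows_taskdefs.add(res["address"])

    # The task definition ARN is unknown at plan time, so follow the config references.
    refs = {r["address"]: r.get("expressions", {}).get("task_definition", {}).get("references", [])
            for r in config}

    findings = []
    for res in planned:
        vals = res["values"]
        if res["type"] != "aws_ecs_service" or vals.get("launch_type") != "FARGATE":
            continue
        if not vals.get("enable_execute_command"):
            continue
        if any(ref == td or ref.startswith(td + ".")
               for ref in refs.get(res["address"], []) for td in windows_taskdefs):
            findings.append(res["address"])
    return findings


if __name__ == "__main__":
    print(find_exec_on_windows_fargate(SAMPLE_PLAN))
```
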
Reputation: 238727
The issue is not due to your TF code, but due to the IAM permissions that you use to run the code. You have to verify your permissions. You may also be limited at the AWS Organization level if your account is part of a group of accounts.
Upvotes: 0