[Bug]: aws_ecs_service ingressPortOverride defaults to 0 #28293

Closed
shawncdavies opened this issue Dec 12, 2022 · 4 comments · Fixed by #28338

Labels
bug Addresses a defect in current functionality. service/ecs Issues and PRs that pertain to the ecs service.

@shawncdavies
shawncdavies commented Dec 12, 2022

Terraform Core Version

1.3.3

AWS Provider Version

4.46.0, 4.45.0

Affected Resource(s)

aws_ecs_service
service_connect_configuration
service

Expected Behavior

IngressPortOverride not to be passed to AWS unless ingress_port_override has been set in the service block.

Actual Behavior

0 is passed and can be seen when debug is on
"services":[{"clientAliases":[{"port":8080}],"ingressPortOverride":0,"portName":"portname"}]

Relevant Error/Panic Output Snippet

InvalidParameterException: IngressPortOverride cannot use ports <= 1024.

Terraform Configuration Files

resource "aws_ecs_task_definition" "nginx" {
  family                   = "nginx"
  task_role_arn            = <role arn>
  execution_role_arn       = <role arn>
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = 1024
  memory                   = 2048
  runtime_platform {
    operating_system_family = "LINUX"
    cpu_architecture        = "X86_64"
  }

  container_definitions = jsonencode([
    {
      name      = "test-nginx"
      image     = "nginx"
      cpu       = 10
      memory    = 512
      essential = true
      portMappings = [
        {
          name          = "nginx-http"
          containerPort = 8080
          protocol      = "tcp"
          appProtocol   = "http"
        }
      ]
    }

  ])

}
resource "aws_ecs_service" "test" {
  name    = "test-nginx"
  cluster = <cluster arn>

  # Track the latest ACTIVE revision
  task_definition         = aws_ecs_task_definition.nginx.arn
  desired_count           = 1
  enable_ecs_managed_tags = true
  enable_execute_command  = true
  launch_type             = "FARGATE"
  scheduling_strategy     = "REPLICA"

  load_balancer {
    target_group_arn = <target_group_arn>
    container_name   = "test-nginx"
    container_port   = 8080
  }

  network_configuration {
    subnets = [
      <subnets>
    ]
    security_groups  = <security_groups>
    assign_public_ip = false
  }

  deployment_controller {
    type = "ECS"
  }

  service_connect_configuration {
    enabled   = true
    namespace = <namespace arn>
    log_configuration {

      log_driver = "awslogs"
      options = {
        awslogs-group         = <log group>
        awslogs-region        = <region>
        awslogs-stream-prefix = <prefix>
        awslogs-create-group  = true
      }

    }

    service {
      client_alias {
        port = 8080
      }
      port_name = "nginx-http"
    }
    

  }

}

Steps to Reproduce

Replace the < > values and apply, or try to enable service_connect_configuration and define a service block without ingress_port_override being set.

Debug Output

2022-12-12T19:18:26.512+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: {"cluster":"arn:aws:ecs:ap-southeast-2:awsaccountid:cluster/community-system-20","forceNewDeployment":false,"service":"arn:aws:ecs:ap-southeast-2:awsaccountid:service/community-system-20/community-system-fe-ui-srv-20","serviceConnectConfiguration":{"enabled":true,"logConfiguration":{"logDriver":"awslogs","options":{"awslogs-create-group":"true","awslogs-group":"/ecs/service-connect-proxy-20","awslogs-region":"ap-southeast-2","awslogs-stream-prefix":"service-connect-proxy-20"}},"namespace":"arn:aws:servicediscovery:ap-southeast-2:awsaccountid:namespace/ns-l6krywaqvokiox5z","services":[{"clientAliases":[{"port":8080}],"ingressPortOverride":0,"portName":"feuiport"}]}}
2022-12-12T19:18:26.512+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: -----------------------------------------------------
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: [DEBUG] [aws-sdk-go] DEBUG: Response ecs/UpdateService Details:
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: ---[ RESPONSE ]--------------------------------------
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: HTTP/1.1 400 Bad Request
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: Connection: close
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: Content-Length: 96
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: Content-Type: application/x-amz-json-1.1
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: Date: Mon, 12 Dec 2022 08:18:28 GMT
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: X-Amzn-Requestid: requestid
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: 
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: 
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: -----------------------------------------------------
2022-12-12T19:18:26.798+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: [DEBUG] [aws-sdk-go] {"__type":"InvalidParameterException","message":"IngressPortOverride cannot use ports <= 1024."}
2022-12-12T19:18:26.799+1100 [DEBUG] provider.terraform-provider-aws_v4.46.0_x5: [DEBUG] [aws-sdk-go] DEBUG: Validate Response ecs/UpdateService failed, attempt 0/25, error InvalidParameterException: IngressPortOverride cannot use ports <= 1024.

Panic Output

No response

Important Factoids

No response

References

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service_definition_parameters.html

ingressPortOverride
Type: Integer

Required: No

(Optional) The port number for the Service Connect proxy to listen on.

Use the value of this field to bypass the proxy for traffic on the port number that's specified in the named portMapping in the task definition of this application, and then use it in your Amazon VPC security groups to allow traffic into the proxy for this Amazon ECS service.

In awsvpc mode, the default value is the container port number that's specified in the named portMapping in the task definition of this application. In bridge mode, the default value is the dynamic ephemeral port of the Service Connect proxy.

Would you like to implement a fix?

No

@shawncdavies shawncdavies added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Dec 12, 2022
@github-actions github-actions bot added the service/ecs Issues and PRs that pertain to the ecs service. label Dec 12, 2022
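
The request body in the report is consistent with an unset integer attribute being copied into the API input as Go's zero value. The following is an added illustration of that pattern and of a guard against it; it is not the provider's code, and the `service` struct, the `expand` function and the flat config map are hypothetical stand-ins.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type alias struct {
	Port int64 `json:"port"`
}

// service is a constructed stand-in for one entry of the "services" list.
type service struct {
	ClientAliases       []alias `json:"clientAliases"`
	IngressPortOverride *int64  `json:"ingressPortOverride,omitempty"`
	PortName            string  `json:"portName"`
}

// expand builds the request entry from a flat config map (hypothetical shape).
// Assumption: an integer attribute that was never set reads back as 0.
// With onlyIfSet=false the 0 is copied into the request, as in the report;
// with onlyIfSet=true the pointer stays nil and omitempty drops the field.
func expand(cfg map[string]interface{}, onlyIfSet bool) service {
	s := service{
		ClientAliases: []alias{{Port: int64(cfg["client_alias_port"].(int))}},
		PortName:      cfg["port_name"].(string),
	}
	v, _ := cfg["ingress_port_override"].(int)
	if !onlyIfSet || v != 0 {
		p := int64(v)
		s.IngressPortOverride = &p
	}
	return s
}

func requestJSON(s service) string {
	b, _ := json.Marshal(s) // cannot fail for this struct
	return string(b)
}

func main() {
	unset := map[string]interface{}{
		"client_alias_port": 8080, "port_name": "portname", "ingress_port_override": 0,
	}
	fmt.Println(requestJSON(expand(unset, false))) // ingressPortOverride present as 0
	fmt.Println(requestJSON(expand(unset, true)))  // field omitted
}
```

Treating 0 as "not set" is safe here only because 0 is never an accepted value for this field.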
@shawncdavies shawncdavies changed the title [Bug]: [Bug]: aws_ecs_service ingressPortOverride defaults to 0 Dec 12, 2022
@daywaycassica

Same thing happening here, running on:

Terraform v1.3.6
on darwin_arm64

  • provider registry.terraform.io/hashicorp/aws v4.46.0

I'm getting: InvalidParameterException: IngressPortOverride cannot use ports <= 1024.

Also: I was obliged to add the
client_alias {
port = 80
}
block even though it's optional on the docs:

client_alias - (Optional) The list of client aliases for this Service Connect service. You use these to assign names that can be used by client applications. The maximum number of client aliases that you can have in this list is 1. See below.

But I was getting:

Error: Insufficient client_alias blocks

│ on ECS_service_definition.tf line 11, in resource "aws_ecs_service" "ecs_api_service":
│ 11: service {

│ At least 1 "client_alias" blocks are required.

Here's my conf file:

resource "aws_ecs_service" "ecs_api_service" {
  name             = var.product_name
  cluster          = var.cluster_arn
  task_definition  = aws_ecs_task_definition.api_taskdef.arn
  launch_type      = "FARGATE"
  platform_version = "LATEST"
  desired_count    = 1
  service_connect_configuration {
    enabled   = true
    namespace = var.cloudmap_namespace
    service {
      discovery_name = var.product_name
      port_name      = "nginx:80:80"
      client_alias {
        port = 80
      }
    }
  }
  lifecycle {
    ignore_changes = [desired_count]
  }
  deployment_circuit_breaker {
    enable   = true
    rollback = true
  }
  deployment_controller {
    type = "ECS"
  }
  deployment_maximum_percent         = 200
  deployment_minimum_healthy_percent = 100
  health_check_grace_period_seconds  = 10
  enable_ecs_managed_tags            = true
  force_new_deployment               = true
  enable_execute_command             = true
  load_balancer {
    target_group_arn = aws_lb_target_group.ecs_target_group.arn
    container_name   = "nginx"
    container_port   = 80
  }
  network_configuration {
    subnets          = var.vpc_subnets
    security_groups  = [aws_security_group.sg.id]
    assign_public_ip = var.assign_public_ip
  }
}




@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Dec 14, 2022
@github-actions github-actions bot added this to the v4.47.0 milestone Dec 15, 2022
@github-actions

This functionality has been released in v4.47.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 15, 2023