aws-ecs: Race condition in Ec2Service & FargateService between updating the TaskRole default policy and the CfnService #24880

@iancaffey

Description

Describe the bug

Within Ec2Service and FargateService, there is no dependency added between the TaskRole default policy and the CfnService.

If updates are made to the TaskRole default policy (e.g. adding new inline policies), CloudFormation will update both the CfnService and the TaskRole default policy at the same time, and this can result in ECS tasks spinning up without the proper permissions being updated in IAM for the task role yet.

Expected Behavior

The TaskRole and its children (e.g. the default policy) should always deploy first within a CloudFormation stack before the ECS service.

Current Behavior

The TaskRole default policy and the ECS service deploy at the same time.

Reproduction Steps

Every usage of Ec2Service and FargateService is vulnerable to this deployment race condition risk, if they ever make edits to the task role default policy.

Possible Solution

this.node.addDependency(this.taskDefinition.taskRole);

within the BaseService constructor.

Lambda L2 Function construct does this already (see here).

Additional Information/Context

No response

CDK CLI Version

2.72.0

Framework Version

No response

Node.js Version

v16.9.1

OS

Mac OSX

Language

Typescript

Language Version

TypeScript 4.9.5

Other information

No response
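The ordering gap in the report is visible in the synthesized template: the service refs the task definition, the task definition refs the role, and the default policy refs the role, but nothing refs the policy, so CloudFormation is free to create the service before the policy exists. The following is an added example, not code from this issue or from the CDK project: a post-synth check in TypeScript that walks a template's explicit `DependsOn` edges and implicit `Ref`/`Fn::GetAtt` edges and reports every `AWS::IAM::Policy` attached to the service's task role that the service does not transitively wait for. The two templates and all logical IDs (`TaskRole`, `TaskRoleDefaultPolicy`, `TaskDef`, `Service`) are constructed stand-ins for real `cdk synth` output.

```typescript
// Added example (not from the issue or aws-cdk): detect an ECS service that does
// not wait for its task role's policies in a synthesized CloudFormation template.
type Json = any;

interface Template {
  Resources: Record<string, { Type: string; Properties?: Json; DependsOn?: string | string[] }>;
}

// Collect every logical ID a property value points at via Ref or Fn::GetAtt.
function collectRefs(value: Json, out: Set<string>): void {
  if (Array.isArray(value)) { value.forEach(v => collectRefs(v, out)); return; }
  if (value && typeof value === "object") {
    if (typeof value.Ref === "string") out.add(value.Ref);
    const getAtt = value["Fn::GetAtt"];
    if (Array.isArray(getAtt) && typeof getAtt[0] === "string") out.add(getAtt[0]);
    Object.keys(value).forEach(k => collectRefs(value[k], out));
  }
}

// Direct dependencies of one resource: explicit DependsOn plus implicit Ref/GetAtt edges.
function directDeps(t: Template, id: string): string[] {
  const res = t.Resources[id];
  const deps = new Set<string>();
  const explicit = res.DependsOn ?? [];
  (Array.isArray(explicit) ? explicit : [explicit]).forEach(d => deps.add(d));
  collectRefs(res.Properties ?? {}, deps);
  // Keep only real resources: drop self-references and pseudo-parameters such as AWS::Region.
  return Array.from(deps).filter(d => d !== id && d in t.Resources);
}

// Transitive closure: everything CloudFormation must finish creating before `id`.
export function transitiveDeps(t: Template, id: string): Set<string> {
  const seen = new Set<string>();
  const stack = [id];
  while (stack.length > 0) {
    const cur = stack.pop() as string;
    directDeps(t, cur).forEach(d => { if (!seen.has(d)) { seen.add(d); stack.push(d); } });
  }
  return seen;
}

// AWS::IAM::Policy resources whose Roles list refers to the given role.
export function policiesAttachedTo(t: Template, roleId: string): string[] {
  return Object.keys(t.Resources).filter(id => {
    const r = t.Resources[id];
    if (r.Type !== "AWS::IAM::Policy") return false;
    const refs = new Set<string>();
    collectRefs(r.Properties?.Roles ?? [], refs);
    return refs.has(roleId);
  });
}

// Policies attached to the service's task role(s) that the service does NOT wait for.
// An empty result means the role and its policies are guaranteed to exist first.
export function unorderedTaskRolePolicies(t: Template, serviceId: string): string[] {
  const deps = transitiveDeps(t, serviceId);
  const missing: string[] = [];
  Array.from(deps)
    .filter(id => t.Resources[id].Type === "AWS::ECS::TaskDefinition")
    .forEach(tdId => {
      const roleRefs = new Set<string>();
      collectRefs(t.Resources[tdId].Properties?.TaskRoleArn ?? {}, roleRefs);
      roleRefs.forEach(roleId =>
        policiesAttachedTo(t, roleId).forEach(pol => { if (!deps.has(pol)) missing.push(pol); }));
    });
  return missing;
}

// Constructed template with the shape the issue describes (logical IDs are hypothetical).
export const withoutDependency: Template = {
  Resources: {
    TaskRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: {} } },
    TaskRoleDefaultPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: {}, Roles: [{ Ref: "TaskRole" }] } },
    TaskDef: { Type: "AWS::ECS::TaskDefinition", Properties: { TaskRoleArn: { "Fn::GetAtt": ["TaskRole", "Arn"] } } },
    Service: { Type: "AWS::ECS::Service", Properties: { TaskDefinition: { Ref: "TaskDef" } } },
  },
};

// Same template after the proposed fix: a construct-level dependency on the role adds
// DependsOn entries for the role and its child resources, including the default policy.
export const withDependency: Template = JSON.parse(JSON.stringify(withoutDependency));
withDependency.Resources.Service.DependsOn = ["TaskRoleDefaultPolicy", "TaskRole"];

console.log("before fix, unordered policies:", unorderedTaskRolePolicies(withoutDependency, "Service"));
console.log("after fix, unordered policies:", unorderedTaskRolePolicies(withDependency, "Service"));
```

To run this against a real stack, load the output of `cdk synth --json` as the `Template` and call `unorderedTaskRolePolicies` with the service's logical ID; a non-empty result is the race described above. The check deliberately follows implicit `Ref`/`Fn::GetAtt` edges as well as `DependsOn`, because CloudFormation orders on both, so it neither over-reports a dependency that is present only implicitly nor misses one that is declared only explicitly.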

Metadata

Assignees

No one assigned

Labels

- @aws-cdk/aws-ecs: Related to Amazon Elastic Container
- bug: This issue is a bug.
- effort/small: Small work item – less than a day of effort
- good first issue: Related to contributions. See CONTRIBUTING.md
- p1

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
