aws_ecs_task_definition not setting root_directory for efs_volume_configuration correctly

[bfutterleib]

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.5
AWS provider version ~> 3.0

Affected Resource(s)

• aws_ecs_task_definition
• efs_volume_configuration

Terraform Configuration Files

Simple exerpt that shows the task definition to be created. Nothing special going on here, everything creates and runs except the root_directory does not get updated in AWS correclty

resource "aws_ecs_task_definition" "task_def" {
  family                = var.name
  network_mode = "bridge"
  execution_role_arn = var.task_role

  volume {
    name = "uploads"
    efs_volume_configuration {
      file_system_id          = var.efs_fs_id
      root_directory          = var.efs_path
      transit_encryption      = "DISABLED"
    }
  }

  container_definitions = templatefile("${path.module}/service.json.tpl", {
    image         = aws_ecr_repository.repo.repository_url
    name          = var.name
    port             = var.port
    softLimit      = var.soft_limit
    cont_vol_path = var.vol_path
    vol_name      = "uploads"
    secrets       = jsonencode(var.secrets)
  })

  tags = merge(var.tags, {
    "Name" = var.name
  })
}

Debug Output

Running terraform apply shows the correct path to be updated for the root directory

- volume { # forces replacement
          - name = "uploads" -> null

          - efs_volume_configuration {
              - file_system_id          = "fs-blahblahblah" -> null
              - root_directory          = "/" -> null
              - transit_encryption      = "DISABLED" -> null
              - transit_encryption_port = 0 -> null

              - authorization_config {
                  - iam = "DISABLED" -> null
                }
            }
        }
      + volume { # forces replacement
          + name = "uploads"

          + efs_volume_configuration {
              + file_system_id     = "fs-blahblahblah"
              + root_directory     = "/some/directory"
              + transit_encryption = "DISABLED"

              + authorization_config {
                  + iam = "DISABLED"
                }
            }
        }

Actual Behavior

After running apply and terraform running its updates without error.

The root_directory in the newly created task definition is "/". I have run some sanity checks on other parts of the efs_volume_configuration and they update as expected, it is only the root_directory that seems immutable

[wichert]

#19549 might be related to this one.

[wichert]

One thing I noticed is that if you set authorization_config the root_directory setting is cleared:

terraform-provider-aws/aws/resource_aws_ecs_task_definition.go

Lines 878 to 881 in 12d5302

	if v, ok := config["authorization_config"].([]interface{}); ok && len(v) > 0 {
	efsVol.RootDirectory = nil
	efsVol.AuthorizationConfig = expandEcsVolumesEFSVolumeAuthorizationConfig(v)
	}

This makes sense if you use an access point since they already have a root directory. But if you only set iam that should imho not happen.

[ewbankkit]

@zebirdman Thanks for raising this issue.
It has already been noticed in #19549. I'm going to close this one as a duplicate so that we can concentrate discussion in the linked issue.
Please add any additional comments there.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.