additional regions and ecs-deploy-runner
We have been building out changes to the Ref Arch that we bought from you guys to get multi-region completed. One of the things we have left to do is get the ecs-deploy-runner working on the second region in our setup. Whenever we run the terragrunt apply on our secondary region we are getting the following error:

```
│ Error: failed creating IAM Role (ecs-deploy-runner-docker-image-builder): EntityAlreadyExists: Role with name ecs-deploy-runner-docker-image-builder already exists.
│ 	status code: 409, request id: 14253fc0-149d-4d3a-b7ef-94990075f050
│
│   with module.ecs_deploy_runner.aws_iam_role.ecs_task["docker-image-builder"],
│   on .terraform/modules/ecs_deploy_runner/modules/ecs-deploy-runner/main_ecs.tf line 139, in resource "aws_iam_role" "ecs_task":
│  139: resource "aws_iam_role" "ecs_task" {
│
╵
╷
│ Error: failed creating IAM Role (ecs-deploy-runner-task-execution-role): EntityAlreadyExists: Role with name ecs-deploy-runner-task-execution-role already exists.
│ 	status code: 409, request id: c223b48c-1695-4edd-b937-5771203dc0d9
│
│   with module.ecs_deploy_runner.aws_iam_role.ecs_task_execution_role,
│   on .terraform/modules/ecs_deploy_runner/modules/ecs-deploy-runner/main_ecs.tf line 183, in resource "aws_iam_role" "ecs_task_execution_role":
│  183: resource "aws_iam_role" "ecs_task_execution_role" {
│
```

Why does it try to remake that role? It should already know that role exists.

---

Tracked in ticket #108974 (2022-07-13): https://support.gruntwork.io/hc/requests/108974
This is because the design is for each ECS Deploy Runner deployment to have a different permission set, so that you can properly account for the ACLs and authorization policies of your CI/CD workflows. Since there is no performance advantage to having multiple regional ECS Deploy Runners, the advantage of another ECS Deploy Runner is segregating the permission set for the deployment. As such, it doesn't make much sense to deploy another ECS Deploy Runner if you find yourself wanting to reuse the IAM Role and permissions: it gives you no advantage operationally, and only adds overhead to the process.

In general, we recommend having a single ECS Deploy Runner per account, instead of one per region. This hits the right sweet spot between access control and operational overhead. Deploying more than that usually leads to diminishing returns unless you have strict access control policies, such as ensuring a team only has access to a single VPC in the account.

---

With that said, if you would like to operate another ECS Deploy Runner in the secondary region, you can do so by selecting a different name for the deploy runner (using the `name` input variable), so that all the IAM Roles and Policies will use a different name that doesn't clash with the existing deploy runner.
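As an added example (not configuration from the original thread or from Gruntwork's Reference Architecture), here is what the secondary region's `terragrunt.hcl` looks like once the `name` input is set. IAM roles and policies live in an account-wide namespace, not a regional one, which is why the default name produces the `EntityAlreadyExists` 409 above as soon as a second region is applied: the first region already owns `ecs-deploy-runner-docker-image-builder` and `ecs-deploy-runner-task-execution-role`. The module source path, pinned version, region suffix and the inputs left unchanged are assumptions.

```hcl
# Added example; not from the original thread or the Gruntwork Ref Arch.
# Assumed location: <account>/us-west-2/<env>/mgmt/ecs-deploy-runner/terragrunt.hcl
#
# IAM role and policy names are global to the AWS account, so a second
# ECS Deploy Runner in another region must derive its role names from a
# different `name`, otherwise "<name>-docker-image-builder" and
# "<name>-task-execution-role" collide with the primary region's roles.

terraform {
  # Module source and ref are assumptions; use the ref your Ref Arch pins.
  source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/ecs-deploy-runner?ref=v0.96.0"
}

include {
  path = find_in_parent_folders()
}

inputs = {
  # The module default is "ecs-deploy-runner". Suffixing the region keeps
  # every derived IAM role, IAM policy and ECS resource name unique within
  # the account. The suffix itself is an assumption; any unique string works.
  name = "ecs-deploy-runner-us-west-2"

  # All other inputs (VPC, subnets, container images, the permission set
  # for this runner) are assumed to mirror the primary region's configuration,
  # adjusted for the new region. Give this runner its own, narrower
  # permissions rather than reusing the primary region's, which is the
  # reason the module separates them per deployment.
}
```

Before running `terragrunt apply`, `terragrunt plan` should now show the roles being created under the new prefix rather than erroring on the existing ones; if the plan still references the old names, the `name` input is not reaching the module (for example, an overriding value in a parent `terragrunt.hcl`).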