ECS Service can't attach target group from different region

I have an ECS Service to which I want to attach two load balancers, and one of those load balancers is in a different region of the ECS Cluster. When I try to apply changes I get the following error.

 InvalidParameterException: Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions.

Here is terraform code I'm using and the output of the terraform plan:

resource "aws_ecs_service" "monitoring_grafana_service" {
  name            = "grafana"
  cluster         = module.ecs.ecs_cluster_arn  
  task_definition = aws_ecs_task_definition.monitoring_grafana_task.arn
  desired_count   = 1

  network_configuration {
    subnets         = module.monitoring_vpc.private_subnets
    security_groups = [module.grafana_sg.security_group_id]
  }

  load_balancer {
    target_group_arn = module.frontend_alb.target_group_arns[0]
    container_name   = "grafana"
    container_port   = 3000
  }


  load_balancer {
    target_group_arn = data.terraform_remote_state.ireland_vpc.outputs.oss_target_group_arns[0]
    container_name   = "grafana"
    container_port   = 3000
  }
  
  lifecycle {
    ignore_changes = [
      capacity_provider_strategy
    ]
  }
}

Output:

      + load_balancer {
      + container_name   = "grafana"
      + container_port   = 3000
      + target_group_arn = "arn:aws:elasticloadbalancing:eu-central-1:myAcc:targetgroup/grafna20220202125410761200000016/1cdafdd8e73c1d9a"
    }
  + load_balancer {
      + container_name   = "grafana"
      + container_port   = 3000
      + target_group_arn = "arn:aws:elasticloadbalancing:eu-west-1:myAcc:targetgroup/grafna20220203130531009700000004/ff91959dcf50287e"
    }

The Service Role used by ECS is the "default" one, created by AWS. It has the AWS managed policy: AmazonECSServiceRolePolicy



Solution 1:[1]

Clusters are Region-specific. That could be the reason.

Network Load Balancers now support connections from clients to IP-based targets in peered VPCs across different AWS Regions.

Make sure your VPC has a peered connection to the target resource.

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/service-load-balancing.html
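A pre-apply check for the mismatch discussed above, as an added example that is not part of the original question or answer: it walks the JSON form of a plan (`terraform show -json`) and reports every `aws_ecs_service` whose `target_group_arn` region differs from the region of its cluster. The function names, the `default_region` fallback and the sample plan (account ID and ARNs) are constructed for illustration.

```python
def arn_region(arn):
    """Return the region field of an ARN: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3]


def cross_region_target_groups(plan, default_region=None):
    """Return (address, service_region, target_group_arn) for each region mismatch."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_ecs_service":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        cluster = after.get("cluster")
        # The cluster may be a plain name or unknown at plan time; in that case
        # fall back to the region the caller says the provider is configured for.
        if cluster and cluster.startswith("arn:"):
            region = arn_region(cluster)
        else:
            region = default_region
        if region is None:
            continue  # nothing to compare against
        for lb in after.get("load_balancer") or []:
            tg = lb.get("target_group_arn")
            if tg and arn_region(tg) != region:
                findings.append((rc["address"], region, tg))
    return findings


# Constructed sample mirroring the plan output in the question.
TG_CENTRAL = "arn:aws:elasticloadbalancing:eu-central-1:111122223333:targetgroup/grafana-a/0000000000000001"
TG_WEST = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:targetgroup/grafana-b/0000000000000002"
SAMPLE_PLAN = {"resource_changes": [{
    "address": "aws_ecs_service.monitoring_grafana_service",
    "type": "aws_ecs_service",
    "change": {"after": {
        "cluster": "arn:aws:ecs:eu-central-1:111122223333:cluster/monitoring",
        "load_balancer": [
            {"container_name": "grafana", "container_port": 3000, "target_group_arn": TG_CENTRAL},
            {"container_name": "grafana", "container_port": 3000, "target_group_arn": TG_WEST},
        ]}},
}]}

if __name__ == "__main__":
    for address, region, tg in cross_region_target_groups(SAMPLE_PLAN):
        print(f"{address}: service region {region}, target group {tg}")
```

For a real plan, pass the dictionary obtained by loading the output of `terraform show -json` with `json.load`.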

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Lukas Liesis