
parameterizing linux_capabilities in ecs task definition

I have a Terraform configuration to create a task definition in ECS Fargate.

The main.tf file looks like this:

...

data "template_file" "td_template" {
  template = file("td.tpl")
  vars = {
    linux_capabilities = ""
  }
}

resource "aws_ecs_task_definition" "fargate" {
  family                   = "mytd"
  container_definitions    = data.template_file.td_template.rendered
  network_mode             = "awsvpc"
  cpu                      = "1024"
  memory                   = "2048"
  execution_role_arn       = "arn:aws:iam::xxxxx:role/ecs"
  task_role_arn            = "arn:aws:iam::xxxxx:role/ecs"
}

...

And, the td.tpl file looks like this:

[
  {
    "image": "xxxxx.dkr.ecr.eu-west-1.amazonaws.com/myserv:latest",
    "name": "myserv",
    "linuxParameters": {
      "capabilities": {
        "add": ["${linux_capabilities}"]
      }
    },
    "cpu": 1024,
    "memory": 2048
  }
]

I wanted to parameterize that linux capabilities thing. If I add some value (e.g. the snippet below) to that linux_capabilities parameter in the data statement, it works.

linux_capabilities = "SYS_PTRACE"

But with an empty "" it doesn't work. It shows this error:

Error: error creating ECS Task Definition (missing-back-svc): ClientException: Unrecognized Linux capabilities in add: []

Does anyone have any idea about parameterizing (set and unset) those linux capabilities settings?

Any suggestions are appreciated.

The problem is the double quotes in the template. You have no way of creating the JSON "add": []; the best you can do is "add": [""], which is invalid. Passing null would give you "add": ["null"].

Also, you are using the deprecated template_file resource, instead of the newer built-in templatefile function.

I suggest switching to templatefile, and then adding a conditional directive in your template that completely removes the "capabilities": {} block if there is an empty string or null passed in.
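The conditional-directive approach suggested in the answer above, as an added example that is not part of the original answer. It goes slightly beyond the answer by taking the capabilities as a list variable (default empty, so no capability is added unless asked for) and inlines the template as a heredoc to stay in one file. The variable shape, the `validation` block and `requires_compatibilities` are assumptions added here.

```hcl
# Added example; the variable shape and validation are assumptions, not the poster's code.
variable "linux_capabilities" {
  description = "Kernel capabilities to add to the container; an empty list adds none."
  type        = list(string)
  default     = []

  # Fargate only accepts SYS_PTRACE in capabilities.add, so reject anything else at plan time.
  validation {
    condition     = alltrue([for c in var.linux_capabilities : c == "SYS_PTRACE"])
    error_message = "On Fargate the only capability that can be added is SYS_PTRACE."
  }
}

locals {
  # The same directives work unchanged in td.tpl when it is rendered with
  #   templatefile("td.tpl", { linux_capabilities = var.linux_capabilities })
  # (inside the file, refer to linux_capabilities without the "var." prefix).
  container_definitions = <<-EOT
    [
      {
        "image": "xxxxx.dkr.ecr.eu-west-1.amazonaws.com/myserv:latest",
        "name": "myserv",
    %{ if length(var.linux_capabilities) > 0 ~}
        "linuxParameters": {
          "capabilities": {
            "add": ${jsonencode(var.linux_capabilities)}
          }
        },
    %{ endif ~}
        "cpu": 1024,
        "memory": 2048
      }
    ]
  EOT
}

resource "aws_ecs_task_definition" "fargate" {
  family                   = "mytd"
  container_definitions    = local.container_definitions
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "1024"
  memory                   = "2048"
  execution_role_arn       = "arn:aws:iam::xxxxx:role/ecs"
  task_role_arn            = "arn:aws:iam::xxxxx:role/ecs"
}
```

With the default empty list the rendered JSON contains no `linuxParameters` key at all; `jsonencode` emits the quoted array, so the template itself carries no hand-written quotes around the values.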
