I am using terraform to create an ecs cluster backed by ec2 instance type c5.large. I need the container instances to have the awsvpctrunking option enabled to utilize the limit of 10 elastic network interfaces attached to each container instance instead of the limit of 3 when it is not enabled. In order to make my deployments as isolated as possible, I would like to only enable the awsvpctrunking option at the container instance level rather than changing the awsvpctrunking account setting that will possibly affect resources not managed by my terraform. The documentation states:
Your account or container instance IAM role must opt-in to the awsvpcTrunking account setting. This can be done in the following ways:
Any user can use the PutAccountSettingDefault API to opt-in all IAM users and roles on an account
A root user can use the PutAccountSetting API to opt-in the IAM user or container instance role that will register the instance with the cluster
A container instance role can opt itself in when the PutAccountSetting API is run on an instance prior to it being registered with a cluster
I am attempting to do the 3rd option (bolded above) by including a command in the user data for the launch configuration:
user_data = <<-EOF
#!/bin/bash
aws ecs put-account-setting --name awsvpcTrunking --value enabled --region ${var.region} --principal-arn ${aws_iam_role.container_instance_role.arn}
echo ECS_CLUSTER=${aws_ecs_cluster.api_cluster.name} >> /etc/ecs/ecs.config
EOF
The iam role referenced in the user data is being used by the iam instance profile attached to this launch configuration. However, this command is not working as expected, since the ENI limit is still 3. I verified that awsvpctrunking works in general by enabling it at the account level. Does anyone have an idea of why the setting is not being enabled?
Thanks
AWS OFFICIALUpdated a year ago
