InvalidParameterException: The new ARN and resource ID format must be enabled to propagate tags. Opt in to the new format and try again.

[archenroot]

I am getting this error with latest Terraform 0.12:

module.ecs_alb_service_task.aws_security_group_rule.allow_all_egress[0]: Creation complete after 8s [id=sgrule-3293011397]

Error: InvalidParameterException: The new ARN and resource ID format must be enabled to propagate tags. Opt in to the new format and try again.
        status code: 400, request id: ea7d2db5-1a84-4932-a4ad-89f5a826085b "eg-test-ecs-alb-service-task"

  on ..\..\..\modules\services\aws_ecs_alb_service_task\main.tf line 235, in resource "aws_ecs_service" "ignore_changes_task_definition":
 235: resource "aws_ecs_service" "ignore_changes_task_definition" {

[archenroot]

Please note that I use AWS account with precreated VPC and Subnets (I cannot recreate these as per security here.

Also I followed this guide and make changes by enabling checkboxes as per image:
hashicorp/terraform-provider-aws#7373

I deleted manually the cluster an d trying again, but same error. Not sure what is or not wrong here.

[aknysh]

@archenroot
this is not an issue with the new version of the module. It was like that all the time.
It's ECS 'issue'.
You have to opt-in to the new format, manually in AWS console, or using AWS CLI (you can't do it in terraform).

https://aws.amazon.com/blogs/compute/migrating-your-amazon-ecs-deployment-to-the-new-arn-and-resource-id-format-2/

[archenroot]

@aknysh - I see, thing is I don't have root account, so I used my own which is admin, but has some restrictions, and I enabled new format as per guide, but after creating new cluster same error occurs. I am on our dev environment, so no need for migration here, I just play around here...

[archenroot]

@aknysh - do you know how to switch via aws cli? I didn't find it. Actually problem is that for console I have other user than for terraform, so will need to configure it via cli.

My domain account is integrate3d with AWS for console access, while for non-console access we use IAM users.

[archenroot]

sry - found it : https://docs.aws.amazon.com/cli/latest/reference/ecs/put-account-setting.html

Thx for feedback.

[archenroot]

Actually I tried following:

$ aws ecs put-account-setting --name serviceLongArnFormat --value enabled --profile dip2-devops-dev
{
    "setting": {
        "name": "serviceLongArnFormat",
        "value": "enabled",
        "principalArn": "arn:aws:iam::387170473300:user/dip2-devops-dev"
    }
}

After terraform destroy and terraform apply the issue still persist...

The profile is the same as I use with terraform.

[archenroot]

@aknysh - Can I temporarily disable this resource from your module? or is it some dependency for other functionality?

[archenroot]

Ok, I am waiting for migration, I analyzed module and this tagging is core requirement for module as how it is designed, anyway, thx for response again.

[archenroot]

Hi, so we turned on this new ARN format on root account globally, but I still face the exception, I am going to turn on debug file.

Does it need time to propagate this setting?

[archenroot]

Ok, so there is bad request issue:

2019-11-06T10:54:13.906+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: </DescribeAccountAttributesResponse>
ate)
2019/11/06 10:54:13 [WARN] Provider "aws" produced an invalid plan for module.ecs_alb_service_task.aws_ecs_service.ignore_changes_task_definition[0], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .enable_ecs_managed_tags: planned value cty.False does not match config value cty.NullVal(cty.Bool)
      - .placement_strategy: attribute representing nested block must not be unknown itself; set nested attribute values to unknown instead
2019/11/06 10:54:13 [DEBUG] module.ecs_alb_service_task.aws_ecs_service.ignore_changes_task_definition[0]: applying the planned Create change
2019-11-06T10:54:13.963+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:13 [DEBUG] setting computed for "placement_strategy" from ComputedKeys
2019-11-06T10:54:13.966+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:13 [DEBUG] Matching ^aws: with Namespace
2019-11-06T10:54:13.966+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:13 [DEBUG] Matching ^aws: with Stage
2019-11-06T10:54:13.966+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:13 [DEBUG] Matching ^aws: with Name
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:13 [DEBUG] Creating ECS service: {
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   ClientToken: "terraform-20191106095413964800000001",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   Cluster: "arn:aws:ecs:eu-west-1:387170473300:cluster/eg-dev-dip2admin-portalapi",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   DeploymentConfiguration: {
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     MaximumPercent: 200,
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     MinimumHealthyPercent: 100
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   },
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   DeploymentController: {
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     Type: "ECS"
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   },
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   DesiredCount: 1,
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   EnableECSManagedTags: false,
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   LaunchType: "FARGATE",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   NetworkConfiguration: {
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     AwsvpcConfiguration: {
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       AssignPublicIp: "DISABLED",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       SecurityGroups: ["sg-0e8365420840416ed","sg-0b7d3dc8e95996474"],
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Subnets: ["subnet-0b0c4ed65f2f0d8b0","subnet-0c035f33548d0fc58"]
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     }
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   },
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   PlatformVersion: "LATEST",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   PropagateTags: "TASK_DEFINITION",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   SchedulingStrategy: "REPLICA",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   ServiceName: "eg-dev-dip2admin-portalapi",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   Tags: [{
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Key: "Namespace",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Value: "eg"
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     },{
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Key: "Stage",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Value: "dev"
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     },{
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Key: "Name",
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Value: "eg-dev-dip2admin-portalapi"
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     }],
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   TaskDefinition: "eg-dev-dip2admin-portalapi:2"
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: }
2019-11-06T10:54:13.972+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:13 [DEBUG] Waiting for state to become: [success]
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:13 [DEBUG] [aws-sdk-go] DEBUG: Request ecs/CreateService Details:
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: ---[ REQUEST POST-SIGN ]-----------------------------
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: POST / HTTP/1.1
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Host: ecs.eu-west-1.amazonaws.com
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: User-Agent: aws-sdk-go/1.25.22 (go1.13.3; windows; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.12.10 (+https://www.terraform.io)
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Content-Length: 835
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Authorization: AWS4-HMAC-SHA256 Credential=AKIAVUJJISVKB7LH3HPM/20191106/eu-west-1/ecs/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=ae12e3ea3edc2991840962eceffb010402fff32193dbff39fb840dd6fe95054c
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Content-Type: application/x-amz-json-1.1
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: X-Amz-Date: 20191106T095413Z
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: X-Amz-Target: AmazonEC2ContainerServiceV20141113.CreateService
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Accept-Encoding: gzip
2019-11-06T10:54:13.976+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:
2019-11-06T10:54:13.977+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: {"clientToken":"terraform-20191106095413964800000001","cluster":"arn:aws:ecs:eu-west-1:387170473300:cluster/eg-dev-dip2admin-portalapi","deploymentConfiguration":{"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"desiredCount":1,"enableECSManagedTags":false,"launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"DISABLED","securityGroups":["sg-0e8365420840416ed","sg-0b7d3dc8e95996474"],"subnets":["subnet-0b0c4ed65f2f0d8b0","subnet-0c035f33548d0fc58"]}},"platformVersion":"LATEST","propagateTags":"TASK_DEFINITION","schedulingStrategy":"REPLICA","serviceName":"eg-dev-dip2admin-portalapi","tags":[{"key":"Namespace","value":"eg"},{"key":"Stage","value":"dev"},{"key":"Name","value":"eg-dev-dip2admin-portalapi"}],"taskDefinition":"eg-dev-dip2admin-portalapi:2"}
2019-11-06T10:54:13.977+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: -----------------------------------------------------
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:14 [DEBUG] [aws-sdk-go] DEBUG: Response ecs/CreateService Details:
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: ---[ RESPONSE ]--------------------------------------
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: HTTP/1.1 400 Bad Request
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Connection: close
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Content-Length: 160
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Content-Type: application/x-amz-json-1.1
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Date: Wed, 06 Nov 2019 09:58:20 GMT
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: X-Amzn-Requestid: 90ec008f-5870-4430-933d-b21876a88e92
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: -----------------------------------------------------
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:14 [DEBUG] [aws-sdk-go] {"__type":"InvalidParameterException","message":"The new ARN and resource ID format must be enabled to propagate tags. Opt in to the new format and try again."}
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 10:54:14 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ecs/CreateService failed, attempt 0/25, error InvalidParameterException: The new ARN and resource ID format must be enabled to propagate tags. Opt in to the new format and try again.
2019-11-06T10:54:14.927+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:      status code: 400, request id: 90ec008f-5870-4430-933d-b21876a88e92
2019/11/06 10:54:14 [DEBUG] module.ecs_alb_service_task.aws_ecs_service.ignore_changes_task_definition[0]: apply errored, but we're indicating that via the Error pointer rather than returning it: InvalidParameterException: The new ARN and resource ID format must be enabled to propagate tags. Opt in to the new format and try again.
        status code: 400, request id: 90ec008f-5870-4430-933d-b21876a88e92 "eg-dev-dip2admin-portalapi"
2019-11-06T10:54:15.373+0100 [DEBUG] plugin: plugin process exited: path=F:\proj\alpiq\dip2-environment-tf\environments\dev\dip2_admin_portal_be\.terraform\plugins\windows_amd64\terraform-provider-aws_v2.34.0_x4.exe pid=16476
2019-11-06T10:54:15.373+0100 [DEBUG] plugin: plugin exited

[archenroot]

I think when we opted in on global level via ROOT, something is running in background and need to recreate all roles in IAM, etc. so maybe the task need some time for propagation.

[archenroot]

I think I found the issue, I can tag the ECS itself, but the issue happens (after we enabled opt-in from root account globally) with ECS service creation. Following is resosource to be created:

2019/11/06 11:41:10 [DEBUG] Creating ECS service: {
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   ClientToken: "terraform-20191106104110540300000001",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   Cluster: "arn:aws:ecs:eu-west-1:387170473300:cluster/eg-dev-dip2admin-portalapi",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   DeploymentConfiguration: {
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     MaximumPercent: 200,
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     MinimumHealthyPercent: 100
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   },
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   DeploymentController: {
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     Type: "ECS"
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   },
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   DesiredCount: 1,
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   EnableECSManagedTags: false,
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   LaunchType: "FARGATE",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   NetworkConfiguration: {
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     AwsvpcConfiguration: {
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       AssignPublicIp: "DISABLED",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       SecurityGroups: ["sg-0628e82ea377bd126","sg-0cc84edf0f85b1338"],
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Subnets: ["subnet-0b1d7c83ae0a15608"]
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     }
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   },
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   PlatformVersion: "LATEST",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   PropagateTags: "TASK_DEFINITION",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   SchedulingStrategy: "REPLICA",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   ServiceName: "eg-dev-dip2admin-portalapi",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   Tags: [{
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Key: "Stage",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Value: "dev"
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     },{
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Key: "Namespace",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Value: "eg"
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     },{
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Key: "Name",
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:       Value: "eg-dev-dip2admin-portalapi"
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:     }],
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:   TaskDefinition: "eg-dev-dip2admin-portalapi:3"
2019-11-06T11:41:10.542+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: }

Then SDK use this object to call:
{"clientToken":"terraform-20191106104110540300000001","cluster":"arn:aws:ecs:eu-west-1:387170473300:cluster/eg-dev-dip2admin-portalapi","deploymentConfiguration":{"maximumPercent":200,"minimumHealthyPercent":100},"deploymentController":{"type":"ECS"},"desiredCount":1,"enableECSManagedTags":false,"launchType":"FARGATE","networkConfiguration":{"awsvpcConfiguration":{"assignPublicIp":"DISABLED","securityGroups":["sg-0628e82ea377bd126","sg-0cc84edf0f85b1338"],"subnets":["subnet-0b1d7c83ae0a15608"]}},"platformVersion":"LATEST","propagateTags":"TASK_DEFINITION","schedulingStrategy":"REPLICA","serviceName":"eg-dev-dip2admin-portalapi","tags":[{"key":"Stage","value":"dev"},{"key":"Namespace","value":"eg"},{"key":"Name","value":"eg-dev-dip2admin-portalapi"}],"taskDefinition":"eg-dev-dip2admin-portalapi:3"}
And then follows this issue:

2019-11-06T11:41:10.544+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: -----------------------------------------------------
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 11:41:10 [DEBUG] [aws-sdk-go] DEBUG: Response ecs/CreateService Details:
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: ---[ RESPONSE ]--------------------------------------
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: HTTP/1.1 400 Bad Request
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Connection: close
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Content-Length: 160
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Content-Type: application/x-amz-json-1.1
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: Date: Wed, 06 Nov 2019 10:43:00 GMT
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: X-Amzn-Requestid: 05865e43-4b5d-43d4-b4e9-bc16ca492f2d
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: -----------------------------------------------------
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 11:41:10 [DEBUG] [aws-sdk-go] {"__type":"InvalidParameterException","message":"The new ARN and resource ID format must be enabled to propagate tags. Opt in to the new format and try again."}
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe: 2019/11/06 11:41:10 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ecs/CreateService failed, attempt 0/25, error InvalidParameterException: The new ARN and resource ID format must be enabled to propagate tags. Opt in to the new format and try again.
2019-11-06T11:41:10.901+0100 [DEBUG] plugin.terraform-provider-aws_v2.34.0_x4.exe:      status code: 400, request id: 05865e43-4b5d-43d4-b4e9-bc16ca492f2d
2019/11/06 11:41:10 [DEBUG] module.ecs_alb_service_task.aws_ecs_service.ignore_changes_task_definition[0]: apply errored, but we're indicating that via the Error pointer rather than returning it: InvalidParameterException: The new ARN and resource ID format must be enabled to propagate tags. Opt in to the new format and try again.

So actually ECS is created with Tags without issue, but ECS Service cannot be tagged

I think I will report this to Terraform AWS provider.

[archenroot]

So as stated on above linked issue, we had to update user which was created before root account opted-in with long arns. After change it works as expected.