fix(ecs): potential race condition on TaskRole default policy update with CfnService (#26070)

Prevents potential race conditions on TaskRole default policy update in EC2 and Fargate services by adding a dependency on the TaskRole.
This will update the TaskRole and its children first and the service after.

Closes #24880.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: lpizzinidev

packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-ecs-deploy.js.snapshot/aws-cdk-codepipeline-ecs-deploy.template.json

@@ -297,7 +297,8 @@
     "TaskDefinition": {
      "Ref": "TaskDef54694570"
     }
-   }
+   },
+   "DependsOn": ["TaskDefTaskRole1EDB4A67"]
   },
   "FargateServiceSecurityGroup0A0E79CB": {
    "Type": "AWS::EC2::SecurityGroup",
@@ -313,7 +314,8 @@
     "VpcId": {
      "Ref": "VPCB9E5F0B4"
     }
-   }
+   },
+   "DependsOn": ["TaskDefTaskRole1EDB4A67"]
   },
   "MyBucketF68F3FF0": {
    "Type": "AWS::S3::Bucket",

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/ec2/integ.alb-ecs-service-command-entry-point.js.snapshot/aws-ecs-integ-alb-ec2-cmd-entrypoint.template.json

@@ -868,7 +868,8 @@
    },
    "DependsOn": [
     "ALBECSServiceWithCommandEntryPointLBPublicListenerECSGroup7271102D",
-    "ALBECSServiceWithCommandEntryPointLBPublicListener1DCF0F84"
+    "ALBECSServiceWithCommandEntryPointLBPublicListener1DCF0F84",
+    "ALBECSServiceWithCommandEntryPointTaskDefTaskRoleD0EE621C"
    ]
   }
  },

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/ec2/integ.application-load-balanced-ecs-service.js.snapshot/aws-ecs-integ-alb.template.json

@@ -1065,7 +1065,8 @@
    },
    "DependsOn": [
     "myServiceLBPublicListenerECSGroup17E9BBC1",
-    "myServiceLBPublicListenerC78AE8A0"
+    "myServiceLBPublicListenerC78AE8A0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   }
  },

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/ec2/integ.healthchecks-multiple-application-load-balanced-ecs-service.js.snapshot/aws-ecs-integ-multiple-alb-healthchecks.template.json

@@ -1284,7 +1284,8 @@
     "myServicelb1listener1ECSTargetGroupweb80GroupC3F9339A",
     "myServicelb1listener15ED0E805",
     "myServicelb2listener2ECSTargetGroupweb90Group6841F924",
-    "myServicelb2listener2AA6970EB"
+    "myServicelb2listener2AA6970EB",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   }
  },

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/ec2/integ.healthchecks-multiple-network-load-balanced-ecs-service.js.snapshot/aws-ecs-integ-nlb-healthchecks.template.json

@@ -1120,7 +1120,8 @@
     "myServicelb1listener1ECSTargetGroupweb80GroupC3F9339A",
     "myServicelb1listener15ED0E805",
     "myServicelb2listener2ECSTargetGroupweb90Group6841F924",
-    "myServicelb2listener2AA6970EB"
+    "myServicelb2listener2AA6970EB",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   }
  },

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/ec2/integ.multiple-application-load-balanced-ecs-service-idle-timeout.js.snapshot/aws-ecs-integ-alb-idle-timeout.template.json

@@ -1500,7 +1500,9 @@
     "myServicelb2listener2ECSTargetGroupweb443Group8FAB1268",
     "myServicelb2listener2ECSTargetGroupweb80Group0590BDE6",
     "myServicelb2listener2ECSTargetGroupweb80Rule2490715C",
-    "myServicelb2listener2AA6970EB"
+    "myServicelb2listener2AA6970EB",
+    "myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   }
  },

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/ec2/integ.multiple-application-load-balanced-ecs-service.js.snapshot/aws-ecs-integ-multiple-alb.template.json

@@ -1213,7 +1213,9 @@
     "myServiceLBPublicListenerECSTargetGroupweb80GroupCA306BD0",
     "myServiceLBPublicListenerECSTargetGroupweb90Group6388E5B5",
     "myServiceLBPublicListenerECSTargetGroupweb90Rule0CAA997D",
-    "myServiceLBPublicListenerC78AE8A0"
+    "myServiceLBPublicListenerC78AE8A0",
+    "myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   }
  },

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/ec2/integ.network-load-balanced-ecs-service.js.snapshot/aws-ecs-integ-nlb.template.json

@@ -1024,7 +1024,8 @@
    },
    "DependsOn": [
     "myServiceLBPublicListenerECSGroup17E9BBC1",
-    "myServiceLBPublicListenerC78AE8A0"
+    "myServiceLBPublicListenerC78AE8A0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   }
  },

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.alb-fargate-service-command-entry-point.js.snapshot/aws-ecs-integ-lb-fargate-cmd-entrypoint-test.template.json

@@ -677,7 +677,8 @@
    },
    "DependsOn": [
     "ALBFargateServiceWithCommandAndEntryPointLBPublicListenerECSGroupBAD40305",
-    "ALBFargateServiceWithCommandAndEntryPointLBPublicListener6589DC80"
+    "ALBFargateServiceWithCommandAndEntryPointLBPublicListener6589DC80",
+    "ALBFargateServiceWithCommandAndEntryPointTaskDefTaskRole65CE9392"
    ]
   },
   "ALBFargateServiceWithCommandAndEntryPointServiceSecurityGroupD154E880": {
@@ -694,7 +695,8 @@
     "VpcId": {
      "Ref": "Vpc8378EB38"
     }
-   }
+   },
+   "DependsOn": ["ALBFargateServiceWithCommandAndEntryPointTaskDefTaskRole65CE9392"]
   },
   "ALBFargateServiceWithCommandAndEntryPointServiceSecurityGroupfromawsecsinteglbfargatecmdentrypointtestALBFargateServiceWithCommandAndEntryPointLBSecurityGroup886E70918046DDBFE6": {
    "Type": "AWS::EC2::SecurityGroupIngress",
@@ -715,7 +717,8 @@
      ]
     },
     "ToPort": 80
-   }
+   },
+   "DependsOn": ["ALBFargateServiceWithCommandAndEntryPointTaskDefTaskRole65CE9392"]
   }
  },
  "Outputs": {

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.alb-fargate-service-https-idle-timeout.js.snapshot/aws-ecs-integ-alb-fg-idletimeout.template.json

@@ -787,7 +787,9 @@
    },
    "DependsOn": [
     "myServiceLBPublicListenerECSGroup17E9BBC1",
-    "myServiceLBPublicListenerC78AE8A0"
+    "myServiceLBPublicListenerC78AE8A0",
+    "myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   },
   "myServiceSecurityGroupC3B9D4E0": {
@@ -804,7 +806,11 @@
     "VpcId": {
      "Ref": "Vpc8378EB38"
     }
-   }
+   },
+   "DependsOn": [
+    "myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
+   ]
   },
   "myServiceSecurityGroupfromawsecsintegalbfgidletimeoutmyServiceLBSecurityGroup1B078E6280039B9A1C": {
    "Type": "AWS::EC2::SecurityGroupIngress",
@@ -825,7 +831,11 @@
      ]
     },
     "ToPort": 80
-   }
+   },
+   "DependsOn": [
+    "myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
+   ]
   }
  },
  "Outputs": {

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.alb-fargate-service-https.js.snapshot/aws-ecs-integ-alb-fg-https.template.json

@@ -783,7 +783,9 @@
    },
    "DependsOn": [
     "myServiceLBPublicListenerECSGroup17E9BBC1",
-    "myServiceLBPublicListenerC78AE8A0"
+    "myServiceLBPublicListenerC78AE8A0",
+    "myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   },
   "myServiceSecurityGroupC3B9D4E0": {
@@ -800,7 +802,11 @@
     "VpcId": {
      "Ref": "Vpc8378EB38"
     }
-   }
+   },
+   "DependsOn": [
+    "myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
+   ]
   },
   "myServiceSecurityGroupfromawsecsintegalbfghttpsmyServiceLBSecurityGroupA934AF89808E9FB7A3": {
    "Type": "AWS::EC2::SecurityGroupIngress",
@@ -821,7 +827,11 @@
      ]
     },
     "ToPort": 80
-   }
+   },
+   "DependsOn": [
+    "myServiceTaskDefTaskRoleDefaultPolicyD48473C0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
+   ]
   }
  },
  "Outputs": {

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.asset-image.js.snapshot/aws-ecs-integ-fargate-image.template.json

@@ -707,7 +707,8 @@
    },
    "DependsOn": [
     "FargateServiceLBPublicListenerECSGroupBE57E081",
-    "FargateServiceLBPublicListener4B4929CA"
+    "FargateServiceLBPublicListener4B4929CA",
+    "FargateServiceTaskDefTaskRole8CDCF85E"
    ]
   },
   "FargateServiceSecurityGroup262B61DD": {
@@ -724,7 +725,8 @@
     "VpcId": {
      "Ref": "Vpc8378EB38"
     }
-   }
+   },
+   "DependsOn": ["FargateServiceTaskDefTaskRole8CDCF85E"]
   },
   "FargateServiceSecurityGroupfromawsecsintegfargateimageFargateServiceLBSecurityGroup04156A428000D3E717F0": {
    "Type": "AWS::EC2::SecurityGroupIngress",
@@ -745,7 +747,8 @@
      ]
     },
     "ToPort": 8000
-   }
+   },
+   "DependsOn": ["FargateServiceTaskDefTaskRole8CDCF85E"]
   }
  },
  "Outputs": {

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.circuit-breaker-load-balanced-fargate-service.js.snapshot/aws-ecs-integ-circuit-breaker.template.json

@@ -676,7 +676,8 @@
    },
    "DependsOn": [
     "myServiceLBPublicListenerECSGroup17E9BBC1",
-    "myServiceLBPublicListenerC78AE8A0"
+    "myServiceLBPublicListenerC78AE8A0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   },
   "myServiceSecurityGroupC3B9D4E0": {
@@ -693,7 +694,8 @@
     "VpcId": {
      "Ref": "Vpc8378EB38"
     }
-   }
+   },
+   "DependsOn": ["myServiceTaskDefTaskRole1C1DE6CC"]
   },
   "myServiceSecurityGroupfromawsecsintegcircuitbreakermyServiceLBSecurityGroupB690840480BBFF8B33": {
    "Type": "AWS::EC2::SecurityGroupIngress",
@@ -714,7 +716,8 @@
      ]
     },
     "ToPort": 80
-   }
+   },
+   "DependsOn": ["myServiceTaskDefTaskRole1C1DE6CC"]
   }
  },
  "Outputs": {

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.circuit-breaker-no-deployment-controller-fargate-service.js.snapshot/aws-ecs-integ-circuit-breaker-no-dc.template.json

@@ -673,7 +673,8 @@
    },
    "DependsOn": [
     "myServiceLBPublicListenerECSGroup17E9BBC1",
-    "myServiceLBPublicListenerC78AE8A0"
+    "myServiceLBPublicListenerC78AE8A0",
+    "myServiceTaskDefTaskRole1C1DE6CC"
    ]
   },
   "myServiceSecurityGroupC3B9D4E0": {
@@ -690,7 +691,8 @@
     "VpcId": {
      "Ref": "Vpc8378EB38"
     }
-   }
+   },
+   "DependsOn": ["myServiceTaskDefTaskRole1C1DE6CC"]
   },
   "myServiceSecurityGroupfromawsecsintegcircuitbreakernodcmyServiceLBSecurityGroupBDCB2AE380B499F76F": {
    "Type": "AWS::EC2::SecurityGroupIngress",
@@ -711,7 +713,8 @@
      ]
     },
     "ToPort": 80
-   }
+   },
+   "DependsOn": ["myServiceTaskDefTaskRole1C1DE6CC"]
   }
  },
  "Outputs": {

packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.circuit-breaker-queue-processing-fargate-service.js.snapshot/aws-ecs-patterns-queue.template.json

@@ -650,7 +650,11 @@
     "TaskDefinition": {
      "Ref": "QueueProcessingServiceQueueProcessingTaskDef4982F68B"
     }
-   }
+   },
+   "DependsOn": [
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
+   ]
   },
   "QueueProcessingServiceQueueProcessingFargateServiceSecurityGroup8FDF413D": {
    "Type": "AWS::EC2::SecurityGroup",
@@ -666,7 +670,11 @@
     "VpcId": {
      "Ref": "VPCB9E5F0B4"
     }
-   }
+   },
+   "DependsOn": [
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
+   ]
   },
   "QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetA9D54444": {
    "Type": "AWS::ApplicationAutoScaling::ScalableTarget",
@@ -709,7 +717,11 @@
     },
     "ScalableDimension": "ecs:service:DesiredCount",
     "ServiceNamespace": "ecs"
-   }
+   },
+   "DependsOn": [
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
+   ]
   },
   "QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetCpuScaling330150E9": {
    "Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
@@ -725,7 +737,11 @@
      },
      "TargetValue": 50
     }
-   }
+   },
+   "DependsOn": [
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
+   ]
   },
   "QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetQueueMessagesVisibleScalingLowerPolicy332E2644": {
    "Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
@@ -745,7 +761,11 @@
       }
      ]
     }
-   }
+   },
+   "DependsOn": [
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
+   ]
   },
   "QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetQueueMessagesVisibleScalingLowerAlarm20C30A06": {
    "Type": "AWS::CloudWatch::Alarm",
@@ -774,7 +794,11 @@
     "Period": 300,
     "Statistic": "Maximum",
     "Threshold": 0
-   }
+   },
+   "DependsOn": [
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
+   ]
   },
   "QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetQueueMessagesVisibleScalingUpperPolicy84DD739A": {
    "Type": "AWS::ApplicationAutoScaling::ScalingPolicy",
@@ -799,7 +823,11 @@
       }
      ]
     }
-   }
+   },
+   "DependsOn": [
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
+   ]
   },
   "QueueProcessingServiceQueueProcessingFargateServiceTaskCountTargetQueueMessagesVisibleScalingUpperAlarm2660BEDF": {
    "Type": "AWS::CloudWatch::Alarm",
@@ -828,7 +856,11 @@
     "Period": 300,
     "Statistic": "Maximum",
     "Threshold": 100
-   }
+   },
+   "DependsOn": [
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRoleDefaultPolicyAE808B19",
+    "QueueProcessingServiceQueueProcessingTaskDefTaskRole782B79A6"
+   ]
   },
   "EcsDefaultClusterMnL3mNNYNVPC9C1EC7A3": {
    "Type": "AWS::ECS::Cluster"