-rw-r--r--hacking/aws_config/testing_policies/compute-policy.json46
-rw-r--r--lib/ansible/modules/cloud/amazon/ecs_service.py4
-rw-r--r--test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml8
-rw-r--r--test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml14
4 files changed, 15 insertions, 57 deletions
diff --git a/hacking/aws_config/testing_policies/compute-policy.json b/hacking/aws_config/testing_policies/compute-policy.json
index c9f31a4062..be4c4d0d51 100644
--- a/hacking/aws_config/testing_policies/compute-policy.json
+++ b/hacking/aws_config/testing_policies/compute-policy.json
@@ -109,29 +109,6 @@
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
},
- {
- "Sid": "UnspecifiedCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:DescribeRepositories",
- "ecr:CreateRepository"
- ],
- "Resource": "*"
- },
- {
- "Sid": "SpecifiedCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:GetRepositoryPolicy",
- "ecr:SetRepositoryPolicy",
- "ecr:DeleteRepository",
- "ecr:DeleteRepositoryPolicy",
- "ecr:DeleteRepositoryPolicy"
- ],
- "Resource": [
- "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
- ]
- },
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
@@ -239,29 +216,6 @@
]
},
{
- "Sid": "AllowECSManagement",
- "Effect": "Allow",
- "Action": [
- "application-autoscaling:Describe*",
- "application-autoscaling:PutScalingPolicy",
- "application-autoscaling:RegisterScalableTarget",
- "cloudwatch:DescribeAlarms",
- "cloudwatch:PutMetricAlarm",
- "ecs:CreateCluster",
- "ecs:CreateService",
- "ecs:DeleteCluster",
- "ecs:DeleteService",
- "ecs:Describe*",
- "ecs:DeregisterTaskDefinition",
- "ecs:List*",
- "ecs:RegisterTaskDefinition",
- "ecs:UpdateService"
- ],
- "Resource": [
- "*"
- ]
- },
- {
"Sid": "AllowSESManagement",
"Effect": "Allow",
"Action": [
diff --git a/lib/ansible/modules/cloud/amazon/ecs_service.py b/lib/ansible/modules/cloud/amazon/ecs_service.py
index 3aada5d26d..7047cba965 100644
--- a/lib/ansible/modules/cloud/amazon/ecs_service.py
+++ b/lib/ansible/modules/cloud/amazon/ecs_service.py
@@ -523,7 +523,7 @@ def main():
network_configuration,
module.params['launch_type'])
except botocore.exceptions.ClientError as e:
- module.fail_json(msg=e.message)
+ module.fail_json_aws(e, msg="Couldn't create service")
results['service'] = response
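Review bot: The handler around the create call still catches only `botocore.exceptions.ClientError`, so a `BotoCoreError` (connection failure, parameter validation) would bypass the new `fail_json_aws` call and surface as an unhandled traceback. Widening the clause to `except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:` would cover both, and the same applies to the delete-service handler in the next hunk. The construction of `module` is outside the hunk, so it is worth confirming it is an `AnsibleAWSModule`, since a plain `AnsibleModule` has no `fail_json_aws`. main() starts and ends outside both hunks.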
@@ -548,7 +548,7 @@ def main():
module.params['cluster']
)
except botocore.exceptions.ClientError as e:
- module.fail_json(msg=e.message)
+ module.fail_json_aws(e, msg="Couldn't delete service")
results['changed'] = True
elif module.params['state'] == 'deleting':
diff --git a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml
index 335faf99d4..288f531f95 100644
--- a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml
+++ b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml
@@ -1,11 +1,3 @@
-# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
-# amzn-ami-2017.09.b-amazon-ecs-optimized
-ecs_agent_images:
- us-east-1: ami-71ef560b
- us-east-2: ami-1b8ca37e
- us-west-2: ami-d2f489aa
- us-west-1: ami-6b81980b
-
ecs_cluster_name: "{{ resource_prefix }}"
user_data: |
#!/bin/bash
diff --git a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml
index 490033538a..ccb23deb3f 100644
--- a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml
+++ b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml
@@ -123,12 +123,24 @@
<<: *aws_connection_info
register: setup_sg
+ - name: find a suitable AMI
+ ec2_ami_facts:
+ owner: amazon
+ filters:
+ description: "Amazon Linux AMI* ECS *"
+ <<: *aws_connection_info
+ register: ec2_ami_facts
+
+ - name: set image id fact
+ set_fact:
+ ecs_image_id: "{{ (ec2_ami_facts.images|first).image_id }}"
+
- name: provision ec2 instance to create an image
ec2:
key_name: '{{ ec2_keypair|default(setup_key.key.name) }}'
instance_type: t2.micro
state: present
- image: '{{ ecs_agent_images[aws_region] }}'
+ image: '{{ ecs_image_id }}'
wait: yes
user_data: "{{ user_data }}"
instance_profile_name: ecsInstanceRole
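Review bot: The `set image id fact` task takes `ec2_ami_facts.images|first`, but the lookup does not guarantee any ordering, so the instance may launch from an arbitrary and possibly old, unpatched ECS-optimized image that differs between runs. Keeping `owner: amazon` is the right guard against look-alike public AMIs; on top of it, pick the newest match explicitly, e.g. `ecs_image_id: "{{ (ec2_ami_facts.images|sort(attribute='creation_date')|last).image_id }}"`. An empty result currently fails inside the template with an unclear error, so a short `assert` on `ec2_ami_facts.images|length > 0` before the `set_fact` would make that case readable. Registering the result under the module's own name `ec2_ami_facts` is also easy to misread; a name such as `ecs_ami_lookup` would be clearer.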