diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2262d8c..dcd5314 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [3.3.9] - 2021-010-27
+### Fixed
+- Fix to create ECS aws_iam_role_policy only when deploying on ECS.
+
 ## [3.3.8] - 2021-010-18
 ### Fixed
 - Fix kubernetes serviceaccount reference.
diff --git a/iam-ecs.tf b/iam-ecs.tf
index 74da2d3..707dfa6 100644
--- a/iam-ecs.tf
+++ b/iam-ecs.tf
@@ -34,7 +34,7 @@ resource "aws_iam_role_policy_attachment" "task_exec_managed" {
 }
 
 resource "aws_iam_role_policy" "secretsmanager_for_ecs_task_exec" {
-  count = var.docker_registry_auth_secret_name == "" ? 0 : 1
+  count = var.wd_instance_type == "ecs" && var.docker_registry_auth_secret_name != "" ? 1 : 0
   name  = "secretsmanager-exec"
   role  = aws_iam_role.waggledance_task_exec[0].id
 
@@ -74,7 +74,7 @@ EOF
 }
 
 resource "aws_iam_role_policy" "secretsmanager_for_waggledance_task" {
-  count = var.bastion_ssh_key_secret_name == "" ? 0 : 1
+  count = var.wd_instance_type == "ecs" && var.bastion_ssh_key_secret_name != "" ? 1 : 0
   name  = "secretsmanager"
   role  = aws_iam_role.waggledance_task[0].id