AWS ECR Policy - need to run terraform apply twice #545

@hashibot

Description

This issue was originally opened by @vikas027 as hashicorp/terraform#12108. It was migrated here as part of the provider split. The original body of the issue is below.
Terraform Version

~$ terraform -v
Terraform v0.8.7

Affected Resource(s)

  • aws_ecr_repository
  • aws_ecr_repository_policy

Terraform Configuration Files

resource "aws_iam_role_policy" "ecr_admin_policy" {
  name = "ecr_admin_policy"
  role = "${aws_iam_role.ecr_admin_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecr:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role" "ecr_admin_role" {
  name = "${var.iam_role}"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_ecr_repository" "images" {
  depends_on = [ "aws_iam_role_policy.ecr_admin_policy", "aws_iam_role.ecr_admin_role" ]
  count = "${length(var.list_of_images)}"
  name  = "${element(var.list_of_images, count.index)}"
}

resource "aws_ecr_repository_policy" "repo_policy" {
  count = "${length(var.list_of_images)}"
  repository = "${element(aws_ecr_repository.images.*.id, count.index)}"
  policy = <<POLICY
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "repo_policy",
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "arn:aws:iam::11111111111111:root",
                "arn:aws:iam::11111111111111:role/ecr_admin"
              ]
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy"
            ]
        }
    ]
}
POLICY
}

Debug Output

First Run terraform apply (fails)
Second Run terraform apply (succeeds)

Expected Behavior

terraform apply should not complain about the policy.

Actual Behavior

terraform apply complains about an invalid policy on the first run, and then creates the ECR policy on the second run.
I have tried to set resource dependencies using depends_on, in vain; the behaviour is the same without this parameter.

Steps to Reproduce

  1. terraform apply (throws an error)
  2. terraform apply (run okay this time)

References

A few other similar issues where Terraform does not wait long enough, or AWS reports that the resource creation is complete (a false positive):
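As an added check, not part of the reported issue or of Terraform: the repository policy in the configuration above grants an account-root principal (every identity in account 11111111111111 that has IAM permission for ECR) the right to rewrite and delete the repository policy itself and to delete the repository, which a reviewer would want flagged regardless of the apply-ordering problem. The Python below is a constructed reviewer script that parses that policy document (copied from the issue) and reports which principals receive policy-management and destructive actions. The grouping of actions into categories and the function names are this example's own, not AWS or Terraform definitions.

```python
import fnmatch
import json

# Repository policy copied from the issue's aws_ecr_repository_policy resource
# (the account id 11111111111111 is the placeholder the reporter posted).
REPO_POLICY = """{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "repo_policy",
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "arn:aws:iam::11111111111111:root",
                "arn:aws:iam::11111111111111:role/ecr_admin"
              ]
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy"
            ]
        }
    ]
}"""

# Action groupings constructed for this check; AWS does not define these categories.
# Holders of POLICY_MANAGEMENT actions can rewrite the repository policy itself.
POLICY_MANAGEMENT = {"ecr:SetRepositoryPolicy", "ecr:DeleteRepositoryPolicy"}
DESTRUCTIVE = {"ecr:DeleteRepository", "ecr:BatchDeleteImage"}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Principal values and Action."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element ("*" or {"AWS": [...], "Service": ...}) into strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def _granted(actions, wanted):
    """Return the wanted actions that the statement's (possibly wildcarded) actions match."""
    return sorted(a for a in wanted
                  if any(fnmatch.fnmatchcase(a, pattern) for pattern in actions))


def review_repository_policy(policy_json):
    """Return (sid, principal, category, actions) findings for each Allow statement."""
    findings = []
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "")
        actions = _as_list(stmt.get("Action", []))
        for principal in _principals(stmt):
            # A ":root" ARN (or "*") is the whole account, not one identity.
            if principal == "*" or principal.endswith(":root"):
                findings.append((sid, principal, "account-root-principal", []))
            mgmt = _granted(actions, POLICY_MANAGEMENT)
            if mgmt:
                findings.append((sid, principal, "policy-management", mgmt))
            destructive = _granted(actions, DESTRUCTIVE)
            if destructive:
                findings.append((sid, principal, "destructive", destructive))
    return findings


if __name__ == "__main__":
    for sid, principal, category, actions in review_repository_policy(REPO_POLICY):
        print(f"[{category}] Sid={sid!r} principal={principal} actions={actions}")
```

Run against the posted document, the script reports five findings: the root principal is flagged as an account-wide grant, and both principals receive the policy-management and destructive action groups. A pull-only principal (BatchGetImage, GetDownloadUrlForLayer) produces no findings, which is the shape a least-privilege repository policy for image consumers would take.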

Labels: bug, service/ecr, stale