Terraform-provider-aws: AWS ECR Policy - need to run terraform apply twice

Created on 13 Jun 2017 · 2 comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @vikas027 as hashicorp/terraform#12108. It was migrated here as part of the provider split. The original body of the issue is below._


Terraform Version

~$ terraform -v
Terraform v0.8.7

Affected Resource(s)

  • aws_ecr_repository
  • aws_ecr_repository_policy

Terraform Configuration Files

# Variable declarations are not in the original post; these minimal ones are
# added so the snippet is self-contained.
variable "iam_role" {}

variable "list_of_images" {
  type = "list"
}

# IAM role policy attached to the admin role (grants ecr:* on every resource).
resource "aws_iam_role_policy" "ecr_admin_policy" {
    name = "ecr_admin_policy"
    role = "${aws_iam_role.ecr_admin_role.id}"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecr:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

# The role that is later named as a principal in the repository policy.
resource "aws_iam_role" "ecr_admin_role" {
  name = "${var.iam_role}"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# One repository per image name. depends_on only orders creation; it does not
# wait for the newly created IAM role to become visible to other services.
resource "aws_ecr_repository" "images" {
  depends_on = [ "aws_iam_role_policy.ecr_admin_policy", "aws_iam_role.ecr_admin_role" ]
  count = "${length(var.list_of_images)}"
  name  = "${element(var.list_of_images, count.index)}"
}

# Repository policy naming the account root and the ecr_admin role as
# principals. This is the resource that is rejected on the first apply.
resource "aws_ecr_repository_policy" "repo_policy" {
  count = "${length(var.list_of_images)}"
  repository = "${element(aws_ecr_repository.images.*.id, count.index)}"
  policy = <<POLICY
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "repo_policy",
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "arn:aws:iam::11111111111111:root",
                "arn:aws:iam::11111111111111:role/ecr_admin"
              ]
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy"
            ]
        }
    ]
}
POLICY
}

Debug Output

First Run terraform apply (fails)
Second Run terraform apply (succeeds)

Expected Behavior

terraform apply should not complain about the policy.

Actual Behavior

terraform apply complains about an invalid policy on the first run, and then creates the ECR policy on the second run.
I have tried to set resource dependencies using depends_on, in vain; the behaviour is the same without this parameter.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply (throws an error)
  2. terraform apply (run okay this time)

References

A few other similar issues where Terraform does not wait long enough, or AWS reports that the resource creation is complete (a false positive):

  • GH-2136
  • GH-2349
  • GH-5862
Labels: bug, service/ecr

All 2 comments

The same also happens for an aws_cloudformation_stack depending on an aws_iam_role that assumes a role (in this case cloudformation.amazonaws.com)

Error:

Creating CloudFormation stack failed: ValidationError: Role arn:aws:iam::* is invalid or cannot be assumed
  • on a re-run it works fine.
Terraform v0.11.7
+ provider.aws v1.29.0

@jasonmc86 Do you have a workaround until this gets fixed?
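The workaround asked for above is, in practice, to retry the eventually-consistent call until the new IAM principal has propagated. The following is an added example of that retry-with-backoff pattern; it is not code from this issue or from terraform-provider-aws. The exception class InvalidParameterException, its message, and FakeEcrClient are constructed stand-ins for the boto3 ECR client's set_repository_policy call (in real use, pass a boto3 client and catch botocore's ClientError instead). Only the propagation error is retried; an AccessDenied or a genuinely malformed policy still fails on the first attempt, so the retry does not mask a real policy problem.

```python
"""Retry an eventually-consistent AWS call until the dependency has propagated.

Added example; not code from the issue or from terraform-provider-aws.
The exception name, error message and client interface below are assumptions
modelled on boto3's ECR client (set_repository_policy).
"""
import time
from typing import Callable, Iterable, Tuple, TypeVar

T = TypeVar("T")


class InvalidParameterException(Exception):
    """Stand-in (assumed name) for the error ECR returns while a principal
    named in the policy is not yet visible to the service."""


def retry_until_consistent(
    call: Callable[[], T],
    retryable: Iterable[type],
    attempts: int = 6,
    base_delay: float = 1.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Tuple[T, int]:
    """Invoke `call` until it succeeds or `attempts` is exhausted.

    Backoff is exponential: base_delay, 2*base_delay, 4*base_delay, ...
    Only the listed exception types are retried; anything else propagates
    immediately so a real error is not hidden behind a retry loop.
    Returns (result, attempts_used); re-raises the last retryable error
    when the budget runs out.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    retryable = tuple(retryable)
    last_exc: Exception = RuntimeError("unreachable")
    for n in range(1, attempts + 1):
        try:
            return call(), n
        except retryable as exc:  # type: ignore[misc]
            last_exc = exc
            if n == attempts:
                break
            sleep(base_delay * 2 ** (n - 1))
    raise last_exc


class FakeEcrClient:
    """Constructed stand-in for boto3's ECR client.

    Mimics IAM eventual consistency: the first `fail_times` calls are rejected
    as if the principal did not exist yet, after that the policy is accepted.
    """

    def __init__(self, fail_times: int):
        self.fail_times = fail_times
        self.calls = 0
        self.stored_policy = None

    def set_repository_policy(self, repositoryName: str, policyText: str) -> dict:
        self.calls += 1
        if self.calls <= self.fail_times:
            raise InvalidParameterException(
                "Invalid repository policy provided (constructed message)"
            )
        self.stored_policy = policyText
        return {"repositoryName": repositoryName, "policyText": policyText}


# Constructed minimal policy document used for the offline demo.
POLICY = '{"Version": "2008-10-17", "Statement": []}'


def apply_policy(
    client,
    repo: str,
    policy: str,
    attempts: int = 6,
    sleep: Callable[[float], None] = time.sleep,
) -> Tuple[dict, int]:
    """Apply a repository policy, retrying while IAM is still propagating."""
    return retry_until_consistent(
        lambda: client.set_repository_policy(repositoryName=repo, policyText=policy),
        retryable=(InvalidParameterException,),
        attempts=attempts,
        sleep=sleep,
    )


if __name__ == "__main__":
    # Two rejections, then success: three attempts, two backoff sleeps.
    client = FakeEcrClient(fail_times=2)
    result, used = apply_policy(client, "images", POLICY, sleep=lambda _s: None)
    print(f"applied after {used} attempts: {result['repositoryName']}")
```

Inside Terraform itself the equivalent is an explicit delay between the role and the resource that names it as a principal (for example a time_sleep resource from the hashicorp/time provider, which postdates this issue); the retry above is what a provider or a wrapper script would do in its place.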
