Terraform v0.11.5
+ provider.aws v1.10.0
The following config results in an invalid policy :flushed:
```hcl
variable "projects" {
  type = "list"

  default = [
    "alpha",
    "beta",
    "gamma",
    "delta",
  ]
}

variable "account_arns" {
  type = "map"

  # <ids> here are actual AWS account ids.
  # the :* portion is invalid and should be :root
  default = {
    test       = "arn:aws:iam::<id1>:*"
    staging    = "arn:aws:iam::<id2>:*"
    production = "arn:aws:iam::<id3>:*"
  }
}

data "aws_iam_policy_document" "ecr_policy" {
  statement {
    sid = "ECROrgReadAccess"

    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:BatchGetImage",
    ]

    principals {
      identifiers = ["${values(var.account_arns)}"]
      type        = "AWS"
    }
  }
}

resource "aws_ecr_repository_policy" "ecr_policy" {
  count      = "${length(var.projects)}"
  repository = "${element(var.projects, count.index)}"
  policy     = "${data.aws_iam_policy_document.ecr_policy.json}"
}
```
* aws_ecr_repository_policy.ecr_policy.0: InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
If needed I can pull the full log - can't include the full debug log at the moment.
Terraform should error with the exception message.
Terraform continually "retries" waiting for the resource to be created.
Steps to reproduce: `terraform apply`. Nothing special.
Does anyone know that there are any updates on this?
I am having the same issue and cannot perform terraform apply to AWS. 😩
@yusuken-freee normally this error means that you have a malformed or invalid JSON policy. I've fixed mine, so no issue anymore. (I used to have an invalid account id.)
I still consider this a bug since the user is unaware that they have an invalid policy. It should fail as described in the issue. I may tackle this myself and put up a PR if there's enough interest.
@FelikZ

> normally this error mean that you have malformed or invalid json policy.

As you said, yes, it should be triggered by malformed (invalid) JSON, but I haven't changed the aws_ecr_repository_policy resource definition or related resources at all.
Hi guys, any plan to fix this soon?
TF plan parses the JSON policy as perfectly valid. At this point we are left with no automated way to 'templatize' any policy for users. Even the default empty policy fails.
```
  # aws_ecr_repository_policy.this will be created
  + resource "aws_ecr_repository_policy" "this" {
      + policy     = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "ecr:GetDownloadUrlForLayer",
                          + "ecr:BatchGetImage",
                          + "ecr:BatchCheckLayerAvailability",
                          + "ecr:PutImage",
                          + "ecr:InitiateLayerUpload",
                          + "ecr:UploadLayerPart",
                          + "ecr:CompleteLayerUpload",
                        ]
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = [
                              + "arn:aws:iam::123:user/peshko",
                            ]
                        }
                      + Sid       = "AllowPushPull"
                    },
                ]
              + Version   = "2008-10-17"
            }
        )
    }
```
Code
```hcl
resource "aws_ecr_repository_policy" "this" {
  repository = aws_ecr_repository.this.name
  policy = try(data.template_file.this.rendered, jsonencode(
    {
      "Version" : "2008-10-17",
      "Statement" : []
    }
  ))
}
```
```
Error: Error creating ECR Repository Policy: InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'

  on main.tf line 30, in resource "aws_ecr_repository_policy" "this":
  30: resource "aws_ecr_repository_policy" "this" {
```