ECR repository policy creation fails when using newly created IAM policy #1164

Closed
frncmx opened this issue Jul 16, 2017 · 1 comment · Fixed by #1165

frncmx commented Jul 16, 2017

aws_ecr_repository_policy.test: InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
	status code: 400, request id: <req-id>

That happens because the IAM entity has just been created and IAM changes require time to propagate to other services.

See: https://forums.aws.amazon.com/thread.jspa?messageID=195539#195539

The issue was exactly the same in hashicorp/terraform#2869 and I'm going to address the problem in a similar manner. A PR is coming soon.

Terraform Version

Terraform v0.9.11

Affected Resource(s)

  • aws_ecr_repository_policy
  • aws_iam_role

Terraform Configuration Files

resource "aws_ecr_repository" "test" {
  name = "test-ecr-attach-policy-bug"
}

resource "aws_ecr_repository_policy" "test" {
  repository = "${aws_ecr_repository.test.name}"
  policy     = "${data.aws_iam_policy_document.describe_ecr_images.json}"
}

data "aws_iam_policy_document" "describe_ecr_images" {
  statement {
    sid    = "DescribeImages"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["${aws_iam_role.test.arn}"]
    }

    actions = [
      "ecr:DescribeImages"
    ]
  }
}

resource "aws_iam_role" "test" {
  name = "test-ecr-attach-policy-bug"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    }
  ]
}
EOF
}

Debug Output

https://gist.github.com/frncmx/4016347c801357e5f255526ebac8f325

Expected Behavior

1st terraform apply call should succeed.

Actual Behavior

Only the 2nd terraform apply call succeeds.

Steps to Reproduce

  1. terraform apply

References
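
A narrow, bounded retry of the kind this propagation lag calls for, as an added example in Go that is not part of the original issue and not the provider's code from #1165. `apiError`, `isPropagationError`, `retryOnPropagation` and `fakeECR` are hypothetical names, and the ECR call is simulated with constructed behaviour so the block runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// apiError is a hypothetical stand-in for the SDK's error (code plus message).
type apiError struct{ Code, Message string }
func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// isPropagationError matches only the symptom quoted in the issue, so other
// failures (access denied, throttling, unrelated bad input) surface at once.
func isPropagationError(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "InvalidParameterException" &&
		strings.Contains(ae.Message, "Invalid repository policy provided")
}

// retryOnPropagation calls put until it succeeds, fails with an unrelated
// error, or the timeout passes. It returns the attempt count and last error.
func retryOnPropagation(put func() error, timeout, delay time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempts := 1; ; attempts++ {
		err := put()
		if err == nil || !isPropagationError(err) {
			return attempts, err
		}
		if time.Now().Add(delay).After(deadline) {
			return attempts, fmt.Errorf("policy still rejected after %d attempts: %w", attempts, err)
		}
		time.Sleep(delay)
	}
}

// fakeECR simulates (constructed behaviour) a service that rejects the policy
// until the new role ARN has propagated, i.e. for the first lag calls.
func fakeECR(lag int) func() error {
	calls := 0
	return func() error {
		if calls++; calls <= lag {
			return &apiError{"InvalidParameterException", "Invalid repository policy provided"}
		}
		return nil
	}
}

func main() { fmt.Println(retryOnPropagation(fakeECR(2), 2*time.Second, 10*time.Millisecond)) }
```

Because the same error text is returned for a policy that is genuinely invalid, the timeout is what keeps a real mistake from being retried forever; it still fails, only later.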


ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

ghost locked and limited conversation to collaborators Apr 11, 2020