Cannot Apply ECR Policy When Source is File (or Template) #1286

Closed
rcuza opened this issue Jul 30, 2017 · 3 comments
Labels
question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com.

Comments

@rcuza

rcuza commented Jul 30, 2017

Terraform Version

Terraform v0.9.11

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_ecr_repository
  • aws_ecr_repository_policy

Terraform Configuration Files

module:

provider "aws" {
  region  = "${var.aws_region}"
  profile = "${var.environment}"
}

variable "aws_region" {
  description = "aws region in which to build each ecr"
  type        = "string"
}

variable "aws_profile" {
  description = "aws profile for building"
  type        = "string"
}

variable "environment" {
  description = "environment being built"
  type        = "string"
}

variable "count" {
  default = "0"
  type    = "string"
}

variable "ecr_names" {
  default     = []
  description = "list of ecr repositories to build"
  type        = "list"
}

resource "aws_ecr_repository" "ecr" {
  count = "${length(var.ecr_names)}"
  name  = "${var.ecr_names[count.index]}"
}

resource "aws_ecr_repository_policy" "ecr_policy" {
  count      = "${length(var.ecr_names)}"
  policy     = "${path.module}/files/ecr-poweruser.json"
  repository = "${aws_ecr_repository.ecr.*.name[count.index]}"
}

The policy file is from the terraform example: https://www.terraform.io/docs/providers/aws/r/ecr_repository_policy.html.

Module applied:

module "dev-ecrs" {
  source      = "../../../../modules/storage/ecr-uw2"
  aws_region  = "us-west-2"
  aws_profile = "vault-dev"
  environment = "ci"

  ecr_names = [
    "app1-ecr-uw2",
    "app2-ecr-uw2",
    "app3-ecr-uw2",
  ]
}

Debug Output

https://gist.github.com/rcuza/401dac7e10214ccb2baa4377c484c5de

Panic Output

n/a

Expected Behavior

When I run this code, I expect three ECRs to be created and the policy from the JSON file to be applied to each of them.

Actual Behavior

The ECRs are created successfully but the policies are not applied because the following error is returned:

Error applying plan:

3 error(s) occurred:

* module.dev-ecrs.aws_ecr_repository_policy.ecr_policy[0]: 1 error(s) occurred:

* aws_ecr_repository_policy.ecr_policy.0: InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
	status code: 400, request id: 09803600-7545-11e7-b589-41f5bbdba210
* module.dev-ecrs.aws_ecr_repository_policy.ecr_policy[2]: 1 error(s) occurred:

* aws_ecr_repository_policy.ecr_policy.2: InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
	status code: 400, request id: 09800eef-7545-11e7-b589-41f5bbdba210
* module.dev-ecrs.aws_ecr_repository_policy.ecr_policy[1]: 1 error(s) occurred:

* aws_ecr_repository_policy.ecr_policy.1: InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
	status code: 400, request id: 097f7277-7545-11e7-804b-9770e497500d

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

If I do as the example code does and put the policy inline using policy = << EOF... then it works.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Important Factoids

Following the example code and adding the policy inline, this module works. When I try to use a file it does not work. This is true for making 3 ECRs and for making 1 (I tried both). I also tried using data_resource and importing it as a template.

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

@radeksimko radeksimko added the question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. label Jul 31, 2017
@radeksimko
Member

Hi @rcuza,
in order to load a policy from an external file as-is, you need to use the file() function:

resource "aws_ecr_repository_policy" "ecr_policy" {
  count      = "${length(var.ecr_names)}"
  policy     = "${file("${path.module}/files/ecr-poweruser.json")}"
  repository = "${aws_ecr_repository.ecr.*.name[count.index]}"
}

Let me know if that helps and if we can close this issue.

Thanks.
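To cover both the file() form above and the template route rcuza mentioned trying, here is an added example in the same Terraform 0.9-era syntax; it is not code from the issue or from the AWS provider project. It assumes the module's files/ecr-poweruser.json and var.ecr_names from the original post, and introduces a hypothetical poweruser_principal_arn variable. ECR stores a single policy per repository, so keep either the static or the templated aws_ecr_repository_policy resource, not both.

```hcl
# Added example, not from the issue or the provider project.
# Assumes the module layout from the post (files/ecr-poweruser.json,
# var.ecr_names) and Terraform 0.9-style "${...}" interpolation.

# What the original post did: the interpolation evaluates to the *path*
# string, and that path is what is sent to ECR as PolicyText, hence the
# 400 "Invalid repository policy provided".
#   policy = "${path.module}/files/ecr-poweruser.json"

# Static policy: file() reads the file contents, so PolicyText is the JSON.
resource "aws_ecr_repository_policy" "ecr_policy" {
  count      = "${length(var.ecr_names)}"
  repository = "${aws_ecr_repository.ecr.*.name[count.index]}"
  policy     = "${file("${path.module}/files/ecr-poweruser.json")}"
}

# Parameterised policy: render a template so the principal is not hard-coded.
# Hypothetical variable, not part of the original module.
variable "poweruser_principal_arn" {
  description = "IAM principal ARN granted push/pull on each ECR (assumed)"
  type        = "string"
}

data "template_file" "ecr_policy" {
  count = "${length(var.ecr_names)}"

  # Inside a heredoc Terraform itself interpolates "${...}", so template
  # placeholders must be written as "$${...}" to reach template_file intact.
  template = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "$${principal_arn}"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ]
    }
  ]
}
EOF

  vars {
    principal_arn = "${var.poweruser_principal_arn}"
  }
}

# Use this resource instead of "ecr_policy" above when the template is wanted.
resource "aws_ecr_repository_policy" "ecr_policy_templated" {
  count      = "${length(var.ecr_names)}"
  repository = "${aws_ecr_repository.ecr.*.name[count.index]}"
  policy     = "${data.template_file.ecr_policy.*.rendered[count.index]}"
}
```

Either way, the check is the one rcuza describes below: in TF_LOG=DEBUG output the policyText field of the SetRepositoryPolicy request should contain the JSON document, never a file path.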

@radeksimko radeksimko added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 31, 2017
@rcuza
Author

rcuza commented Aug 1, 2017

doh! I will refrain from using the egg on face emoji.

@radeksimko - thank you. Everything works when used correctly.

For others who have this problem, the clue I missed is in the TF_LOG=DEBUG output at the lines that say "policyText" (2221, 2237 and 2252). Without file() these lines show the file's path. With the file() function, they should show the contents of the file.

@rcuza rcuza closed this as completed Aug 1, 2017
@ghost

ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020
@breathingdust breathingdust removed the waiting-response Maintainers are waiting on response from community or contributor. label Sep 17, 2021