hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_apprunner_service is unable to deploy public images #19762

Open eduard93 opened 3 years ago

eduard93 commented 3 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.0
on windows_amd64
+ provider registry.terraform.io/hashicorp/aws v3.44.0

Affected Resource(s)

Terraform Configuration Files

provider "aws" {
  region = "us-east-2"
  profile = "ABC"
}

resource "aws_apprunner_service" "nginx" {
  service_name = "nginx"

  source_configuration {
    image_repository {
      image_configuration {
        port = "80"
      }
      image_identifier      = "public.ecr.aws/nginx/nginx:latest"
      image_repository_type = "ECR_PUBLIC"
    }
  }

  tags = {
    Name = "nginx-apprunner-service"
  }
}

Alternatively, I have also tried to provide authentication_configuration (note that <account> is edited due to the security considerations):

provider "aws" {
  region = "us-east-2"
  profile = "ed"
}

resource "aws_apprunner_service" "nginx" {
  service_name = "nginx"

  source_configuration {
    authentication_configuration {
      access_role_arn = "arn:aws:iam::<account>:role/service-role/AppRunnerECRAccessRole"
    }
    image_repository {
      image_configuration {
        port = "80"
      }
      image_identifier      = "public.ecr.aws/nginx/nginx:latest"
      image_repository_type = "ECR_PUBLIC"
    }
  }

  tags = {
    Name = "nginx-apprunner-service"
  }
}

With AppRunnerECRAccessRole giving a full ECR access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "*"
        }
    ]
}

Debug Output

Expected Behavior

AppRunner Service is created.

Actual Behavior

AppRunner Service is NOT created. I'm getting this error:

╷
│ Error: error waiting for App Runner Service (arn:aws:apprunner:us-east-2:<account>:service/nginx/09b59a5258af40afb9d49835533fa800) creation: unexpected state 'CREATE_FAILED', wanted target 'RUNNING'. last error: %!s(<nil>)
│
│   with aws_apprunner_service.nginx,
│   on main.tf line 6, in resource "aws_apprunner_service" "nginx":
│    6: resource "aws_apprunner_service" "nginx" {
│

Deploy logs in CloudWatch:

06-10-2021 11:03 PM [AppRunner] Starting to pull your application image.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

anGie44 commented 3 years ago

Hi @eduard93, thank you for raising this issue. I gave this a try in the AWS console (using the same image/port number without specifying an authentication configuration) and realized that the console greys out "automatic deployments", meaning that auto_deployments_enabled needs to be configured to false in your resource. I believe that's what's causing the creation to fail. Unfortunately, I don't see this documented in the AWS API docs (and I omitted this in the terraform docs as well), but it's something that can definitely be added as it seems specific to using a public ECR image.

Let me know if adding the above configuration (auto_deployments_enabled = false) works for you!

Here's what I'm seeing after a successful deployment in the aws cli:

{
    "Service": {
        "ServiceName": "test2",
        "ServiceId": "ac472521e814462f84b0dedc0a671f1e",
        "ServiceArn": "arn:aws:apprunner:us-east-2:XXXXXXXXX:service/test2/ac472521e814462f84b0dedc0a671f1e",
        "ServiceUrl": "cv8mfdmu4j.us-east-2.awsapprunner.com",
        "CreatedAt": "2021-06-11T11:37:25-04:00",
        "UpdatedAt": "2021-06-11T11:37:25-04:00",
        "Status": "RUNNING",
        "SourceConfiguration": {
            "ImageRepository": {
                "ImageIdentifier": "public.ecr.aws/nginx/nginx:latest",
                "ImageConfiguration": {
                    "Port": "80"
                },
                "ImageRepositoryType": "ECR_PUBLIC"
            },
            "AutoDeploymentsEnabled": false
        },
        "InstanceConfiguration": {
            "Cpu": "1024",
            "Memory": "2048"
        },
        "HealthCheckConfiguration": {
            "Protocol": "TCP",
            "Path": "/",
            "Interval": 10,
            "Timeout": 5,
            "HealthyThreshold": 1,
            "UnhealthyThreshold": 5
        },
        "AutoScalingConfigurationSummary": {
            "AutoScalingConfigurationArn": "arn:aws:apprunner:us-east-2:XXXXXXXXX:autoscalingconfiguration/DefaultConfiguration/1/00000000000000000000000000000001",
            "AutoScalingConfigurationName": "DefaultConfiguration",
            "AutoScalingConfigurationRevision": 1
        }
    }
}
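The fix anGie44 describes, written out as a complete configuration (an added example, not the reporter's file or the provider's documentation): the ECR_PUBLIC source sets auto_deployments_enabled = false and needs no access role, and a lifecycle precondition fails at plan time instead of in a CREATE_FAILED wait if someone later re-enables automatic deployments for a public image. It assumes Terraform 1.2 or later (preconditions are newer than the v1.0.0 in this report); the locals and their names are my own.

```hcl
# Added example: App Runner service from a public ECR image that creates
# successfully. Assumes Terraform >= 1.2 (for lifecycle preconditions).
locals {
  # Kept in locals so the precondition below can inspect them; a resource
  # precondition cannot refer to the resource's own attributes via self.
  image_repository_type    = "ECR_PUBLIC"
  auto_deployments_enabled = false # must be false for ECR_PUBLIC images
}

resource "aws_apprunner_service" "nginx" {
  service_name = "nginx"

  source_configuration {
    # Leaving this unset (the provider defaults it to true) is what
    # produced the CREATE_FAILED state in the report above.
    auto_deployments_enabled = local.auto_deployments_enabled

    # No authentication_configuration: public.ecr.aws needs no access role,
    # so the AppRunnerECRAccessRole from the report is not required here.
    image_repository {
      image_configuration {
        port = "80"
      }
      image_identifier      = "public.ecr.aws/nginx/nginx:latest"
      image_repository_type = local.image_repository_type
    }
  }

  lifecycle {
    precondition {
      # Reject the combination App Runner cannot deploy before any API call.
      condition     = local.image_repository_type != "ECR_PUBLIC" || !local.auto_deployments_enabled
      error_message = "App Runner does not support automatic deployments from ECR_PUBLIC images; set auto_deployments_enabled = false."
    }
  }

  tags = {
    Name = "nginx-apprunner-service"
  }
}
```

With the precondition in place, flipping the local to true makes terraform plan stop with the message above rather than spending minutes waiting on a service that ends in CREATE_FAILED.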

eduard93 commented 3 years ago

@anGie44 adding auto_deployments_enabled = false worked for me! Thank you!

Adding docs that auto_deployments_enabled = false property must be specified for public images would be nice.

I'm also now able to report the original issue I wanted to report: https://github.com/hashicorp/terraform-provider-aws/issues/19776

anGie44 commented 3 years ago

Awesome, we'll use this issue then to track that documentation change 👍

pako-grape commented 3 years ago

It would also be nice to fix the last error: %!s(<nil>) part 🙂 I have a similar problem with a private image and I have no idea what is wrong yet 😄