Lambda consistently fails the FIRST pull from ECR after `docker_image_registry` completed uploading `docker_image`

[garysassano]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and docker Provider) Version

Affected Resource(s)

• docker_XXXXX

Terraform Configuration Files

// Configure AWS provider
new AwsProvider(this, "aws");

// Get ECR authorization token
const token = new DataAwsEcrAuthorizationToken(this, "token");

// Configure Docker provider
new DockerProvider(this, "docker", {
  registryAuth: [
    {
      address: token.proxyEndpoint,
      password: token.password,
      username: token.userName,
    },
  ],
});

// Create ECR repos
const backRepo = new EcrRepository(this, "BackRepo", {
  name: "back-repo",
});
const frontRepo = new EcrRepository(this, "FrontRepo", {
  name: "front-repo",
});

// Calculate the SHA256 digests for the Dockerfiles
const backDockerfileDigest = Fn.filesha256(
  path.join(__dirname, "back/Dockerfile"),
);
const frontDockerfileDigest = Fn.filesha256(
  path.join(__dirname, "front/Dockerfile"),
);

// Build Docker images
const backImage = new Image(this, "BackImage", {
  buildAttribute: {
    context: path.join(__dirname, "back"),
    platform: "linux/amd64",
  },
  name: `${backRepo.repositoryUrl}:latest`,
  triggers: { filesha256: backDockerfileDigest },
});
const frontImage = new Image(this, "FrontImage", {
  buildAttribute: {
    context: path.join(__dirname, "front"),
    platform: "linux/amd64",
  },
  name: `${frontRepo.repositoryUrl}:latest`,
  triggers: { filesha256: frontDockerfileDigest },
});

// Push Docker images to ECR
new RegistryImage(this, "BackPush", {
  name: backImage.name,
  triggers: { filesha256: backDockerfileDigest },
});
new RegistryImage(this, "FrontPush", {
  name: frontImage.name,
  triggers: { filesha256: frontDockerfileDigest },
});

Debug Output

Panic Output

Expected Behaviour

Actual Behaviour

Steps to Reproduce

1. The TF provider builds the docker_image locally, then pushes it to ECR using docker_image_registry
2. Lambda tries to pull the docker_image from ECR and it fails at first try
3. Running tf apply a second time fixes the issue

It looks like the Docker image isn't yet available in ECR when the Lambda function tries to pull it soon after it has been pushed.

Important Factoids

References

• 0000

[garysassano]

Fixed by referencering docker_image_registry.name instead of docker_image.name (even though they are the same) in the AWS Lambda function image_uri.