terraform-aws-modules / terraform-aws-ecr

Terraform module to create AWS ECR resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/ecr/aws
Apache License 2.0

Creating ECR Repository Policy: InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided' #19

Closed mr-scripting closed 10 months ago

mr-scripting commented 1 year ago

Versions

```hcl
module "ecr" {
  source                            = "code.siemens.com/mc-gmc-deep/terraform-aws-ecr/aws"
  version                           = "1.6.0"
  for_each                          = toset(var.ecr-repositories)
  repository_name                   = each.key
  repository_encryption_type        = "KMS"
  repository_read_write_access_arns = [var.terraform_account_arn]
  repository_image_tag_mutability   = "MUTABLE"
  repository_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1,
        description  = "Keep last 30 images",
        selection = {
          tagStatus     = "tagged",
          tagPrefixList = ["v"],
          countType     = "imageCountMoreThan",
          countNumber   = 30
        },
        action = {
          type = "expire"
        }
      }
    ]
  })
  # Registry Policy
  create_registry_policy = false
}
```

Steps to reproduce the behavior:

Are you using workspaces? No

Have you cleared the local cache (see Notice section above)? We use gitlab runners that are destroyed after each execution

List steps in order that led up to the issue you encountered: Was using the module for several runs, no error. Resource was unchanged. Then the plan started to show:

```hcl
# module.ecr["XXXXX"].aws_ecr_repository_policy.this[0] will be updated in-place
  ~ resource "aws_ecr_repository_policy" "this" {
        id          = "viewer-backend"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ AWS = "XXXXXX" -> "arn:aws:iam::[MASKED]:user/[MASKED]"
                        }
                        # (3 unchanged attributes hidden)
                    },
                  ~ {
                      ~ Principal = {
                          ~ AWS = "XXXXXX" -> "arn:aws:iam::[MASKED]:user/[MASKED]"
                        }
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }
```

Expected behavior

Resource should be unchanged after creation.

I have replaced the module with the code below just to be able to bypass the issues I'm having:

```hcl
resource "aws_ecr_repository" "ecr" {
  for_each             = toset(var.ecr-repositories)
  name                 = each.key
  image_tag_mutability = "MUTABLE"
  encryption_configuration {
    encryption_type = "KMS"
  }

  image_scanning_configuration {
    scan_on_push = true
  }
  tags = local.tags
}
```

github-actions[bot] commented 11 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

iramello-latch commented 11 months ago

not solved

zizzencs commented 11 months ago

I was able to reproduce the issue. If repository_read_access_arns or repository_read_write_access_arns contains a seemingly valid, but non-existing ARN, then the AWS API call results in:

{"__type":"InvalidParameterException","message":"Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'"}

I don't think this is a bug with the terraform-aws-ecr module, and honestly, I'm not sure how it could be fixed.
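The failure mode described in this comment (a well-formed but non-existent principal ARN makes ECR reject the repository policy) and the Principal.AWS rewrite shown in the original plan diff can both be caught before `terraform apply`. The following is an added example, not code from the terraform-aws-ecr module: a pre-flight check that validates the ARNs destined for repository_read_access_arns / repository_read_write_access_arns and confirms each resolves. `iam_principal_exists` is a hypothetical helper that assumes boto3 and configured AWS credentials; the injectable `exists` callback lets the same check run offline.

```python
"""Pre-flight check for IAM principals passed to an ECR repository policy."""
import re
from typing import Callable, Dict, Iterable, List, Tuple

# ECR accepts account root, IAM users and IAM roles as Principal.AWS values.
# Constructed pattern: 12-digit account id, optional path in the resource name.
_PRINCIPAL_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:iam::(?P<account>\d{12}):"
    r"(?P<kind>root|user|role)(?:/(?P<name>[\w+=,.@/-]+))?$"
)


def parse_principal(arn: str) -> Tuple[str, str, str]:
    """Return (account, kind, name); raise ValueError for a malformed ARN."""
    m = _PRINCIPAL_RE.match(arn)
    # root carries no name; user/role must carry one
    if not m or (m.group("kind") != "root") == (m.group("name") is None):
        raise ValueError(f"malformed IAM principal ARN: {arn!r}")
    return m.group("account"), m.group("kind"), m.group("name") or ""


def iam_principal_exists(arn: str) -> bool:
    """Hypothetical existence check via boto3 (assumes AWS credentials)."""
    import boto3  # assumed installed; unused by the offline check below
    _, kind, name = parse_principal(arn)
    iam = boto3.client("iam")
    try:
        if kind == "user":
            iam.get_user(UserName=name.rsplit("/", 1)[-1])
        elif kind == "role":
            iam.get_role(RoleName=name.rsplit("/", 1)[-1])
        return True  # root: account id parsed, nothing further to look up
    except iam.exceptions.NoSuchEntityException:
        return False


def check_principals(arns: Iterable[str],
                     exists: Callable[[str], bool] = iam_principal_exists
                     ) -> Dict[str, List[str]]:
    """Sort ARNs into ok / malformed / missing before they reach the policy."""
    report: Dict[str, List[str]] = {"ok": [], "malformed": [], "missing": []}
    for arn in arns:
        try:
            parse_principal(arn)
        except ValueError:
            report["malformed"].append(arn)
            continue
        report["ok" if exists(arn) else "missing"].append(arn)
    return report
```

Run it over the same list you feed the module (for example in the CI job before `terraform plan`) and fail the pipeline when `malformed` or `missing` is non-empty.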

github-actions[bot] commented 10 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 10 months ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 9 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.