terraform-aws-modules / terraform-aws-ecr

Terraform module to create AWS ECR resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/ecr/aws
Apache License 2.0

First apply attempt of registry policy creation fails #23

Closed GiamPy5 closed 5 months ago

GiamPy5 commented 8 months ago

Description

I am trying to create a repository + registry configuration at the same time, and Terraform complains with "RegistryPolicyNotFoundException" when it tries to attach the policy to the registry.

Versions

Reproduction Code [Required]

code:

locals {
  registry_replication_rules = [for rule in var.ecr_registry.replication_rules : {
    destinations = [for destination in rule.destinations : {
      region      = destination
      registry_id = data.aws_caller_identity.current.account_id
    }]
    repository_filters = rule.repository_filters
  }]
}

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

module "ecr" {
  count   = var.ecr.create ? 1 : 0
  source  = "terraform-aws-modules/ecr/aws"
  version = "1.6.0"

  repository_name = var.ecr.name
  repository_type = var.ecr.type

  create_lifecycle_policy  = var.ecr.lifecycle_policy != null ? true : false
  create_repository_policy = var.ecr.policy != null ? true : false
  attach_repository_policy = var.ecr.policy != null ? true : false

  repository_read_write_access_arns = var.ecr.read_write_access_arns
  repository_policy                 = var.ecr.policy
  repository_lifecycle_policy       = var.ecr.lifecycle_policy
  repository_image_scan_on_push     = var.ecr.image_scan_on_push
  repository_image_tag_mutability   = var.ecr.image_tag_mutability
  repository_encryption_type        = var.ecr.kms_arn != null ? "KMS" : null
  repository_kms_key                = var.ecr.kms_arn

  tags = var.tags
}

data "aws_iam_policy_document" "registry" {
  statement {
    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    actions = [
      "ecr:ReplicateImage",
    ]

    resources = [
      module.ecr[0].repository_arn,
    ]
  }
}

module "ecr_registry" {
  count   = var.ecr_registry.create ? 1 : 0
  source  = "terraform-aws-modules/ecr/aws"
  version = "1.6.0"

  create_repository = false

  create_registry_policy = true
  registry_policy        = data.aws_iam_policy_document.registry.json

  manage_registry_scanning_configuration = length(var.ecr_registry.scan_rules) > 0 ? true : false
  registry_scan_type                     = var.ecr_registry.scan_type
  registry_scan_rules                    = var.ecr_registry.scan_rules

  create_registry_replication_configuration = length(var.ecr_registry.replication_rules) > 0 ? true : false
  registry_replication_rules                = local.registry_replication_rules

  tags = var.tags
}

variables:

ecr = {
  create = true
  name = "test-ecr-repo"
  type = "private"
  read_write_access_arns = ["arn-censored"]
  image_scan_on_push = true
  kms_arn = "kms-arn-censored"
}

ecr_registry = {
  create = true
  replication_rules = [{
    destinations = ["eu-west-2", "us-east-1"]
  }]
}

Steps to reproduce the behavior:

Expected behavior

The first apply should work immediately.

Actual behavior

module.ecr_registry[0].aws_ecr_registry_policy.this[0]: Creating...
╷
│ Error: reading ECR Registry Policy (account-id-censored): RegistryPolicyNotFoundException: Registry policy does not exist in the registry with id 'account-id-censored'
│ 
│   with module.ecr_registry[0].aws_ecr_registry_policy.this[0],
│   on .terraform/modules/ecr_registry/main.tf line 218, in resource "aws_ecr_registry_policy" "this":
│  218: resource "aws_ecr_registry_policy" "this" {
│ 

Terminal Output Screenshot(s)


Additional context

github-actions[bot] commented 7 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

bberzinskas-tw commented 7 months ago

same issue here.

bryantbiggs commented 7 months ago

we'll need a minimal reproduction before we can investigate and triage this issue

github-actions[bot] commented 6 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 5 months ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.