terraform-aws-modules / terraform-aws-ecr

Terraform module to create AWS ECR resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/ecr/aws
Apache License 2.0

Policy changes on every plan #26

Closed ScubaDrew closed 6 months ago

ScubaDrew commented 6 months ago

Description

Every time I plan with this module, the policy block has pending changes. I apply them, and then the next plan, still has changes pending.

I've tried removing the policy and creating it again. Still, pending changes.

Versions

Reproduction Code [Required]

module "gsal_proxy" {
  source = "terraform-aws-modules/ecr/aws"
  version = "1.6.0"

  repository_name = "gs/al-proxy"

  repository_read_write_access_arns = var.read_write_arns
  repository_read_access_arns       = var.read_only_arns
  create_lifecycle_policy           = false
}

vars:
  "read_only_arns": [
    "arn:aws-us-gov:iam::xxx:role/prd-1-20231005055232381500000001",
    "arn:aws-us-gov:sts::xxx:assumed-role/prd-1-20231005055232381500000001/i-zzz",
    "arn:aws-us-gov:sts::xxx:assumed-role/prd-1-20231206195128453200000003/i-zzz",
    "arn:aws-us-gov:sts::xxx:assumed-role/test-1-20231015185902248100000003/i-zzz",
    "arn:aws-us-gov:iam::xxx:role/dev-01-1-20230526030206003600000002",
    "arn:aws-us-gov:sts::xxx:assumed-role/stg-01-1-20231102031159343200000001/i-zzz",
    "arn:aws-us-gov:iam::xxx:assumed-role/stg-01-1-20231122212759304500000001/i-zzz"
  ],
  "read_write_arns": [
    "arn:aws-us-gov:iam::xxx:role/gitlab_runner_role"
  ]

Expected behavior

After applying this, a plan results in 0 changes detected.

Actual behavior

After applying, a subsequent plan results in changes. It seems like it just wants to re-order them, removing and adding the same entries:

 # module.gsal.proxy.aws_ecr_repository_policy.this[0] will be updated in-place
  ~ resource "aws_ecr_repository_policy" "this" {
        id          = "gs/al-proxy"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                              - "arn:aws-us-gov:iam::xxx:role/dev-01-1-20230526030206003600000002",
                              + "arn:aws-us-gov:sts::xxx:assumed-role/test-01-test-1-20231015185902248100000003/i-zzz",
                              + "arn:aws-us-gov:sts::xxx:assumed-role/prd-1-20231005055232381500000001/i-zzz",
                              + "arn:aws-us-gov:sts::xxx:assumed-role/prd-1-20231206195128453200000003/i-zzz",
                                "arn:aws-us-gov:sts::xxx:assumed-role/stg-01-1-20231102031159343200000001/i-zzz",
                                "arn:aws-us-gov:iam::xxx:role/prd-1-20231005055232381500000001",
                              - "arn:aws-us-gov:sts::xxx:assumed-role/prd-1-20231206195128453200000003/i-zzz",
                              - "arn:aws-us-gov:sts::xxx:assumed-role/prd-1-20231005055232381500000001/i-zzz",
                              + "arn:aws-us-gov:iam::xxx:role/dev-01-20230526030206003600000002",
                                "arn:aws-us-gov:iam::xxx:role/gitlab_runner_role",
                              - "arn:aws-us-gov:sts::xxx:assumed-role/test-01-test-1-20231015185902248100000003/i-zzz",
                              - "arn:aws-us-gov:sts::xxx:assumed-role/stg-01-1-20231122212759304500000001/i-zzz",
                              + "arn:aws-us-gov:iam::xxx:assumed-role/stg-01-1-20231122212759304500000001/i-zzz",
                            ]
                        }
                        # (3 unchanged attributes hidden)
                    },
                    {
                        Action    = [
                            "ecr:UploadLayerPart",
                            "ecr:PutImage",
                            "ecr:InitiateLayerUpload",
                            "ecr:CompleteLayerUpload",
                        ]
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws-us-gov:iam::xxx:role/gitlab_runner_role"
                        }
                        Sid       = "ReadWrite"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.
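A check for confirming that a plan like the one above is only a reorder of `Principal.AWS` and not a hidden grant or revocation. This is an added example, not code from the issue or the module; the ARNs, the account id `xxx` and the Sids are constructed placeholders.

```python
import json

# Constructed sample policies (placeholder account id "xxx", not real ARNs):
# BEFORE and AFTER hold the same grants with Principal.AWS in a different
# order, mirroring the plan in the issue above; GRANT adds a new principal.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws-us-gov:iam::xxx:role/prd-1",
                           "arn:aws-us-gov:sts::xxx:assumed-role/prd-1/i-zzz",
                           "arn:aws-us-gov:iam::xxx:role/gitlab_runner_role"]},
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
    {"Sid": "ReadWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws-us-gov:iam::xxx:role/gitlab_runner_role"},
     "Action": ["ecr:PutImage", "ecr:UploadLayerPart"]}]}
AFTER = json.loads(json.dumps(BEFORE))
AFTER["Statement"][0]["Principal"]["AWS"].reverse()
AFTER["Statement"][1]["Principal"]["AWS"] = [BEFORE["Statement"][1]["Principal"]["AWS"]]
GRANT = json.loads(json.dumps(AFTER))
GRANT["Statement"][1]["Principal"]["AWS"].append("arn:aws-us-gov:iam::xxx:role/dev-01")

# Fields IAM lets you write as either a bare string or a list.
LIST_FIELDS = {"AWS", "Service", "Federated", "Action", "NotAction",
               "Resource", "NotResource"}

def canon(node):
    """Canonical form: keys sorted, string-or-list fields always lists,
    every list sorted, so pure ordering differences disappear."""
    if isinstance(node, dict):
        return {k: canon([v] if k in LIST_FIELDS and isinstance(v, str) else v)
                for k, v in sorted(node.items())}
    if isinstance(node, list):
        return sorted((canon(x) for x in node),
                      key=lambda x: json.dumps(x, sort_keys=True))
    return node

def equivalent(policy_a, policy_b):
    """True when the two policy documents grant exactly the same thing."""
    return canon(policy_a) == canon(policy_b)

def principal_changes(old, new):
    """Per-Sid AWS principals added and removed; empty for a pure reorder,
    so a perpetual diff can be confirmed as harmless before applying it."""
    def by_sid(policy):
        out = {}
        for s in canon(policy)["Statement"]:
            p = s.get("Principal", {})
            out[s.get("Sid")] = set(p.get("AWS", []) if isinstance(p, dict) else [p])
        return out
    o, n = by_sid(old), by_sid(new)
    return {sid: {"added": sorted(n.get(sid, set()) - o.get(sid, set())),
                  "removed": sorted(o.get(sid, set()) - n.get(sid, set()))}
            for sid in sorted(set(o) | set(n), key=str)
            if o.get(sid, set()) != n.get(sid, set())}
```

Feed it the `before` and `after` policy JSON from `terraform show -json` of the plan to see whether any statement actually gains or loses a principal.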
antonbabenko commented 6 months ago

This looks like an issue in the Terraform AWS provider - https://github.com/hashicorp/terraform-provider-aws/issues/22274 . I am unsure why it was closed and whether it was fixed. Please follow up in that repository since there is nothing we can do in this module.

ScubaDrew commented 6 months ago

Thanks @antonbabenko -- sorry for the incorrect issue here

github-actions[bot] commented 5 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.