terraform-aws-modules / terraform-aws-ecr

Terraform module to create AWS ECR resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/ecr/aws
Apache License 2.0

Module version 1.3.0 no longer allows creating a custom repository policy for private repositories #6

Closed czyba closed 2 years ago

czyba commented 2 years ago

Description

The changes to version 1.3.0 result in private repository custom policies no longer working, though it worked in version 1.2.0.

Sample

The following sample code illustrates the issue. The module at version 1.2.0 creates 3 resources; at version 1.3.0 it creates only 2.

Sample Code

```tf
data "aws_iam_policy_document" "repository_read_access_policy" {
  version = "2012-10-17"

  statement {
    sid    = "OrgStuff"
    effect = "Allow"
    actions = [
      "ecr:*",
    ]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "StringEquals"
      values   = ["o-dummy"]
      variable = "aws:PrincipalOrgID"
    }
  }
}

module "_1_2_0" {
  source  = "registry.terraform.io/terraform-aws-modules/ecr/aws"
  version = "= 1.2.0"

  repository_name                 = "1_2_0"
  create_repository_policy        = false
  repository_policy               = data.aws_iam_policy_document.repository_read_access_policy.json
  repository_image_tag_mutability = "MUTABLE"
  repository_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1,
        description  = "Keep last 10 images",
        selection = {
          tagStatus   = "any",
          countType   = "imageCountMoreThan",
          countNumber = 1000
        },
        action = {
          type = "expire"
        }
      }
    ]
  })
}

module "_1_3_0" {
  source  = "registry.terraform.io/terraform-aws-modules/ecr/aws"
  version = "= 1.3.0"

  repository_name                 = "1_3_0"
  create_repository_policy        = false
  repository_policy               = data.aws_iam_policy_document.repository_read_access_policy.json
  repository_image_tag_mutability = "MUTABLE"
  repository_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1,
        description  = "Keep last 10 images",
        selection = {
          tagStatus   = "any",
          countType   = "imageCountMoreThan",
          countNumber = 1000
        },
        action = {
          type = "expire"
        }
      }
    ]
  })
}
```
Sample Plan

```tf
# module._1_2_0.aws_ecr_lifecycle_policy.this[0] will be created
+ resource "aws_ecr_lifecycle_policy" "this" {
    + id     = (known after apply)
    + policy = jsonencode(
          {
            + rules = [
                + {
                    + action       = {
                        + type = "expire"
                      }
                    + description  = "Keep last 10 images"
                    + rulePriority = 1
                    + selection    = {
                        + countNumber = 1000
                        + countType   = "imageCountMoreThan"
                        + tagStatus   = "any"
                      }
                  },
              ]
          }
      )
    + registry_id = (known after apply)
    + repository  = "1_2_0"
  }

# module._1_2_0.aws_ecr_repository.this[0] will be created
+ resource "aws_ecr_repository" "this" {
    + arn                  = (known after apply)
    + id                   = (known after apply)
    + image_tag_mutability = "MUTABLE"
    + name                 = "1_2_0"
    + registry_id          = (known after apply)
    + repository_url       = (known after apply)
    + tags_all             = (known after apply)

    + encryption_configuration {
        + encryption_type = "AES256"
        + kms_key         = (known after apply)
      }

    + image_scanning_configuration {
        + scan_on_push = true
      }
  }

# module._1_2_0.aws_ecr_repository_policy.this[0] will be created
+ resource "aws_ecr_repository_policy" "this" {
    + id     = (known after apply)
    + policy = jsonencode(
          {
            + Statement = [
                + {
                    + Action    = "ecr:*"
                    + Condition = {
                        + StringEquals = {
                            + "aws:PrincipalOrgID" = "o-dummy"
                          }
                      }
                    + Effect    = "Allow"
                    + Principal = {
                        + AWS = "*"
                      }
                    + Sid       = "PrivateReadOnly"
                  },
              ]
            + Version   = "2012-10-17"
          }
      )
    + registry_id = (known after apply)
    + repository  = "1_2_0"
  }

# module._1_3_0.aws_ecr_lifecycle_policy.this[0] will be created
+ resource "aws_ecr_lifecycle_policy" "this" {
    + id     = (known after apply)
    + policy = jsonencode(
          {
            + rules = [
                + {
                    + action       = {
                        + type = "expire"
                      }
                    + description  = "Keep last 10 images"
                    + rulePriority = 1
                    + selection    = {
                        + countNumber = 1000
                        + countType   = "imageCountMoreThan"
                        + tagStatus   = "any"
                      }
                  },
              ]
          }
      )
    + registry_id = (known after apply)
    + repository  = "1_3_0"
  }

# module._1_3_0.aws_ecr_repository.this[0] will be created
+ resource "aws_ecr_repository" "this" {
    + arn                  = (known after apply)
    + id                   = (known after apply)
    + image_tag_mutability = "MUTABLE"
    + name                 = "1_3_0"
    + registry_id          = (known after apply)
    + repository_url       = (known after apply)
    + tags_all             = (known after apply)

    + encryption_configuration {
        + encryption_type = "AES256"
        + kms_key         = (known after apply)
      }

    + image_scanning_configuration {
        + scan_on_push = true
      }
  }
```

Findings

The changes to the aws_ecr_repository_policy result in a user only being able to use the default policy or no policy at all, but not a custom policy. The count expression enforces var.create_repository_policy being true, and thus the policy can only be the newly created policy.

```tf
resource "aws_ecr_repository_policy" "this" {
  count = local.create_private_repository && var.create_repository_policy ? 1 : 0

  repository = aws_ecr_repository.this[0].name
  policy     = var.create_repository_policy ? data.aws_iam_policy_document.repository[0].json : var.repository_policy
}
```

Source: https://github.com/terraform-aws-modules/terraform-aws-ecr/blob/be7fa430135a0df77c8ca74f50d29d0b936135d1/main.tf#L111
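As an added example (not the module's own code and not the fix that shipped in 1.3.2), the following standalone configuration shows one way to write the `count` expression so that a caller-supplied `repository_policy` is still attached when `create_repository_policy = false`, which is the branch the 1.3.0 expression above makes unreachable. The `local.create_private_repository` value, the placeholder account ID in the generated policy and the minimal `aws_ecr_repository` resource are assumptions standing in for the module's real ones; the resource and data-source names follow the snippet above.

```hcl
variable "create_repository_policy" {
  description = "Whether the module should generate its default repository policy"
  type        = bool
  default     = true
}

variable "repository_policy" {
  description = "Caller-supplied policy JSON, used when create_repository_policy is false"
  type        = string
  default     = null
}

locals {
  # Assumption: stand-in for the module's own local of the same name.
  create_private_repository = true

  # Attach a policy when the module generates one OR the caller supplied one.
  # The 1.3.0 expression only tested var.create_repository_policy, so a
  # custom policy with create_repository_policy = false was silently dropped.
  attach_repository_policy = local.create_private_repository && (
    var.create_repository_policy || var.repository_policy != null
  )
}

resource "aws_ecr_repository" "this" {
  count = local.create_private_repository ? 1 : 0
  name  = "example-repo" # constructed sample name
}

# The module-generated default policy is only evaluated when requested.
data "aws_iam_policy_document" "repository" {
  count = var.create_repository_policy ? 1 : 0

  statement {
    sid     = "PrivateReadOnly"
    effect  = "Allow"
    actions = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:root"] # placeholder account ID
    }
  }
}

resource "aws_ecr_repository_policy" "this" {
  count = local.attach_repository_policy ? 1 : 0

  repository = aws_ecr_repository.this[0].name
  # Prefer the generated policy when asked for it, otherwise the caller's JSON.
  policy     = var.create_repository_policy ? data.aws_iam_policy_document.repository[0].json : var.repository_policy
}
```

`terraform validate` checks this offline; with `create_repository_policy = false` and a non-null `repository_policy`, `terraform plan` should list `aws_ecr_repository_policy.this[0]`, whereas with both unset no policy resource is planned. Comparing the planned resource count per module version, as the report above does, is the quickest way to catch a conditional like this that drops a policy without any error.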

geoL86 commented 2 years ago

Hey, agree, it doesn't work anymore.

antonbabenko commented 2 years ago

This issue has been resolved in version 1.3.2 :tada:

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.