Closed czyba closed 2 years ago
Hey, agree, it doesn't work anymore.
This issue has been resolved in version 1.3.2 :tada:
Description
The changes to version 1.3.0 result in private repository custom policies no longer working, though it worked in version 1.2.0.
Sample
The following sample code illustrates the issue. The module at version 1.2.0 creates 3 resources, while the module at version 1.3.0 creates only 2.
Sample Code
```tf
data "aws_iam_policy_document" "repository_read_access_policy" {
  version = "2012-10-17"
  statement {
    sid    = "OrgStuff"
    effect = "Allow"
    actions = [
      "ecr:*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      values   = ["o-dummy"]
      variable = "aws:PrincipalOrgID"
    }
  }
}

module "_1_2_0" {
  source  = "registry.terraform.io/terraform-aws-modules/ecr/aws"
  version = "= 1.2.0"

  repository_name                 = "1_2_0"
  create_repository_policy        = false
  repository_policy               = data.aws_iam_policy_document.repository_read_access_policy.json
  repository_image_tag_mutability = "MUTABLE"
  repository_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1,
        description  = "Keep last 10 images",
        selection = {
          tagStatus   = "any",
          countType   = "imageCountMoreThan",
          countNumber = 1000
        },
        action = {
          type = "expire"
        }
      }
    ]
  })
}

module "_1_3_0" {
  source  = "registry.terraform.io/terraform-aws-modules/ecr/aws"
  version = "= 1.3.0"

  repository_name                 = "1_3_0"
  create_repository_policy        = false
  repository_policy               = data.aws_iam_policy_document.repository_read_access_policy.json
  repository_image_tag_mutability = "MUTABLE"
  repository_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1,
        description  = "Keep last 10 images",
        selection = {
          tagStatus   = "any",
          countType   = "imageCountMoreThan",
          countNumber = 1000
        },
        action = {
          type = "expire"
        }
      }
    ]
  })
}
```

Sample Plan
```tf
  # module._1_2_0.aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 10 images"
                      + rulePriority = 1
                      + selection    = {
                          + countNumber = 1000
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "1_2_0"
    }

  # module._1_2_0.aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "MUTABLE"
      + name                 = "1_2_0"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = (known after apply)

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # module._1_2_0.aws_ecr_repository_policy.this[0] will be created
  + resource "aws_ecr_repository_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "ecr:*"
                      + Condition = {
                          + StringEquals = {
                              + "aws:PrincipalOrgID" = "o-dummy"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "*"
                        }
                      + Sid       = "PrivateReadOnly"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + registry_id = (known after apply)
      + repository  = "1_2_0"
    }

  # module._1_3_0.aws_ecr_lifecycle_policy.this[0] will be created
  + resource "aws_ecr_lifecycle_policy" "this" {
      + id          = (known after apply)
      + policy      = jsonencode(
            {
              + rules = [
                  + {
                      + action       = {
                          + type = "expire"
                        }
                      + description  = "Keep last 10 images"
                      + rulePriority = 1
                      + selection    = {
                          + countNumber = 1000
                          + countType   = "imageCountMoreThan"
                          + tagStatus   = "any"
                        }
                    },
                ]
            }
        )
      + registry_id = (known after apply)
      + repository  = "1_3_0"
    }

  # module._1_3_0.aws_ecr_repository.this[0] will be created
  + resource "aws_ecr_repository" "this" {
      + arn                  = (known after apply)
      + id                   = (known after apply)
      + image_tag_mutability = "MUTABLE"
      + name                 = "1_3_0"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = (known after apply)

      + encryption_configuration {
          + encryption_type = "AES256"
          + kms_key         = (known after apply)
        }

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }
```

Findings
The changes to the `aws_ecr_repository_policy` result in a user only being able to use the default policy or no policy at all, but not a custom policy. The `count` expression enforces `var.create_repository_policy` being `true`, and thus the policy can only be the newly created policy.

Source: https://github.com/terraform-aws-modules/terraform-aws-ecr/blob/be7fa430135a0df77c8ca74f50d29d0b936135d1/main.tf#L111
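The "three resources versus two" symptom from the sample plan can be caught in CI before apply. The following check is an added example, not code from the issue or from the terraform-aws-ecr module: it reads `terraform show -json` output and reports every planned `aws_ecr_repository` whose module scope plans no `aws_ecr_repository_policy`, using a constructed sample plan that mirrors the issue's two modules.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json tfplan`, trimmed
# to the fields this check reads.  It mirrors the plan in the issue: the
# 1.2.0 module plans a repository policy, the 1.3.0 module does not.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "module._1_2_0.aws_ecr_repository.this[0]",
         "module_address": "module._1_2_0", "type": "aws_ecr_repository",
         "change": {"actions": ["create"], "after": {"name": "1_2_0"}}},
        {"address": "module._1_2_0.aws_ecr_repository_policy.this[0]",
         "module_address": "module._1_2_0", "type": "aws_ecr_repository_policy",
         "change": {"actions": ["create"], "after": {"repository": "1_2_0"}}},
        {"address": "module._1_3_0.aws_ecr_repository.this[0]",
         "module_address": "module._1_3_0", "type": "aws_ecr_repository",
         "change": {"actions": ["create"], "after": {"name": "1_3_0"}}},
    ],
})


def repositories_without_policy(plan_json: str) -> list:
    """Return addresses of aws_ecr_repository resources that the plan creates
    or updates in a module scope where no aws_ecr_repository_policy is planned.
    Grouping by module address (root module is "") avoids depending on the
    policy's `after.repository`, which may still be unknown at plan time."""
    plan = json.loads(plan_json)
    repos_by_scope = {}
    scopes_with_policy = set()
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if "create" not in actions and "update" not in actions:
            continue  # deletes and no-ops leave nothing new to check
        scope = rc.get("module_address", "")
        if rc["type"] == "aws_ecr_repository":
            repos_by_scope.setdefault(scope, []).append(rc["address"])
        elif rc["type"] == "aws_ecr_repository_policy":
            scopes_with_policy.add(scope)
    missing = []
    for scope, addresses in repos_by_scope.items():
        if scope not in scopes_with_policy:
            missing.extend(addresses)
    return sorted(missing)


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python check.py plan.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    missing = repositories_without_policy(text)
    for address in missing:
        print(f"no repository policy planned for {address}")
    sys.exit(1 if missing else 0)
```

A private repository with no repository policy is reachable only through IAM identity policies in the owning account, so a silently dropped custom policy surfaces here as a missing organization or cross-account grant rather than as an apply-time error.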