Image argument after v2.6.0 always replaces resources (mismatch between image name vs sha image id)

[mavogel]

This issue was originally opened by @johnlane as hashicorp/terraform-provider-docker#294. It was migrated here as a result of the community provider takeover from @kreuzwerker. The original body of the issue is below.

---

There is a difference between the handling of the image argument of v2.6.0 and v2.7.2.

The image specification shown below works with the 2.6.0 Docker provider but not with version 2.7.2.

resource "docker_container" "portainer" {
  image   = "portainer/portainer:1.23.0"
  ...

The documentation now shows having a reference to an image resource:

   image = "${docker_image.ubuntu.latest}"

and configuring that image resource to specify the image name.

With 2.7.2 there is a perpetual mismatch between the image name spcified in the config and the image id that terraform plan and apply identifies.

I can't find any documentation covering this breaking change between versions, I don't know if this break is intentional or something that would be fixed. I see many examples illustrating the succinct way of referencing an image that works in version 2.6.0. It would be good if specifying the image directly in image continued to work rather than requiring an additional image resource block containing the image name.

If the form that worked in 2.6.0 is not supported any more than an error during plan or apply to prevent its use would make this clear. Currently it's accepted as valid but causes resource replacement on every apply.

Terraform Version

Terraform 0.13.3 with Docker provider 2.6.0 and 2.7.2

Affected Resource(s)

docker_container

Expected Behavior

The resource should be matched with previous state so unnecessary changes are not made.

Actual Behavior

The resource is detected as a change because the given image value is matched against SHA and therefore is always detected as a change, requiring replacement of the resource.

Steps to Reproduce

1. terraform apply

References

hashicorp/terraform#26382

Also hashicorp/terraform-provider-docker#291 is similar.

[github-actions]

This issue is stale because it has been open 60 days with no activity.
Remove stale label or comment or this will be closed in 7 days.
If you don't want this issue to be closed, please set the label pinned.

[johnlane]

remove stale

[suzuki-shunsuke]

I checked the document of v2.6.0. image is not name but id.

https://github.com/hashicorp/terraform-provider-docker/blob/v2.6.0/website/docs/r/container.html.markdown

resource "docker_container" "ubuntu" {
  name  = "foo"
  image = "${docker_image.ubuntu.latest}"
}

image - (Required, string) The ID of the image to back this container. The easiest way to get this value is to use the docker_image resource as is shown in the example above.

[suzuki-shunsuke]

Same as v2.0.0 .

https://github.com/hashicorp/terraform-provider-docker/blob/v2.0.0/website/docs/r/container.html.markdown

[suzuki-shunsuke]

Please use the latest version and check the problem occurs.
If the problem occurs, please tell us how to reproduce.

https://github.com/kreuzwerker/terraform-provider-docker/blob/master/CONTRIBUTING.md#write-issue

[johnlane]

I've just tried 2.11.0 of this provider

-      source  = "terraform-providers/docker"
-      version = "~> 2.6.0"
+      source = "kreuzwerker/docker"
+      version = "~> 2.11.0"

I still get a plan change:

~ image             = "sha256:ca5e0e73a5ed5ca74e5a71bc4cee02365ad92d0ba38dc446d5dc0cc61b697e0f" -> "images.example.com/myimage:latest" # forces replacement

If I revert to 2.6.0 this does not happen, instead I get

No changes. Infrastructure is up-to-date.

The configuration of images is like this

resource "docker_container" "myimage" {
  image    = "images.example.com/myimage:latest"
  ...
}

I'll try and find some time to make a stand-alone example for you.

[mavogel]

Related to #161

[github-actions]

This issue is stale because it has been open 60 days with no activity.
Remove stale label or comment or this will be closed in 7 days.
If you don't want this issue to be closed, please set the label pinned.

[kphunter]

This still appears to be an issue with the current version.

main.tf:

terraform {
  backend "http" {
  }
  required_providers {
    docker = {
      source = "kreuzwerker/docker"
      version = "~> 2.17.0"
    }
  }
}
resource "docker_image" "traefik_prod" {
  name         = "registry...traefik-docker:0.3"
  keep_locally = true
}
resource "docker_container" "traefik_prod" {
  name  = "traefik_prod"
  image = "registry...traefik-docker:0.3"
  restart = "always"

terraform plan output:

...
      ~ id                = "12f79ea293..." -> (known after apply)
      ~ image             = "sha256:7c752b98f2..." -> "registry...traefik-docker:0.3" # forces replacement
...

[kphunter]

After trying a couple of different things it seems like an interplay between docker_image.name and docker_container.image...

If docker_container.image is not a string but set to docker_image.name.latest, the terraform apply produces no reported change.