AWS ECR Policy - need to run terraform apply twice #545

Closed
hashibot opened this issue Jun 13, 2017 · 5 comments · Fixed by #14193
Labels
bug Addresses a defect in current functionality. service/ecr Issues and PRs that pertain to the ecr service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.
Milestone

Comments

@hashibot

This issue was originally opened by @vikas027 as hashicorp/terraform#12108. It was migrated here as part of the provider split. The original body of the issue is below.


Terraform Version

~$ terraform -v
Terraform v0.8.7

Affected Resource(s)

  • aws_ecr_repository
  • aws_ecr_repository_policy

Terraform Configuration Files

# Inline policy granting the admin role full ECR access.
resource "aws_iam_role_policy" "ecr_admin_policy" {
    name = "ecr_admin_policy"
    role = "${aws_iam_role.ecr_admin_role.id}"
    policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecr:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

# The role that the ECR repository policy below names as a principal.
resource "aws_iam_role" "ecr_admin_role" {
  name = "${var.iam_role}"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

# One repository per image name; depends_on forces the IAM resources to be
# created first, but does not wait for them to propagate.
resource "aws_ecr_repository" "images" {
  depends_on = [ "aws_iam_role_policy.ecr_admin_policy", "aws_iam_role.ecr_admin_role" ]
  count = "${length(var.list_of_images)}"
  name  = "${element(var.list_of_images, count.index)}"
}

# Repository policy referencing the freshly created role; this is the
# resource that fails on the first apply.
resource "aws_ecr_repository_policy" "repo_policy" {
  count = "${length(var.list_of_images)}"
  repository = "${element(aws_ecr_repository.images.*.id, count.index)}"
  policy = <<POLICY
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "repo_policy",
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "arn:aws:iam::11111111111111:root",
                "arn:aws:iam::11111111111111:role/ecr_admin"
              ]
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy"
            ]
        }
    ]
}
POLICY
}

Debug Output

First Run terraform apply (fails)
Second Run terraform apply (succeeds)

Expected Behavior

terraform apply should not complain about the policy.

Actual Behavior

terraform apply complains about an invalid policy on the first run, and then creates the ECR policy on the second run.
I have tried to set resource dependencies using depends_on, in vain; the behavior is the same without this parameter.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply (throws an error)
  2. terraform apply (run okay this time)

References

A few other similar issues where Terraform does not wait long enough, or where AWS reports that resource creation is complete (a false positive):
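The failure described in this issue is IAM eventual consistency: the role exists when terraform apply reaches the repository policy, but ECR does not yet see it as a valid principal. The added example below (not code from the issue or from the provider) shows the bounded retry-with-backoff pattern that absorbs this instead of running apply twice; NotYetPropagated and FakeEcr are constructed stand-ins for the real SDK exception and the SetRepositoryPolicy API, and a genuinely malformed policy is deliberately not retried.

```python
import random
import time


class NotYetPropagated(Exception):
    """Constructed stand-in for the rejection AWS returns while a just-created
    IAM principal is still propagating (real type/message are SDK-specific)."""


def retry_eventually_consistent(op, retryable, max_attempts=6, base_delay=1.0,
                                max_delay=30.0, sleep=time.sleep,
                                rng=random.random):
    """Run op() until it succeeds or the attempt budget is exhausted.
    Only errors the caller classifies as retryable are retried; anything else
    (a genuinely malformed policy, missing permissions) is raised at once so a
    real misconfiguration is not masked by the loop."""
    for attempt in range(1, max_attempts + 1):
        try:
            return op()
        except Exception as exc:
            if not retryable(exc) or attempt == max_attempts:
                raise
            # Full-jitter exponential backoff, capped so one slow propagation
            # cannot stall an apply for minutes per resource.
            sleep(min(max_delay, base_delay * 2 ** (attempt - 1)) * rng())


class FakeEcr:
    """Constructed model of ECR SetRepositoryPolicy: rejects the policy until
    the named principal has 'propagated', i.e. after `propagation_calls`."""

    def __init__(self, propagation_calls):
        self.remaining, self.calls, self.policy = propagation_calls, 0, None

    def set_repository_policy(self, policy):
        self.calls += 1
        if self.remaining > 0:
            self.remaining -= 1
            raise NotYetPropagated("principal not yet visible to ECR")
        self.policy = policy
        return policy


def apply_policy_with_retry(ecr, policy, max_attempts=6):
    """Attach the policy with bounded retry; returns the number of API calls."""
    retry_eventually_consistent(lambda: ecr.set_repository_policy(policy),
                                lambda e: isinstance(e, NotYetPropagated),
                                max_attempts=max_attempts, sleep=lambda _: None)
    return ecr.calls
```

The same pattern applies to the CloudFormation stack case reported later in the thread: classify only the propagation-related rejection as retryable and keep the attempt budget finite.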

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@bflad bflad added the service/ecr Issues and PRs that pertain to the ecr service. label Jan 18, 2018
rubberduck203 added a commit to UrbanOS-Examples/common that referenced this issue Jul 12, 2018
This works *most* of the time, but there's a bug in terraform that causes
the ECR policy to fail sometimes.

hashicorp/terraform-provider-aws#545

co-authored-by: Paul Linville <plinville@pillartechnology.com>
rubberduck203 added a commit to UrbanOS-Examples/common that referenced this issue Jul 13, 2018
This works *most* of the time, but there's a bug in terraform that causes
the ECR policy to fail sometimes.

hashicorp/terraform-provider-aws#545

co-authored-by: Paul Linville <plinville@pillartechnology.com>
@jasonmc86

The same also happens for an aws_cloudformation_stack depending on an aws_iam_role that assumes a role (in this case cloudformation.amazonaws.com).

Error:

Creating CloudFormation stack failed: ValidationError: Role arn:aws:iam::* is invalid or cannot be assumed
  • On a re-run it works fine.
Terraform v0.11.7
+ provider.aws v1.29.0

wizardfiction pushed a commit to UrbanOS-Examples/scos-alm that referenced this issue Jan 10, 2019
This works *most* of the time, but there's a bug in terraform that causes
the ECR policy to fail sometimes.

hashicorp/terraform-provider-aws#545

co-authored-by: Paul Linville <plinville@pillartechnology.com>
@knservis

@jasonmc86 Do you have a workaround until this gets fixed?

@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Feb 10, 2021
@github-actions github-actions bot added this to the v3.34.0 milestone Mar 25, 2021
@ghost

ghost commented Mar 26, 2021

This has been released in version 3.34.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Apr 12, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Apr 12, 2021