aws_ecr_repository_policy tries to enforce order of principals when AWS insists on a different random ordering.

[blongman-snapdocs]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.14.6
hashicorp/aws v3.39.0 (self-signed, key ID 34365D9472D7468F)

Affected Resource(s)

aws_ecr_repository_policy.policy ( multiple in a for_each )

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_ecr_repository_policy" "policy" {
  for_each   = var.repos
  repository = aws_ecr_repository.repo[each.key].name
  policy     = file(each.value["policyfile"])
}

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Add-staging-right",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789101:role/staging-eks-3-fst8Xewx20190926190216685400000005",
          "arn:aws:iam::123456789101:user/infra-ops",
          "arn:aws:iam::123459876427:role/platform-buildkite-Role",
          "arn:aws:iam::123459876532:user/infra-ops",
          "arn:aws:iam::123459876532:role/infrastructure_admin_sts",
          "arn:aws:iam::123459876532:role/infra-cicd-cluster-202011172021011317574827370000000b",
          "arn:aws:sts::123459853958:role/staging-evault2021020120091196250000000a",
          "arn:aws:sts::123459851758:role/prod-west-2021030620210301211834878800000009",
          "arn:aws:iam::123459851758:role/prod-east-2021040820210409155604198000000009"
        ]
      },
      "Action": "ecr:*"
    },
    {
      "Sid": "ecr-readonly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789101:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    },
    {
      "Sid": "full-ecr-readonly",
      "Principal": {
        "AWS": "arn:aws:iam::123456789101:root"
      },
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings"
      ]
    },
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789101:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ]
    }
  ]
}

Expected Behavior

We should see no changes.

Actual Behavior

Tries to shuffle the principals for every resource. Each resource starts with a different ordering of principals, but the endpoint is always the same order. Looks like this.

  # aws_ecr_repository_policy.policy["tracky"] will be updated in-place
  ~ resource "aws_ecr_repository_policy" "policy" {
        id          = "tracky"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                                "arn:aws:iam::123456789101:role/staging-eks-3-fst8Xewx20190926190216685400000005",
                              + "arn:aws:iam::123456789101:user/infra-ops",
                                "arn:aws:iam::123459876427:role/platform-buildkite-Role",
                              - "arn:aws:iam::123459876532:role/infra-cicd-cluster-202011172021011317574827370000000b",
                              + "arn:aws:iam::123459876532:user/infra-ops",
                                "arn:aws:iam::123459876532:role/infrastructure_admin_sts",
                              - "arn:aws:iam::123456789101:user/infra-ops",
                              - "arn:aws:iam::123459851758:role/prod-west-2021030620210301211834878800000009",
                              + "arn:aws:iam::123459876532:role/infra-cicd-cluster-202011172021011317574827370000000b",
                              + "arn:aws:sts::123459853958:role/staging-evault2021020120091196250000000a",
                              + "arn:aws:sts::123459851758:role/prod-west-2021030620210301211834878800000009",
                                "arn:aws:iam::123459851758:role/prod-east-2021040820210409155604198000000009",
                              - "arn:aws:iam::123459853958:role/staging-evault2021020120091196250000000a",
                              - "arn:aws:iam::123459876532:user/infra-ops",
                            ]
                        }
                        # (3 unchanged elements hidden)
                    },
                    {
                        Action    = [
                            "ecr:GetDownloadUrlForLayer",
                            "ecr:BatchGetImage",
                            "ecr:BatchCheckLayerAvailability",
                        ]
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws:iam::123456789101:root"
                        }
                        Sid       = "ecr-readonly"
                    },
                    # (2 unchanged elements hidden)
                ]
                # (1 unchanged element hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

  # aws_ecr_repository_policy.policy["twistcli"] will be updated in-place
  ~ resource "aws_ecr_repository_policy" "policy" {
        id          = "twistcli"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                              - "arn:aws:iam::123459876532:role/infra-cicd-cluster-202011172021011317574827370000000b",
                              - "arn:aws:iam::123459851758:role/prod-west-2021030620210301211834878800000009",
                              - "arn:aws:iam::123459853958:role/staging-evault2021020120091196250000000a",
                              - "arn:aws:iam::123459876532:role/infrastructure_admin_sts",
                                "arn:aws:iam::123456789101:role/staging-eks-3-fst8Xewx20190926190216685400000005",
                              - "arn:aws:iam::123459851758:role/prod-east-2021040820210409155604198000000009",
                              - "arn:aws:iam::123459876532:user/infra-ops",
                              - "arn:aws:iam::123459876427:role/platform-buildkite-Role",
                                "arn:aws:iam::123456789101:user/infra-ops",
                              + "arn:aws:iam::123459876427:role/platform-buildkite-Role",
                              + "arn:aws:iam::123459876532:user/infra-ops",
                              + "arn:aws:iam::123459876532:role/infrastructure_admin_sts",
                              + "arn:aws:iam::123459876532:role/infra-cicd-cluster-202011172021011317574827370000000b",
                              + "arn:aws:sts::123459853958:role/staging-evault2021020120091196250000000a",
                              + "arn:aws:sts::123459851758:role/prod-west-2021030620210301211834878800000009",
                              + "arn:aws:iam::123459851758:role/prod-east-2021040820210409155604198000000009",
                            ]
                        }
                        # (3 unchanged elements hidden)
                    },
                    {
                        Action    = [
                            "ecr:GetDownloadUrlForLayer",
                            "ecr:BatchGetImage",
                            "ecr:BatchCheckLayerAvailability",
                        ]
                        Effect    = "Allow"
                        Principal = {
                            AWS = "arn:aws:iam::123456789101:root"
                        }
                        Sid       = "ecr-readonly"
                    },
                    # (2 unchanged elements hidden)
                ]
                # (1 unchanged element hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

Steps to Reproduce

Create a ecr repo with a policy that has multiple varied principals.

1. terraform apply (will show the changes)
2. terraform apply (will show the changes again)

Important Factoids

Tried removing and reapplying all policies. It didn't help.

References

[tzahari]

Maybe it is the same issue like #17024 ?

[blongman-snapdocs]

Right. It's at least the same at the surface level. There are places where this persists (aws_ecr_repository_policy is a place where it's a pain point for us), and places where it's resolved (aws_iam_policy iirc). I think the general tact to take to solve this would be to sort both what AWS says is there and what Terraform wants to apply, and then do the comparison. Or find the code that deals with aws_iam_policy, and adjust to match that. [image: Ben Longman] Ben Longman Senior DevOps Engineer (925) 548-3649 <+19255483649> [image: Snapdocs] <http://www.snapdocs.com/> ------------------------------ *The information transmitted by this email is intended only for the person or entity to which it is addressed. This email may contain proprietary, business-confidential and/or privileged material. If you are not the intended recipient of this message, be aware that any use, review, retransmission, distribution, reproduction or any action taken in reliance upon this message is strictly prohibited. If you received this in error, please contact the sender and delete the material from all computers.*

…

On Thu, Aug 5, 2021 at 11:53 PM Thomas Zahari ***@***.***> wrote: Maybe it is the same issue like #17024 <#17024> ? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#19365 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANHE76IWMAZTM7C363R4ZADT3OBFNANCNFSM4425UQJA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email> .

[NiklasWagner]

Potentially related: jen20/awspolicyequivalence#10.

[github-actions]

This functionality has been released in v3.69.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.