Module 'docker-build' does not remove resources in reverse order on 'terraform destroy'

[stephanpelikan]

Description

After successfully building a Docker image and ECR repository using module 'docker-build' running terraform destroy returns:

2022-07-19T11:39:03.434+0200 [DEBUG] [aws-sdk-go] {}
╷
│ Error: ECR Repository (myimage) not empty, consider using force_delete: RepositoryNotEmptyException: The repository with name 'myimage' in registry with id 'XXXXXXXXXXXX' cannot be deleted because it still contains images
│ 
│ 
╵

The default-value of keep_remotely is false so it should be deleted. Additionally it seems to delete image resource and repository in parallel. But even after extending resource "docker_registry_image" "this" by depends_on = [ aws_ecr_repository.this ] it did work although now they were not deleted in parallel.

• [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version of 'docker-build': 3.3.1
• Terraform v1.2.5 on linux_amd64
• Provider version(s):
  • provider registry.terraform.io/hashicorp/aws v4.22.0
  • provider registry.terraform.io/kreuzwerker/docker v2.18.1

Reproduction Code [Required]

locals {
  repo_name = "myimage"
  image_tag = "47.11"
}
module "myimage_image" {
  source          = "terraform-aws-modules/lambda/aws//modules/docker-build"

  create_ecr_repo = true
  ecr_repo        = local.repo_name
  ecr_repo_lifecycle_policy = jsonencode({
    "rules" : [
      {
        "rulePriority" : 1,
        "description" : "Keep only the last 2 images",
        "selection" : {
          "tagStatus" : "any",
          "countType" : "imageCountMoreThan",
          "countNumber" : 2
        },
        "action" : {
          "type" : "expire"
        }
      }
    ]
  })
  image_tag   = local.image_tag
  source_path = "context"
}

Steps to reproduce the behavior:

1. Use the given script with a Dockerfile of your choise in the subdirectory "context"
2. build docker and upload image running terraform apply
3. run terraform destroy

Expected behavior

No errors on terraform destroy and all resources are removed.

Actual behavior

Running terraform destroy aborts. One needs to remove the image manually and do another attempt of terraform destroy.

Additional context

This is the output of plan:

  # module.myimage_image.aws_ecr_lifecycle_policy.this[0] will be destroyed
  - resource "aws_ecr_lifecycle_policy" "this" {
      - id          = "myimage" -> null
      - policy      = jsonencode(
            {
              - rules = [
                  - {
                      - action       = {
                          - type = "expire"
                        }
                      - description  = "Keep only the last 2 images"
                      - rulePriority = 1
                      - selection    = {
                          - countNumber = 2
                          - countType   = "imageCountMoreThan"
                          - tagStatus   = "any"
                        }
                    },
                ]
            }
        ) -> null
      - registry_id = "XXXXXXXXXXXX" -> null
      - repository  = "myimage" -> null
    }
  # module.myimage_image.aws_ecr_repository.this[0] will be destroyed
  - resource "aws_ecr_repository" "this" {
      - arn                  = "arn:aws:ecr:eu-central-1:XXXXXXXXXXXX:repository/myimage" -> null
      - id                   = "myimage" -> null
      - image_tag_mutability = "MUTABLE" -> null
      - name                 = "myimage" -> null
      - registry_id          = "XXXXXXXXXXXX" -> null
      - repository_url       = "XXXXXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com/myimage" -> null
      - tags                 = {} -> null
      - tags_all             = {} -> null
      - encryption_configuration {
          - encryption_type = "AES256" -> null
        }
      - image_scanning_configuration {
          - scan_on_push = false -> null
        }
    }
  # module.myimage_image.docker_registry_image.this will be destroyed
  - resource "docker_registry_image" "this" {
      - id                   = "sha256:b53e32b895afab386cca8538fd71ef592577644da2dc7bfb3215165dea553c6c" -> null
      - insecure_skip_verify = false -> null
      - keep_remotely        = false -> null
      - name                 = "XXXXXXXXXXXX.dkr.ecr.eu-central-1.amazonaws.com/myimage:47.11" -> null
      - sha256_digest        = "sha256:b53e32b895afab386cca8538fd71ef592577644da2dc7bfb3215165dea553c6c" -> null
      - build {
          - build_args      = {} -> null
          - cache_from      = [] -> null
          - context         = "context" -> null
          - cpu_period      = 0 -> null
          - cpu_quota       = 0 -> null
          - cpu_shares      = 0 -> null
          - dockerfile      = "Dockerfile" -> null
          - extra_hosts     = [] -> null
          - force_remove    = false -> null
          - labels          = {} -> null
          - memory          = 0 -> null
          - memory_swap     = 0 -> null
          - no_cache        = false -> null
          - pull_parent     = false -> null
          - remove          = false -> null
          - security_opt    = [] -> null
          - shm_size        = 0 -> null
          - squash          = false -> null
          - suppress_output = false -> null
        }
    }

[aalloul]

+1 I see the same behaviour. Basically, we'd need this PR https://github.com/terraform-aws-modules/terraform-aws-lambda/pull/337 approved

[1Mill]

Using

terraform {
	required_providers {
		aws = {
			source = "hashicorp/aws"
			version = "< 4.22"
		}
	}
}

is a workaround for the time being.

[antonbabenko]

Fixed in #337

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.