[Bug]: d/aws_ecr_image regression in cross-account access
Terraform Core Version
1.6.6
AWS Provider Version
5.32.0
Affected Resource(s)
data "aws_ecr_image" "image"
Expected Behavior
In AWS provider v5.31.0 and earlier, the code below works fine: the image is found and returned to the calling Terraform.
Actual Behavior
In provider v5.32.0, during plan, the code below throws:
│ Error: reading ECR Images: AccessDeniedException: User: somerole is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:us-east-1:123412341234:repository/reponame because no resource-based policy allows the ecr:DescribeRepositories action
This is presumably a result of the change in https://github.com/hashicorp/terraform-provider-aws/pull/24526 which adds a call to ecr:DescribeRepositories.
Other than pinning to 5.31.0, I'm not aware of a tidy workaround - as ecr:DescribeRepositories is at the registry level rather than the repo level, the only mechanism to grant that action to a caller is to create a role in the repo account that the caller can assume, which requires reasonably extensive code changes on the calling side.
Hard to see how my usage is unique - feels like this will be a breaking change for a lot of folks doing cross account ECR access. Maybe this change should be reverted and punted to provider v6?
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
```hcl
data "aws_ecr_image" "image" {
  registry_id     = "123412341234"
  repository_name = "reponame"
  image_tag       = "foo"
}
```
where the role running the above code is in a different account (from the repo account), and the registry config grants only
ecr:BatchCheckLayerAvailability
ecr:BatchGetImage
ecr:DescribeImages
ecr:GetDownloadUrlForLayer
on specific repo "reponame" to the calling account.
Steps to Reproduce
terraform plan
Debug Output
n/a
Panic Output
n/a
Important Factoids
no
References
https://github.com/hashicorp/terraform-provider-aws/pull/24526
Would you like to implement a fix?
None
Community Note
Voting for Prioritization
- Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
- Please see our prioritization guide for information on how we prioritize.
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
- If you are interested in working on this issue, please leave a comment.
- If this would be your first contribution, please review the contribution guide.
Retracting what I said above, turns out you can add ecr:DescribeRepositories to the permission policy of a single ECR repo, and that fixes the issue.
As we're now several months downstream of the change in 24526 and reverting it would break anyone who has come to rely on the new functionality, I'd say this is a no-op - just add the extra permission and move on.
As per the comment above, this is the action we took as well, adding ecr:DescribeRepositories to the ECR resource policy associated with each repo.
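The fix described in the two comments above, as an added example that is not code from the issue or from the provider project: a repository policy in the repository account that keeps the four read actions the reporter already granted and adds only ecr:DescribeRepositories, scoped to the single repository rather than registry-wide. The repository account ID, region and repository name are taken from the issue; the calling account ID is a placeholder, and the resource name is assumed.

```hcl
# Added example, not from the issue or the provider. Applied in the
# repository account (123412341234 in the issue). The calling account ID
# is a placeholder; replace it with the account that evaluates
# data "aws_ecr_image" (or, tighter, with the ARN of the specific role
# such as the issue's "somerole" instead of the account root).
locals {
  caller_account = "111111111111" # placeholder
}

resource "aws_ecr_repository_policy" "reponame_cross_account_read" {
  repository = "reponame"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "CrossAccountReadOnly"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${local.caller_account}:root"
        }
        # The four actions that were sufficient before provider v5.32.0,
        # plus the one action the data source now calls. Granting it here
        # keeps the grant at repository scope instead of a registry-wide
        # or cross-account assumed role.
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:DescribeImages",
          "ecr:GetDownloadUrlForLayer",
          "ecr:DescribeRepositories"
        ]
      }
    ]
  })
}
```

The data source in the calling account is unchanged; after this policy is applied in the repository account, rerun terraform plan there to confirm the AccessDeniedException on ecr:DescribeRepositories is gone.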
[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.
Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.