terraform-provider-docker
Build docker_image resource based on an image from private ECR ends in 401 unauthorized
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and docker Provider) Version
```
Terraform v1.3.6
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.50.0
+ provider registry.terraform.io/kreuzwerker/docker v3.0.1
```
Affected Resource(s)
docker_image
Terraform Configuration Files
```hcl
locals {
  registry_id = XXX
}

data "aws_ecr_authorization_token" "token" {
  registry_id = local.registry_id
}

data "aws_caller_identity" "current" {}

# Referenced by docker_image.this below; the declaration was missing from the snippet as posted.
data "aws_region" "current" {}

# Registry credentials for the provider, taken from the ECR authorization token.
provider "docker" {
  registry_auth {
    address  = data.aws_ecr_authorization_token.token.proxy_endpoint
    username = data.aws_ecr_authorization_token.token.user_name
    password = data.aws_ecr_authorization_token.token.password
  }
}

resource "docker_registry_image" "this" {
  name = docker_image.this.name
}

# Built locally; the Dockerfile's FROM line points at a private ECR image.
resource "docker_image" "this" {
  name = "${local.registry_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/myapp:latest"
  build {
    context = "${path.cwd}/../../backend/"
  }
}
```
With Dockerfile:
```dockerfile
FROM 123456789012.dkr.ecr.eu-west-1.amazonaws.com/mybaseimage:latest
[...]
```
Debug Output
```
2023-01-20T14:04:08.222+0100 [DEBUG] created provider logger: level=debug
2023-01-20T14:04:08.223+0100 [INFO] provider: configuring client automatic mTLS
2023-01-20T14:04:08.226+0100 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/kreuzwerker/docker/3.0.1/darwin_arm64/terraform-provider-docker_v3.0.1 args=[.terraform/providers/registry.terraform.io/kreuzwerker/docker/3.0.1/darwin_arm64/terraform-provider-docker_v3.0.1]
2023-01-20T14:04:08.229+0100 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/kreuzwerker/docker/3.0.1/darwin_arm64/terraform-provider-docker_v3.0.1 pid=30410
2023-01-20T14:04:08.230+0100 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/kreuzwerker/docker/3.0.1/darwin_arm64/terraform-provider-docker_v3.0.1
2023-01-20T14:04:08.238+0100 [INFO] provider.terraform-provider-docker_v3.0.1: configuring server automatic mTLS: timestamp=2023-01-20T14:04:08.238+0100
2023-01-20T14:04:08.248+0100 [DEBUG] provider: using plugin: version=5
2023-01-20T14:04:08.248+0100 [DEBUG] provider.terraform-provider-docker_v3.0.1: plugin address: network=unix address=/var/folders/rj/sc3fpwts0vs1r87ncg_65zph0000gn/T/plugin387263099 timestamp=2023-01-20T14:04:08.248+0100
2023-01-20T14:04:08.258+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-01-20T14:04:08.262+0100 [WARN] ValidateProviderConfig from "provider[\"registry.terraform.io/kreuzwerker/docker\"]" changed the config value, but that value is unused
2023-01-20T14:04:08.263+0100 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/4.50.0/darwin_arm64/terraform-provider-aws_v4.50.0_x5 pid=30409
2023-01-20T14:04:08.263+0100 [DEBUG] provider: plugin exited
2023-01-20T14:04:08.271+0100 [INFO] provider.terraform-provider-docker_v3.0.1: 2023/01/20 14:04:08 [DEBUG] Using username for registry auths: AWS: timestamp=2023-01-20T14:04:08.271+0100
docker_image.this: Creating...
2023-01-20T14:04:08.277+0100 [INFO] Starting apply for docker_image.this
2023-01-20T14:04:08.277+0100 [DEBUG] docker_image.this: applying the planned Create change
2023-01-20T14:04:08.279+0100 [INFO] provider.terraform-provider-docker_v3.0.1: 2023/01/20 14:04:08 [DEBUG] Building docker image: timestamp=2023-01-20T14:04:08.279+0100
2023-01-20T14:04:08.279+0100 [INFO] provider.terraform-provider-docker_v3.0.1: 2023/01/20 14:04:08 [DEBUG] DockerClientVersion: 1.41, minBuildKitDockerVersion: 1.39: timestamp=2023-01-20T14:04:08.279+0100
2023-01-20T14:04:08.279+0100 [INFO] provider.terraform-provider-docker_v3.0.1: 2023/01/20 14:04:08 [DEBUG] Enabling BuildKit: timestamp=2023-01-20T14:04:08.279+0100
2023-01-20T14:04:08.279+0100 [INFO] provider.terraform-provider-docker_v3.0.1: 2023/01/20 14:04:08 [DEBUG] contextDir /Users/maxime/Documents/Agorapulse/tools-barometer/backend: timestamp=2023-01-20T14:04:08.279+0100
2023-01-20T14:04:08.279+0100 [INFO] provider.terraform-provider-docker_v3.0.1: 2023/01/20 14:04:08 [DEBUG] relDockerfile: timestamp=2023-01-20T14:04:08.279+0100
2023-01-20T14:04:08.279+0100 [INFO] provider.terraform-provider-docker_v3.0.1: 2023/01/20 14:04:08 [DEBUG] Excludes: []: timestamp=2023-01-20T14:04:08.279+0100
2023-01-20T14:04:14.505+0100 [ERROR] provider.terraform-provider-docker_v3.0.1: Response contains error diagnostic: tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_detail= diagnostic_summary="failed to solve with frontend dockerfile.v0: failed to create LLB definition: unexpected status code [manifests latest]: 401 Unauthorized
```
Expected Behaviour
Docker pulls the base image, builds the image and pushes it to ECR.
Actual Behaviour
Docker fails pulling the base image with a 401 unauthorized error.
When using a public image as a base image for my Dockerfile, the image is built and pushed without any issue.
I tried to add the `build.auth_config` block to my `docker_image` resource, but it didn't do anything:
```hcl
auth_config {
  host_name = data.aws_ecr_authorization_token.token.proxy_endpoint
  user_name = data.aws_ecr_authorization_token.token.user_name
  password  = data.aws_ecr_authorization_token.token.password
}
```
The only way to make it work is by having a dedicated `docker_image` resource to pull the image. But I'd like Docker to pull this image during build to avoid managing this image version both in the Dockerfile and in TF.
```hcl
resource "docker_image" "base_image" {
  name = "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mybaseimage:latest"
}
```
Steps to Reproduce
- Create a private ECR repository and pull an image on it
- Define a Dockerfile using this image as base image
- `terraform apply` the code above to build the new image
References
- I did read https://github.com/kreuzwerker/terraform-provider-docker/issues/460 but according to it, using `docker_image` instead of `docker_registry_image` should work.