ECR creation sometimes fails with Resource '...' does not have attribute 'repository_url' for variable '...'

[mildred]

We have a problem with the resource aws_ecr_repository and by looking at the debug log and the terraform code, we found what the problem was. The problem comes from the fact that when creating an ECR repository, terraform is executing two API requests:

• CreateRepository in function resourceAwsEcrRepositoryCreate line 47 of resource_aws_ecr_repository.go
• DescribeRepositories in function resourceAwsEcrRepositoryRead line 71 of the same file

The first request succeeds with AWS, but the second, for reasons not yet understood (we have a support request opened with AWS) returns with a 400 error RepositoryNotFoundException.

Thus, the resourceAwsEcrRepositoryRead function fails and the attribute repository_url is never set on the resource state.

Moreover, in the tfstate, the ECR resource is marked as not existing (while it has in fact been created by AWS) and a subsequent terraform apply will try to create the ECR repository, and failing because a repository of the same name already exists.

As I see it, it is primarily a problem of the AWS API not returning the correct response (it says the repository does not exists while in fact it has been created). Perhaps this has to do with a consistency model of the AWS API not fully detailed on their API docs. In which case, we might need to be prepared to handle stale data in API responses.

I'll keep you updated with the replies from the AWS support regarding this issue.

In the meantime, perhaps the provider code can be simplified. After a successful CreateRepository I do not see the necessity to run DescribeRepositories. perhaps we could omit the second call completely and this would work around the API inconsistency.

Terraform Version

• terraform 0.11.2
• provider.aws = 1.7.1

Affected Resource(s)

• aws_ecr_repository

Terraform Configuration Files

resource "aws_ecr_repository" "client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81" {
  name  = "client-${var.sqsc_project_name}-${var.environment}-squarescale-machine-sqsc-demo"
}

output "ECR" {
  value = "${list(aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81.repository_url)}"
}

We have much more terraform resources, but the problems happens when adding the above snippet to an up to date infrastructure and we run terraform apply. Only the ECR resource is being created.

Output

This is our full output of terraform apply of a pre-computed terraform plan file:

 �[0m�[1maws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81: Creating...�[0m
arn: "" => "<computed>"
name: "" => "client-qa-staging-20180320110104-9-staging-squarescale-machine-sqsc-demo"
registry_id: "" => "<computed>"
repository_url: "" => "<computed>"�[0m
�[0m�[1maws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81: Creation complete after 1s�[0m�[0m
�[31m
�[1m�[31mError: �[0m�[0m�[1mError applying plan:

1 error(s) occurred:

* output.ECR: Resource 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81' does not have attribute 'repository_url' for variable 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81.repository_url'

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.�[0m

Debug Output

Relevant part of the debug output:

2018/03/20 11:10:53 [DEBUG] apply: aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81: executing Apply
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] Creating ECR resository: {
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4:   RepositoryName: "client-qa-staging-20180320110104-9-staging-squarescale-machine-sqsc-demo"
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: }
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] [aws-sdk-go] DEBUG: Request ecr/CreateRepository Details:
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: POST / HTTP/1.1
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Host: ecr.eu-west-1.amazonaws.com
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: User-Agent: aws-sdk-go/1.12.62 (go1.9.2; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.2
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Content-Length: 93
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Authorization: AWS4-HMAC-SHA256 Credential=AKIAJFFXLZ4RQ2TJYFSQ/20180320/eu-west-1/ecr/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=5eca2993db2e7ca69a17f9940ea8b39905ebf722637b612e5460facb89973777
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Content-Type: application/x-amz-json-1.1
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: X-Amz-Date: 20180320T111053Z
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: X-Amz-Target: AmazonEC2ContainerRegistry_V20150921.CreateRepository
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Accept-Encoding: gzip
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 
2018-03-20T11:10:53.481Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: -----------------------------------------------------
2018-03-20T11:10:53.545Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] [aws-sdk-go] DEBUG: Response ecr/CreateRepository Details:
2018-03-20T11:10:53.545Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: ---[ RESPONSE ]--------------------------------------
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: HTTP/1.1 200 OK
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Connection: close
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Content-Length: 435
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Content-Type: application/x-amz-json-1.1
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Date: Tue, 20 Mar 2018 11:10:53 GMT
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Server: Server
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: X-Amzn-Requestid: 5ae45b1d-2c2f-11e8-abca-7de3b5a68f01
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: -----------------------------------------------------
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] [aws-sdk-go] {"repository":{"createdAt":1.521544254E9,"registryId":"095348363195","repositoryArn":"arn:aws:ecr:eu-west-1:095348363195:repository/client-qa-staging-20180320110104-9-staging-squarescale-machine-sqsc-demo","repositoryName":"client-qa-staging-20180320110104-9-staging-squarescale-machine-sqsc-demo","repositoryUri":"095348363195.dkr.ecr.eu-west-1.amazonaws.com/client-qa-staging-20180320110104-9-staging-squarescale-machine-sqsc-demo"}}
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] ECR repository created: "arn:aws:ecr:eu-west-1:095348363195:repository/client-qa-staging-20180320110104-9-staging-squarescale-machine-sqsc-demo"
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] Reading repository client-qa-staging-20180320110104-9-staging-squarescale-machine-sqsc-demo
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] [aws-sdk-go] DEBUG: Request ecr/DescribeRepositories Details:
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: ---[ REQUEST POST-SIGN ]-----------------------------
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: POST / HTTP/1.1
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Host: ecr.eu-west-1.amazonaws.com
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: User-Agent: aws-sdk-go/1.12.62 (go1.9.2; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.11.2
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Content-Length: 96
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Authorization: AWS4-HMAC-SHA256 Credential=AKIAJFFXLZ4RQ2TJYFSQ/20180320/eu-west-1/ecr/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-target, Signature=54de8ad6253cfb001e9499169eaac99e10a4e46296ba127b8582fb1991f9fd90
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Content-Type: application/x-amz-json-1.1
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: X-Amz-Date: 20180320T111053Z
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: X-Amz-Target: AmazonEC2ContainerRegistry_V20150921.DescribeRepositories
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Accept-Encoding: gzip
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 
2018-03-20T11:10:53.546Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: -----------------------------------------------------
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] [aws-sdk-go] DEBUG: Response ecr/DescribeRepositories Details:
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: ---[ RESPONSE ]--------------------------------------
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: HTTP/1.1 400 Bad Request
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Connection: close
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Content-Length: 206
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Content-Type: application/x-amz-json-1.1
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Date: Tue, 20 Mar 2018 11:10:53 GMT
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: Server: Server
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: X-Amzn-Requestid: 5aee45de-2c2f-11e8-968c-a7257c03e0a2
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: -----------------------------------------------------
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] [aws-sdk-go] {"__type":"RepositoryNotFoundException","message":"The repository with name 'client-qa-staging-20180320110104-9-staging-squarescale-machine-sqsc-demo' does not exist in the registry with id '095348363195'"}
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 2018/03/20 11:10:53 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ecr/DescribeRepositories failed, not retrying, error RepositoryNotFoundException: The repository with name 'client-qa-staging-20180320110104-9-staging-squarescale-machine-sqsc-demo' does not exist in the registry with id '095348363195'
2018-03-20T11:10:53.583Z [DEBUG] plugin.terraform-provider-aws_v1.7.1_x4: 	status code: 400, request id: 5aee45de-2c2f-11e8-968c-a7257c03e0a2
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalWriteState
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalApplyProvisioners
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalIf
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalWriteState
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalWriteDiff
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalApplyPost
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalUpdateStateHook
2018/03/20 11:10:53 [TRACE] [walkApply] Exiting eval tree: aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81
2018/03/20 11:10:53 [TRACE] dag/walk: walking "output.ECR"
2018/03/20 11:10:53 [TRACE] vertex 'root.output.ECR': walking
2018/03/20 11:10:53 [TRACE] vertex 'root.output.ECR': evaluating
2018/03/20 11:10:53 [TRACE] dag/walk: walking "provider.aws (close)"
2018/03/20 11:10:53 [TRACE] vertex 'root.provider.aws (close)': walking
2018/03/20 11:10:53 [TRACE] [walkApply] Entering eval tree: output.ECR
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalSequence
2018/03/20 11:10:53 [TRACE] root: eval: terraform.EvalNoop
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalOpFilter
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalWriteOutput
2018/03/20 11:10:53 [TRACE] vertex 'root.provider.aws (close)': evaluating
2018/03/20 11:10:53 [TRACE] [walkApply] Entering eval tree: provider.aws (close)
2018/03/20 11:10:53 [TRACE] root: eval: *terraform.EvalCloseProvider
2018/03/20 11:10:53 [TRACE] [walkApply] Exiting eval tree: provider.aws (close)
2018/03/20 11:10:53 [ERROR] root: eval: *terraform.EvalWriteOutput, err: Resource 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81' does not have attribute 'repository_url' for variable 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81.repository_url'
2018/03/20 11:10:53 [ERROR] root: eval: *terraform.EvalOpFilter, err: Resource 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81' does not have attribute 'repository_url' for variable 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81.repository_url'
2018/03/20 11:10:53 [ERROR] root: eval: *terraform.EvalSequence, err: Resource 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81' does not have attribute 'repository_url' for variable 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81.repository_url'
2018/03/20 11:10:53 [TRACE] [walkApply] Exiting eval tree: output.ECR

Expected Behavior

The error output.ECR: Resource 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81' does not have attribute 'repository_url' for variable 'aws_ecr_repository.client-registry-984561098034cf1a7ba7d64b520feaf7aeed7a81.repository_url' should not happen

Actual Behavior

A terraform error for perfectly valid code

Steps to Reproduce

This is really difficult to reproduce, and it doesn't happen every time on out environment. Basically, it cannot be reproduced easily.

Important Factoids

We have a support request with AWS and we asked them why the DescribeRepositories API request is returning with an error 400 telling the ECR does not exist

References

None public

[mildred]

I believe the workaround to be really simple:

diff --git a/aws/resource_aws_ecr_repository.go b/aws/resource_aws_ecr_repository.go
index 3a244743..92ca0b2a 100644
--- a/aws/resource_aws_ecr_repository.go
+++ b/aws/resource_aws_ecr_repository.go
@@ -65,7 +65,13 @@ func resourceAwsEcrRepositoryCreate(d *schema.ResourceData, meta interface{}) er
        d.Set("arn", repository.RepositoryArn)
        d.Set("registry_id", repository.RegistryId)
 
-       return resourceAwsEcrRepositoryRead(d, meta)
+       d.Set("name", repository.RepositoryName)
+
+       repositoryUrl := buildRepositoryUrl(repository, meta.(*AWSClient).region)
+       log.Printf("[INFO] Setting the repository url to be %s", repositoryUrl)
+       d.Set("repository_url", repositoryUrl)
+
+       return nil
 }
 
 func resourceAwsEcrRepositoryRead(d *schema.ResourceData, meta interface{}) error {

[mildred]

Will be testing the following change and report back: v1.7.1...squarescale:v1.7.1-squarescale

[bflad]

@mildred thanks for the report. We currently handle situations like these in other resources, like aws_ecs_service, which is also eventually consistent on creation. Here is a snippet of that code (most importantly the d.IsNewResource() returning resource.RetryableError:

https://github.com/terraform-providers/terraform-provider-aws/blob/0a40a3742459fa038f47329d064ebd9104bf3c44/aws/resource_aws_ecs_service.go#L350-L376

[mildred]

The response from AWS tells us that it is possible that DescribeRepositories does not always return up to date answers:

Yes, it is expected behavior that ECR repos are created asynchronously from API call. When the CreateRepository returns, it just implies ECR had finished sanity check and is working on repo creation. If you call DescribeRepositories right after CreateRepository, it is possible to get RepositoryNotFoundException. It is not really stale data, but just the repo is still being created.

For workaround, you may add retry mechanism to DescribeRepositories, or add e.g. 1 second delay before calling it. I noticed you are using third party tool Terraform, you may also raise an issue to their developers with the above information.

I don't think ECR developers will ever change this behavior. Instead, I have raised your concern to AWS documentation team to reflect the consistency model in the API document. AWS values customers' voice highly and thank you for your feedback!

[mildred]

@bflad in the code you linked, there is a hardcoded timeout of two minutes. I believe this is not correct because AWS can rate limit any API request, especially when we perform many reads (the reads are the most throttled) and it can lead to strange failures.

See #3128 for an example of issue regarding timeouts

[mildred]

@bflad Added pull request #3859 with the mechanism you suggest.

[rrey]

Hi there,

I have some ECR creation/deletion in a CI Pipeline (with an s3 backend) and I face the some job failure because of "RepositoryAlreadyExistsException" during the terraform apply.
It's pretty random, and the behaviour describe in this issue could be the explanation.

[bflad]

The fix for this has been merged and will release with version 1.40.0 of the AWS provider, likely middle of this week. 👍

[bflad]

This has been released in version 1.40.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!