ECR Repository Tags Support is Broken #8195
Labels: enhancement (Requests to existing resources that expand the functionality or scope.), service/ecr (Issues and PRs that pertain to the ecr service.)
Overview
The API request for CreateRepository should include the tags; otherwise you cannot use IAM policies that restrict the API operation based on tags.
The current behavior does a "CreateRepository" API request, followed by a "TagResource" API request (see https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_ecr_repository.go#L60-L73).
This means that a properly locked-down policy like this cannot work:
Instead, you would have to use the following policy, which means the user ends up with permission to run CreateRepository on any kind of repository name / tag, which is a security risk and defeats the whole purpose of conditions...
Terraform Version
0.11.13
provider: 2.4.0
Affected Resource(s)
Terraform Configuration Files
Debug Output
Expected Behavior
The creation succeeds
Actual Behavior
The creation fails due to permissions
Steps to Reproduce
terraform apply
References
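The following is an added illustration, not code from the issue author or from the provider: a small simulation of how IAM evaluates an `aws:RequestTag` condition against the two call sequences the issue contrasts (CreateRepository without tags followed by TagResource, versus CreateRepository with the tags in the request). The policy shapes, the tag key `Team`, the `team-a/` repository-name prefix and the ARN layout are assumptions chosen for the example; only `StringEquals` and `Allow` statements are modelled, and it relies on the issue's premise that ECR honours `aws:RequestTag` on CreateRepository.

```python
# Added example (not the issue author's or the provider's code): simulate IAM
# evaluation of aws:RequestTag conditions for the two call sequences the
# issue describes. Policies, tag key and name prefix are assumptions.
import fnmatch

# Hypothetical locked-down policy: CreateRepository/TagResource only for
# repositories under team-a/ and only when the request carries Team=team-a.
LOCKED_DOWN_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecr:CreateRepository", "ecr:TagResource"],
            "Resource": "arn:aws:ecr:*:*:repository/team-a/*",
            "Condition": {"StringEquals": {"aws:RequestTag/Team": "team-a"}},
        }
    ]
}

# Hypothetical permissive policy the issue says one is forced into:
# CreateRepository on any repository name, with any tags or none at all.
PERMISSIVE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:CreateRepository", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "ecr:TagResource",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestTag/Team": "team-a"}},
        },
    ]
}


def request_context(action, repo_name, tags=None,
                    account="123456789012", region="us-east-1"):
    """Build the parts of an IAM request context that matter here.
    aws:RequestTag/<key> entries exist only when the API call carries tags."""
    ctx = {"action": action,
           "resource": f"arn:aws:ecr:{region}:{account}:repository/{repo_name}"}
    for key, value in (tags or {}).items():
        ctx[f"aws:RequestTag/{key}"] = value
    return ctx


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_allows(stmt, ctx):
    """True if this Allow statement matches action, resource and conditions."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    # A condition key that is absent from the request context makes the
    # condition false: a CreateRepository call with no tags is denied.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key not in ctx or ctx[key] not in _as_list(expected):
            return False
    return True


def is_allowed(policy, ctx):
    return any(statement_allows(s, ctx) for s in policy["Statement"])


def run_sequence(policy, calls):
    """Evaluate (action, repo, tags) calls in order; return [(action, allowed)],
    stopping at the first denial, as Terraform would when the API errors."""
    results = []
    for action, repo, tags in calls:
        ok = is_allowed(policy, request_context(action, repo, tags))
        results.append((action, ok))
        if not ok:
            break
    return results


# What provider 2.4.0 does per the issue: create without tags, then tag.
TWO_STEP = [("ecr:CreateRepository", "team-a/app", None),
            ("ecr:TagResource", "team-a/app", {"Team": "team-a"})]
# What the issue asks for: the tags travel with the CreateRepository request.
ONE_STEP = [("ecr:CreateRepository", "team-a/app", {"Team": "team-a"})]

if __name__ == "__main__":
    print(run_sequence(LOCKED_DOWN_POLICY, TWO_STEP))  # denied at step 1
    print(run_sequence(LOCKED_DOWN_POLICY, ONE_STEP))  # allowed
    print(run_sequence(PERMISSIVE_POLICY, TWO_STEP))   # allowed, but so is:
    print(is_allowed(PERMISSIVE_POLICY, request_context(
        "ecr:CreateRepository", "team-b/anything", {"Team": "team-b"})))
```

The last line is the security point of the issue: the permissive policy lets the same principal create `team-b/anything` with whatever tags it likes, because the only way to make the untagged CreateRepository call succeed is to drop the `aws:RequestTag` condition from that action entirely.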