Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ECR Repository Tags Support is Broken #8195

Closed
eedwards-sk opened this issue Apr 4, 2019 · 5 comments · Fixed by #8198
Closed

ECR Repository Tags Support is Broken #8195

eedwards-sk opened this issue Apr 4, 2019 · 5 comments · Fixed by #8198
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ecr Issues and PRs that pertain to the ecr service.
Milestone

Comments

@eedwards-sk
Copy link

Overview

The API request for CreateRepository should include the tags, otherwise you cannot use IAM policies which restrict the API operation based on tags.

Current behavior does a "CreateRepository" API request, followed by a "TagResource" API request (see https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_ecr_repository.go#L60-L73)

This means that a proper locked down policy like this cannot work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateRepo",
      "Effect": "Allow",
      "Action": [
        "ecr:CreateRepository",
        "ecr:TagResource"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/foo": "foo"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "foo"
          ]
        }
      }
    }
  ]
}

instead, you would have to use the following policy, which means the user ends up with permission to run CreateRepository on any kind of repository name / tag, which is a security risk and defeats the whole purpose of conditions...

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateRepo",
      "Effect": "Allow",
      "Action": [
        "ecr:CreateRepository"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "SetRepoTags",
      "Effect": "Allow",
      "Action": [
        "ecr:TagResource"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/foo": "foo"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "foo"
          ]
        }
      }
    }
  ]
}

Terraform Version

0.11.13
provider: 2.4.0

Affected Resource(s)

  • aws_ecr_repository

Terraform Configuration Files

resource "aws_ecr_repository" "foo" {
  name = "foo"
  tags = {
    foo = "foo"
  }
}

Debug Output

2019-04-04T20:02:21.247Z [DEBUG] plugin.terraform-provider-aws_v2.4.0_x4: 2019/04/04 20:02:21 [DEBUG] [aws-sdk-go] {"__type":"AccessDeniedException","Message":"User: <SNIPPED> is not authorized to perform: ecr:CreateRepository on resource: *"}
2019-04-04T20:02:21.247Z [DEBUG] plugin.terraform-provider-aws_v2.4.0_x4: 2019/04/04 20:02:21 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ecr/CreateRepository failed, not retrying, error AccessDeniedException: User: <SNIPPED> is not authorized to perform: ecr:CreateRepository on resource: *

Expected Behavior

The creation succeeds

Actual Behavior

The creation fails due to permissions

Steps to Reproduce

  1. terraform apply

References

@ewbankkit
Copy link
Contributor

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/ecr Issues and PRs that pertain to the ecr service. labels Apr 4, 2019
@bflad bflad added this to the v2.5.0 milestone Apr 4, 2019
@bflad
Copy link
Contributor

bflad commented Apr 4, 2019

Support for tagging on create has been merged and will release with version 2.5.0 of the Terraform AWS Provider, likely later today. 👍

@eedwards-sk
Copy link
Author

wow, I think I heard the sonic boom from how fast that turnaround was 💥 😎

@bflad
Copy link
Contributor

bflad commented Apr 5, 2019

This has been released in version 2.5.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost
Copy link

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ecr Issues and PRs that pertain to the ecr service.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants