This repository has been archived by the owner on Oct 8, 2020. It is now read-only.

rendered template file unexpected behaviour (2 subsequent plan-apply needed instead of 1) #14

Closed
elodani opened this issue Jul 12, 2017 · 2 comments

Comments

@elodani

elodani commented Jul 12, 2017

Terraform Version

v0.9.11

Affected Resource(s)

  • template_file

Terraform Configuration Files

provider "aws" {
  region = "eu-central-1"
  # access and secret key are in ~/.aws/credentials
}

resource "aws_ecr_repository" "ecr_repo" {
  name = "ecr-repo"
}

data "template_file" "ecr_pol_inst_tmpl" {
  template = "${file("ECRPolicy_InstancePull.tpl")}"
  vars {
    instance_role = "${aws_iam_role.instance_role.arn}"
  }
}

resource "aws_ecr_repository_policy" "ecr_policy_instance_pull" {
  repository = "${aws_ecr_repository.ecr_repo.name}"
  policy     = "${data.template_file.ecr_pol_inst_tmpl.rendered}"
}

resource "aws_iam_role" "instance_role" {
  name               = "instance-role"
  assume_role_policy = "${file("AssumeRolePolicy.json")}"
}

Template file (ECRPolicy_InstancePull.tpl)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InstancePull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${instance_role}"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}

AssumeRolePolicy.json for the IAM role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

Expected Behavior

With a terraform plan -out plan.tfplan and a terraform apply plan.tfplan all the resources should be created.

Actual Behavior

If I call plan, it looks good. When I apply that plan, it also seems like the dependencies are right: it wants to create the ECR repository policy with the rendered file (the correct instance role ARN is in place in the output). But AWS sends back InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided' . The interesting part is that if I call another plan + apply now, it creates the remaining resource (the ECR policy, which is using the template, also listing the right ARN in place) correctly, and in the AWS console I see the wanted results.

I tried the same configuration with a hardcoded (pre-existing) ARN without the template file data source, and it worked like a charm on the first try, but I need to be able to parameterize my policies; that's why I chose template files (the IAM policy_document data source format is a far less convenient format for me, I prefer providing the JSON for these things).

Steps to Reproduce

  1. terraform plan -out plan.tfplan
  2. terraform apply plan.tfplan
  3. AWS rejection happens, don't change anything
  4. terraform plan -out plan.tfplan
  5. terraform apply plan.tfplan
  6. It works just fine... ?!
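A pre-apply check, added here as an example and not part of the issue or of the template provider: it substitutes `${var}` placeholders the way `template_file` does and then refuses a rendered ECR repository policy whose principal is not a resolved IAM role ARN or whose actions go beyond image pull. The embedded template text, the role ARN and the allowed-action set are constructed for the example.

```python
import json
import re

# Constructed copy of the issue's ECRPolicy_InstancePull.tpl, embedded so this runs offline.
ECR_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "InstancePull",
    "Effect": "Allow",
    "Principal": {"AWS": "${instance_role}"},
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"]
  }]
}"""

# Assumption: a pull-only repository policy may grant these read actions and nothing else.
PULL_ONLY_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def render(template, variables):
    """Substitute ${name} placeholders like template_file's vars block; unknown names are left as-is."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), template)


def validate_ecr_pull_policy(policy_text):
    """Return the list of problems found; an empty list means well-formed, resolved and pull-only."""
    problems = []
    try:
        doc = json.loads(policy_text)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    if doc.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {}).get("AWS", "")
        # An unresolved "${instance_role}" or an empty string is the kind of principal ECR rejects.
        if not ROLE_ARN_RE.match(principal):
            problems.append("Principal is not a resolved IAM role ARN: %r" % principal)
        if stmt.get("Effect") != "Allow":
            problems.append("Effect must be Allow")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = sorted(set(actions) - PULL_ONLY_ACTIONS)
        if extra:
            problems.append("actions beyond the pull-only set: %s" % extra)
    return problems


if __name__ == "__main__":
    rendered = render(ECR_POLICY_TEMPLATE, {"instance_role": "arn:aws:iam::123456789012:role/instance-role"})
    print(validate_ecr_pull_policy(rendered) or "policy OK")
```

Run it against the output of `terraform show` or the plan's rendered attribute before apply; a non-empty list is the signal to stop rather than let ECR reject the policy.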
@elodani
Author

elodani commented Jul 12, 2017

Update:

I tried providing an existing ARN (a hardcoded string instead of interpolation) for the variable in the template, and it worked just fine. My guess now is that the template rendering does not wait for the other resources it depends on. Maybe a core issue, and not provider related?

data "template_file" "ecr_pol_inst_tmpl" {
  template = "${file("../aws_policies/ECRPolicy_InstancePull.tpl")}"
  vars {
    instance_role = "valid-pre-existing-ARN"
  }
}

@elodani
Author

elodani commented Jul 14, 2017

Sorry, after some additional digging, I think it is not a template file provider issue, closing...

@elodani elodani closed this as completed Jul 14, 2017