
More than 2 ECR lifecycle policies can't be defined for one ECR repository #6212

Closed
RomTin opened this issue Oct 19, 2018 · 6 comments
Labels
new-data-source Introduces a new data source. service/ecr Issues and PRs that pertain to the ecr service.

Comments


RomTin commented Oct 19, 2018

Terraform Version

v0.11.7

Affected Resource(s)

  • aws_ecr_lifecycle_policy

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
resource "aws_ecr_repository" "sample" {
  name = "${format("%s-api",lookup(var.default, "name"))}"
}

resource "aws_ecr_lifecycle_policy" "sample_policy_1" {
  repository = "${aws_ecr_repository.sample.name}"

  policy = <<EOF
{
    "rules": [
        {
            "rulePriority": 1,
            "description": "sample policy 1",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["sample_tag_1"],
                "countType": "imageCountMoreThan",
                "countNumber": 10
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}
EOF
}

resource "aws_ecr_lifecycle_policy" "sample_policy_2" {
  repository = "${aws_ecr_repository.sample.name}"

  policy = <<EOF
{
    "rules": [
        {
            "rulePriority": 2,
            "description": "sample policy 2",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["sample_tag_2"],
                "countType": "imageCountMoreThan",
                "countNumber": 10
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}
EOF
}

Expected Behavior

For multiple ECR lifecycle policies in the same single .tfstate file

All of the ECR lifecycle policies which were defined in a single .tf file should be attached to the specified ECR repository.

For multiple ECR lifecycle policies in multiple .tfstate files

When I prepared two .tfstate files which include ECR lifecycle policy definitions for a single ECR repository, all of the ECR lifecycle policies are attached to the specified ECR repository, and all .tfstate files should keep them.

Actual Behavior

For multiple ECR lifecycle policies in the same single .tfstate file

Only the ECR lifecycle policy that was applied last was attached to the ECR repository. All of the other ECR lifecycle policies were created once, and then overwritten by the following ECR lifecycle policy definitions.

e.g.)

  1. I defined ECR lifecycle policy A and B for ECR repository a.
  2. When I applied the .tf file, policy A was attached to the repository a.
  3. After that, policy A was overwritten by B, thus policy A was destroyed.
  4. In the end, only policy B was attached to the repository a.

For multiple ECR lifecycle policies in multiple .tfstate files

e.g.)
ECR lifecycle policy A is defined in sample_a.tf and sample_a.tfstate for ECR repository a.
Also, ECR lifecycle policy B is defined in sample_b.tf and sample_b.tfstate for ECR repository a, too.
When I applied sample_a.tf, ECR lifecycle policy A was correctly attached to ECR repository a. After that, I applied sample_b.tf and found that ECR lifecycle policy A was unexpectedly deleted and ECR lifecycle policy B was attached to ECR repository a.

Steps to Reproduce

  1. terraform apply

Important Factoids

Nothing

References

@RomTin RomTin closed this as completed Oct 19, 2018
@RomTin RomTin changed the title from "I can" to "More than 2 ECR lifecycle policies can't be defined for one ECR repository" Oct 19, 2018
@RomTin RomTin reopened this Oct 19, 2018

RomTin commented Oct 19, 2018

I'm sorry.
I accidentally released and closed this issue.
I reopened it. Thank you.


bflad commented Oct 19, 2018

Hi @RomTin 👋 Sorry you are running into trouble here.

While the documentation doesn't note it, using two aws_ecr_lifecycle_policy resources against the same ECR repository is not supported. As you found, the policies will overwrite each other. I will submit a documentation pull request to note that at the top of the resource documentation page.

Currently you must combine the rules together in the policy JSON to add multiple rules, e.g.

resource "aws_ecr_lifecycle_policy" "sample_policy_1" {
  repository = "${aws_ecr_repository.sample.name}"

  policy = <<EOF
{
    "rules": [
        {
            "rulePriority": 1,
            "description": "sample policy 1",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["sample_tag_1"],
                "countType": "imageCountMoreThan",
                "countNumber": 10
            },
            "action": {
                "type": "expire"
            }
        },
        {
            "rulePriority": 2,
            "description": "sample policy 2",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["sample_tag_2"],
                "countType": "imageCountMoreThan",
                "countNumber": 10
            },
            "action": {
                "type": "expire"
            }
        }
    ]
}
EOF
}

How you accomplish combining the JSON is currently outside the scope of the AWS provider, however, there have been some thoughts/contributions about implementing an ECR lifecycle policy data source in Terraform (#6133), similar to the aws_iam_policy_document data source, which would allow you to accomplish something more like you're looking for, e.g.

# Quick design sketch - not currently implemented and may change during development
data "aws_ecr_repository_lifecycle_policy" "rule1" {
  rule {
    priority = 1 # potentially optional
    # ... other configuration ...
  }
}

data "aws_ecr_repository_lifecycle_policy" "rule2" {
  rule {
    priority = 2 # potentially optional
    # ... other configuration ...
  }
}

data "aws_ecr_repository_lifecycle_policy" "combined" {
  source_jsons = [
    "${data.aws_ecr_repository_lifecycle_policy.rule1.json}",
    "${data.aws_ecr_repository_lifecycle_policy.rule2.json}",
  ]
}

resource "aws_ecr_lifecycle_policy" "sample_policy_1" {
  repository = "${aws_ecr_repository.sample.name}"
  policy = "${data.aws_ecr_repository_lifecycle_policy.combined.json}"
}

This can have the same benefits we get with the IAM data source where we can support combining rules, provide validation within Terraform, and allow for reusability of these configurations across multiple policies.

We'll use this ticket for tracking the issue since there currently doesn't appear to be one except for the fairly new pull request. 👍
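An added example, not code from the issue or from the AWS provider, of the "combine the rules together in the policy JSON" step described above: several rule fragments are merged into one policy document for a single aws_ecr_lifecycle_policy resource, and the merge refuses duplicate rulePriority values (the condition under which one rule would otherwise displace another) and a tagStatus "any" rule that does not carry the highest priority. The fragments are constructed to mirror the two policies in the issue, and the validation covers only a subset of ECR's constraints.

```python
import json

# Constructed sample fragments: the two policies from the issue plus a catch-all rule.
FRAGMENT_A = {"rules": [{"rulePriority": 1, "description": "sample policy 1",
    "selection": {"tagStatus": "tagged", "tagPrefixList": ["sample_tag_1"],
                  "countType": "imageCountMoreThan", "countNumber": 10},
    "action": {"type": "expire"}}]}
FRAGMENT_B = {"rules": [{"rulePriority": 2, "description": "sample policy 2",
    "selection": {"tagStatus": "tagged", "tagPrefixList": ["sample_tag_2"],
                  "countType": "imageCountMoreThan", "countNumber": 10},
    "action": {"type": "expire"}}]}
FRAGMENT_C = {"rules": [{"rulePriority": 100, "description": "expire stale images",
    "selection": {"tagStatus": "any", "countType": "sinceImagePushed",
                  "countUnit": "days", "countNumber": 90},
    "action": {"type": "expire"}}]}

def validate_rule(rule):
    """Return the problems found in one rule; only a subset of ECR's constraints is checked."""
    problems = []
    prio = rule.get("rulePriority")
    if not isinstance(prio, int) or prio < 1:
        problems.append("rulePriority must be a positive integer")
    sel = rule.get("selection", {})
    if sel.get("tagStatus") not in ("tagged", "untagged", "any"):
        problems.append("tagStatus must be tagged, untagged or any")
    if sel.get("tagStatus") == "tagged" and not (sel.get("tagPrefixList") or sel.get("tagPatternList")):
        problems.append("tagged rules need tagPrefixList or tagPatternList")
    if sel.get("countType") == "sinceImagePushed" and sel.get("countUnit") != "days":
        problems.append("sinceImagePushed rules need countUnit = days")
    if rule.get("action", {}).get("type") != "expire":
        problems.append("action.type must be expire")
    return problems

def merge_policies(*fragments):
    """Combine fragments into one policy dict; invalid or clashing rules raise instead of overwriting."""
    rules = [r for frag in fragments for r in frag["rules"]]
    seen = set()
    for rule in rules:
        for problem in validate_rule(rule):
            raise ValueError(f"rule {rule.get('rulePriority')}: {problem}")
        if rule["rulePriority"] in seen:
            raise ValueError(f"rulePriority {rule['rulePriority']} used twice")
        seen.add(rule["rulePriority"])
    any_prios = [r["rulePriority"] for r in rules if r["selection"]["tagStatus"] == "any"]
    if any_prios and max(any_prios) != max(seen):
        raise ValueError("a tagStatus=any rule must have the highest rulePriority")
    return {"rules": sorted(rules, key=lambda r: r["rulePriority"])}

def merged_policy_json(*fragments):
    """Serialise the merged policy for the aws_ecr_lifecycle_policy `policy` argument."""
    return json.dumps(merge_policies(*fragments), indent=4)
```

The JSON string returned by merged_policy_json is what a single aws_ecr_lifecycle_policy resource would carry in place of the two separate resources from the issue.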


RomTin commented Oct 23, 2018

Hi @bflad, it's my pleasure to receive a comment from a contributor to Terraform.
I understood the reason why I couldn't define multiple lifecycle policies for a single ECR repository.

I'll try the solution which you advised.
Thank you very much :)


bflad commented Nov 6, 2019

Hi folks 👋 Thanks for submitting this.

We would certainly like to address this problem, likely more generically for all Terraform resources that could potentially be duplicated by the same dimension (such as per-region and per-name). The enhancement that would be available to all Terraform resources, which we could then implement in the Terraform AWS Provider, can be tracked upstream in the Terraform Plugin SDK: hashicorp/terraform-plugin-sdk#224.


bflad commented Jul 30, 2020

Hi folks 👋 Thank you for submitting this and this is an excellent use case of somewhere that Terraform and the Terraform AWS Provider could be much more helpful since in many cases they have enough information to return an error upfront during planning instead of unexpected behavior during apply.

I believe this falls under the provider-wide enhancement proposal of #14394, so by adding this link here it will add a reference to that issue so we can include it as a use case when thinking about the implementation details. Since this is likely something we will want more broadly across many resources, I'm going to close this particular issue to consolidate discussions, efforts, and prioritization on the topic while the reference would serve as the cue to make this specific resource one of the initial implementations. I would suggest those 👍 upvoting and subscribing here to do so on #14394 so we can appropriately gauge interest. Please feel free to provide feedback there.

Thanks again!

@bflad bflad closed this as completed Jul 30, 2020

ghost commented Aug 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 29, 2020