resource/aws_ecr_repository_policy: Update policy in state on read #7853


@chrisdcmoore chrisdcmoore commented Mar 7, 2019

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Description

Whilst using terraform to manage ECR repositories and their policies, I noticed that changing the policy directly in the AWS Console didn't cause my terraform plan to show any changes required. Running terraform refresh with debugging turned on showed that the modified version of the policy was being returned by the AWS API, but doing a subsequent terraform state pull and inspecting the state showed that the policy in the state hadn't been updated.

Changes proposed in this pull request:

  • In aws_ecr_repository_policy, update the policy property on the schema when pulling the policy from the AWS API.
  • In aws_ecr_repository_policy, suppress diffs between equivalent policies via the JSON diff suppressor

@ghost ghost added service/ecr Issues and PRs that pertain to the ecr service. size/XS Managed by automation to categorize the size of a PR. labels Mar 7, 2019
@bflad bflad added the bug Addresses a defect in current functionality. label Mar 8, 2019
@bflad bflad added this to the v2.2.0 milestone Mar 14, 2019

@bflad bflad left a comment

Hi @chrisdcmoore 👋 Thank you so much for finding this and providing a fix. I hope you don't mind if I make one very minor adjustment in a commit after yours on merge (79e0160) to switch from using the suppressEquivalentJsonDiffs function to the suppressEquivalentAwsPolicyDiffs as it is more suited for ignoring equivalent IAM policy JSON documents and fixes these acceptance testing errors I received:

--- FAIL: TestAccAWSEcrRepositoryPolicy_basic (6.20s)
    testing.go:538: Step 0 error: After applying this step, the plan was not empty:

        DIFF:

        UPDATE: aws_ecr_repository_policy.default
          policy: "{\n  \"Version\" : \"2008-10-17\",\n  \"Statement\" : [ {\n    \"Sid\" : \"testpolicy\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : \"*\",\n    \"Action\" : \"ecr:ListImages\"\n  } ]\n}" => "{\n    \"Version\": \"2008-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"testpolicy\",\n            \"Effect\": \"Allow\",\n            \"Principal\": \"*\",\n            \"Action\": [\n                \"ecr:ListImages\"\n            ]\n        }\n    ]\n}\n"

--- FAIL: TestAccAWSEcrRepositoryPolicy_iam (14.04s)
    testing.go:538: Step 0 error: After applying this step, the plan was not empty:

        DIFF:

        UPDATE: aws_ecr_repository_policy.default
          policy: "{\n  \"Version\" : \"2008-10-17\",\n  \"Statement\" : [ {\n    \"Sid\" : \"testpolicy\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"arn:aws:iam::--OMITTED--:role/tf-acc-test-ecr-o2wwkel9us\"\n    },\n    \"Action\" : \"ecr:ListImages\"\n  } ]\n}" => "{\n    \"Version\": \"2008-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"testpolicy\",\n            \"Effect\": \"Allow\",\n            \"Principal\": {\n              \"AWS\": \"arn:aws:iam::--OMITTED--:role/tf-acc-test-ecr-o2wwkel9us\"\n            },\n            \"Action\": [\n                \"ecr:ListImages\"\n            ]\n        }\n    ]\n}\n"

Output from acceptance testing after DiffSuppressFunc adjustment:

--- PASS: TestAccAWSEcrRepositoryPolicy_basic (6.18s)
--- PASS: TestAccAWSEcrRepositoryPolicy_iam (13.31s)

@bflad bflad merged commit 3fdcc24 into hashicorp:master Mar 14, 2019
bflad added a commit that referenced this pull request Mar 14, 2019
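
The failing diffs above differ only in how `Action` is written (`"ecr:ListImages"` against `["ecr:ListImages"]`), which plain JSON equality treats as a change. The sketch below is an added example, not code from this pull request or from the provider: `canon`, `equivalent`, `listKeys` and the sample policies are hypothetical names and constructed data, and the normalisation is a simplified stand-in for a policy-aware comparison that still reports a real out-of-band edit.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// listKeys: keys where "x" and ["x"] mean the same (partial list, an assumption).
var listKeys = map[string]bool{"Action": true, "Resource": true, "AWS": true, "Service": true}

// canon normalises a parsed policy in place: scalars under listKeys become
// one-element lists, and every list is sorted because policy lists act as sets.
func canon(key string, v interface{}) interface{} {
	if s, ok := v.(string); ok && listKeys[key] {
		v = []interface{}{s}
	}
	switch t := v.(type) {
	case map[string]interface{}:
		for k, e := range t {
			t[k] = canon(k, e)
		}
	case []interface{}:
		for i, e := range t {
			t[i] = canon("", e)
		}
		sort.Slice(t, func(i, j int) bool { return fmt.Sprint(t[i]) < fmt.Sprint(t[j]) })
	}
	return v
}

// equivalent compares two documents; semantic=false is plain JSON equality
// (whitespace and key order ignored), semantic=true applies canon first.
func equivalent(a, b string, semantic bool) bool {
	var x, y interface{}
	if json.Unmarshal([]byte(a), &x) != nil || json.Unmarshal([]byte(b), &y) != nil {
		return false
	}
	if semantic {
		x, y = canon("", x), canon("", y)
	}
	return reflect.DeepEqual(x, y)
}

// Constructed sample policies modelled on the failing test's diff; drifted adds an action.
const inConfig = `{"Version":"2008-10-17","Statement":[{"Sid":"testpolicy","Effect":"Allow","Principal":"*","Action":["ecr:ListImages"]}]}`
const fromAPI = `{"Version":"2008-10-17","Statement":[{"Sid":"testpolicy","Effect":"Allow","Principal":"*","Action":"ecr:ListImages"}]}`
const drifted = `{"Version":"2008-10-17","Statement":[{"Sid":"testpolicy","Effect":"Allow","Principal":"*","Action":["ecr:ListImages","ecr:BatchGetImage"]}]}`

func main() { fmt.Println(equivalent(inConfig, fromAPI, false), equivalent(inConfig, fromAPI, true), equivalent(inConfig, drifted, true)) }
```

The sketch does not cover other equivalent spellings such as `"Principal": "*"` against `{"AWS": "*"}`.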

bflad commented Mar 15, 2019

This has been released in version 2.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@chrisdcmoore

Hi @bflad

Much appreciated, sorry I didn't run the acceptance tests - first time contributing and wasn't sure what resources the acceptance tests would create in our AWS account - I'll get a new, isolated account set up for running them next time!

Thanks for the awesome work you all do!

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020