For some reason, when I run

pulumi up

on a stack that includes a ecr Repository and a RepositoryPolicy, it thinks the policy is different every run:

# Allow app subaccounts to pull from image repository
repository_policy = aws.ecr.RepositoryPolicy(
    "repository-policy",
    repository=repository.name,
    policy={
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountPull",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        f"arn:aws:iam::{account_id}:root"
                        for account_id in ALLOWED_ACCOUNT_IDS
                    ]
                },
                "Action": [
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer",
                ],
            }
        ],
    },
)

That’s potentially a bug. Could you file an issue, either in pulumi-aws for the classic provider or pulumi-aws-native for the native provider? Ideally with a complete program to reproduce, but we can figure it out if that’s difficult to extract. Thanks!

Ah interesting, will do, thank you!

thank you!

Does the use of

awsx

raise any flags for you?

awsx

seems unrelated at first glance. We actually have a small number of similar issues open where Pulumi thinks unchanged resources have changed. That suggests an underlying bug. I’m compiling these at the moment so we can track this down. Sorry for the trouble!

Should I open an issue for the

aws:cloudformation:Stack

one as well?

Hmm, yes I think that would be good to have a full picture, if you don’t mind