This repository has been archived by the owner on Dec 11, 2020. It is now read-only.

Docker authentication configurations without explicit registry addresses and credentials aren't parsed properly #275

Open
rolandcrosby opened this issue Jun 24, 2020 · 0 comments

Comments

@rolandcrosby

Terraform Version

Terraform v0.12.26
+ provider.docker v2.7.1

Affected Resource(s)

Docker provider

Terraform Configuration Files

locals {
    docker_registry_url = "example.com"
}

provider "docker" {
    registry_auth {
        address = local.docker_registry_url
        config_file_content = jsonencode({
            "credsStore" = "ecr-login"
        })
    }
}

resource "docker_image" "hello_world" {
    name = "${local.docker_registry_url}/hello_world:latest"
}

Debug Output

Gist here

Panic Output

n/a

Expected Behavior

The Docker provider should parse the Docker auth config file and fetch the appropriate credentials the same way the native Docker CLI does. Specifically:

  • If a global credsStore helper is set in the config file contents, the provider should use that creds store to fetch authentication data for the registry address specified in the configuration, regardless of whether there is anything in the auths key in the config file contents.
  • If specific per-registry credHelpers are specified as described in the Docker documentation here, the appropriate helper should be detected and used to fetch credentials for the specified registry, again without regard to whether the registry is present in auths.

Actual Behavior

If a configuration like the above one is passed (where credsStore is present but auths is empty or not present), the provider does not do anything with the credsStore property (see lines 295-303 of provider.go). Instead, if the provider sees no auths, it will attempt to parse the configuration as if it were in the following legacy format:

{
    "some-registry-url": {"auth": "some credential", "email": "some credential here"}
}

When this fails, the user is presented with the following confusing and misleading error: json: cannot unmarshal string into Go value of type docker.dockerConfig (see #273).

(The credHelpers section of Docker's config.json doesn't work at all with this provider and also leads to the same misleading error; this fact is not documented anywhere.)

Steps to Reproduce

In a directory with the above Terraform file present, run terraform init to download the Docker provider, then terraform apply.

Important Factoids

  • This issue surfaced for me when attempting to use the AWS ECR credential helper, but based on the source code the issue doesn't appear to be specific to that helper.

References
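The lookup order described under Expected Behavior (per-registry credHelpers, then the global credsStore, then auths), as an added Go sketch that is not part of the original issue or the provider's code. The names `credentialSource`, `dockerConfig` and `authEntry` are hypothetical, and the sample config content is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// authEntry is one entry under "auths" (inline base64 credentials).
type authEntry struct {
	Auth string `json:"auth"`
}

// dockerConfig holds the three config.json keys the issue discusses.
type dockerConfig struct {
	Auths       map[string]authEntry `json:"auths"`
	CredsStore  string               `json:"credsStore"`
	CredHelpers map[string]string    `json:"credHelpers"`
}

// credentialSource (hypothetical name) returns where credentials for registry
// come from: a helper binary name, or "auths" for inline credentials.
// Order: per-registry credHelpers, then global credsStore, then auths.
func credentialSource(content []byte, registry string) (string, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(content, &cfg); err != nil {
		return "", fmt.Errorf("parsing docker config: %w", err)
	}
	if h := cfg.CredHelpers[registry]; h != "" {
		return "docker-credential-" + h, nil
	}
	if cfg.CredsStore != "" {
		return "docker-credential-" + cfg.CredsStore, nil
	}
	if cfg.Auths[registry].Auth != "" {
		return "auths", nil
	}
	return "", fmt.Errorf("no credentials configured for %q", registry)
}

func main() {
	// Constructed sample: the credsStore-only content from the issue's configuration.
	src, err := credentialSource([]byte(`{"credsStore":"ecr-login"}`), "example.com")
	fmt.Println(src, err)
}
```

A config with no `auths` key resolves to a helper here instead of falling through to the legacy-format parse, and a config that names no source for the registry returns an explicit error.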
