feat: lambda cross account policy added

terraform-aws-modules · Dec 29, 2023 · 0ead8e0 · 0ead8e0
1 parent 0498b47
commit 0ead8e0
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -215,6 +215,9 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="allow_cross_account_lambda_read_access"></a> [allow\_cross\_account\_lambda\_read\_access](#input\_cross\_account\_lambda\_read\_access) | Determines whether the repository policy will allow cross account lambda read access. Required `cross_account_ids`, `cross_account_read_access_lambda_arns` | `bool` | `false` | no |
+| <a name="cross_account_account_ids"></a> [cross\_account\_ids](#input\_cross\_account\_ids) | Cross account ids. Required `allow_cross_account_lambda_read_access`, `cross_account_read_access_lambda_arns` | `list(str)` | `[]` | no |
+| <a name="cross_account_read_access_lambda_arns"></a> [cross\_account\_read\_access\_lambda\_arns](#input\_cross\_account\_read\_access\_lambda\_arns) | Cross account lambda function arns. Required `allow_cross_account_lambda_read_access`, `cross_account_ids` | `list(str)` | `[]` | no |
 | <a name="input_attach_repository_policy"></a> [attach\_repository\_policy](#input\_attach\_repository\_policy) | Determines whether a repository policy will be attached to the repository | `bool` | `true` | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_lifecycle_policy"></a> [create\_lifecycle\_policy](#input\_create\_lifecycle\_policy) | Determines whether a lifecycle policy will be created | `bool` | `true` | no |

diff --git a/main.tf b/main.tf
@@ -81,6 +81,66 @@ data "aws_iam_policy_document" "repository" {
 
     }
   }
+  dynamic "statement" {
+    for_each = var.repository_type == "private" && (var.repository_lambda_read_access || length(var.repository_lambda_read_access_arns) > 0) ? [1] : []
+
+    content {
+      sid = "PrivateLambdaReadOnly"
+
+      principals {
+        type        = "Service"
+        identifiers = ["lambda.amazonaws.com"]
+      }
+
+      actions = [
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer",
+      ]
+
+    }
+  }
+  dynamic "statement" {
+    for_each = var.repository_type == "private" && (var.allow_cross_account_lambda_read_access || length(var.cross_account_ids) > 0) ? [1] : []
+
+    content {
+      sid    = "CrossAccountPermission"
+      effect = "Allow"
+
+      actions = [
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer",
+      ]
+
+      principals {
+        type        = "AWS"
+        identifiers = [for s in var.cross_account_ids : "arn:aws:iam::${s}:root"]
+      }
+    }
+  }
+  dynamic "statement" {
+    for_each = var.repository_type == "private" && (var.allow_cross_account_lambda_read_access || length(var.cross_account_read_access_lambda_arns) > 0) ? [1] : []
+
+    content {
+      sid    = "LambdaECRImageCrossAccountRetrievalPolicy"
+      effect = "Allow"
+
+      actions = [
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer",
+      ]
+
+      condition {
+        test     = "StringLike"
+        variable = "aws:sourceARN"
+        values   = var.cross_account_read_access_lambda_arns
+      }
+
+      principals {
+        type        = "Service"
+        identifiers = ["lambda.amazonaws.com"]
+      }
+    }
+  }
 
   dynamic "statement" {
     for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "private" ? [var.repository_read_write_access_arns] : []

diff --git a/variables.tf b/variables.tf
@@ -95,6 +95,21 @@ variable "repository_lambda_read_access" {
   type        = bool
   default     = false
 }
+variable "allow_cross_account_lambda_read_access" {
+  description = "Determines whether the repository policy will allow cross account lambda read access. Required `cross_account_ids`, `cross_account_read_access_lambda_arns`"
+  type        = bool
+  default     = false
+}
+variable "cross_account_ids" {
+  description = "Cross account ids. Required `allow_cross_account_lambda_read_access`, `cross_account_read_access_lambda_arns`"
+  type        = list(string)
+  default     = []
+}
+variable "cross_account_read_access_lambda_arns" {
+  description = "Cross account lambda function arns. Required `allow_cross_account_lambda_read_access`, `cross_account_ids`"
+  type        = list(string)
+  default     = []
+}
 variable "repository_lambda_read_access_arns" {
   description = "Deprecated. Use `repository_lambda_read_access` instead"
   type        = []