chore: Fix example after another round of validation

terraform-aws-modules · Sep 4, 2024 · 795b8b0 · 795b8b0
1 parent 108c20c
commit 795b8b0
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 16 deletions.
diff --git a/examples/repository-template/README.md b/examples/repository-template/README.md
@@ -10,21 +10,12 @@ $ terraform plan
 $ terraform apply
 ```
 
-You can validate this example by running the following commands:
-
-```bash
-# Ensure your local CLI is authenticated with ECR
-aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin <account-id>.dkr.ecr.us-east-1.amazonaws.com
-
-# Dockerhub pull through cache and repo creation
-docker pull <account-id>.dkr.ecr.us-east-1.amazonaws.com/dockerhub/library/nginx:latest
-
-# Public ECR pull through cache and repo creation
-docker pull <account-id>.dkr.ecr.us-east-1.amazonaws.com/public-ecr/docker/library/nginx:latest
-```
+You can validate this example by running the commands generated in the `example_docker_pull_commands` output value.
 
 Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources.
 
+If you validate the example by using the pull-through cache, you will need to manually clean up these repositories within ECR since they are not manage by Terraform.
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -60,7 +51,12 @@ No inputs.
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_example_docker_pull_commands"></a> [example\_docker\_pull\_commands](#output\_example\_docker\_pull\_commands) | Example docker pull commands to test and validate the example |
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | IAM role ARN |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | IAM role name |
+| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 <!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-ecr/blob/master/LICENSE).
diff --git a/examples/repository-template/main.tf b/examples/repository-template/main.tf
@@ -26,7 +26,7 @@ module "public_ecr_pull_through_cache_repository_template" {
 
   # Template
   description   = "Pull through cache repository template for Public ECR artifacts"
-  prefix        = "public-ecr"
+  prefix        = "ecr-public"
   resource_tags = local.tags
   lifecycle_policy = jsonencode({
     rules = [
@@ -58,7 +58,7 @@ module "dockerhub_pull_through_cache_repository_template" {
 
   # Template
   description   = "Pull through cache repository template for Dockerhub artifacts"
-  prefix        = "dockerhub"
+  prefix        = "docker-hub"
   resource_tags = local.tags
 
   # Pull through cache rule

diff --git a/examples/repository-template/outputs.tf b/examples/repository-template/outputs.tf
@@ -0,0 +1,28 @@
+output "iam_role_name" {
+  description = "IAM role name"
+  value       = module.dockerhub_pull_through_cache_repository_template.iam_role_name
+}
+
+output "iam_role_arn" {
+  description = "IAM role ARN"
+  value       = module.dockerhub_pull_through_cache_repository_template.iam_role_arn
+}
+
+output "iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = module.public_ecr_pull_through_cache_repository_template.iam_role_unique_id
+}
+
+output "example_docker_pull_commands" {
+  description = "Example docker pull commands to test and validate the example"
+  value       = <<-EOT
+    # Ensure your local CLI is authenticated with ECR
+    aws ecr get-login-password --region ${local.region} | docker login --username AWS --password-stdin ${local.account_id}.dkr.ecr.${local.region}.amazonaws.com
+
+    # Dockerhub pull through cache and repo creation
+    docker pull ${local.account_id}.dkr.ecr.${local.region}.amazonaws.com/docker-hub/library/nginx:latest
+
+    # Public ECR pull through cache and repo creation
+    docker pull ${local.account_id}.dkr.ecr.${local.region}.amazonaws.com/ecr-public/docker/library/nginx:latest
+  EOT
+}
diff --git a/modules/repository-template/main.tf b/modules/repository-template/main.tf
@@ -243,7 +243,7 @@ data "aws_iam_policy_document" "this" {
       "ecr:TagResource"
     ]
     resources = [
-      "arn:${data.aws_partition.current[0].partition}:ecr::${data.aws_caller_identity.current[0].account_id}:repository/${local.perm_prefix}"
+      "arn:${data.aws_partition.current[0].partition}:ecr:*:${data.aws_caller_identity.current[0].account_id}:repository/${local.perm_prefix}"
     ]
   }