From be2edd1b481e14e45d5d548ca47e04c41dce2058 Mon Sep 17 00:00:00 2001
From: Poh Peng Ric Wang <7760361+thepoppingone@users.noreply.github.com>
Date: Thu, 16 Feb 2023 19:02:54 +0800
Subject: [PATCH] feat: Add new variable for allowing ECR image sharing to lambda service in external account (#16)

Co-authored-by: Bryant Biggs
Co-authored-by: Poh Peng
---
 README.md | 1 +
 main.tf | 27 +++++++++++++++++++++++++++
 variables.tf | 6 ++++++
 wrappers/main.tf | 1 +
 4 files changed, 35 insertions(+)

diff --git a/README.md b/README.md
index 7991160..f0bbb49 100644
--- a/README.md
+++ b/README.md
@@ -234,6 +234,7 @@ No modules.
 | [repository\_image\_scan\_on\_push](#input\_repository\_image\_scan\_on\_push) | Indicates whether images are scanned after being pushed to the repository (`true`) or not scanned (`false`) | `bool` | `true` | no |
 | [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
 | [repository\_kms\_key](#input\_repository\_kms\_key) | The ARN of the KMS key to use when encryption\_type is `KMS`. If not specified, uses the default AWS managed key for ECR | `string` | `null` | no |
+| [repository\_lambda\_read\_access\_arns](#input\_repository\_lambda\_read\_access\_arns) | The ARNs of the Lambda service roles that have read access to the repository | `list(string)` | `[]` | no |
 | [repository\_lifecycle\_policy](#input\_repository\_lifecycle\_policy) | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs | `string` | `""` | no |
 | [repository\_name](#input\_repository\_name) | The name of the repository | `string` | `""` | no |
 | [repository\_policy](#input\_repository\_policy) | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 04ceb42..2b707d5 100644
--- a/main.tf
+++ b/main.tf
@@ -62,6 +62,33 @@ data "aws_iam_policy_document" "repository" {
 }
 }
 
+
+ dynamic "statement" {
+ for_each = var.repository_type == "private" && length(var.repository_lambda_read_access_arns) > 0 ? [1] : []
+
+ content {
+ sid = "PrivateLambdaReadOnly"
+
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+
+ actions = [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:sourceArn"
+
+ values = var.repository_lambda_read_access_arns
+ }
+
+ }
+ }
+
 dynamic "statement" {
 for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "private" ? [var.repository_read_write_access_arns] : []
 
diff --git a/variables.tf b/variables.tf
index 6f233f5..f3eb525 100644
--- a/variables.tf
+++ b/variables.tf
@@ -90,6 +90,12 @@ variable "repository_read_access_arns" {
 default = []
 }
 
+variable "repository_lambda_read_access_arns" {
+ description = "The ARNs of the Lambda service roles that have read access to the repository"
+ type = list(string)
+ default = []
+}
+
 variable "repository_read_write_access_arns" {
 description = "The ARNs of the IAM users/roles that have read/write access to the repository"
 type = list(string)
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 80f3a2e..1359698 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
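Review bot: The `aws:sourceArn` condition on the `lambda.amazonaws.com` service principal in the new `PrivateLambdaReadOnly` statement is matched against the ARN of the Lambda *function* that pulls the image, not against an IAM role, so `repository_lambda_read_access_arns` must hold function ARNs (or patterns such as `arn:aws:lambda:<region>:<account-id>:function:*`); the variable description in the variables.tf hunk and the matching README row call them "Lambda service roles", and a caller who passes role ARNs gets a statement that never matches and a silently useless grant. Suggested description for both places: `"The ARNs (or StringLike patterns, e.g. arn:aws:lambda:<region>:<account-id>:function:*) of the Lambda functions allowed to pull images from the repository"`. Because the test is `StringLike`, wildcards are honoured, so a bare `*` would let every Lambda function in every account pull from the repository; if the module's minimum Terraform version allows it, a `validation` block on the variable with `condition = alltrue([for a in var.repository_lambda_read_access_arns : can(regex("^arn:aws[a-z-]*:lambda:", a))])` would reject values that are not at least Lambda-scoped. The enclosing `data "aws_iam_policy_document" "repository"` block starts before and ends after this hunk.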
@@ -17,6 +17,7 @@ module "wrapper" {
 attach_repository_policy = try(each.value.attach_repository_policy, var.defaults.attach_repository_policy, true)
 create_repository_policy = try(each.value.create_repository_policy, var.defaults.create_repository_policy, true)
 repository_read_access_arns = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, [])
+ repository_lambda_read_access_arns = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, [])
 repository_read_write_access_arns = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, [])
 create_lifecycle_policy = try(each.value.create_lifecycle_policy, var.defaults.create_lifecycle_policy, true)
 repository_lifecycle_policy = try(each.value.repository_lifecycle_policy, var.defaults.repository_lifecycle_policy, "")