diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 314c02b..9de9608 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.76.0
+ rev: v1.88.0
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
@@ -24,7 +24,7 @@ repos:
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.3.0
+ rev: v4.5.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
diff --git a/README.md b/README.md
index f0bbb49..7f2c1e2 100644
--- a/README.md
+++ b/README.md
@@ -238,6 +238,7 @@ No modules.
| [repository\_lifecycle\_policy](#input\_repository\_lifecycle\_policy) | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs | `string` | `""` | no |
| [repository\_name](#input\_repository\_name) | The name of the repository | `string` | `""` | no |
| [repository\_policy](#input\_repository\_policy) | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no |
+| [repository\_policy\_statements](#input\_repository\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no |
| [repository\_read\_access\_arns](#input\_repository\_read\_access\_arns) | The ARNs of the IAM users/roles that have read access to the repository | `list(string)` | `[]` | no |
| [repository\_read\_write\_access\_arns](#input\_repository\_read\_write\_access\_arns) | The ARNs of the IAM users/roles that have read/write access to the repository | `list(string)` | `[]` | no |
| [repository\_type](#input\_repository\_type) | The type of repository to create. Either `public` or `private` | `string` | `"private"` | no |
diff --git a/main.tf b/main.tf
index 2b707d5..3dc21cd 100644
--- a/main.tf
+++ b/main.tf
@@ -62,7 +62,6 @@ data "aws_iam_policy_document" "repository" {
}
}
-
dynamic "statement" {
for_each = var.repository_type == "private" && length(var.repository_lambda_read_access_arns) > 0 ? [1] : []
@@ -129,6 +128,47 @@ data "aws_iam_policy_document" "repository" {
]
}
}
+
+ dynamic "statement" {
+ for_each = var.repository_policy_statements
+
+ content {
+ sid = try(statement.value.sid, null)
+ actions = try(statement.value.actions, null)
+ not_actions = try(statement.value.not_actions, null)
+ effect = try(statement.value.effect, null)
+ resources = try(statement.value.resources, null)
+ not_resources = try(statement.value.not_resources, null)
+
+ dynamic "principals" {
+ for_each = try(statement.value.principals, [])
+
+ content {
+ type = principals.value.type
+ identifiers = principals.value.identifiers
+ }
+ }
+
+ dynamic "not_principals" {
+ for_each = try(statement.value.not_principals, [])
+
+ content {
+ type = not_principals.value.type
+ identifiers = not_principals.value.identifiers
+ }
+ }
+
+ dynamic "condition" {
+ for_each = try(statement.value.conditions, [])
+
+ content {
+ test = condition.value.test
+ values = condition.value.values
+ variable = condition.value.variable
+ }
+ }
+ }
+ }
}
################################################################################
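Review bot: A caller's conditions are silently dropped when they use the provider's key name `condition` (singular), because `for_each = try(statement.value.conditions, [])` on the `dynamic "condition"` block falls back to an empty list for any key it cannot find and the variable is typed `any`, so nothing else rejects it. The variable description points users at the `aws_iam_policy_document` statement docs, where the block is called `condition`, so this slip is likely, and its effect is a statement that was meant to be scoped (by `aws:PrincipalOrgID`, a VPC endpoint, etc.) being added to the repository policy unconditionally — a silent widening of access rather than a plan error. The same `try(..., [])` fallback on `principals`/`not_principals` hides typos in the same way. Accepting both spellings, `for_each = try(statement.value.conditions, statement.value.condition, [])`, removes the most likely trap; rejecting unknown keys in the variable definition would catch the rest. Note also that `effect = try(statement.value.effect, null)` leaves the provider's documented default of `Allow` in force, which is worth stating in the variable description.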
diff --git a/variables.tf b/variables.tf
index f3eb525..965a5c8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -102,6 +102,12 @@ variable "repository_read_write_access_arns" {
default = []
}
+variable "repository_policy_statements" {
+ description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
+ type = any
+ default = {}
+}
+
################################################################################
# Lifecycle Policy
################################################################################
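Review bot: `type = any` with no `validation` gives callers no feedback on the shape of each statement, and the description does not list which keys the module actually reads; in particular main.tf reads `conditions` (plural) while the linked provider docs name the block `condition`, so a statement written per those docs keeps its actions and principals but loses its condition. Because these entries are spliced straight into the repository's resource policy, a dropped condition or a mistyped `principals` key means broader access than intended rather than an error. Consider naming the accepted keys in the description (`sid`, `actions`, `not_actions`, `effect`, `resources`, `not_resources`, `principals`, `not_principals`, `conditions`) and adding a `validation` block that rejects anything else; this needs a Terraform version with variable validation, which I cannot confirm from this diff.
```hcl
variable "repository_policy_statements" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for s in values(var.repository_policy_statements) :
      length(setsubtract(keys(s), [
        "sid", "actions", "not_actions", "effect", "resources", "not_resources",
        "principals", "not_principals", "conditions",
      ])) == 0
    ])
    error_message = "Each repository_policy_statements entry may only use the keys sid, actions, not_actions, effect, resources, not_resources, principals, not_principals and conditions; other keys would be silently ignored."
  }
}
```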
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 1359698..2c48b6e 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -3,31 +3,32 @@ module "wrapper" {
for_each = var.items
+ attach_repository_policy = try(each.value.attach_repository_policy, var.defaults.attach_repository_policy, true)
create = try(each.value.create, var.defaults.create, true)
- tags = try(each.value.tags, var.defaults.tags, {})
- repository_type = try(each.value.repository_type, var.defaults.repository_type, "private")
+ create_lifecycle_policy = try(each.value.create_lifecycle_policy, var.defaults.create_lifecycle_policy, true)
+ create_registry_policy = try(each.value.create_registry_policy, var.defaults.create_registry_policy, false)
+ create_registry_replication_configuration = try(each.value.create_registry_replication_configuration, var.defaults.create_registry_replication_configuration, false)
create_repository = try(each.value.create_repository, var.defaults.create_repository, true)
- repository_name = try(each.value.repository_name, var.defaults.repository_name, "")
- repository_image_tag_mutability = try(each.value.repository_image_tag_mutability, var.defaults.repository_image_tag_mutability, "IMMUTABLE")
- repository_encryption_type = try(each.value.repository_encryption_type, var.defaults.repository_encryption_type, null)
- repository_kms_key = try(each.value.repository_kms_key, var.defaults.repository_kms_key, null)
- repository_image_scan_on_push = try(each.value.repository_image_scan_on_push, var.defaults.repository_image_scan_on_push, true)
- repository_policy = try(each.value.repository_policy, var.defaults.repository_policy, null)
- repository_force_delete = try(each.value.repository_force_delete, var.defaults.repository_force_delete, null)
- attach_repository_policy = try(each.value.attach_repository_policy, var.defaults.attach_repository_policy, true)
create_repository_policy = try(each.value.create_repository_policy, var.defaults.create_repository_policy, true)
- repository_read_access_arns = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, [])
- repository_lambda_read_access_arns = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, [])
- repository_read_write_access_arns = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, [])
- create_lifecycle_policy = try(each.value.create_lifecycle_policy, var.defaults.create_lifecycle_policy, true)
- repository_lifecycle_policy = try(each.value.repository_lifecycle_policy, var.defaults.repository_lifecycle_policy, "")
+ manage_registry_scanning_configuration = try(each.value.manage_registry_scanning_configuration, var.defaults.manage_registry_scanning_configuration, false)
public_repository_catalog_data = try(each.value.public_repository_catalog_data, var.defaults.public_repository_catalog_data, {})
- create_registry_policy = try(each.value.create_registry_policy, var.defaults.create_registry_policy, false)
registry_policy = try(each.value.registry_policy, var.defaults.registry_policy, null)
registry_pull_through_cache_rules = try(each.value.registry_pull_through_cache_rules, var.defaults.registry_pull_through_cache_rules, {})
- manage_registry_scanning_configuration = try(each.value.manage_registry_scanning_configuration, var.defaults.manage_registry_scanning_configuration, false)
- registry_scan_type = try(each.value.registry_scan_type, var.defaults.registry_scan_type, "ENHANCED")
- registry_scan_rules = try(each.value.registry_scan_rules, var.defaults.registry_scan_rules, [])
- create_registry_replication_configuration = try(each.value.create_registry_replication_configuration, var.defaults.create_registry_replication_configuration, false)
registry_replication_rules = try(each.value.registry_replication_rules, var.defaults.registry_replication_rules, [])
+ registry_scan_rules = try(each.value.registry_scan_rules, var.defaults.registry_scan_rules, [])
+ registry_scan_type = try(each.value.registry_scan_type, var.defaults.registry_scan_type, "ENHANCED")
+ repository_encryption_type = try(each.value.repository_encryption_type, var.defaults.repository_encryption_type, null)
+ repository_force_delete = try(each.value.repository_force_delete, var.defaults.repository_force_delete, null)
+ repository_image_scan_on_push = try(each.value.repository_image_scan_on_push, var.defaults.repository_image_scan_on_push, true)
+ repository_image_tag_mutability = try(each.value.repository_image_tag_mutability, var.defaults.repository_image_tag_mutability, "IMMUTABLE")
+ repository_kms_key = try(each.value.repository_kms_key, var.defaults.repository_kms_key, null)
+ repository_lambda_read_access_arns = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, [])
+ repository_lifecycle_policy = try(each.value.repository_lifecycle_policy, var.defaults.repository_lifecycle_policy, "")
+ repository_name = try(each.value.repository_name, var.defaults.repository_name, "")
+ repository_policy = try(each.value.repository_policy, var.defaults.repository_policy, null)
+ repository_policy_statements = try(each.value.repository_policy_statements, var.defaults.repository_policy_statements, {})
+ repository_read_access_arns = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, [])
+ repository_read_write_access_arns = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, [])
+ repository_type = try(each.value.repository_type, var.defaults.repository_type, "private")
+ tags = try(each.value.tags, var.defaults.tags, {})
}
diff --git a/wrappers/outputs.tf b/wrappers/outputs.tf
index 5da7c09..ec6da5f 100644
--- a/wrappers/outputs.tf
+++ b/wrappers/outputs.tf
@@ -1,5 +1,5 @@
output "wrapper" {
description = "Map of outputs of a wrapper."
value = module.wrapper
- # sensitive = false # No sensitive module output found
+ # sensitive = false # No sensitive module output found
}