diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 314c02b..9de9608 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.76.0 + rev: v1.88.0 hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each @@ -24,7 +24,7 @@ repos: - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.5.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer diff --git a/README.md b/README.md index f0bbb49..7f2c1e2 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,7 @@ No modules. | [repository\_lifecycle\_policy](#input\_repository\_lifecycle\_policy) | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs | `string` | `""` | no | | [repository\_name](#input\_repository\_name) | The name of the repository | `string` | `""` | no | | [repository\_policy](#input\_repository\_policy) | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no | +| [repository\_policy\_statements](#input\_repository\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no | | [repository\_read\_access\_arns](#input\_repository\_read\_access\_arns) | The ARNs of the IAM users/roles that have read access to the repository | `list(string)` | `[]` | no | | [repository\_read\_write\_access\_arns](#input\_repository\_read\_write\_access\_arns) | The ARNs of the IAM users/roles that have read/write access to the repository | `list(string)` | `[]` | no | | [repository\_type](#input\_repository\_type) | The type of repository to create. Either `public` or `private` | `string` | `"private"` | no | diff --git a/main.tf b/main.tf index 2b707d5..3dc21cd 100644 --- a/main.tf +++ b/main.tf @@ -62,7 +62,6 @@ data "aws_iam_policy_document" "repository" { } } - dynamic "statement" { for_each = var.repository_type == "private" && length(var.repository_lambda_read_access_arns) > 0 ? [1] : [] @@ -129,6 +128,47 @@ data "aws_iam_policy_document" "repository" { ] } } + + dynamic "statement" { + for_each = var.repository_policy_statements + + content { + sid = try(statement.value.sid, null) + actions = try(statement.value.actions, null) + not_actions = try(statement.value.not_actions, null) + effect = try(statement.value.effect, null) + resources = try(statement.value.resources, null) + not_resources = try(statement.value.not_resources, null) + + dynamic "principals" { + for_each = try(statement.value.principals, []) + + content { + type = principals.value.type + identifiers = principals.value.identifiers + } + } + + dynamic "not_principals" { + for_each = try(statement.value.not_principals, []) + + content { + type = not_principals.value.type + identifiers = not_principals.value.identifiers + } + } + + dynamic "condition" { + for_each = try(statement.value.conditions, []) + + content { + test = condition.value.test + values = condition.value.values + variable = condition.value.variable + } + } + } + } } ################################################################################ diff --git a/variables.tf b/variables.tf index f3eb525..965a5c8 100644 --- a/variables.tf +++ b/variables.tf @@ -102,6 +102,12 @@ variable "repository_read_write_access_arns" { default = [] } +variable "repository_policy_statements" { + description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage" + type = any + default = {} +} + ################################################################################ # Lifecycle Policy ################################################################################ diff --git a/wrappers/main.tf b/wrappers/main.tf index 1359698..2c48b6e 100644 --- a/wrappers/main.tf +++ b/wrappers/main.tf @@ -3,31 +3,32 @@ module "wrapper" { for_each = var.items + attach_repository_policy = try(each.value.attach_repository_policy, var.defaults.attach_repository_policy, true) create = try(each.value.create, var.defaults.create, true) - tags = try(each.value.tags, var.defaults.tags, {}) - repository_type = try(each.value.repository_type, var.defaults.repository_type, "private") + create_lifecycle_policy = try(each.value.create_lifecycle_policy, var.defaults.create_lifecycle_policy, true) + create_registry_policy = try(each.value.create_registry_policy, var.defaults.create_registry_policy, false) + create_registry_replication_configuration = try(each.value.create_registry_replication_configuration, var.defaults.create_registry_replication_configuration, false) create_repository = try(each.value.create_repository, var.defaults.create_repository, true) - repository_name = try(each.value.repository_name, var.defaults.repository_name, "") - repository_image_tag_mutability = try(each.value.repository_image_tag_mutability, var.defaults.repository_image_tag_mutability, "IMMUTABLE") - repository_encryption_type = try(each.value.repository_encryption_type, var.defaults.repository_encryption_type, null) - repository_kms_key = try(each.value.repository_kms_key, var.defaults.repository_kms_key, null) - repository_image_scan_on_push = try(each.value.repository_image_scan_on_push, var.defaults.repository_image_scan_on_push, true) - repository_policy = try(each.value.repository_policy, var.defaults.repository_policy, null) - repository_force_delete = try(each.value.repository_force_delete, var.defaults.repository_force_delete, null) - attach_repository_policy = try(each.value.attach_repository_policy, var.defaults.attach_repository_policy, true) create_repository_policy = try(each.value.create_repository_policy, var.defaults.create_repository_policy, true) - repository_read_access_arns = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, []) - repository_lambda_read_access_arns = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, []) - repository_read_write_access_arns = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, []) - create_lifecycle_policy = try(each.value.create_lifecycle_policy, var.defaults.create_lifecycle_policy, true) - repository_lifecycle_policy = try(each.value.repository_lifecycle_policy, var.defaults.repository_lifecycle_policy, "") + manage_registry_scanning_configuration = try(each.value.manage_registry_scanning_configuration, var.defaults.manage_registry_scanning_configuration, false) public_repository_catalog_data = try(each.value.public_repository_catalog_data, var.defaults.public_repository_catalog_data, {}) - create_registry_policy = try(each.value.create_registry_policy, var.defaults.create_registry_policy, false) registry_policy = try(each.value.registry_policy, var.defaults.registry_policy, null) registry_pull_through_cache_rules = try(each.value.registry_pull_through_cache_rules, var.defaults.registry_pull_through_cache_rules, {}) - manage_registry_scanning_configuration = try(each.value.manage_registry_scanning_configuration, var.defaults.manage_registry_scanning_configuration, false) - registry_scan_type = try(each.value.registry_scan_type, var.defaults.registry_scan_type, "ENHANCED") - registry_scan_rules = try(each.value.registry_scan_rules, var.defaults.registry_scan_rules, []) - create_registry_replication_configuration = try(each.value.create_registry_replication_configuration, var.defaults.create_registry_replication_configuration, false) registry_replication_rules = try(each.value.registry_replication_rules, var.defaults.registry_replication_rules, []) + registry_scan_rules = try(each.value.registry_scan_rules, var.defaults.registry_scan_rules, []) + registry_scan_type = try(each.value.registry_scan_type, var.defaults.registry_scan_type, "ENHANCED") + repository_encryption_type = try(each.value.repository_encryption_type, var.defaults.repository_encryption_type, null) + repository_force_delete = try(each.value.repository_force_delete, var.defaults.repository_force_delete, null) + repository_image_scan_on_push = try(each.value.repository_image_scan_on_push, var.defaults.repository_image_scan_on_push, true) + repository_image_tag_mutability = try(each.value.repository_image_tag_mutability, var.defaults.repository_image_tag_mutability, "IMMUTABLE") + repository_kms_key = try(each.value.repository_kms_key, var.defaults.repository_kms_key, null) + repository_lambda_read_access_arns = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, []) + repository_lifecycle_policy = try(each.value.repository_lifecycle_policy, var.defaults.repository_lifecycle_policy, "") + repository_name = try(each.value.repository_name, var.defaults.repository_name, "") + repository_policy = try(each.value.repository_policy, var.defaults.repository_policy, null) + repository_policy_statements = try(each.value.repository_policy_statements, var.defaults.repository_policy_statements, {}) + repository_read_access_arns = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, []) + repository_read_write_access_arns = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, []) + repository_type = try(each.value.repository_type, var.defaults.repository_type, "private") + tags = try(each.value.tags, var.defaults.tags, {}) } diff --git a/wrappers/outputs.tf b/wrappers/outputs.tf index 5da7c09..ec6da5f 100644 --- a/wrappers/outputs.tf +++ b/wrappers/outputs.tf @@ -1,5 +1,5 @@ output "wrapper" { description = "Map of outputs of a wrapper." value = module.wrapper - # sensitive = false # No sensitive module output found + # sensitive = false # No sensitive module output found }