From 0498b4776c3a9e3aad5531affdb6748b6a8b4abb Mon Sep 17 00:00:00 2001
From: Alexander Koshelev
Date: Thu, 28 Dec 2023 16:31:14 +0800
Subject: [PATCH 1/2] feat: repository_lambda_read_access added
---
 README.md | 3 ++-
 main.tf | 9 +--------
 variables.tf | 11 ++++++++---
 3 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index f0bbb49..0c7042c 100644
--- a/README.md
+++ b/README.md
@@ -234,7 +234,8 @@ No modules.
 | [repository\_image\_scan\_on\_push](#input\_repository\_image\_scan\_on\_push) | Indicates whether images are scanned after being pushed to the repository (`true`) or not scanned (`false`) | `bool` | `true` | no |
 | [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
 | [repository\_kms\_key](#input\_repository\_kms\_key) | The ARN of the KMS key to use when encryption\_type is `KMS`. If not specified, uses the default AWS managed key for ECR | `string` | `null` | no |
-| [repository\_lambda\_read\_access\_arns](#input\_repository\_lambda\_read\_access\_arns) | The ARNs of the Lambda service roles that have read access to the repository | `list(string)` | `[]` | no |
+| [repository\_lambda\_read\_access](#input\_repository\_lambda\_read\_access) | Determines whether the repository policy will allow read access to the repository for all lambda functions in the account | `bool` | `false` | no |
+| [repository\_lambda\_read\_access\_arns](#input\_repository\_lambda\_read\_access\_arns) | Deprecated. Use `repository_lambda_read_access` instead | `list(string)` | `[]` | no |
 | [repository\_lifecycle\_policy](#input\_repository\_lifecycle\_policy) | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs | `string` | `""` | no |
 | [repository\_name](#input\_repository\_name) | The name of the repository | `string` | `""` | no |
 | [repository\_policy](#input\_repository\_policy) | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 2b707d5..f542555 100644
--- a/main.tf
+++ b/main.tf
@@ -64,7 +64,7 @@ data "aws_iam_policy_document" "repository" {
 dynamic "statement" {
- for_each = var.repository_type == "private" && length(var.repository_lambda_read_access_arns) > 0 ? [1] : []
+ for_each = var.repository_type == "private" && (var.repository_lambda_read_access || length(var.repository_lambda_read_access_arns) > 0) ? [1] : []
 content {
 sid = "PrivateLambdaReadOnly"
@@ -79,13 +79,6 @@ data "aws_iam_policy_document" "repository" {
 "ecr:GetDownloadUrlForLayer",
 ]
- condition {
- test = "StringLike"
- variable = "aws:sourceArn"
- values = var.repository_lambda_read_access_arns
- }
-
 }
 }
diff --git a/variables.tf b/variables.tf
index f3eb525..8798e7d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -90,10 +90,15 @@ variable "repository_read_access_arns" {
 default = []
 }
+variable "repository_lambda_read_access" {
+ description = "Determines whether the repository policy will allow read access to the repository for all lambda functions in the account"
+ type = bool
+ default = false
+}
 variable "repository_lambda_read_access_arns" {
- description = "The ARNs of the Lambda service roles that have read access to the repository"
- type = list(string)
- default = []
+ description = "Deprecated. Use `repository_lambda_read_access` instead"
+ type = []
+ default = list(string)
 }
 variable "repository_read_write_access_arns" {
From 0ead8e0b9fd6ebedda998e47860879c7db41c338 Mon Sep 17 00:00:00 2001
From: Alexander Koshelev
Date: Fri, 29 Dec 2023 11:28:37 +0800
Subject: [PATCH 2/2] feat: lambda cross account policy added
---
 README.md | 3 +++
 main.tf | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 variables.tf | 15 +++++++++++++
 3 files changed, 78 insertions(+)
diff --git a/README.md b/README.md
index 0c7042c..0c84d65 100644
--- a/README.md
+++ b/README.md
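Review bot: With the widened `for_each` here and the `aws:sourceArn` condition removed in the next hunk (@@ -79,13 +79,6), a caller that still passes only `repository_lambda_read_access_arns` now gets a `PrivateLambdaReadOnly` statement with no condition at all, so the per-function restriction that input used to provide disappears without any change on the caller's side. The new input's description promises read access for "all lambda functions in the account", but nothing in the statement scopes the `lambda.amazonaws.com` service principal to this account either; for a service principal that scope has to come from a condition on `aws:SourceAccount` (or `aws:SourceArn`), and its absence is the usual confused-deputy gap. I would keep the condition as a `dynamic "condition"` gated on a non-empty ARN list and add an `aws:SourceAccount` condition for the flag-only case, as sketched below, in place of the removed `condition` block. The statement's `content` block and the enclosing `data "aws_iam_policy_document" "repository"` continue past the end of the hunk.
```hcl
    content {
      sid = "PrivateLambdaReadOnly"
      # … unchanged: principals and actions …

      # Callers still passing ARNs keep the per-function scope the old input provided.
      dynamic "condition" {
        for_each = length(var.repository_lambda_read_access_arns) > 0 ? [1] : []

        content {
          test     = "StringLike"
          variable = "aws:SourceArn"
          values   = var.repository_lambda_read_access_arns
        }
      }

      # Flag-only callers: bind the service principal to this account instead of
      # leaving it unconditioned. <ACCOUNT_ID> is a placeholder for however the
      # module resolves its own account id.
      dynamic "condition" {
        for_each = var.repository_lambda_read_access && length(var.repository_lambda_read_access_arns) == 0 ? [1] : []

        content {
          test     = "StringEquals"
          variable = "aws:SourceAccount"
          values   = ["<ACCOUNT_ID>"]
        }
      }
```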
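Review bot: `type` and `default` are swapped on `repository_lambda_read_access_arns`: `type = []` is not a type constraint and `default = list(string)` is not a value, so the module fails validation for every user, not only those still passing the deprecated input. The two lines should read `type        = list(string)` and `default     = []`. The same lines are still visible unchanged as trailing context in patch 2's variables.tf hunk (@@ -95,6 +95,21), so the fix is missing from the whole series. The deprecation text also points to `repository_lambda_read_access` as a replacement, but after the main.tf change the ARN list no longer restricts anything, only gates the statement; saying so would stop callers from assuming the scope is preserved, e.g. `description = "Deprecated: the ARNs no longer restrict the statement; use repository_lambda_read_access instead"`.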
@@ -215,6 +215,9 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [allow\_cross\_account\_lambda\_read\_access](#input\_cross\_account\_lambda\_read\_access) | Determines whether the repository policy will allow cross account lambda read access. Required `cross_account_ids`, `cross_account_read_access_lambda_arns` | `bool` | `false` | no |
+| [cross\_account\_ids](#input\_cross\_account\_ids) | Cross account ids. Required `allow_cross_account_lambda_read_access`, `cross_account_read_access_lambda_arns` | `list(str)` | `[]` | no |
+| [cross\_account\_read\_access\_lambda\_arns](#input\_cross\_account\_read\_access\_lambda\_arns) | Cross account lambda function arns. Required `allow_cross_account_lambda_read_access`, `cross_account_ids` | `list(str)` | `[]` | no |
 | [attach\_repository\_policy](#input\_attach\_repository\_policy) | Determines whether a repository policy will be attached to the repository | `bool` | `true` | no |
 | [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | [create\_lifecycle\_policy](#input\_create\_lifecycle\_policy) | Determines whether a lifecycle policy will be created | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index f542555..ddc530a 100644
--- a/main.tf
+++ b/main.tf
@@ -81,6 +81,66 @@ data "aws_iam_policy_document" "repository" {
 }
 }
+ dynamic "statement" {
+ for_each = var.repository_type == "private" && (var.repository_lambda_read_access || length(var.repository_lambda_read_access_arns) > 0) ? [1] : []
+
+ content {
+ sid = "PrivateLambdaReadOnly"
+
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+
+ actions = [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+
+ }
+ }
+ dynamic "statement" {
+ for_each = var.repository_type == "private" && (var.allow_cross_account_lambda_read_access || length(var.cross_account_ids) > 0) ? [1] : []
+
+ content {
+ sid = "CrossAccountPermission"
+ effect = "Allow"
+
+ actions = [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [for s in var.cross_account_ids : "arn:aws:iam::${s}:root"]
+ }
+ }
+ }
+ dynamic "statement" {
+ for_each = var.repository_type == "private" && (var.allow_cross_account_lambda_read_access || length(var.cross_account_read_access_lambda_arns) > 0) ? [1] : []
+
+ content {
+ sid = "LambdaECRImageCrossAccountRetrievalPolicy"
+ effect = "Allow"
+
+ actions = [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:sourceARN"
+ values = var.cross_account_read_access_lambda_arns
+ }
+
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+ }
+ }
 dynamic "statement" {
 for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "private" ? [var.repository_read_write_access_arns] : []
diff --git a/variables.tf b/variables.tf
index 8798e7d..41aa2c1 100644
--- a/variables.tf
+++ b/variables.tf
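Review bot: The first added `dynamic "statement"` block repeats the `PrivateLambdaReadOnly` statement that already exists earlier in this data source (same `for_each` expression, principal and actions), so the rendered policy carries two statements with the same Sid; at best it is dead weight, and a duplicate Sid is liable to be rejected, so that block should go. The two cross-account gates use `||`, which lets `allow_cross_account_lambda_read_access = true` on its own render `CrossAccountPermission` with an empty `identifiers` list and `LambdaECRImageCrossAccountRetrievalPolicy` with empty condition `values`; since the variable descriptions say the three inputs go together, the gates should be `for_each = var.repository_type == "private" && var.allow_cross_account_lambda_read_access && length(var.cross_account_ids) > 0 ? [1] : []` and the same shape with `cross_account_read_access_lambda_arns`. A comment above `CrossAccountPermission` should state that it grants each listed account's `:root`, i.e. every identity in that account, and that only the service-principal statement is narrowed by `aws:sourceARN`, so `cross_account_read_access_lambda_arns` does not bound the first statement. `arn:aws:iam::${s}:root` also hard-codes the `aws` partition. The enclosing `data "aws_iam_policy_document" "repository"` starts and ends outside the hunk.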
@@ -95,6 +95,21 @@ variable "repository_lambda_read_access" {
 type = bool
 default = false
 }
+variable "allow_cross_account_lambda_read_access" {
+ description = "Determines whether the repository policy will allow cross account lambda read access. Required `cross_account_ids`, `cross_account_read_access_lambda_arns`"
+ type = bool
+ default = false
+}
+variable "cross_account_ids" {
+ description = "Cross account ids. Required `allow_cross_account_lambda_read_access`, `cross_account_read_access_lambda_arns`"
+ type = list(string)
+ default = []
+}
+variable "cross_account_read_access_lambda_arns" {
+ description = "Cross account lambda function arns. Required `allow_cross_account_lambda_read_access`, `cross_account_ids`"
+ type = list(string)
+ default = []
+}
 variable "repository_lambda_read_access_arns" {
 description = "Deprecated. Use `repository_lambda_read_access` instead"
 type = []
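Review bot: Entries of `cross_account_ids` go straight into `arn:aws:iam::${s}:root` principals in main.tf, and each one hands every identity in that account read access to the repository, so a malformed or mistyped id should fail at plan time rather than at apply time (or, for a wrong but well-formed id, not at all); a `validation` block on the variable does that, as below. The three descriptions say "Required `x`, `y`" where "Requires" is meant, and the `for_each` gates in main.tf currently fire on any one of the inputs, so either the gates or the wording needs to change to match. The trailing context still shows `type = []` on `repository_lambda_read_access_arns`, the swapped `type`/`default` introduced by patch 1, which this patch leaves in place.
```hcl
variable "cross_account_ids" {
  # … unchanged: description, type, default …

  validation {
    condition     = alltrue([for id in var.cross_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Each entry in cross_account_ids must be a 12-digit AWS account id."
  }
}
```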