1- // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2- // SPDX-License-Identifier: Apache-2.0
3-
41import "source-map-support/register" ;
5- import * as cdk from "aws-cdk-lib" ;
6- import { Stack , StackProps , aws_ecr as ecr , RemovalPolicy } from "aws-cdk-lib" ;
2+ import * as cdk from 'aws-cdk-lib' ;
3+ import {
4+ Stack ,
5+ StackProps ,
6+ aws_ecr as ecr ,
7+ aws_iam as iam ,
8+ RemovalPolicy
9+ } from "aws-cdk-lib" ;
710import { type Construct } from "constructs" ;
8- import { readAccountConfig } from "./.. /../config/types " ;
11+ import { readAccountConfig } from ".. /../config/targets " ;
912
1013class ImageStack extends Stack {
1114 constructor ( scope : Construct , id : string , props ?: StackProps ) {
@@ -15,11 +18,28 @@ class ImageStack extends Stack {
1518
1619 for ( const language of Object . keys ( acctConfig ) ) {
1720 if ( acctConfig [ language ] . status === "enabled" ) {
18- new ecr . Repository ( this , `${ language } -examples` , {
21+ const repository = new ecr . Repository ( this , `${ language } -examples` , {
1922 repositoryName : `${ language } ` ,
2023 imageScanOnPush : true ,
2124 removalPolicy : RemovalPolicy . RETAIN ,
2225 } ) ;
26+
27+ // Add repository policy to allow access from the specified account
28+ repository . addToResourcePolicy ( new iam . PolicyStatement ( {
29+ effect : iam . Effect . ALLOW ,
30+ principals : [
31+ new iam . AccountPrincipal ( acctConfig [ language ] . account_id )
32+ ] ,
33+ actions : [
34+ "ecr:GetDownloadUrlForLayer" ,
35+ "ecr:BatchGetImage" ,
36+ "ecr:BatchCheckLayerAvailability" ,
37+ "ecr:PutImage" ,
38+ "ecr:InitiateLayerUpload" ,
39+ "ecr:UploadLayerPart" ,
40+ "ecr:CompleteLayerUpload"
41+ ]
42+ } ) ) ;
2343 }
2444 }
2545 }
@@ -32,6 +52,7 @@ new ImageStack(app, "ImageStack", {
3252 account : process . env . CDK_DEFAULT_ACCOUNT ! ,
3353 region : process . env . CDK_DEFAULT_REGION ! ,
3454 } ,
55+ terminationProtection : true
3556} ) ;
3657
3758app . synth ( ) ;
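Review bot: The statement passed to `repository.addToResourcePolicy` gives the four upload actions (`ecr:PutImage`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload`) to `iam.AccountPrincipal`, which delegates to the whole target account rather than one role, while the repository props leave tag mutability at its default (mutable). Any identity in that account whose own IAM policy allows these actions can then replace an existing tag, so a consumer pulling by tag cannot rely on getting the image that was scanned on push. I would add `imageTagMutability: ecr.TagMutability.IMMUTABLE,` to the repository props (a pipeline that re-pushes a moving tag would need to change). If only one role pushes, the upload actions belong in their own statement with an `iam.ArnPrincipal` for that role, leaving the account principal the three read actions, and the inline comment should say the grant includes push, e.g. `// Allow the target account to pull and push images`. `acctConfig` is loaded on lines outside the visible hunks, so whether `account_id` is checked for presence and format before it reaches the principal cannot be confirmed from here.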