add mixins, update docs (#33)

* add mixins, update docs

* versions.tf

Author: Benbentwo

README.yaml

@@ -7,13 +7,18 @@ description: |-
   This utilizes
   [the roles-to-principals submodule](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/account-map/modules/roles-to-principals)
   to assign accounts to various roles. It is also compatible with the
-  [GitHub Actions IAM Role mixin](https://github.com/cloudposse/terraform-aws-components/blob/master/mixins/github-actions-iam-role/README-github-action-iam-role.md).
+  [GitHub Actions IAM Role mixin](https://github.com/cloudposse-terraform-components/mixins/blob/main/src/mixins/github-actions-iam-role/README-github-action-iam-role.md).
+
+  <details>
+    <summary>Warning (Older) regarding <code>eks-iam</code> component </summary>
 
   > [!WARNING]
   >
   > Older versions of our reference architecture have an`eks-iam` component that needs to be updated to provide sufficient
   > IAM roles to allow pods to pull from ECR repos
 
+  </details>
+
   ## Usage
 
   **Stack Level**: Regional

mixins/DO_NOT_VENDOR_versions.tf

@@ -0,0 +1,12 @@
+# DO NOT VENDOR THIS FILE
+# This file is used to satisfy the tests of this repository and should not be vendored.
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.9.0"
+    }
+  }
+}

mixins/github-actions-iam-policy.tf

@@ -0,0 +1,53 @@
+locals {
+  github_actions_iam_policy = data.aws_iam_policy_document.github_actions_iam_policy.json
+  ecr_resources_static      = [for k, v in module.ecr.repository_arn_map : v]
+  ecr_resources_wildcard    = [for k, v in module.ecr.repository_arn_map : "${v}/*"]
+  resources                 = concat(local.ecr_resources_static, local.ecr_resources_wildcard)
+}
+
+data "aws_iam_policy_document" "github_actions_iam_policy" {
+  statement {
+    sid    = "AllowECRPermissions"
+    effect = "Allow"
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchDeleteImage",
+      "ecr:BatchGetImage",
+      "ecr:CompleteLayerUpload",
+      "ecr:DeleteLifecyclePolicy",
+      "ecr:DescribeImages",
+      "ecr:DescribeImageScanFindings",
+      "ecr:DescribeRepositories",
+      "ecr:GetAuthorizationToken",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetLifecyclePolicy",
+      "ecr:GetLifecyclePolicyPreview",
+      "ecr:GetRepositoryPolicy",
+      "ecr:InitiateLayerUpload",
+      "ecr:ListImages",
+      "ecr:PutImage",
+      "ecr:PutImageScanningConfiguration",
+      "ecr:PutImageTagMutability",
+      "ecr:PutLifecyclePolicy",
+      "ecr:StartImageScan",
+      "ecr:StartLifecyclePolicyPreview",
+      "ecr:TagResource",
+      "ecr:UntagResource",
+      "ecr:UploadLayerPart",
+    ]
+    resources = local.resources
+  }
+
+  # required as minimum permissions for pushing and logging into a public ECR repository
+  # https://github.com/aws-actions/amazon-ecr-login#permissions
+  # https://docs.aws.amazon.com/AmazonECR/latest/public/docker-push-ecr-image.html
+  statement {
+    sid    = "AllowEcrGetAuthorizationToken"
+    effect = "Allow"
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "sts:GetServiceBearerToken"
+    ]
+    resources = ["*"]
+  }
+}