Update module sources and add ECR registry policy (#63)

* Update module sources and add ECR registry policy

* Update src/main.tf

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* Add account_map_enabled variable to Terraform file

* Add 'account_map' variable for account ID mapping

Added a new variable 'account_map' to define a structured mapping of account names to IDs with optional attributes.

* Fix formatting in variables-account-map.tf

* Update descriptions for account_map variables

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: goruha

src/main.tf

@@ -3,18 +3,32 @@ locals {
 }
 
 module "full_access" {
-  source = "../account-map/modules/roles-to-principals"
+  source = "github.com/cloudposse-terraform-components/aws-account-map//src/modules/roles-to-principals?ref=v1.536.1"
 
   role_map = var.read_write_account_role_map
 
+  tenant      = var.account_map_enabled ? module.iam_roles.global_tenant_name : null
+  environment = var.account_map_enabled ? module.iam_roles.global_environment_name : null
+  stage       = var.account_map_enabled ? module.iam_roles.global_stage_name : null
+
+  account_map_bypass   = !var.account_map_enabled
+  account_map_defaults = var.account_map
+
   context = module.this.context
 }
 
 module "readonly_access" {
-  source = "../account-map/modules/roles-to-principals"
+  source = "github.com/cloudposse-terraform-components/aws-account-map//src/modules/roles-to-principals?ref=v1.536.1"
 
   role_map = var.read_only_account_role_map
 
+  tenant      = var.account_map_enabled ? module.iam_roles.global_tenant_name : null
+  environment = var.account_map_enabled ? module.iam_roles.global_environment_name : null
+  stage       = var.account_map_enabled ? module.iam_roles.global_stage_name : null
+
+  account_map_bypass   = !var.account_map_enabled
+  account_map_defaults = var.account_map
+
   context = module.this.context
 }
 
@@ -63,3 +77,29 @@ resource "aws_ecr_pull_through_cache_rule" "this" {
   upstream_registry_url = each.value.registry
   credential_arn        = length(each.value.secret) > 0 ? data.aws_secretsmanager_secret.cache_credentials[each.key].arn : null
 }
+
+data "aws_caller_identity" "current" {
+  count = local.enabled ? 1 : 0
+}
+
+resource "aws_ecr_registry_policy" "this" {
+  for_each = toset(local.enabled && length(var.pull_through_cache_rules) > 0 ? ["true"] : [])
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:GetImageCopyStatus",
+          "ecr:BatchImportUpstreamImage"
+        ]
+        Principal = {
+          AWS = distinct(compact(concat(module.full_access.principals, module.readonly_access.principals, [local.ecr_user_arn])))
+        }
+        Resource = format("arn:aws:ecr:%s:%s:repository/*", var.region, one(data.aws_caller_identity.current.*.account_id))
+      }
+    ]
+  })
+}

src/variables-account-map.tf

@@ -0,0 +1,25 @@
+variable "account_map_enabled" {
+  type        = bool
+  description = "INFO: Temporary variable required for account-map deprication plan. Please do not change the value"
+  default     = true
+}
+
+variable "account_map" {
+  type = object({
+    full_account_map              = map(string)
+    audit_account_account_name    = optional(string, "")
+    root_account_account_name     = optional(string, "")
+    identity_account_account_name = optional(string, "")
+    aws_partition                 = optional(string, "aws")
+    iam_role_arn_templates        = optional(map(string), {})
+  })
+  description = "INFO: Temporary variable required for account-map deprication plan. Please do not change the value"
+  default = {
+    full_account_map              = {}
+    audit_account_account_name    = ""
+    root_account_account_name     = ""
+    identity_account_account_name = ""
+    aws_partition                 = "aws"
+    iam_role_arn_templates        = {}
+  }
+}