Merge pull request #23 from dwhswenson/fix-lambda-permissions

ethanholz · web-flow · commit 8131e654dfef · 2026-02-25T10:00:46.000-07:00
Add permissions for lambda downloads to containers
diff --git a/modules/lambda-image-build/main.tf b/modules/lambda-image-build/main.tf
@@ -53,6 +53,48 @@ resource "aws_ecr_lifecycle_policy" "cleanup" {
   })
 }
 
+resource "aws_ecr_repository_policy" "self_access" {
+  repository = aws_ecr_repository.lambda_image.name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowAccountPushPull"
+        Effect = "Allow"
+        Action = [
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:BatchGetImage",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:PutImage",
+          "ecr:InitiateLayerUpload",
+          "ecr:UploadLayerPart",
+          "ecr:CompleteLayerUpload",
+        ]
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+      },
+      {
+        Sid    = "AllowLambdaImagePull"
+        Effect = "Allow"
+        Action = [
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer",
+        ]
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+        Condition = {
+          StringLike = {
+            "aws:sourceArn" = "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:*"
+          }
+        }
+      }
+    ]
+  })
+}
+
 resource "null_resource" "build_and_push" {
   triggers = {
     image_tag       = var.image_tag
@@ -75,6 +117,7 @@ resource "null_resource" "build_and_push" {
 
   depends_on = [
     aws_ecr_lifecycle_policy.cleanup,
+    aws_ecr_repository_policy.self_access,
   ]
 }
 
diff --git a/modules/lambda-image-republish/main.tf b/modules/lambda-image-republish/main.tf
@@ -47,10 +47,34 @@ resource "aws_ecr_repository_policy" "self_access" {
       {
         Sid    = "AllowAccountPushPull"
         Effect = "Allow"
-        Action = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]
+        Action = [
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:BatchGetImage",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:PutImage",
+          "ecr:InitiateLayerUpload",
+          "ecr:UploadLayerPart",
+          "ecr:CompleteLayerUpload",
+        ]
         Principal = {
           AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
         }
+      },
+      {
+        Sid    = "AllowLambdaImagePull"
+        Effect = "Allow"
+        Action = [
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer",
+        ]
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+        Condition = {
+          StringLike = {
+            "aws:sourceArn" = "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:*"
+          }
+        }
       }
     ]
   })
