fix: Update the permission for the public ecr (#7)

niroz89 · web-flow · commit 70f3252311f2 · 2022-06-26T13:05:24.000-04:00
diff --git a/main.tf b/main.tf
@@ -25,8 +25,8 @@ data "aws_iam_policy_document" "repository" {
       }
 
       actions = [
-        "ecr:BatchGetImage",
-        "ecr:GetDownloadUrlForLayer",
+        "ecr-public:BatchGetImage",
+        "ecr-public:GetDownloadUrlForLayer",
       ]
     }
   }
@@ -62,7 +62,7 @@ data "aws_iam_policy_document" "repository" {
   }
 
   dynamic "statement" {
-    for_each = length(var.repository_read_write_access_arns) > 0 ? [var.repository_read_write_access_arns] : []
+    for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "private" ? [var.repository_read_write_access_arns] : []
 
     content {
       sid = "ReadWrite"
@@ -80,6 +80,27 @@ data "aws_iam_policy_document" "repository" {
       ]
     }
   }
+
+  dynamic "statement" {
+    for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "public" ? [var.repository_read_write_access_arns] : []
+
+    content {
+      sid = "ReadWrite"
+
+      principals {
+        type        = "AWS"
+        identifiers = statement.value
+      }
+
+      actions = [
+        "ecr-public:BatchCheckLayerAvailability",
+        "ecr-public:CompleteLayerUpload",
+        "ecr-public:InitiateLayerUpload",
+        "ecr-public:PutImage",
+        "ecr-public:UploadLayerPart",
+      ]
+    }
+  }
 }
 
 ################################################################################

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,8 @@ data "aws_iam_policy_document" "repository" {`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`actions = [`
`28`		`- "ecr:BatchGetImage",`
`29`		`- "ecr:GetDownloadUrlForLayer",`
	`28`	`+ "ecr-public:BatchGetImage",`
	`29`	`+ "ecr-public:GetDownloadUrlForLayer",`
`30`	`30`	`]`
`31`	`31`	`}`
`32`	`32`	`}`
`@@ -62,7 +62,7 @@ data "aws_iam_policy_document" "repository" {`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`dynamic "statement" {`
`65`		`- for_each = length(var.repository_read_write_access_arns) > 0 ? [var.repository_read_write_access_arns] : []`
	`65`	`+ for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "private" ? [var.repository_read_write_access_arns] : []`
`66`	`66`
`67`	`67`	`content {`
`68`	`68`	`sid = "ReadWrite"`
`@@ -80,6 +80,27 @@ data "aws_iam_policy_document" "repository" {`
`80`	`80`	`]`
`81`	`81`	`}`
`82`	`82`	`}`
	`83`	`+`
	`84`	`+ dynamic "statement" {`
	`85`	`+ for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "public" ? [var.repository_read_write_access_arns] : []`
	`86`	`+`
	`87`	`+ content {`
	`88`	`+ sid = "ReadWrite"`
	`89`	`+`
	`90`	`+ principals {`
	`91`	`+ type = "AWS"`
	`92`	`+ identifiers = statement.value`
	`93`	`+ }`
	`94`	`+`
	`95`	`+ actions = [`
	`96`	`+ "ecr-public:BatchCheckLayerAvailability",`
	`97`	`+ "ecr-public:CompleteLayerUpload",`
	`98`	`+ "ecr-public:InitiateLayerUpload",`
	`99`	`+ "ecr-public:PutImage",`
	`100`	`+ "ecr-public:UploadLayerPart",`
	`101`	`+ ]`
	`102`	`+ }`
	`103`	`+ }`
`83`	`104`	`}`
`84`	`105`
`85`	`106`	`################################################################################`