feat: Add new variable for allowing ECR image sharing to lambda service in external account (#16)

thepoppingone · bryantbiggs · web-flow · commit be2edd1b481e · 2023-02-16T12:02:54.000+01:00
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
Co-authored-by: Poh Peng &lt;thepoppingone@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -234,6 +234,7 @@ No modules.
 | <a name="input_repository_image_scan_on_push"></a> [repository\_image\_scan\_on\_push](#input\_repository\_image\_scan\_on\_push) | Indicates whether images are scanned after being pushed to the repository (`true`) or not scanned (`false`) | `bool` | `true` | no |
 | <a name="input_repository_image_tag_mutability"></a> [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
 | <a name="input_repository_kms_key"></a> [repository\_kms\_key](#input\_repository\_kms\_key) | The ARN of the KMS key to use when encryption\_type is `KMS`. If not specified, uses the default AWS managed key for ECR | `string` | `null` | no |
+| <a name="input_repository_lambda_read_access_arns"></a> [repository\_lambda\_read\_access\_arns](#input\_repository\_lambda\_read\_access\_arns) | The ARNs of the Lambda service roles that have read access to the repository | `list(string)` | `[]` | no |
 | <a name="input_repository_lifecycle_policy"></a> [repository\_lifecycle\_policy](#input\_repository\_lifecycle\_policy) | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs | `string` | `""` | no |
 | <a name="input_repository_name"></a> [repository\_name](#input\_repository\_name) | The name of the repository | `string` | `""` | no |
 | <a name="input_repository_policy"></a> [repository\_policy](#input\_repository\_policy) | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -62,6 +62,33 @@ data "aws_iam_policy_document" "repository" {
     }
   }
 
+
+  dynamic "statement" {
+    for_each = var.repository_type == "private" && length(var.repository_lambda_read_access_arns) > 0 ? [1] : []
+
+    content {
+      sid = "PrivateLambdaReadOnly"
+
+      principals {
+        type        = "Service"
+        identifiers = ["lambda.amazonaws.com"]
+      }
+
+      actions = [
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer",
+      ]
+
+      condition {
+        test     = "StringLike"
+        variable = "aws:sourceArn"
+
+        values = var.repository_lambda_read_access_arns
+      }
+
+    }
+  }
+
   dynamic "statement" {
     for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "private" ? [var.repository_read_write_access_arns] : []
 
diff --git a/variables.tf b/variables.tf
@@ -90,6 +90,12 @@ variable "repository_read_access_arns" {
   default     = []
 }
 
+variable "repository_lambda_read_access_arns" {
+  description = "The ARNs of the Lambda service roles that have read access to the repository"
+  type        = list(string)
+  default     = []
+}
+
 variable "repository_read_write_access_arns" {
   description = "The ARNs of the IAM users/roles that have read/write access to the repository"
   type        = list(string)
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -17,6 +17,7 @@ module "wrapper" {
   attach_repository_policy                  = try(each.value.attach_repository_policy, var.defaults.attach_repository_policy, true)
   create_repository_policy                  = try(each.value.create_repository_policy, var.defaults.create_repository_policy, true)
   repository_read_access_arns               = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, [])
+  repository_lambda_read_access_arns        = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, [])
   repository_read_write_access_arns         = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, [])
   create_lifecycle_policy                   = try(each.value.create_lifecycle_policy, var.defaults.create_lifecycle_policy, true)
   repository_lifecycle_policy               = try(each.value.repository_lifecycle_policy, var.defaults.repository_lifecycle_policy, "")
