feat: Add support for creating custom repository policy statements (#27)

bryantbiggs · web-flow · commit fb9126ca4c9a · 2024-03-04T11:09:03.000-08:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.76.0
+    rev: v1.88.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
@@ -24,7 +24,7 @@ repos:
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.5.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer
diff --git a/README.md b/README.md
@@ -238,6 +238,7 @@ No modules.
 | <a name="input_repository_lifecycle_policy"></a> [repository\_lifecycle\_policy](#input\_repository\_lifecycle\_policy) | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs | `string` | `""` | no |
 | <a name="input_repository_name"></a> [repository\_name](#input\_repository\_name) | The name of the repository | `string` | `""` | no |
 | <a name="input_repository_policy"></a> [repository\_policy](#input\_repository\_policy) | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no |
+| <a name="input_repository_policy_statements"></a> [repository\_policy\_statements](#input\_repository\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no |
 | <a name="input_repository_read_access_arns"></a> [repository\_read\_access\_arns](#input\_repository\_read\_access\_arns) | The ARNs of the IAM users/roles that have read access to the repository | `list(string)` | `[]` | no |
 | <a name="input_repository_read_write_access_arns"></a> [repository\_read\_write\_access\_arns](#input\_repository\_read\_write\_access\_arns) | The ARNs of the IAM users/roles that have read/write access to the repository | `list(string)` | `[]` | no |
 | <a name="input_repository_type"></a> [repository\_type](#input\_repository\_type) | The type of repository to create. Either `public` or `private` | `string` | `"private"` | no |
diff --git a/main.tf b/main.tf
@@ -62,7 +62,6 @@ data "aws_iam_policy_document" "repository" {
     }
   }
 
-
   dynamic "statement" {
     for_each = var.repository_type == "private" && length(var.repository_lambda_read_access_arns) > 0 ? [1] : []
 
@@ -129,6 +128,47 @@ data "aws_iam_policy_document" "repository" {
       ]
     }
   }
+
+  dynamic "statement" {
+    for_each = var.repository_policy_statements
+
+    content {
+      sid           = try(statement.value.sid, null)
+      actions       = try(statement.value.actions, null)
+      not_actions   = try(statement.value.not_actions, null)
+      effect        = try(statement.value.effect, null)
+      resources     = try(statement.value.resources, null)
+      not_resources = try(statement.value.not_resources, null)
+
+      dynamic "principals" {
+        for_each = try(statement.value.principals, [])
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = try(statement.value.not_principals, [])
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = try(statement.value.conditions, [])
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
+    }
+  }
 }
 
 ################################################################################
diff --git a/variables.tf b/variables.tf
@@ -102,6 +102,12 @@ variable "repository_read_write_access_arns" {
   default     = []
 }
 
+variable "repository_policy_statements" {
+  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
+  type        = any
+  default     = {}
+}
+
 ################################################################################
 # Lifecycle Policy
 ################################################################################
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -3,31 +3,32 @@ module "wrapper" {
 
   for_each = var.items
 
+  attach_repository_policy                  = try(each.value.attach_repository_policy, var.defaults.attach_repository_policy, true)
   create                                    = try(each.value.create, var.defaults.create, true)
-  tags                                      = try(each.value.tags, var.defaults.tags, {})
-  repository_type                           = try(each.value.repository_type, var.defaults.repository_type, "private")
+  create_lifecycle_policy                   = try(each.value.create_lifecycle_policy, var.defaults.create_lifecycle_policy, true)
+  create_registry_policy                    = try(each.value.create_registry_policy, var.defaults.create_registry_policy, false)
+  create_registry_replication_configuration = try(each.value.create_registry_replication_configuration, var.defaults.create_registry_replication_configuration, false)
   create_repository                         = try(each.value.create_repository, var.defaults.create_repository, true)
-  repository_name                           = try(each.value.repository_name, var.defaults.repository_name, "")
-  repository_image_tag_mutability           = try(each.value.repository_image_tag_mutability, var.defaults.repository_image_tag_mutability, "IMMUTABLE")
-  repository_encryption_type                = try(each.value.repository_encryption_type, var.defaults.repository_encryption_type, null)
-  repository_kms_key                        = try(each.value.repository_kms_key, var.defaults.repository_kms_key, null)
-  repository_image_scan_on_push             = try(each.value.repository_image_scan_on_push, var.defaults.repository_image_scan_on_push, true)
-  repository_policy                         = try(each.value.repository_policy, var.defaults.repository_policy, null)
-  repository_force_delete                   = try(each.value.repository_force_delete, var.defaults.repository_force_delete, null)
-  attach_repository_policy                  = try(each.value.attach_repository_policy, var.defaults.attach_repository_policy, true)
   create_repository_policy                  = try(each.value.create_repository_policy, var.defaults.create_repository_policy, true)
-  repository_read_access_arns               = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, [])
-  repository_lambda_read_access_arns        = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, [])
-  repository_read_write_access_arns         = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, [])
-  create_lifecycle_policy                   = try(each.value.create_lifecycle_policy, var.defaults.create_lifecycle_policy, true)
-  repository_lifecycle_policy               = try(each.value.repository_lifecycle_policy, var.defaults.repository_lifecycle_policy, "")
+  manage_registry_scanning_configuration    = try(each.value.manage_registry_scanning_configuration, var.defaults.manage_registry_scanning_configuration, false)
   public_repository_catalog_data            = try(each.value.public_repository_catalog_data, var.defaults.public_repository_catalog_data, {})
-  create_registry_policy                    = try(each.value.create_registry_policy, var.defaults.create_registry_policy, false)
   registry_policy                           = try(each.value.registry_policy, var.defaults.registry_policy, null)
   registry_pull_through_cache_rules         = try(each.value.registry_pull_through_cache_rules, var.defaults.registry_pull_through_cache_rules, {})
-  manage_registry_scanning_configuration    = try(each.value.manage_registry_scanning_configuration, var.defaults.manage_registry_scanning_configuration, false)
-  registry_scan_type                        = try(each.value.registry_scan_type, var.defaults.registry_scan_type, "ENHANCED")
-  registry_scan_rules                       = try(each.value.registry_scan_rules, var.defaults.registry_scan_rules, [])
-  create_registry_replication_configuration = try(each.value.create_registry_replication_configuration, var.defaults.create_registry_replication_configuration, false)
   registry_replication_rules                = try(each.value.registry_replication_rules, var.defaults.registry_replication_rules, [])
+  registry_scan_rules                       = try(each.value.registry_scan_rules, var.defaults.registry_scan_rules, [])
+  registry_scan_type                        = try(each.value.registry_scan_type, var.defaults.registry_scan_type, "ENHANCED")
+  repository_encryption_type                = try(each.value.repository_encryption_type, var.defaults.repository_encryption_type, null)
+  repository_force_delete                   = try(each.value.repository_force_delete, var.defaults.repository_force_delete, null)
+  repository_image_scan_on_push             = try(each.value.repository_image_scan_on_push, var.defaults.repository_image_scan_on_push, true)
+  repository_image_tag_mutability           = try(each.value.repository_image_tag_mutability, var.defaults.repository_image_tag_mutability, "IMMUTABLE")
+  repository_kms_key                        = try(each.value.repository_kms_key, var.defaults.repository_kms_key, null)
+  repository_lambda_read_access_arns        = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, [])
+  repository_lifecycle_policy               = try(each.value.repository_lifecycle_policy, var.defaults.repository_lifecycle_policy, "")
+  repository_name                           = try(each.value.repository_name, var.defaults.repository_name, "")
+  repository_policy                         = try(each.value.repository_policy, var.defaults.repository_policy, null)
+  repository_policy_statements              = try(each.value.repository_policy_statements, var.defaults.repository_policy_statements, {})
+  repository_read_access_arns               = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, [])
+  repository_read_write_access_arns         = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, [])
+  repository_type                           = try(each.value.repository_type, var.defaults.repository_type, "private")
+  tags                                      = try(each.value.tags, var.defaults.tags, {})
 }
diff --git a/wrappers/outputs.tf b/wrappers/outputs.tf
@@ -1,5 +1,5 @@
 output "wrapper" {
   description = "Map of outputs of a wrapper."
   value       = module.wrapper
-  # sensitive = false  # No sensitive module output found
+  # sensitive = false # No sensitive module output found
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`output "wrapper" {`
`2`	`2`	`description = "Map of outputs of a wrapper."`
`3`	`3`	`value = module.wrapper`
`4`		`- # sensitive = false # No sensitive module output found`
	`4`	`+ # sensitive = false # No sensitive module output found`
`5`	`5`	`}`