ecr (terraform)
Reference
TBD
Example
Create a repository and allow other AWS accounts to pull from it (hashicorp/aws provider 4.x)
modules/ecr/variables.tf
# Tag set applied to every resource this module creates.
# Callers are expected to supply the keys env, ci, department and program.
variable "tags_common" {
  type        = map(string)
  nullable    = false
  description = "Common tags map: env, ci, department, program"
}
# Feature switch: when false the module creates nothing (the resources in
# ecr.tf use this as their count), so it can be included unconditionally.
variable "create_repo" {
  type        = bool
  nullable    = false
  description = "Create the ECR repo?"
}
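# Name of the ECR repository to create.
# Validated at plan time against the character set and length ECR accepts,
# so a bad name fails before the apply reaches the AWS API.
variable "ecr_name" {
  description = "Repository name (lowercase letters, digits, '.', '_', '-', with '/' as namespace separator; 2-256 characters)"
  type        = string
  nullable    = false

  validation {
    # Pattern documented for ECR repository names: dot/underscore/hyphen may
    # only separate alphanumeric runs, and '/' separates namespace segments.
    condition = (
      length(var.ecr_name) >= 2 &&
      length(var.ecr_name) <= 256 &&
      can(regex("^(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*$", var.ecr_name))
    )
    error_message = "ecr_name must be 2-256 characters of lowercase letters, digits, '.', '_', '-' and '/' namespace separators."
  }
}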
modules/ecr/ecr.tf
# Elastic Container Registry (ecr)
# --------------------------------
# Create the ECR repo only when var.create_repo is true (intended for the 'test' AWS account only)
resource "aws_ecr_repository" "repo" {
  # Zero instances when the module is switched off; otherwise exactly one,
  # which repo_policy references as repo[0].
  count = var.create_repo ? 1 : 0

  name = var.ecr_name
  tags = var.tags_common

  # Tags may be overwritten by a later push (an image tag is not pinned to
  # one digest).
  image_tag_mutability = "MUTABLE"

  # Basic vulnerability scanning on push is switched off for this repo.
  image_scanning_configuration {
    scan_on_push = false
  }
}
# Policy allowing other accounts to pull images from the repo created in the 'test' AWS account
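resource "aws_ecr_repository_policy" "repo_policy" {
  # Same switch as the repository itself, so repo[0] always exists here.
  count      = var.create_repo ? 1 : 0
  repository = aws_ecr_repository.repo[0].name

  # The document is built with jsonencode rather than a heredoc so Terraform
  # validates its structure and quoting at plan time. The policy language
  # version is kept at 2008-10-17 as in the original document.
  policy = jsonencode({
    Version = "2008-10-17"
    Statement = [
      {
        # The original Sid read "adds full ecr access to the repository and
        # AllowCrossAccountPull"; the statement is documented as a pull grant
        # and now only contains read actions, so the Sid says so.
        Sid    = "AllowCrossAccountPull"
        Effect = "Allow"

        # Account-root principals delegate to every IAM identity in the
        # listed accounts; those identities still need matching ecr:* allows
        # in their own IAM policies before a pull succeeds.
        Principal = {
          AWS = [
            "arn:aws:iam::279642032772:root",
            "arn:aws:iam::726690249727:root",
            "arn:aws:iam::773096172122:root",
          ]
        }

        # Read-only actions only. The original statement additionally granted
        # ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload
        # and ecr:PutImage, which let the listed accounts push to (and, with
        # MUTABLE tags, overwrite) images in this repo — more than the
        # cross-account pull the policy is described as providing. Add those
        # back in a separate, explicitly named statement if pushing from
        # another account is genuinely required.
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetLifecyclePolicy",
        ]
      },
    ]
  })
}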