ecr (terraform)

Reference

TBD


Example

Create a repo and allow pulling from other accounts (hashicorp/aws 4.x)

modules/ecr/variables.tf

# Tag set propagated to every resource the module creates (see ecr.tf).
variable "tags_common" {
  type        = map(string)
  nullable    = false
  description = "Common tags map: env, ci, department, program"
}


# Switch that gates both the repository and its policy (count = 1 / 0),
# so a caller can include the module without creating anything.
variable "create_repo" {
  type        = bool
  nullable    = false
  description = "Create the ECR repo?"
}


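# Name of the ECR repository created by ecr.tf.
variable "ecr_name" {
  description = "Repository name"
  type        = string
  nullable    = false

  # Reject obviously invalid names at plan time with a readable message
  # rather than at apply time inside the provider. This check is no stricter
  # than ECR itself: repository names are 2-256 characters drawn from
  # lowercase letters, digits and the separators '.', '_', '-' and '/'.
  validation {
    condition = (
      length(var.ecr_name) >= 2
      && length(var.ecr_name) <= 256
      && can(regex("^[a-z0-9._/-]+$", var.ecr_name))
    )
    error_message = "ecr_name must be 2-256 characters of lowercase letters, digits and the separators '.', '_', '-' and '/'."
  }
}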


modules/ecr/ecr.tf

# Elastic Container Registry (ecr)

# --------------------------------



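# Repository settings that were previously hard-coded. The defaults reproduce
# the existing behaviour, so callers that do not set them see no change; they
# exist so a caller can opt into the stricter settings per environment.
variable "image_tag_mutability" {
  description = "IMMUTABLE stops an existing tag from being re-pointed at a different image; MUTABLE (the current setting) allows it"
  type        = string
  default     = "MUTABLE"
  nullable    = false

  validation {
    condition     = contains(["MUTABLE", "IMMUTABLE"], var.image_tag_mutability)
    error_message = "image_tag_mutability must be MUTABLE or IMMUTABLE."
  }
}

variable "scan_on_push" {
  description = "Run ECR's image vulnerability scan on every push (currently disabled)"
  type        = bool
  default     = false
  nullable    = false
}

# Create the ECR repo; intended only for the 'test' AWS account, which is
# enforced by the caller through var.create_repo rather than by this module.
resource "aws_ecr_repository" "repo" {
  count = var.create_repo ? 1 : 0

  name = var.ecr_name

  # With MUTABLE, anyone holding ecr:PutImage on this repo (including the
  # cross-account principals in repo_policy) can overwrite an existing tag.
  image_tag_mutability = var.image_tag_mutability

  image_scanning_configuration {
    scan_on_push = var.scan_on_push
  }

  tags = var.tags_common
}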



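# AWS account IDs granted access through the repository policy. The default is
# the list that was previously hard-coded in the policy document, so existing
# callers see no change; pass an explicit list to grant a different set.
variable "cross_account_ids" {
  description = "12-digit AWS account IDs whose IAM identities may pull from (and push to) the repo"
  type        = list(string)
  default     = ["279642032772", "726690249727", "773096172122"]
  nullable    = false

  validation {
    condition     = alltrue([for id in var.cross_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Every entry in cross_account_ids must be a 12-digit AWS account ID."
  }
}

# Policy allowing other accounts to pull images from the repo created in the
# 'test' AWS account.
#
# Scope of the grant, for reviewers:
#  - A principal of the form arn:aws:iam::<account>:root delegates to the
#    whole account: any IAM user or role in that account whose own
#    administrator grants it ecr:* permissions can use this grant, not only
#    that account's root user.
#  - The action list is wider than "pull": InitiateLayerUpload,
#    UploadLayerPart, CompleteLayerUpload and PutImage also let those
#    accounts push images (and, while image_tag_mutability is MUTABLE,
#    overwrite existing tags). Kept unchanged to preserve behaviour; remove
#    them if read-only access is what is intended.
resource "aws_ecr_repository_policy" "repo_policy" {
  # ECR rejects a policy whose principal list is empty, so create the policy
  # only when there is at least one account to grant.
  count = (var.create_repo && length(var.cross_account_ids) > 0) ? 1 : 0

  repository = aws_ecr_repository.repo[0].name

  # jsonencode() instead of a heredoc: no hand-written quoting, no stray
  # whitespace in the stored document, and Terraform validates the structure
  # at plan time.
  policy = jsonencode({
    Version = "2008-10-17"
    Statement = [
      {
        Sid    = "adds full ecr access to the repository and AllowCrossAccountPull"
        Effect = "Allow"
        Principal = {
          AWS = [for id in var.cross_account_ids : "arn:aws:iam::${id}:root"]
        }
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:CompleteLayerUpload",
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetLifecyclePolicy",
          "ecr:InitiateLayerUpload",
          "ecr:PutImage",
          "ecr:UploadLayerPart",
        ]
      },
    ]
  })
}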