diff --git a/README.md b/README.md
index 1c9ec2d..85e221a 100644
--- a/README.md
+++ b/README.md
@@ -153,6 +153,7 @@ module "iglu_server" {
| [max\_size](#input\_max\_size) | The maximum number of servers in this server-group | `number` | `2` | no |
| [min\_size](#input\_min\_size) | The minimum number of servers in this server-group | `number` | `1` | no |
| [patches\_allowed](#input\_patches\_allowed) | Whether or not patches are allowed for published Iglu Schemas | `bool` | `true` | no |
+| [private\_ecr\_registry](#input\_private\_ecr\_registry) | The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/') | `string` | `""` | no |
| [scale\_down\_cooldown\_sec](#input\_scale\_down\_cooldown\_sec) | Time (in seconds) until another scale-down action can occur | `number` | `600` | no |
| [scale\_down\_cpu\_threshold\_percentage](#input\_scale\_down\_cpu\_threshold\_percentage) | The average CPU percentage that we must be below to scale-down | `number` | `20` | no |
| [scale\_down\_eval\_minutes](#input\_scale\_down\_eval\_minutes) | The number of consecutive minutes that we must be below the threshold to scale-down | `number` | `60` | no |
diff --git a/main.tf b/main.tf
index cb06f92..71e2992 100644
--- a/main.tf
+++ b/main.tf
@@ -27,6 +27,20 @@ data "aws_caller_identity" "current" {}
locals {
is_aws_global = replace(data.aws_region.current.name, "cn-", "") == data.aws_region.current.name
iam_partition = local.is_aws_global ? "aws" : "aws-cn"
+
+ is_private_ecr_registry = var.private_ecr_registry != ""
+ private_ecr_registry_statement = [{
+ Action = [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "*"
+ ]
+ }]
+ private_ecr_registry_statement_final = local.is_private_ecr_registry ? local.private_ecr_registry_statement : []
}
module "telemetry" {
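Review bot: The added `private_ecr_registry_statement` grants `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` on `Resource = ["*"]`, so the role can pull from any repository reachable by the account rather than only the registry configured in `var.private_ecr_registry`. Only `ecr:GetAuthorizationToken` requires a wildcard resource; the two pull actions accept repository ARNs and can be confined to the configured registry, which keeps the policy at least privilege. Because the registry's account and region are embedded only in the URL (the README row shows the `<account>.dkr.ecr.<region>…` form), they would need to be extracted from the string or supplied as separate inputs; the sketch below leaves them as placeholders, and `local.iam_partition` from the same block supplies the partition. The `locals` block is complete within this hunk, but the second `main.tf` hunk that consumes the statement is cut off, so how it is merged into `aws_iam_policy.iam_policy` is not reviewed here.
```terraform
  private_ecr_registry_statement = [
    {
      # GetAuthorizationToken does not support resource-level scoping
      Action   = ["ecr:GetAuthorizationToken"]
      Effect   = "Allow"
      Resource = ["*"]
    },
    {
      # Pull actions scoped to the configured registry's repositories;
      # <REGISTRY_REGION> / <REGISTRY_ACCOUNT_ID> are placeholders derived from var.private_ecr_registry
      Action   = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
      Effect   = "Allow"
      Resource = ["arn:${local.iam_partition}:ecr:<REGISTRY_REGION>:<REGISTRY_ACCOUNT_ID>:repository/*"]
    }
  ]
  # … unchanged: private_ecr_registry_statement_final …
```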
@@ -81,24 +95,25 @@ EOF
resource "aws_iam_policy" "iam_policy" {
name = var.name
- policy = <