Merge pull request #3 from synapsestudios/2-attach-policy

Attach IAM policy to repository
synapsestudios · Feb 2, 2023 · 0eac29e · 0eac29e
2 parents f0ef9c6 + cd43207
commit 0eac29e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -24,9 +24,9 @@ No modules.
 
 The following resources are used by this module:
 
-- [aws_ecr_lifecycle_policy.ecr_lifecycle_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) (resource)
-- [aws_ecr_repository.ecr_repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) (resource)
-- [aws_iam_policy_document.ecr_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) (data source)
+- [aws_ecr_lifecycle_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) (resource)
+- [aws_ecr_repository.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) (resource)
+- [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) (data source)
 
 ## Required Inputs
 

diff --git a/main.tf b/main.tf
@@ -2,7 +2,7 @@ provider "aws" {
   region = var.region
 }
 
-resource "aws_ecr_repository" "ecr_repo" {
+resource "aws_ecr_repository" "this" {
   name                 = var.name
   image_tag_mutability = "MUTABLE"
 
@@ -11,8 +11,8 @@ resource "aws_ecr_repository" "ecr_repo" {
   }
 }
 
-resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" {
-  repository = aws_ecr_repository.ecr_repo.name
+resource "aws_ecr_lifecycle_policy" "this" {
+  repository = aws_ecr_repository.this.name
 
   policy = <<EOF
 {
@@ -35,8 +35,9 @@ EOF
 }
 
 // Create aws ecr repository that allows a list of arns to push and pull from it
-data "aws_iam_policy_document" "ecr_policy" {
+data "aws_iam_policy_document" "this" {
   statement {
+    sid = "AllowPushPull"
     actions = [
       "ecr:BatchCheckLayerAvailability",
       "ecr:BatchGetImage",
@@ -51,8 +52,10 @@ data "aws_iam_policy_document" "ecr_policy" {
       type        = "AWS"
     }
     effect = "Allow"
-    resources = [
-      aws_ecr_repository.ecr_repo.arn
-    ]
   }
 }
+
+resource "aws_ecr_repository_policy" "this" {
+  repository = aws_ecr_repository.this.name
+  policy     = data.aws_iam_policy_document.this.json
+}