-
-
Notifications
You must be signed in to change notification settings - Fork 133
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
## What * Grant permission to access ECR using ECR policy with principal that have access to it. Basically, let ECR describe who can access it, rather than each user/role listing the modules they can access ## Why * To solve IAM limit problem (more scalable strategy and probably the way we should have done it from the get go) ## Breaking changes * Variable `roles` replaced with `principals_full_access` or `principals_readonly_access` and expects list or role\user arns as value * We removed policies that provide access to the registry. (`policy_login_name`, `policy_login_arn`, `policy_read_name`, `policy_read_arn`, `policy_write_name`, `policy_write_arn`). So you do not need to attach the policies to IAM role\user. Please provide IAM role\user arn as variable `principals_full_access` or `principals_readonly_access` depend on what type of access to you need. Example: ``` module "kops_ecr" { source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.2.11" name = "${var.name}" namespace = "${var.namespace}" stage = "${var.stage}" use_fullname = "${var.use_fullname}" roles = [ "${module.kops_metadata.masters_role_name}", "${module.kops_metadata.nodes_role_name}", ] } resource "aws_iam_policy_attachment" "login" { count = "${signum(length(var.users))}" name = "${module.label.id}" users = ["${var.users}"] policy_arn = "${module.kops_ecr.policy_login_arn}" } ``` now should be ``` module "kops_ecr" { source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.3.0" name = "${var.name}" namespace = "${var.namespace}" stage = "${var.stage}" use_fullname = "${var.use_fullname}" principals_readonly_access = [ "${module.kops_metadata.masters_role_arn}", "${module.kops_metadata.nodes_role_arn}", ] principals_full_access = [ "${var.users_arns}" ] } ```
- Loading branch information
Showing
3 changed files
with
117 additions
and
164 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters