0.3.0: Reinvent permissions to ECR (#21)
What
- Grant permission to access ECR using an ECR repository policy whose principals are the identities that should have access. Basically, let ECR describe who can access it, rather than each user/role listing the modules it can access.
Why
- To solve the IAM limit problem (a more scalable strategy, and probably the way we should have done it from the get-go).
Breaking changes
- Variable `roles` is replaced with `principals_full_access` or `principals_readonly_access`, which expect a list of role/user ARNs as value. The user/role should itself have the following permission:

```hcl
data "aws_iam_policy_document" "login" {
  statement {
    sid       = "ECRGetAuthorizationToken"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
}
```
- We removed the policies that provide access to the registry (`policy_login_name`, `policy_login_arn`, `policy_read_name`, `policy_read_arn`, `policy_write_name`, `policy_write_arn`), so you no longer need to attach policies to the IAM role/user. Instead, pass the IAM role/user ARNs via the variable `principals_full_access` or `principals_readonly_access`, depending on what type of access you need.
Example:

```hcl
module "kops_ecr" {
  source       = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.2.11"
  name         = "${var.name}"
  namespace    = "${var.namespace}"
  stage        = "${var.stage}"
  use_fullname = "${var.use_fullname}"

  roles = [
    "${module.kops_metadata.masters_role_name}",
    "${module.kops_metadata.nodes_role_name}",
  ]
}

resource "aws_iam_policy_attachment" "login" {
  count      = "${signum(length(var.users))}"
  name       = "${module.label.id}"
  users      = ["${var.users}"]
  policy_arn = "${module.kops_ecr.policy_login_arn}"
}
```

now should be

```hcl
module "kops_ecr" {
  source       = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.3.0"
  name         = "${var.name}"
  namespace    = "${var.namespace}"
  stage        = "${var.stage}"
  use_fullname = "${var.use_fullname}"

  principals_readonly_access = [
    "${module.kops_metadata.masters_role_arn}",
    "${module.kops_metadata.nodes_role_arn}",
  ]

  principals_full_access = [
    "${var.users_arns}",
  ]
}
```
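To make the resource-based pattern above concrete, here is an added illustration (not the module's own code) of how a repository policy grants the two principal sets different action sets; it assumes an `aws_ecr_repository.default` resource and the two list variables exist in the calling configuration.

```hcl
# Added example, not taken from the module: an ECR repository policy that
# names the principals allowed in, so identities need no per-repository policy.
# Assumes aws_ecr_repository.default and the two list variables exist.
data "aws_iam_policy_document" "repository" {
  # Read-only principals get only what is needed to pull an image.
  statement {
    sid    = "ReadonlyAccess"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["${var.principals_readonly_access}"]
    }

    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
  }

  # Full-access principals can additionally push layers and manifests.
  statement {
    sid    = "FullAccess"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["${var.principals_full_access}"]
    }

    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage",
    ]
  }
}

# ecr:GetAuthorizationToken is a registry-level action, so it cannot be granted
# here; it stays on the identity, as the "login" policy document above shows.
resource "aws_ecr_repository_policy" "default" {
  repository = "${aws_ecr_repository.default.name}"
  policy     = "${data.aws_iam_policy_document.repository.json}"
}
```

Keeping the read-only statement to the three pull actions is what makes the split meaningful: a node role that is only listed in `principals_readonly_access` cannot overwrite an image even though it shares the repository with full-access users.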