

MLPAB-1487 - ecs unable to pull image from ecr after enabling tighter…
… policies on vpc endpoints (#771)

* remove gateway endpoints
andrewpearce-digital authored Oct 13, 2023
1 parent 9f109a0 commit 2418688
Showing 1 changed file with 55 additions and 55 deletions.
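--- a/terraform/account/region/vpc_endpoints.tf
+++ b/terraform/account/region/vpc_endpoints.tf
@@ -31,8 +31,8 @@ resource "aws_security_group_rule" "vpc_endpoints_public_subnet_ingress" {
 locals {
 interface_endpoint = toset([
 "ec2",
-"ecr.api",
-"ecr.dkr",
+# "ecr.api",
+# "ecr.dkr",
 "execute-api",
 "events",
 "logs",
@@ -86,59 +86,59 @@ data "aws_route_tables" "public" {
 }
 }
 
-resource "aws_vpc_endpoint" "s3" {
-provider = aws.region
-vpc_id = module.network.vpc.id
-service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
-route_table_ids = tolist(data.aws_route_tables.public.ids)
-vpc_endpoint_type = "Gateway"
-policy = data.aws_iam_policy_document.s3_vpc_endpoint.json
-tags = { Name = "s3-private-${data.aws_region.current.name}" }
-}
+# resource "aws_vpc_endpoint" "s3" {
+# provider = aws.region
+# vpc_id = module.network.vpc.id
+# service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
+# route_table_ids = tolist(data.aws_route_tables.public.ids)
+# vpc_endpoint_type = "Gateway"
+# policy = data.aws_iam_policy_document.s3_vpc_endpoint.json
+# tags = { Name = "s3-private-${data.aws_region.current.name}" }
+# }
 
-data "aws_iam_policy_document" "s3_vpc_endpoint" {
-provider = aws.region
-statement {
-sid = "S3VpcEndpointPolicy"
-actions = ["s3:*"]
-resources = ["*"]
-principals {
-type = "AWS"
-identifiers = ["*"]
-}
-condition {
-test = "StringEquals"
-variable = "aws:PrincipalAccount"
-values = [data.aws_caller_identity.current.account_id]
-}
-}
-}
+# data "aws_iam_policy_document" "s3_vpc_endpoint" {
+# provider = aws.region
+# statement {
+# sid = "S3VpcEndpointPolicy"
+# actions = ["s3:*"]
+# resources = ["*"]
+# principals {
+# type = "AWS"
+# identifiers = ["*"]
+# }
+# condition {
+# test = "StringEquals"
+# variable = "aws:PrincipalAccount"
+# values = [data.aws_caller_identity.current.account_id]
+# }
+# }
+# }
 
-resource "aws_vpc_endpoint" "dynamodb" {
-provider = aws.region
-vpc_id = module.network.vpc.id
-service_name = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
-route_table_ids = tolist(data.aws_route_tables.public.ids)
-vpc_endpoint_type = "Gateway"
-policy = data.aws_iam_policy_document.dynamodb_vpc_endpoint.json
-tags = { Name = "dynamodb-private-${data.aws_region.current.name}" }
-}
+# resource "aws_vpc_endpoint" "dynamodb" {
+# provider = aws.region
+# vpc_id = module.network.vpc.id
+# service_name = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
+# route_table_ids = tolist(data.aws_route_tables.public.ids)
+# vpc_endpoint_type = "Gateway"
+# policy = data.aws_iam_policy_document.dynamodb_vpc_endpoint.json
+# tags = { Name = "dynamodb-private-${data.aws_region.current.name}" }
+# }
 
-data "aws_iam_policy_document" "dynamodb_vpc_endpoint" {
-provider = aws.region
-statement {
-sid = "DynamoDBVpcEndpointPolicy"
-effect = "Allow"
-actions = ["dynamodb:*"]
-resources = ["*"]
-principals {
-type = "AWS"
-identifiers = ["*"]
-}
-condition {
-test = "StringEquals"
-variable = "aws:PrincipalAccount"
-values = [data.aws_caller_identity.current.account_id]
-}
-}
-}
+# data "aws_iam_policy_document" "dynamodb_vpc_endpoint" {
+# provider = aws.region
+# statement {
+# sid = "DynamoDBVpcEndpointPolicy"
+# effect = "Allow"
+# actions = ["dynamodb:*"]
+# resources = ["*"]
+# principals {
+# type = "AWS"
+# identifiers = ["*"]
+# }
+# condition {
+# test = "StringEquals"
+# variable = "aws:PrincipalAccount"
+# values = [data.aws_caller_identity.current.account_id]
+# }
+# }
+# }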
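Review bot: Commenting out the S3 and DynamoDB gateway endpoints together with their account-scoped policies (the new side of the second hunk) removes the data-perimeter control entirely, and on apply the S3 and DynamoDB traffic from these route tables will take whatever default route exists instead of a private endpoint; the DynamoDB endpoint has no bearing on ECR pulls at all. The pull failure is most plausibly the `aws:PrincipalAccount` condition in `s3_vpc_endpoint`: ECR serves image layers from an AWS-owned bucket with requests it signs itself, so a condition pinned to this account rejects them (inferred from the visible policy; the page shows no error output). A narrower fix keeps both gateway endpoints and the `ecr.api`/`ecr.dkr` interface endpoints from the first hunk (whose `locals` block continues past the hunk) and adds a statement allowing `s3:GetObject` on the regional ECR layer bucket, as the ECR VPC-endpoint documentation describes. If the gateway endpoints really are meant to go, delete the resources rather than leaving roughly fifty commented-out lines, and record the reason in place, e.g. `# Gateway endpoints removed: see MLPAB-1487`.
```hcl
data "aws_iam_policy_document" "s3_vpc_endpoint" {
  provider = aws.region
  # … unchanged: S3VpcEndpointPolicy statement (account-scoped s3:*) …

  # ECR keeps image layers in an AWS-owned bucket and fetches them with
  # requests signed by ECR, so the aws:PrincipalAccount condition above
  # would reject them; allow read-only access to that one bucket.
  statement {
    sid       = "AllowEcrLayerBucketRead"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::prod-${data.aws_region.current.name}-starport-layer-bucket/*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}
```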
