Difference between revisions of "Terraform resource: aws ecr repository policy"
Jump to navigation
Jump to search
| (9 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | * <code>aws_ecr_repository_policy</code> [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy ref] | |
| − | * https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy | + | |
| − | aws_ecr_repository_policy | + | |
| + | == Examples == | ||
| + | === Official example === | ||
| + | <pre> | ||
| + | resource "aws_ecr_repository" "foo" { | ||
| + | name = "bar" | ||
| + | } | ||
| + | |||
| + | data "aws_iam_policy_document" "foopolicy" { | ||
| + | statement { | ||
| + | sid = "new policy" | ||
| + | effect = "Allow" | ||
| + | |||
| + | principals { | ||
| + | type = "AWS" | ||
| + | identifiers = ["123456789012"] | ||
| + | } | ||
| + | |||
| + | actions = [ | ||
| + | "ecr:GetDownloadUrlForLayer", | ||
| + | "ecr:BatchGetImage", | ||
| + | "ecr:BatchCheckLayerAvailability", | ||
| + | "ecr:PutImage", | ||
| + | "ecr:InitiateLayerUpload", | ||
| + | "ecr:UploadLayerPart", | ||
| + | "ecr:CompleteLayerUpload", | ||
| + | "ecr:DescribeRepositories", | ||
| + | "ecr:GetRepositoryPolicy", | ||
| + | "ecr:ListImages", | ||
| + | "ecr:DeleteRepository", | ||
| + | "ecr:BatchDeleteImage", | ||
| + | "ecr:SetRepositoryPolicy", | ||
| + | "ecr:DeleteRepositoryPolicy", | ||
| + | ] | ||
| + | } | ||
| + | } | ||
| + | |||
| + | resource "aws_ecr_repository_policy" "foopolicy" { | ||
| + | repository = aws_ecr_repository.foo.name | ||
| + | policy = data.aws_iam_policy_document.foopolicy.json | ||
| + | } | ||
| + | </pre> | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | === Example === | ||
| + | resource "aws_ecr_repository_policy" "access_policy" { | ||
| + | for_each = toset(var.your-org_ecr_repos) | ||
| + | repository = each.key | ||
| + | |||
| + | policy = <<EOF | ||
| + | { | ||
| + | "Version": "2008-10-17", | ||
| + | "Statement": [ | ||
| + | { | ||
| + | "Sid": "AllowPushPull", | ||
| + | "Effect": "Allow", | ||
| + | "Principal": { | ||
| + | "AWS": [ | ||
| + | "arn:aws:iam::0123456789:root", | ||
| + | "arn:aws:iam::9876543210:user/MyAdmin" | ||
| + | ] | ||
| + | }, | ||
| + | "Action": [ | ||
| + | "[[ecr:GetDownloadUrlForLayer]]", | ||
| + | "[[ecr:BatchGetImage]]", | ||
| + | "[[ecr:BatchCheckLayerAvailability]]", | ||
| + | "[[ecr:PutImage]]", | ||
| + | "[[ecr:InitiateLayerUpload]]", | ||
| + | "[[ecr:UploadLayerPart]]", | ||
| + | "[[ecr:CompleteLayerUpload]]" | ||
| + | ] | ||
| + | } | ||
| + | ] | ||
| + | } | ||
| + | EOF | ||
| + | |||
| + | depends_on = [aws_ecr_repository.your-org_repos] | ||
| + | } | ||
| + | |||
== Related == | == Related == | ||
| Line 7: | Line 87: | ||
== See also == | == See also == | ||
| + | * {{tf ecr}} | ||
* {{ECR}} | * {{ECR}} | ||
[[Category:ECR]] | [[Category:ECR]] | ||
Latest revision as of 08:01, 17 May 2023
aws_ecr_repository_policyref
Examples[edit]
Official example[edit]
resource "aws_ecr_repository" "foo" {
name = "bar"
}
data "aws_iam_policy_document" "foopolicy" {
statement {
sid = "new policy"
effect = "Allow"
principals {
type = "AWS"
identifiers = ["123456789012"]
}
actions = [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
]
}
}
resource "aws_ecr_repository_policy" "foopolicy" {
repository = aws_ecr_repository.foo.name
policy = data.aws_iam_policy_document.foopolicy.json
}
Example[edit]
resource "aws_ecr_repository_policy" "access_policy" {
for_each = toset(var.your-org_ecr_repos)
repository = each.key
policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::0123456789:root",
"arn:aws:iam::9876543210:user/MyAdmin"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}
EOF
depends_on = [aws_ecr_repository.your-org_repos]
}
Related[edit]
See also[edit]
- Terraform AWS ECR:
aws_ecr_repository, aws_ecr_repository_policy, aws_ecrpublic_repository, aws_ecrpublic_repository_policy, aws_ecr_registry_policy, aws_ecr_registry_scanning_configuration, aws_ecr_replication_configuration - ECR,
aws ecr, Amazon ECR Public Gallery: public.ecr.aws, Terraform AWS ECR, Troubleshooting ECR,ecr:,ecr:ReplicateImage, ECR scanning,AllowPushPull
Advertising:
