From 32bc6af77e2abb9d420d47c391a9e887f23aed89 Mon Sep 17 00:00:00 2001
From: Jake Heath <76011913+jakeyheath@users.noreply.github.com>
Date: Fri, 19 Apr 2024 09:00:01 -0700
Subject: [PATCH] feat: allow happy users to leverage pull through caching (#3245)

---
 .../modules/happy-github-ci-role/README.md | 7 ++--
 terraform/modules/happy-github-ci-role/ecr.tf | 41 +++++++++++++++----
 2 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/terraform/modules/happy-github-ci-role/README.md b/terraform/modules/happy-github-ci-role/README.md
index 0a37be84c7..1c4b26099d 100644
--- a/terraform/modules/happy-github-ci-role/README.md
+++ b/terraform/modules/happy-github-ci-role/README.md
@@ -28,11 +28,12 @@ | Name | Type | |------|------| -| [aws_iam_policy.ecr-scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role_policy_attachment.ecr-scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy.ecr_scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.pull_through_cache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.ecr-scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ecr_scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.pull_through_cache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs diff --git a/terraform/modules/happy-github-ci-role/ecr.tf b/terraform/modules/happy-github-ci-role/ecr.tf index 947d578fd7..3e4df266b3 100644 --- a/terraform/modules/happy-github-ci-role/ecr.tf +++ b/terraform/modules/happy-github-ci-role/ecr.tf @@ -37,7 +37,7 @@ module "autocreated_ecr_writer_policy" { owner = var.tags.owner } -data "aws_iam_policy_document" "ecr-scanner" { +data "aws_iam_policy_document" "ecr_scanner" { statement { sid = "ScanECR" 
@@ -55,15 +55,40 @@ data "aws_iam_policy_document" "ecr-scanner" {
   }
 }
-resource "aws_iam_policy" "ecr-scanner" {
+resource "aws_iam_role_policy" "ecr_scanner" {
+  role = var.gh_actions_role_name
   name_prefix = "gh_actions_ecr_scan_${random_pet.this.id}"
-  path = "/"
-
-  policy = data.aws_iam_policy_document.ecr-scanner.json
+  policy = data.aws_iam_policy_document.ecr_scanner.json
 }
-resource "aws_iam_role_policy_attachment" "ecr-scanner" {
-  role = var.gh_actions_role_name
+data "aws_iam_policy_document" "pull_through_cache" {
+  statement {
+    sid = "PullThroughCacheCorePlatformProdECR"
+
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchGetImage",
+      "ecr:BatchImportUpstreamImage",
+      "ecr:CreateRepository",
+      "ecr:DescribeImageScanFindings",
+      "ecr:DescribeImages",
+      "ecr:DescribeRepositories",
+      "ecr:GetAuthorizationToken",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetLifecyclePolicy",
+      "ecr:GetLifecyclePolicyPreview",
+      "ecr:GetRepositoryPolicy",
+      "ecr:ListImages",
+      "ecr:ListTagsForResource",
+      "ecr:TagResource",
+    ]
-  policy_arn = aws_iam_policy.ecr-scanner.arn
+    resources = ["arn:aws:ecr:us-west-2:533267185808:repository/*"]
+  }
 }
+
+resource "aws_iam_role_policy" "pull_through_cache" {
+  role = var.gh_actions_role_name
+  name_prefix = "read_only_pull_through_cache_core_platform_prod_access"
+  policy = data.aws_iam_policy_document.pull_through_cache.json
+}
\ No newline at end of file
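Review bot: The `pull_through_cache` role policy is named `read_only_...` in its `name_prefix`, but the statement grants `ecr:CreateRepository`, `ecr:BatchImportUpstreamImage` and `ecr:TagResource` over `repository/*` in a hard-coded account and region, so the CI role can create and populate any repository in that account rather than only read from the cache. Scoping `resources` to the pull-through-cache rule's repository prefix, e.g. `resources = ["arn:aws:ecr:us-west-2:533267185808:repository/<PULL_THROUGH_PREFIX>/*"]`, and moving the account ID and region into module variables would keep the grant to what the rule actually needs. `ecr:GetAuthorizationToken` does not support resource-level permissions, so listing it under a repository ARN grants nothing here; if the role does not already receive it from `autocreated_ecr_writer_policy` or the scanner policy, it needs its own statement with `resources = ["*"]`. The new closing brace also drops the file's trailing newline.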