Merge pull request #19 from DNXLabs/hotfix/fix-ecr-policy-issue-when-not-using-trust-accounts-option

fix ecr policy issue when not using trust accounts option

Author: luizfds

ecr-policies.tf

@@ -1,66 +1,73 @@
+
 resource "aws_ecr_repository_policy" "default" {
   repository = aws_ecr_repository.default.name
+  policy     = data.aws_iam_policy_document.default.json
+}
+
+data "aws_iam_policy_document" "default" {
+  dynamic "statement" {
+    for_each = length(try(var.trust_accounts, [])) > 0 ? [1] : []
+
+    content {
+      sid    = "AllowPull"
+      effect = "Allow"
+
+      principals {
+        type        = "AWS"
+        identifiers = formatlist("arn:aws:iam::%s:root", var.trust_accounts)
+      }
 
-  policy = <<EOF
-{
-  "Version": "2008-10-17",
-  "Statement": [
-    {
-      "Sid": "AllowPull",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": [
-          ${join(",", formatlist("\"arn:aws:iam::%s:root\"", var.trust_accounts))}
-        ]
-      },
-      "Action": [
+      actions = [
         "ecr:GetDownloadUrlForLayer",
         "ecr:BatchGetImage",
         "ecr:BatchCheckLayerAvailability",
         "ecr:DescribeImageScanFindings"
       ]
-    },
-    {
-      "Sid": "AllowWriteMgmt",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": [
-          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-        ]
-      },
-      "Action": [
-        "ecr:GetDownloadUrlForLayer",
-        "ecr:BatchGetImage",
-        "ecr:BatchCheckLayerAvailability",
-        "ecr:PutImage",
-        "ecr:InitiateLayerUpload",
-        "ecr:UploadLayerPart",
-        "ecr:CompleteLayerUpload"
-      ]
-    },
-    {
-      "Sid": "LambdaECRImageCrossAccountRetrievalPolicy",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": [
-          "lambda.amazonaws.com"
-        ]
-      },
-      "Action": [
+    }
+  }
+
+  statement {
+    sid    = "AllowWriteMgmt"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload"
+    ]
+  }
+
+  dynamic "statement" {
+    for_each = length(try(var.trust_accounts, [])) > 0 ? [1] : []
+
+    content {
+      sid    = "LambdaECRImageCrossAccountRetrievalPolicy"
+      effect = "Allow"
+
+      principals {
+        type        = "Service"
+        identifiers = ["lambda.amazonaws.com"]
+      }
+
+      actions = [
         "ecr:GetDownloadUrlForLayer",
         "ecr:BatchGetImage"
-      ],
-      "Condition": {
-        "StringLike": {
-          "aws:sourceArn": [
-            ${join(",", formatlist("\"arn:aws:lambda:%s:%s:function:*\"", data.aws_region.current.name, var.trust_accounts))}
-          ]
-        }
+      ]
+
+      condition {
+        test     = "StringLike"
+        variable = "aws:sourceArn"
+        values   = formatlist("arn:aws:lambda:%s:%s:function:*", data.aws_region.current.name, var.trust_accounts)
       }
     }
-  ]
-}
-EOF
-
-  depends_on = [aws_ecr_repository.default]
+  }
 }