From d01c787a7a28ae846e79760ae3fa9cb0386bfd74 Mon Sep 17 00:00:00 2001
From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:12:55 +0100
Subject: [PATCH] chore(ci-staging): allow authenticating to ecr public gallery

---
 terragrunt/modules/ci-runners/gh_oidc.tf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/terragrunt/modules/ci-runners/gh_oidc.tf b/terragrunt/modules/ci-runners/gh_oidc.tf
index f33083c9..a6ff2905 100644
--- a/terragrunt/modules/ci-runners/gh_oidc.tf
+++ b/terragrunt/modules/ci-runners/gh_oidc.tf
@@ -35,3 +35,23 @@ resource "aws_iam_role" "github_actions_ci_role" {
 ]
 })
 }
+
+# Allow GitHub Actions to authenticate to AWS ECR Public Gallery
+resource "aws_iam_role_policy" "github_actions_ecr_policy" {
+ name = "ecr-auth-policy"
+ role = aws_iam_role.github_actions_ci_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ecr-public:GetAuthorizationToken",
+ "sts:GetServiceBearerToken"
+ ]
+ Resource = "*"
+ }
+ ]
+ })
+}
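Review bot: The `Resource = "*"` on the new `github_actions_ecr_policy` statement is correct but unexplained; both `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` are not resource-scoped, so `"*"` is the only valid value, and a comment such as `# Neither action is resource-scoped; "*" is required here, not over-broad.` would stop a later least-privilege pass from flagging it. The `sts:GetServiceBearerToken` grant itself is wider than ECR Public, since that action mints bearer tokens for any service that accepts them (CodeArtifact, for example) for a principal that also holds that service's permissions; if ECR Public honors the `sts:AWSServiceName` condition key (worth confirming against the AWS docs), scoping it with `Condition = { StringEquals = { "sts:AWSServiceName" = "ecr-public.amazonaws.com" } }` keeps the role from becoming a general bearer-token source as more policies are attached to `github_actions_ci_role`. The commit title says this is for the staging runners, but the policy attaches to whichever role the module instantiates, which is not visible here. The three context lines close the `aws_iam_role` resource whose definition starts outside the hunk.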