Add AmazonEC2ContainerRegistryReadOnly policy to provide read-only access to ECR repositories (#15)

aknysh · web-flow · commit 60d56adfcaee · 2017-10-03T19:23:07.000-04:00
diff --git a/main.tf b/main.tf
@@ -122,6 +122,13 @@ resource "aws_iam_role_policy_attachment" "ssm-automation" {
   }
 }
 
+# http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.container.console.html
+# http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryReadOnly
+resource "aws_iam_role_policy_attachment" "ecr-readonly" {
+  role       = "${aws_iam_role.ec2.name}"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+}
+
 resource "aws_ssm_activation" "ec2" {
   name               = "${module.label.id}"
   iam_role           = "${aws_iam_role.ec2.id}"

Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,13 @@ resource "aws_iam_role_policy_attachment" "ssm-automation" {`
`122`	`122`	`}`
`123`	`123`	`}`
`124`	`124`
	`125`	`+# http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.container.console.html`
	`126`	`+# http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryReadOnly`
	`127`	`+resource "aws_iam_role_policy_attachment" "ecr-readonly" {`
	`128`	`+ role = "${aws_iam_role.ec2.name}"`
	`129`	`+ policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"`
	`130`	`+}`
	`131`	`+`
`125`	`132`	`resource "aws_ssm_activation" "ec2" {`
`126`	`133`	`name = "${module.label.id}"`
`127`	`134`	`iam_role = "${aws_iam_role.ec2.id}"`