Merge pull request #26 from openbraininstitute/private_registry

Add policy to allow to pull a private image from certain identitites

Author: danifr

main.tf

@@ -338,8 +338,9 @@ module "public_ecr_github_actions_upload_credentials_notebook_service" {
 }
 
 module "obi_notebook_image" {
-  source          = "./private-ecr-repo"
-  repository_name = "obi-notebook-image"
+  source                     = "./private-ecr-repo"
+  repository_name            = "obi-notebook-image"
+  allowed_to_pull_identities = ["arn:aws:iam::992382665735:role/eksctl-jupyterhub-svc-nodegroup-ng-NodeInstanceRole-ZT1FeO9Ce2wc"]
 }
 
 module "private_ecr_github_actions_upload_credentials_obi-notebook_image" {

private-ecr-repo/policy.tf

@@ -0,0 +1,22 @@
+data "aws_iam_policy_document" "allow_eks_pull_from_ecr" {
+  statement {
+    sid    = "AllowEKSCrossAccountPullfromECR-${var.repository_name}"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = var.allowed_to_pull_identities
+    }
+
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer"
+    ]
+  }
+}
+
+resource "aws_ecr_repository_policy" "allow_eks_pull_from_ecr" {
+  repository = aws_ecr_repository.private_repo.name
+  policy     = data.aws_iam_policy_document.allow_eks_pull_from_ecr.json
+}

private-ecr-repo/variables.tf

@@ -3,3 +3,8 @@ variable "repository_name" {
   description = "Name of the repository"
   sensitive   = false
 }
+
+variable "allowed_to_pull_identities" {
+  type        = list(any)
+  description = "List of AWS identities that are allow to pull from the private repository"
+}