The aim of this step is to set up a test container registry, so that when I start the dev work I have little to worry about on the IaC side.
✅ Create IAM Roles for ECR Access - PR 2
A Read Access role to be used by any application that will be pulling the images, with the below permissions:
- ecr:GetAuthorizationToken,
- ecr:BatchCheckLayerAvailability,
- ecr:GetDownloadUrlForLayer,
- ecr:GetRepositoryPolicy,
- ecr:DescribeRepositories,
- ecr:ListImages,
- ecr:DescribeImages,
- ecr:BatchGetImage,
- ecr:GetLifecyclePolicy,
- ecr:GetLifecyclePolicyPreview,
- ecr:ListTagsForResource,
- ecr:DescribeImageScanFindings
A Read & Write role to be used by whatever agent that will be building the images, with the permissions:
- ecr:GetAuthorizationToken,
- ecr:BatchCheckLayerAvailability,
- ecr:GetDownloadUrlForLayer,
- ecr:GetRepositoryPolicy,
- ecr:DescribeRepositories,
- ecr:ListImages,
- ecr:DescribeImages,
- ecr:BatchGetImage,
- ecr:GetLifecyclePolicy,
- ecr:GetLifecyclePolicyPreview,
- ecr:ListTagsForResource,
- ecr:DescribeImageScanFindings,
- ecr:PutImage,
- ecr:InitiateLayerUpload,
- ecr:UploadLayerPart,
- ecr:CompleteLayerUpload,
- ecr:DeleteRepository,
- ecr:BatchDeleteImage,
- ecr:SetRepositoryPolicy,
- ecr:DeleteRepositoryPolicy
I set these 2 roles with Principals as a wildcard (*) to be as permissive as possible, then later I'll figure out further restrictions.
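As an added example (not the post's own Terragrunt module), here is the read-access pull role written in plain Terraform with the trust policy scoped instead of left as a wildcard principal; it assumes the image consumer is ECS, and the account ID, repository ARN and role name are placeholders supplied by the caller.

```hcl
variable "aws_account_id" { type = string } # assumption: the account that owns the registry
variable "repository_arn" { type = string } # assumption: ARN of the test ECR repo created later

# Trust policy: only ECS tasks launched in this account may assume the role.
# A Principal of "*" here would let any AWS account attempt to assume it.
data "aws_iam_policy_document" "ecr_pull_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.aws_account_id]
    }
  }
}

# ecr:GetAuthorizationToken does not support resource-level scoping, so it
# must stay on "*"; every other read action is limited to the one repository.
data "aws_iam_policy_document" "ecr_pull" {
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:DescribeRepositories",
      "ecr:DescribeImages",
      "ecr:ListImages",
    ]
    resources = [var.repository_arn]
  }
}

resource "aws_iam_role" "ecr_pull" {
  name               = "ecr-pull-role" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.ecr_pull_trust.json
}

resource "aws_iam_role_policy" "ecr_pull" {
  name   = "ecr-pull"
  role   = aws_iam_role.ecr_pull.id
  policy = data.aws_iam_policy_document.ecr_pull.json
}
```

The same pattern applies to the read & write role: keep the push actions on the repository ARN and name the specific build agent (for example a CI role or service) as the trusted principal rather than `*`.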
✅ Create a Test ECR Repo - PR 3
This proved a challenge as it's my first time working with Terragrunt, but I was able to get the dependencies (on the above roles) working for this module.
I also checked on S3 and confirmed that our Terragrunt remote state is working fine!