🔧 🩹 Attach LambdaECRImageRetrievalPolicy to ECR Repository (#9398)

* push to create PR * 🔧 Add aws_ecr_repository_policy * Remove unneeded parameter * Use 'repository_policy_statements' parameter * Remove unnecessary code
ministryofjustice · Jan 20, 2025 · 4c8057e · 4c8057e
1 parent ca83adb
commit 4c8057e
Showing 1 changed file with 26 additions and 24 deletions.
diff --git a/terraform/environments/analytical-platform-common/ecr-repositories.tf b/terraform/environments/analytical-platform-common/ecr-repositories.tf
@@ -1,26 +1,3 @@
-data "aws_iam_policy_document" "analytical_platform_jml_report_ecr_repository" {
-  statement {
-    sid    = "LambdaECRImageRetrievalPolicy"
-    effect = "Allow"
-    actions = [
-      "ecr:BatchGetImage",
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:SetRepositoryPolicy",
-      "ecr:DeleteRepositoryPolicy",
-      "ecr:GetRepositoryPolicy"
-    ]
-    principals {
-      type        = "Service"
-      identifiers = ["lambda.amazonaws.com"]
-    }
-    condition {
-      test     = "StringLike"
-      variable = "aws:sourceArn"
-      values   = ["arn:aws:lambda:${data.aws_region.current.name}:${local.environment_management.account_ids["analytical-platform-data-production"]}:function:analytical-platform-jml-report*"]
-    }
-  }
-}
-
 module "analytical_platform_jml_report_ecr_repository" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
@@ -29,9 +6,34 @@ module "analytical_platform_jml_report_ecr_repository" {
   version = "2.3.0"
 
   repository_name            = "analytical-platform-jml-report"
-  repository_policy          = data.aws_iam_policy_document.analytical_platform_jml_report_ecr_repository.json
   repository_encryption_type = "KMS"
   repository_kms_key         = module.ecr_kms.key_arn
+  repository_policy_statements = {
+    "lambda-ecr" = {
+      sid    = "LambdaECRImageRetrievalPolicy"
+      effect = "Allow"
+      actions = [
+        "ecr:BatchGetImage",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:SetRepositoryPolicy",
+        "ecr:DeleteRepositoryPolicy",
+        "ecr:GetRepositoryPolicy"
+      ]
+      principals = [
+        {
+          type        = "service"
+          identifiers = ["lambda.amazonaws.com"]
+        }
+      ]
+      conditions = [
+        {
+          test     = "StringLike"
+          variable = "aws:sourceArn"
+          values   = ["arn:aws:lambda:${data.aws_region.current.name}:${local.environment_management.account_ids["analytical-platform-data-production"]}:function:analytical-platform-jml-report"]
+        }
+      ]
+    }
+  }
 
   create_lifecycle_policy = false