Merge pull request #20 from trussworks/lockdown_ecr

Lockdown ECR
trussworks · May 20, 2019 · 6aaa9f3 · 6aaa9f3
2 parents 6d0ca00 + 2dd5f11
commit 6aaa9f3
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -71,6 +71,7 @@ module "app_ecs_service" {
 | container\_health\_check\_port | An additional port on which the container can receive a health check.  Zero means the container port can only receive a health check on the port set by the container_port variable. | string | `"0"` | no |
 | container\_image | The image of the container. | string | `"golang:1.12.5-alpine"` | no |
 | container\_port | The port on which the container will receive traffic. | string | `"80"` | no |
+| ecr\_repo\_arn | The ARN of the ECR repo.  By default, allows all repositories. | string | `"*"` | no |
 | ecs\_cluster\_arn | The ARN of the ECS cluster. | string | n/a | yes |
 | ecs\_instance\_role | The name of the ECS instance role. | string | `""` | no |
 | ecs\_subnet\_ids | Subnet IDs for the ECS tasks. | list | n/a | yes |

diff --git a/main.tf b/main.tf
@@ -253,12 +253,19 @@ data "aws_iam_policy_document" "instance_role_policy_doc" {
   statement {
     actions = [
       "ecr:GetAuthorizationToken",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
       "ecr:BatchCheckLayerAvailability",
       "ecr:GetDownloadUrlForLayer",
       "ecr:BatchGetImage",
     ]
 
-    resources = ["*"]
+    resources = ["${var.ecr_repo_arn}"]
   }
 }
 
@@ -298,12 +305,19 @@ data "aws_iam_policy_document" "task_execution_role_policy_doc" {
   statement {
     actions = [
       "ecr:GetAuthorizationToken",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    actions = [
       "ecr:BatchCheckLayerAvailability",
       "ecr:GetDownloadUrlForLayer",
       "ecr:BatchGetImage",
     ]
 
-    resources = ["*"]
+    resources = ["${var.ecr_repo_arn}"]
   }
 }
 

diff --git a/variables.tf b/variables.tf
@@ -20,6 +20,12 @@ variable "logs_cloudwatch_group" {
   type        = "string"
 }
 
+variable "ecr_repo_arn" {
+  description = "The ARN of the ECR repo.  By default, allows all repositories."
+  type        = "string"
+  default     = "*"
+}
+
 variable "ecs_use_fargate" {
   description = "Whether to use Fargate for the task definition."
   default     = false