ECR: add repository permission/policy

[maust]

Is your feature request related to a problem?
Each of our environments are separated into AWS accounts, as part of the staging process we copy the needed docker images from the development account into the production account. Therefore we currently add a read permission on the ECR repository in the development account to the production AWS account.

Currently this is done using terraform, but we would like to remove the ECR repositories in terraform and use the ECR controller, example:

resource "aws_ecr_repository_policy" "policy" {
  repository = "REPOSITORY_NAME"
  policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_ACCOUNT_PRODUCTION:root"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:ListImages"
      ]
    }
  ]
}
EOF
}

Describe the solution you'd like
Allow managing ECR repository policies/permission. In our case the policy is always the same for all ECR repositories (e.g. could be stored as configmap).

Describe alternatives you've considered
As a workaround we will just use a cron job adding the policy for all our ECR repositories.

[jaypipes]

Sorry for the delayed response on this @maust! So, what you are describing is not actually something that the ECR ACK service controller handles. The above is describing an IAM Policy resource, not an ECR Repository.

We have a separate issue that discusses a requested IAM ACK service controller, and one of the resources that would be supported in that ACK service controller would be an IAM Policy.

I'm going to close this issue out since it's a duplicate of #222. Please let me know if you have any further questions, and I encourage you to comment on issue #222 with details of your needs.

[jackivanov]

@jaypipes Can you elaborate on why this is an IAM ACK task, please? Per the docs it's an ECR feature, and the ECR API has SetRepositoryPolicy action. It doesn't look like it needs to be separated from the ECR ACK from my perspective

[jaypipes]

@jackivanov you're absolutely correct. I was mistaken and did not realize there was an ECR repository-specific Policy attribute. Apologies!

[jaypipes]

@a-hilaly do you think we can add support for updating an ECR Repository's Policy to the custom update code?

[a-hilaly]

@a-hilaly do you think we can add support for updating an ECR Repository's Policy to the custom update code?

I just checked the SetRepositoryPolicy API Call. That is definitely possible. Working on it ASAP