
New Resource: aws_ecr_repository_policy_statement #985

Closed

Conversation

greenboxal

This resource allows managing ECR policy statements as single resources, so they can be spread across several modules. This is useful because an ECR repository can have only one policy document.

It was implemented in the same way that aws_security_group_rule works: it locks the resource mutex, applies the diff (add, remove or change the statement) to the policy document and then applies the document to the repository.

@greenboxal
Author

@stack72 as discussed in #979, just improved the documentation.

@Ninir
Contributor

Ninir commented Aug 30, 2017

Hi @greenboxal

Sorry for taking this long to get back to you.
I have read the discussion in the other PR, and I am just wondering why not use aws_ecr_repository_policy along with template_file (for reusability)?

Hope I understood the use-case well 😄

Thanks!

@Ninir Ninir added the waiting-response Maintainers are waiting on response from community or contributor. label Aug 30, 2017
@greenboxal
Author

You can only apply one policy per repository. A lot of the time you want to deploy the same application in different infrastructures, using the same repository, maybe for creating a staging -> production pipeline.

Let's say you have a module called my-cool-app, and I want to provision it twice: once for production, once for staging. Still, I want to use the same ECR repository.

If I want to use the same repository, I can't create the repo inside the module, otherwise I would end up with two different repositories. I need to create a policy for each my-cool-app module instance, so its EC2 instances can download the images from the repo.

The first approach that comes to mind is: create one policy for each module instance and attach them to the repo. But then you have an issue here: ECR repos can only have one policy.

This resource solves this, in the same way that the aws_security_group_rule resource solves a related issue with security groups. You can do a kind of "dependency injection".


```go
if policy.Statements == nil {
	policy.Statements = make([]*ecrPolicyStatement, 0)
}
```
Contributor


@greenboxal Do you think you could take some time to create a data source called aws_iam_policy_document which would have a source_policy document, that would allow to merge your policy into the source one?

Your use case seems totally valid and it would be a great addition to have it! 👍
I am just wondering whether we could make this part reusable so that we can handle this case in several situations. What do you think? :)

Contributor


@Ninir this sounds almost exactly like what I did with #2890

@radeksimko radeksimko added the size/XL Managed by automation to categorize the size of a PR. label Nov 15, 2017
@radeksimko radeksimko added the service/ecr Issues and PRs that pertain to the ecr service. label Jan 16, 2018
@radeksimko radeksimko changed the title Add aws_ecr_policy_statement New Resource: aws_ecr_repository_policy_statement Jan 16, 2018
@bflad
Contributor

bflad commented Jan 26, 2018

I believe this will be helped/solved in a more generic sense with #2890

@bflad
Contributor

bflad commented Apr 26, 2018

As noted above, this was solved more generically with the aws_iam_policy_document data source. 👍
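To make concrete both the mechanism the PR description lays out (take the lock, apply an add/remove/change to the policy document, write it back) and the Sid-keyed merging of statements that the thread settles on, here is an added Go example. It is not the PR's code and not the provider's: the type and function names (ecrPolicy, statements, upsertStatement, removeStatement, applyToDocument), the role ARNs and the starting policy are assumptions constructed for the example. It also covers two cases a practitioner hits in practice that the description does not mention: an existing policy whose "Statement" is a single object rather than an array, and a repository that has no policy yet.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"sort"
)

// Illustrative reimplementation of the statement-level merge the PR describes; type and
// function names are assumed, not the provider's own. Fields follow the IAM policy JSON grammar.
type ecrPolicyStatement struct {
	Sid       string      `json:"Sid,omitempty"`
	Effect    string      `json:"Effect"`
	Principal interface{} `json:"Principal,omitempty"`
	Action    interface{} `json:"Action"`
}

type statements []*ecrPolicyStatement

// UnmarshalJSON accepts "Statement" as an array or, as IAM also allows, a single
// object, so a hand-written one-statement policy already on the repo still parses.
func (st *statements) UnmarshalJSON(b []byte) error {
	if s := bytes.TrimSpace(b); len(s) > 0 && s[0] == '{' {
		one := &ecrPolicyStatement{}
		*st = statements{one}
		return json.Unmarshal(s, one)
	}
	return json.Unmarshal(b, (*[]*ecrPolicyStatement)(st))
}

type ecrPolicy struct {
	Version    string     `json:"Version"`
	Statements statements `json:"Statement"`
}

// upsertStatement adds stmt or replaces the statement with the same Sid. The Sid is
// mandatory: it keys the later remove, and without it every re-apply would append a duplicate.
func upsertStatement(p *ecrPolicy, stmt *ecrPolicyStatement) error {
	if stmt.Sid == "" {
		return fmt.Errorf("statement needs a Sid to be managed as its own resource")
	}
	for i, s := range p.Statements {
		if s.Sid == stmt.Sid {
			p.Statements[i] = stmt
			return nil
		}
	}
	p.Statements = append(p.Statements, stmt) // append also handles a nil slice
	return nil
}

// removeStatement drops only the statement carrying sid; Sid-less statements are
// never matched, so statements managed outside this resource survive a destroy.
func removeStatement(p *ecrPolicy, sid string) bool {
	for i, s := range p.Statements {
		if sid != "" && s.Sid == sid {
			p.Statements = append(p.Statements[:i], p.Statements[i+1:]...)
			return true
		}
	}
	return false
}

// applyToDocument is the read-modify-write step: parse the current policy ("" if the repo
// has none), apply change, re-encode sorted by Sid so the document is stable across runs.
// The PR guards this step with a mutex; that is omitted here.
func applyToDocument(doc string, change func(*ecrPolicy) error) (string, error) {
	var p ecrPolicy
	if doc != "" {
		if err := json.Unmarshal([]byte(doc), &p); err != nil {
			return "", fmt.Errorf("parsing repository policy: %w", err)
		}
	}
	if p.Version == "" {
		p.Version = "2012-10-17"
	}
	if err := change(&p); err != nil {
		return "", err
	}
	sort.SliceStable(p.Statements, func(i, j int) bool { return p.Statements[i].Sid < p.Statements[j].Sid })
	out, err := json.Marshal(&p)
	return string(out), err
}

func main() {
	// Constructed sample: the repo already carries a hand-written push statement.
	doc := `{"Version":"2012-10-17","Statement":{"Sid":"CIPush","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111111111111:role/ci"},"Action":"ecr:PutImage"}}`
	var err error
	for _, env := range []string{"staging", "production"} {
		stmt := &ecrPolicyStatement{Sid: env + "Pull", Effect: "Allow",
			Principal: map[string]string{"AWS": "arn:aws:iam::111111111111:role/my-cool-app-" + env},
			Action:    []string{"ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"}}
		if doc, err = applyToDocument(doc, func(p *ecrPolicy) error { return upsertStatement(p, stmt) }); err != nil {
			panic(err)
		}
	}
	fmt.Println(doc)
}
```

Each module instance contributes one statement keyed by its Sid; applying the same statement twice converges rather than duplicating, and destroying one instance removes only its statement. Sorting by Sid before writing keeps the stored document byte-stable, which is what keeps a Terraform plan quiet between runs.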

@bflad bflad closed this Apr 26, 2018
@ghost

ghost commented Apr 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 6, 2020
@breathingdust breathingdust removed the waiting-response Maintainers are waiting on response from community or contributor. label Sep 17, 2021
Labels
new-resource Introduces a new resource. service/ecr Issues and PRs that pertain to the ecr service. size/XL Managed by automation to categorize the size of a PR.