# Custom Policies with ECR and Terraform

### Introduction

In the last couple of lessons, we used terraform to explore roles and policies.  As we saw, we can think of an IAM role as a keycard that gives us the ability to act on resources.  And for the keycard to grant that access, we need to attach one or more policies to that role, that give various permissions to a resource (like pulling an image from an ECR repo).  And then we can attach the IAM role to a separate resource (like an EC2), to allow the resource to have those permissions.

We can see this in the diagram below.  It shows us creating an IAM role that (1) allows EC2 machines to assume that role, and (2) has a policy giving the role ECR access.  We then attached the IAM profile to an EC2 machine.

<img src="./ec2-ecr-permissions.png" width="60%">

### More Reviewing

In this reading, we'll use terraform to explore policies, roles and resources more deeply.  But before we do, let's start by reviewing the terraform file.  Take a look at the `tf/main.tf`  There, you can see code for creating the EC2 machine, and then further down creating: 

* The role and the Assume Role Policy (that allows EC2 machines to assume the role)
* And the instance profile, which is a container for the role, that we'll directly attach the profile to the EC2 resource

```bash
resource "aws_iam_role" "ec2_ecr_role" {
    name = "ec2-ecr-role"

    assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
      Service = "ec2.amazonaws.com"
      }
      Sid = ""
      },
    ]
  })
}

resource "aws_iam_instance_profile" "ec2_profile" {
 name = "ec2-ecr-instance-profile"
 role = aws_iam_role.ec2_ecr_role.name
}

resource "aws_instance" "ec2_instance" {
  ami           = "ami-0d7a109bf30624c99"
  instance_type = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.ec2_iam_profile.name
  ...
```

And then we attach a policy to that role.

```python
resource "aws_iam_role_policy_attachment" "ecr_read_only" {
 role = aws_iam_role.ec2_ecr_role.name
 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
```

### Deeper with Policies

Ok, so in those last lines of terraform code, we give our `ec2_ecr_role` permisssions by attaching a pre-existing policy in AWS.  And remember that we can find that policy simply by pasting the arn string directly into the search box in AWS.

And if you searched in AWS, you can see that the policy itself has the following statement:

<img src="./json-doc.png" width="60%">

You can see how the policy document works.  We specify the `Version` (that's the aws api verion), and a list of statements.  Here, we only have one statement, and it has an `Effect` of `Allow`, to then allow the below Actions.  The option would be to specify `Deny` to deny the ability to perform certain actions.  And then for resource, the `*` specifies allowing those permissions on any ECR image.

* Creating our own policy

Ok, so above we are using a pre-existing IAM policy, the `arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly` policy defined by AWS.  But we can also create our own policy.

You'll see at the bottom of the `web_app/tf/main.tf` file, we have defined the following.

```bash
resource "aws_iam_policy" "ecr_custom_read_only" {
  name        = "ecr_custom_read_only"
  description = "Policy that allows ECR pull images"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
         "ecr:BatchCheckLayerAvailability", 
         "ecr:GetDownloadUrlForLayer"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
```

So above, we are creating an ECR policy, and that policy only for the actions that allows for downloading an image from ECR, but nothing else.  For example, notice that we cannot list or describe the ECR images with the above.  

Let's make it even more restrictive than then one above.  Instead of `Resource = "*"`, choose `Resource = ["arn"]`, and instead of "arn" input the arn of one of your ecr images.

Next, let's remove the policy attachmment or `ecr_read_only` (just comment it out), and create a new policy attachment of the following:

```bash
# resource "aws_iam_role_policy_attachment" "ecr_read_only" {
#  role = aws_iam_role.ec2_ecr_role.name
#  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
# }

resource "aws_iam_role_policy_attachment" "example_attach" {
  role       = aws_iam_role.ec2_ecr_role.name
  policy_arn = aws_iam_policy.ecr_custom_read_only.arn
}
```

* So notice that above, we define the attachment using the exact same fields as before -- the role we want to attach the policy to, and the policy arn.  And we get that policy arn by just calling `.arn`.

Then apply the changes:

```bash
terraform apply
```

And ssh into your ec2 machine, and check the following:

1. Confirm that you can no longer describe the ecr repositories
    * `aws ecr describe-repositories`

<img src="./access-denied.png" width="60%">

2. Confirm that **you can** pull down the image that you granted permission for
    * But **cannot** pull down any others
    * To do so, replace `your-region` with your region, and also place in the information for your account after `--password-stdin`.

```bash
aws ecr get-login-password --region your-region | sudo docker login --username AWS --password-stdin your-aws-account-id.dkr.ecr.your-region.amazonaws.com

sudo docker pull *********.dkr.ecr.us-east-1.amazonaws.com/flask_app:latest
```

* A quick review

Ok, so just to review we saw that we attach a role to a resource (like an EC2 machine), and to a role, we attach one or more policies.  And each one of those policies has one or more *actions* which are typically permissions that specify what actions we can perform on that resource.

### Summary

Ok, so in this lesson, we reviewed identity policies.  And then defined our own identity policy.

```bash
resource "aws_iam_policy" "ecr_custom_read_only" {
  name        = "ecr_custom_read_only"
  description = "Policy that allows ECR pull images"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
         "ecr:BatchCheckLayerAvailability", 
         "ecr:GetDownloadUrlForLayer"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
```

### Resources

[Repo Policy Examples](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html)