# Roles and Policies with ECR and Terraform

### Introduction

In the last lesson, we saw how we can create an ECR repository and then access an image in ECR from our EC2 instance.  In this lesson, we'll see how we can perform these steps with terraform.  Let's get started.

### Creating our Resources

We can get started by writing the code for our EC2 and ECR resources.  We've seen the EC2 resource before.  And with the addition of some security groups to grant ssh and http access, it looks like the following.

```bash
resource "aws_instance" "example" {
 ami = "ami-123456" # Replace with your AMI
 instance_type = "t2.micro"
}
```

And we can create an ECR repository with the following:

```bash
resource "aws_ecr_repository" "my_ecr_repository" {
  name = "flask-web-app"
}
```

### Defining roles and policies

Ok, so next we'll need to define roles and policies that allow an EC2 machine to access our ECR.  Let's move through this.

1. Defining our Role

* The role in terraform is referred to as an iam role -- an identity and access management role.  You can think of a role like a **keycard** that allows access to different kinds of resources (eg. like an ECR repository), and actions that can be performed on that reosurce.  In AWS these statements of permission are called **policies**.

Ok, let's create a role.

```bash
resource "aws_iam_role" "ec2_ecr_role" {
    name = "ec2-ecr-role"

}
```

Ok, that's our keycard above, but right now it doesn't have any policies associated with it, and so cannot really do anything.  There are two different kinds of policies that we'll work with in this lesson.

1. A trust policy
    * The trust policy specifies what kind of resource can get this iam role.  That is, who gets to hold onto the keycard.  In this case we'll want our EC2 machine to hold onto the keycard.
2. Identity Policy
    * This specifies what access is granted to a resource -- ie what actions can be performed on what resource.

#### The Trust Policy

Ok, so when we create a role, we normally also specify the trust policy.  So let's update that role from above to look like the following.

```bash
resource "aws_iam_role" "ec2_ecr_role" {
  name = "ec2-ecr-role"

  assume_role_policy = jsonencode({
  Version = "2012-10-17"
  Statement = [
    {
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {Service = "ec2.amazonaws.com"}
      Sid = ""
    },
    ]
  })
}
```

> So you can see that when defining the role we are adding a statement that lays out the policy. So the principal is who will be allowed to act -- here an ec2 machine -- and the action is what they will be allowed to do, Assume the Role of this IAM role.  The Sid is the statement id, and we could assign one for reference/descriptive purposes, but here we just leave it blank.  

### The Identity policy

Ok, so we just specified the trust policy, saying who gets access to this keycard.  Next up is to specify the resource policy, where we say what they can do with the keycard.

* Attaching an identity policy

```bash
resource "aws_iam_role_policy_attachment" "ecr_read_only" {
 role = aws_iam_role.ec2_ecr_role.name
 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
```

So the above, uses an already specified policy, that has various permissions, and then attaches this policy to our `aws_iam_role`.

We are using a prebuilt policy, and specifying the arn -- that is the Amazon Resource Number, as a way to identify the policy.  If you want, you can just copy and paste that arn string directly into the search box in AWS.

<img src="./arn-number.png" width="70%">

And from there, you can click teh `AmazonEC2ContainerRegistryReadOnly` link.  There, you'll see that the policy itself defines the following statement:

<img src="./json-doc.png" width="60%">

Ok, so you can see something similar.  We are defining a set of actions that can be performed.  And at the bottom, the `Resource: "*"` means that this applies to any ECR resource.

So above, when specified the following:

```bash
resource "aws_iam_role_policy_attachment" "ecr_read_only" {
 role = aws_iam_role.ec2_ecr_role.name
 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
```

We are attaching these permissions to our role, and we already said that EC2 instances can assume the role.

### Attaching the role

The last step is to attach the role to a specific EC2 instance.  We may think we can directly attach the role to the EC2 machine, but instead we need to first create an AWS instance profile.

```bash
resource "aws_iam_instance_profile" "ec2_profile" {
 name = "ec2-ecr-instance-profile"
 role = aws_iam_role.ec2_ecr_role.name
}
```

An AWS instance profile, is just a wrapper around the role.  It's kind of pointless, from our perspective.  We just need to wrap the role in the profile, and then we'll attach the profile to the EC2 instance.  

Let's attach the profile now.

```bash
resource "aws_instance" "example" {
 ami = "ami-123456" # Replace with your AMI
 instance_type = "t2.micro"
 iam_instance_profile = aws_iam_instance_profile.ec2_profile.name
}
```

Ok, so that's it.  We just gave our AWS EC2 instance, the ability to pull down our images from our ECR resource.

### Trying it out

Alright now we should be able to try out our policies.  Run 

* terraform apply
* then ssh into the ec2 machine
* Confirm you can login the Docker client (with the ECR repository from the last lab)

If you can perform those steps, then we know that you have access to the ECR repository.

### A Visual Summary

Ok, so there were a few steps there, and perhaps a diagram can help.

<img src="./ec2-ecr-permissions.png" width="60%">

As you can see above, we create an IAM role, and attach two policies: 
    
1. IAM Policy - EC2ContainerRegistryPolicy that grants the role access to the ECR resources
2. Trust Policy - This allows EC2s to assume this role

The trust policy is directly specified on the role, but the IAM Policy had to be attached to our role.

```bash
resource "aws_iam_role_policy_attachment" "ecr_read_only" {
 role = aws_iam_role.ec2_ecr_role.name
 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
```

Then, we needed to create a profile that wraps around our IAM role, and we directly associate that profile on our EC2 instance.