# Policies Roles Lab

### Introduction

In this lesson, we'll ask you to move step by step to set up architecture that will allow the EC2 machine to access the ECR resource.  Let's get started.

### Policies Setup

Let's begin by reviewing the broad steps that we'll need.

<img src="./ec2-ecr-permissions.png" width="60%">

So we'll have an ECR repository (this you may have already set up) and we'll need to give our EC2 access to it.  To do so, we'll create an IAM role and wrap it in an IAM profile (the IAM profile is what we'll directly attach to the EC2 instance -- just because).  Then we need to give the IAM role two different policies: 

1. A trust policy -- that allows EC2s the ability to assume the IAM role
2. An identity policy -- that grants authorization to the principal to access ECR services.



### Implementing in Terraform

Ok, so take a look at the `tf/main.tf`  There, you can see code for creating the EC2 machine.  And we already have the ECR repo created, so now we'll need to grant the proper permissions.

What's the first step?  

Creating an IAM role.

So currently the IAM role looks like the following.

```bash
resource "aws_iam_role" "ec2_ecr_role" {
    name = "ec2-ecr-role"

    assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
    ]
  })
}
```

Let's unpack it.  So we create an `aws_iam_role` and call is `ec2_ecr_role` in terraform.  Then we give it a name.  We directly attach the `assume_role_policy`, which should allow ec2 machines to assume the role.  And then we specify the Version of the API we are using, and then have `Statement` equal an empty list.  The statement is where we'll specify the permissions we want to grant.  And we want to give an assume role permission.  

Ok, so statement should be a list of dictionaries, and this is the dictionary we would like to provide.  Paste this in the statement.

```bash
  {
  Action = "" 
  Effect = "" 
  Principal = {}
  Sid = ""
  }
```

Now think about what we want the values to be for `Action`, `Effect`, `Principal`, and `Sid`.

Think. 

* Ok, so Action should equal "sts:AssumeRole".  The `sts` is the security token service -- essentially the role will will need to grant a token allowing the EC2 machine to assume the role.
* Effect should be "Allow".  We only have two different Effects, Allow and Deny.  And here we want to allow the ability to get the token.
* Principal -- This is who we want to grant that assume role ability to.  There are different options -- you can grant the ability to a service, or to a specific aws account.  For example, to grant an aws account the ability to assume a role, it could be `"Principal": {"AWS": "arn:aws:iam::123456789012:user/MyUser"}`.  But in this case we want an entire service the ability to assume this role so we will have the following:

```
  Principal =  {Service = "ec2.amazonaws.com"}
```


Ok, so fill that into terraform and the first step is done.  We have created a role, and directly set the assume role policy to allow EC2 machines to adopt this role.  If you look at the diagram, you can see that the Red `IAM Role` and that the Yellow `Trust Policy` are both complete.

<img src="./ec2-ecr-permissions.png" width="60%">

Next, let's just create that wrapper for the IAM profile -- the `IAM Role`.

```bash
resource "aws_iam_instance_profile" "ec2_profile" {
 name = "ec2-ecr-instance-profile"
 role = aws_iam_role.ec2_ecr_role.name
}
```

So here, we create the terraform resource `aws_iam_instance_profile` and then name the profile.  And we attach the role to the profile, by specifying the name of the role: `role = aws_iam_role.ec2_ecr_role.name`.

And now that we have the profile, we can attach the profile to the EC2 machine.

Go to the aws_instance, and add a field for `iam_instance_profile`, where we'll specify the name of the profile we just created.

```bash
resource "aws_instance" "ec2_instance" {
  ami           = "ami-0d7a109bf30624c99"
  instance_type = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.ec2_iam_profile.name
  ...
```

Ok, once this is complete, let's take another look at our diagram to see what we accomplished and what we have left.

<img src="./ec2-ecr-permissions.png" width="60%">

Ok, so a lot of the steps are now complete. 
1. We created the IAM role with the trust policy allowing EC2 instances to adopt it. 
2. Then we created the IAM profile.  
3. And then we attached the profile to the EC2 instance, who we want to assume the role:  `iam_instance_profile = aws_iam_instance_profile.ec2_profile.name`.

So what's left?  Well we need to create a new role, that will endow our IAM role IAM with some rights -- the right to access our ECR.  Ok, so to accomplish that, we need to attach an ECR access policy to our IAM role.

```python
resource "aws_iam_role_policy_attachment" "ecr_read_only" {
 role = None 
 policy_arn = ""
}
```

To do we can create an `aws_iam_role_policy_attachment`, which does what it sounds like, and then can name it `ecr_read_only`.  And we just spcify the `role` and the `policy_arn`.  

So now fill in the following.

* `policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"` -- this you can find by searching through pre-exising AWS policies.

* And fill in `role = aws_iam_role.ec2_ecr_role.name`.

Ok that will be it.  With that we attach the role to the ECR policy, and we already attached the role to our EC2 instance, and set an assume role policy allowing an EC2 to assume that role.

#### Trying it out

Ok, so now `cd` into the `web_app/tf` folder and then:

* Update the `ec2_instance` `key_name` attribute to align with the keys for one your `.pem` files.
* You may also need to update the `ami`.  We are using yum, so any ami that is a aws linux, or redhat ami should work.

Then run the following.

```bash
terraform init
terraform apply
```

* Ssh into the EC2

Then we want to ssh into the EC2 machine to confirm that we can access our ECR.  So if you look at the output, you'll see an output indicating how to ssh into the machine.  And once you ssh in there, you can confirm that you can access ECR.

```bash
    aws ecr describe-repositories
```

And if you want to try pulling down an image, you can do so by copying the root url from one of the `repositoryUri's` (just the content before the slash), and replace it with what we have listed after `--password-stdin`, also make sure that the `--region` matches your region:

```bash
aws ecr get-login-password --region us-east-1 | sudo docker login --username AWS --password-stdin ******.dkr.ecr.us-east-1.amazonaws.com
```

And then, now that you are logged in, use the full repository uri to run the following.
```
sudo docker pull ********.dkr.ecr.us-east-1.amazonaws.com/flask_app:latest
```

### Summary

Ok, so in this lab we moved through the steps of granting creating a role to give our EC2 machine the ability to access our ECR repository.

<img src="./ec2-ecr-permissions.png" width="60%">

Doing so involved, creating a role, and specifying the `assume_role_policy` which specifies the secure token service can grant an access token to the EC2 machine.

```bash
resource "aws_iam_role" "ec2_ecr_role" {
    name = "ec2-ecr-allow"

    assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
      Action = "sts:AssumeRole" #right here
      Effect = "Allow" # and here 
      Principal = {
      Service = "ec2.amazonaws.com" # and here
      }
      Sid = ""
      },
    ]
  })
```

And then we created a profile, and attached the profile to our specific EC2 machine.

```bash
resource "aws_instance" "ec2_instance" {
  ami           = "ami-0d7a109bf30624c99" # you may need to update this
  instance_type = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.ec2_profile.name
```

And finally, we needed to attach the ECR read policy to that IAM role.

```bash
resource "aws_iam_role_policy_attachment" "ecr_read_only" {
 role = aws_iam_role.ec2_ecr_role.name
 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
```

### Resources

[Repo Policy Examples](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html)