# Roles and Policies with ECR and Terraform

### Introduction

In the last lesson, we used terraform to explore roles and policies.  As we saw, we can think of an IAM role as a keycard that gives us the ability to act on resources.  And for the keycard to grant that access, we need to attach one or more policies to that role, that give various permissions to a resource (like pulling an image from an ECR repo).  And then we can attach the IAM role to a separate resource (like an EC2), to allow the resource to have those permissions.

We can see this in the diagram below.  It shows us creating an IAM role that (1) allows EC2 machines to assume that role, and (2) has a policy giving the role ECR access.  We then attached the IAM profile to an EC2 machine.

<img src="./ec2-ecr-permissions.png" width="60%">

### More Reviewing

In this reading, we'll use terraform to explore policies, roles and resources more deeply.  But before we do, let's start by reviewing the terraform file.  Take a look at the `tf/main.tf`  There, you can see code for creating the EC2 machine, and then further down creating: 

* The role and the Assume Role Policy (that allows EC2 machines to assume the role)
* And the instance profile, which is a container for the role, that we'll directly attach the profile to the EC2 resource

```bash
resource "aws_iam_role" "ec2_ecr_role" {
    name = "ec2-ecr-role"

    assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
      Service = "ec2.amazonaws.com"
      }
      Sid = ""
      },
    ]
  })
}

resource "aws_iam_instance_profile" "ec2_profile" {
 name = "ec2-ecr-instance-profile"
 role = aws_iam_role.ec2_ecr_role.name
}

resource "aws_instance" "ec2_instance" {
  ami           = "ami-0d7a109bf30624c99"
  instance_type = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.ec2_iam_profile.name
  ...
```

And then we attach a policy to that role.

```python
resource "aws_iam_role_policy_attachment" "ecr_read_only" {
 role = aws_iam_role.ec2_ecr_role.name
 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
```

### Deeper with Policies

Ok, so in those last lines of terraform code, we give our `ec2_ecr_role` permisssions by attaching a pre-existing policy in AWS.  And remember that we can find that policy simply by pasting the arn string directly into the search box in AWS.

And there we'll see that the policy itself has the following statement:

<img src="./json-doc.png" width="60%">

You can see how the policy document works.  We specify the `Version` (that's the aws api verion), and a list of statements.  Here, we only have one statement, and it has an `Effect` of `Allow`, to then allow the below Actions.  The option would be to specify `Deny` to deny the ability to perform certain actions.  And then for resource, the `*` specifies allowing those permissions on any ECR image.

#### Trying it out

Ok, so now `cd` into the `web_app/tf` folder and then:

* Update the `ec2_instance` `key_name` attribute to align with the keys for one your `.pem` files.
* You may also need to update the `ami`.  We are using yum, so any ami that is a aws linux, or redhat ami should work.

Then run the following.

```bash
terraform init
terraform apply
```

If you look at the output, you'll see an output indicating how to ssh into the machine.  The you can confirm that you can access ECR.
    
```bash
    aws ecr describe-repositories
```

And if you want to try pulling down an image, you can do so by copying the root url from one of the `repositoryUri's` (just the content before the slash), and replace it with what we have listed after `--password-stdin`, also make sure that the `--region` matches your region:

```bash
aws ecr get-login-password --region us-east-1 | sudo docker login --username AWS --password-stdin 086729879076.dkr.ecr.us-east-1.amazonaws.com
```

And then, now that you are logged in, use the full repository uri to run the following.
```
sudo docker pull 086729879076.dkr.ecr.us-east-1.amazonaws.com/flask_app:latest
```

* Creating our own policy

Ok, so above we are using a pre-existing IAM policy, the `arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly` policy defined by AWS.  But we can also create our own policy.

You'll see at the bottom of the `web_app/tf/main.tf` file, we have defined the following.

```bash
resource "aws_iam_policy" "ecr_custom_read_only" {
  name        = "ecr_custom_read_only"
  description = "Policy that allows ECR pull images"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
         "ecr:BatchCheckLayerAvailability", 
         "ecr:GetDownloadUrlForLayer"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
```

So above, we are creating an ECR policy, and that policy only for the actions that allows for downloading an image from ECR, but nothing else.  For example, notice that we cannot list or describe the ECR images with the above.  

Let's make it even more restrictive than then one above.  Instead of `Resource = "*"`, choose `Resource = ["arn"]`, and instead of "arn" input the arn of one of your ecr images.

Next, let's remove the policy attachmment or `ecr_read_only` (just comment it out), and create a new policy attachment of the following:

```bash
# resource "aws_iam_role_policy_attachment" "ecr_read_only" {
#  role = aws_iam_role.ec2_ecr_role.name
#  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
# }

resource "aws_iam_role_policy_attachment" "example_attach" {
  role       = aws_iam_role.ec2_ecr_role.name
  policy_arn = aws_iam_policy.ecr_custom_read_only.arn
}
```

* So notice that above, we define the attachment using the exact same fields as before -- the role we want to attach the policy to, and the policy arn.  And we get that policy arn by just calling `.arn`.

Then apply the changes:

```bash
terraform apply
```

And ssh into your ec2 machine, and check the following:

1. Confirm that you can no longer describe the ecr repositories
    * `aws ecr describe-repositories`

<img src="./access-denied.png" width="60%">

2. Confirm that **you can** pull down the image that you granted permission for
    * But **cannot** pull down any others
    * To do so, replace `your-region` with your region, and also place in the information for your account after `--password-stdin`.

```bash
aws ecr get-login-password --region your-region | sudo docker login --username AWS --password-stdin your-aws-account-id.dkr.ecr.your-region.amazonaws.com

sudo docker pull 086729879076.dkr.ecr.us-east-1.amazonaws.com/flask_app:latest
```

* A quick review

Ok, so just to review we saw that we attach a role to a resource (like an EC2 machine), and to a role, we attach one or more policies.  And each one of those policies has one or more *actions* which are typically permissions that specify what actions we can perform on that resource.

### Adding Resource Permissions

Now so far we have seen two types of policies.

* We have primarily worked with one type of policy, **identity** policies, which attach to our IAM role.  We have seen that the identity policy is used to attach permissions to a role, and that the role acts like a keycard we can give to resources.

* We also saw the **assume role policy**, which allows our ec2 machine to machine to assume the role (ie hold onto the keycard).  

```bash
resource "aws_iam_role" "ec2_ecr_role" {
    name = "ec2-ecr-allow"

    assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
      Service = "ec2.amazonaws.com"
      }
      ...
```

Now the last policy to learn about is a **resource policy**.

A resource policy operates slightly differently than an identity policy.  If an IAM policy  acts like a keycard, granting access to whoever holds the keycard, then a resource policy is like a bouncer, standing in front of our ECR (or another) resource, saying who can enter.

So the resource policy is attached directly to the resource, instead of being attached to the role.

We can see this by looking at the `aws_ecr_repository_policy` defined in the `tf-resource/resource_ec2.tf` file.  There we'll see the following:

```bash
resource "aws_ecr_repository_policy" "ec2_access" {
  repository = "app-repo"

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid    = "AllowEC2RoleAccess",
        Effect = "Allow",
        Principal = {
          AWS = aws_iam_role.ec2_resource_access_role.arn
        },
        Action = [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "ecr:BatchCheckLayerAvailability"
        ]
      }
    ]
  })
}
```

Look at the second line of the statement above:
    
```bash
repository = "app-repo"
```

    
So you can see that the resource policy attaches directly to the repository named `app-repo` -- it does not attach to an IAM role.

### Applying our changes

So now navigate to the `tf-resource` folder, and the `resource_ec2.tf` file.  There you'll see we have defined an iam_role up top, followed by an instance profile that we'll attach to an ec2 machine, and then comes the `ecr_repository_policy`.  Update the `repository=app-repo`, to match one of your repositories.  

You can find it by navigating to `Amazon ECR > Private Registry > Repositiories`.

<img src="./existing-repos.png" width="60%">

So we'll specify that we want to give access to this repository, and then later down we specify the principal indicating who gets access to this repository.
```bash
Principal = {
          AWS = aws_iam_role.ec2_resource_access_role.arn
        }
```

> So again, you can think of this being like a bouncer who now has certain resources on it's list it will allow in. 

And then later on you can see that we attached that role above to an EC2 instance.

```bash
resource "aws_instance" "ec2_resource" {
  ami           = "ami-0d7a109bf30624c99"
  instance_type = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.ec2_resource_profile.name
```

For the `aws_instance`, you'll need to update the `key_name` property, and potentially the `iam` property.

Ok, so with those changes let's apply this code.

```bash
terraform init
terraform apply
```

1. Checking the resource ec2

So, now if you look at what we outputted to the terminal, you should see the instructions to ssh into the ec2 resource.

So confirm that you can list the images with the following.

> * `aws ecr list-images --repository-name=app-repo`

But if we try the following:

> ```bash
aws ecr get-login-password --region us-east-1 | sudo docker login --username AWS --password-stdin 086729879076.dkr.ecr.us-east-1.amazonaws.com
```

You may get an error.  Unfortunately, AWS does not allow granting `ecr:GetAuthorizationToken` from a resource policy.  We'll have to use an IAM policy to get the authorization token.

> You don't have to memorize this -- it's just to point out some of the fun things that can go wrong.

Ok, so remember, so far we grant this permissions directly on the resource -- as opposed to the IAM.  

You can see this, by going to the relevant repository (for me, it's `app-repo`), and then clicking on `Repo-Name > Permissions`.

<img src="./app-repo-permissions.png" width="60%">

So above, you can see that the resource gives allow access to those with `ec2-access-role` various actions, like Describe Repository.

2. Adding an Identity Policy

So what if we add on another machine that does not have access through the resource policy, but through our good old identity policy.  How does a resource policy interact with that?

So go to the `tf-resource/iam_ec2.tf` file.  You'll see that part of it is commented out, so make sure the entire file is uncommented.

Then in the ec2 instance, update the `key_name` attribute and potentially the `iam` value.  Then run the following:

```bash
terraform apply
```

And ssh into the ec2 machine.

Ok, so the iam policy defined for the ec2 that we just created grants a generic `AmazonEC2ContainerRegistryReadOnly` policy.  Now that we have a resource policy on our repository, does the identity policy still work?

So you'll see instructions how to ssh into this machine:

```
ssh with into ec2_iam with the following
```

So ssh into the machine, and then try to access the repository.

```bash
aws ecr get-login-password --region us-east-1 | sudo docker login --username AWS --password-stdin 086729879076.dkr.ecr.us-east-1.amazonaws.com

sudo docker pull 086729879076.dkr.ecr.us-east-1.amazonaws.com/flask_app:latest
```

This works.

```bash
aws ecr list-images --repository-name=app-repo
```

This also works.


OK, so we just learned that, even though we have granted permissions to a role through the resource policy, we can also grant permissions to another role through the identity policy.  

* Clean up 

Run `terraform destroy` to remove your resources.

### Summary

Ok, so in this lesson, we reviewed identity policies.  And then defined our own identity policy.

```bash
resource "aws_iam_policy" "ecr_custom_read_only" {
  name        = "ecr_custom_read_only"
  description = "Policy that allows ECR pull images"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
         "ecr:BatchCheckLayerAvailability", 
         "ecr:GetDownloadUrlForLayer"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
```

We also saw that, if we attach an identity policy to a role, that with a resource policy, we can attach it directly to a resource.

```bash
resource "aws_ecr_repository_policy" "ec2_access" {
  repository = "app-repo"

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid    = "AllowEC2RoleAccess",
        Effect = "Allow",
        Principal = {
          AWS = aws_iam_role.ec2_resource_access_role.arn
        },
        Action = [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "ecr:BatchCheckLayerAvailability"
        ]
      }
    ]
  })
}
```

So above, the resource is granting permissions to the specified role to perform the above actions on the resource.  And we can see this by navigating to the resource, and clicking on permissions.

<img src="./app-repo-permissions.png" width="60%">

Finally, we saw granting allow access to a role through a resource policy, does not remove our access through an identity policy.

### Resources

[Repo Policy Examples](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html)