feat(ecr): migrate IAM to infrastructure/aws/iam/ecr module#372

Merged
sebastiancorrea81 merged 7 commits into
mainfrom
feat/ecr-cross-account-iam
May 28, 2026

Conversation

@sebastiancorrea81

Collaborator

Summary

  • Creates new infrastructure/aws/iam/ecr module following the same layer separation as external_dns and agent IAM modules
  • Moves all AWS IAM resources (application role, ECR manager policy, build workflow user/access key) out of nullplatform/asset/ecr/iam.tf into the new IAM module
  • Adds optional cross-account ECR pull support via enable_cross_account_pull + pull_account_ids variables
  • nullplatform/asset/ecr now only manages nullplatform_provider_config and receives IAM values as input variables

Why

IAM resources (AWS layer) were mixed inside a NullPlatform-layer module. This blocked tracking repository_policy_pull_accounts changes because nullplatform_provider_config.ecr requires ignore_changes = [attributes] to prevent drift from agent mutations. By owning IAM in the infrastructure layer, Terraform tracks all AWS permission changes correctly without workarounds.

Migration notes

Existing deployments require tofu state mv for the 6 IAM resources before applying:

tofu state mv module.nullplatform_asset_repository.aws_iam_role.nullplatform_application_role               module.ecr_iam.aws_iam_role.nullplatform_application_role
tofu state mv module.nullplatform_asset_repository.aws_iam_policy.nullplatform_ecr_manager_policy          module.ecr_iam.aws_iam_policy.nullplatform_ecr_manager_policy
tofu state mv module.nullplatform_asset_repository.aws_iam_user.nullplatform_build_workflow_user            module.ecr_iam.aws_iam_user.nullplatform_build_workflow_user
tofu state mv module.nullplatform_asset_repository.aws_iam_access_key.nullplatform_build_workflow_user_key  module.ecr_iam.aws_iam_access_key.nullplatform_build_workflow_user_key
tofu state mv module.nullplatform_asset_repository.aws_iam_role_policy_attachment.ecr_manager_policy        module.ecr_iam.aws_iam_role_policy_attachment.ecr_manager_policy
tofu state mv module.nullplatform_asset_repository.aws_iam_user_policy_attachment.ecr_manager_policy_user   module.ecr_iam.aws_iam_user_policy_attachment.ecr_manager_policy_user

Test plan

  • tofu plan shows 0 destroy after state mv
  • tofu apply creates only new cross-account IAM resources
  • Second tofu plan shows no drift on nullplatform_provider_config.ecr

🤖 Generated with Claude Code
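The enable_cross_account_pull / pull_account_ids gating described in the Summary and in the commit list ("Gate all IAM resources behind enable_cross_account_pull with count"), as an added illustrative sketch rather than the repository's own infrastructure/aws/iam/ecr code. The resource names, the role name, the pull-only action set and the precondition are assumptions; it assumes the role is created in the registry account and assumed from the accounts listed in pull_account_ids, so no ECR repository policy is involved. ecr:GetAuthorizationToken does not support resource-level scoping, which is why that statement alone uses "*".

```hcl
variable "cluster_name" { type = string }
variable "enable_cross_account_pull" {
  type    = bool
  default = false
}
variable "pull_account_ids" {
  type    = list(string)
  default = []
  validation {
    condition     = alltrue([for id in var.pull_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Every entry in pull_account_ids must be a 12-digit AWS account ID."
  }
}
# Created only when the feature is enabled; trusts exactly the listed accounts.
resource "aws_iam_role" "cross_account_pull" {
  count = var.enable_cross_account_pull ? 1 : 0
  name  = "nullplatform-${var.cluster_name}-ecr-cross-account-pull"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = [for id in var.pull_account_ids : "arn:aws:iam::${id}:root"] }
    }]
  })
  lifecycle {
    precondition {
      # AWS rejects a trust policy with no principals; fail at plan time instead.
      condition     = length(var.pull_account_ids) > 0
      error_message = "enable_cross_account_pull = true requires at least one pull_account_ids entry."
    }
  }
}
# Pull-only permissions; push rights stay with the build workflow user's group.
resource "aws_iam_role_policy" "cross_account_pull" {
  count = var.enable_cross_account_pull ? 1 : 0
  name  = "ecr-pull"
  role  = aws_iam_role.cross_account_pull[0].id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = "ecr:GetAuthorizationToken", Resource = "*" },
      {
        Effect   = "Allow"
        Action   = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
        Resource = "arn:aws:ecr:*:*:repository/*" # narrow to the cluster's repository ARNs where known
      },
    ]
  })
}
```

With the flag left at its default of false the plan creates nothing, and a populated pull_account_ids is then silently ignored, so that combination is worth flagging in review. Because every resource is count-gated, callers reference them as cross_account_pull[0], matching the addresses used in the state mv commands above.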

sebas_correa and others added 5 commits May 27, 2026 17:21
Cross-account ECR pull is now managed as a first-class IAM role in
infrastructure/aws/iam/ecr, following the same pattern as external_dns
and agent IAM modules. This decouples AWS permission management from
nullplatform_provider_config.ecr, avoiding the ignore_changes drift issue.

The nullplatform/asset/ecr module no longer embeds repository policies
in provider config attributes — enable_cross_account_pull and
repository_policy_pull_accounts variables are removed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove unused aws_caller_identity data source from nullplatform/asset/ecr
- Delete empty locals.tf from nullplatform/asset/ecr
- Add enable_cross_account_pull bool (default false) to infrastructure/aws/iam/ecr
- Make pull_account_ids optional (default [])
- Gate all IAM resources behind enable_cross_account_pull with count

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… is enabled

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move all IAM resources (application role, ECR manager policy, build
workflow user and access key) from nullplatform/asset/ecr/iam.tf to
infrastructure/aws/iam/ecr, following the same layer separation as
external_dns and agent modules.

nullplatform/asset/ecr now receives IAM values as input variables and
only manages the nullplatform_provider_config resource.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Comment thread infrastructure/aws/iam/ecr/main.tf Fixed
Replaces aws_iam_user_policy_attachment with an IAM group + group policy
attachment + user group membership, satisfying Trivy AWS-0143.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Comment on lines +60 to +62
resource "aws_iam_group" "nullplatform_ecr_managers" {
  name = "nullplatform-${var.cluster_name}-ecr-managers"
}

Collaborator Author


Won't fix / acknowledged. This group is exclusively for a CI/CD build workflow user that authenticates via programmatic access keys (no console login). MFA enforcement at the group level would require the access key to call sts:GetSessionToken with an MFA token on every CI run, which is not compatible with standard CI/CD pipelines. The attack surface is already minimized: the user has a scoped policy limited to ECR operations only.

@sebastiancorrea81 sebastiancorrea81 merged commit faa35b8 into main May 28, 2026
44 checks passed
@sebastiancorrea81 sebastiancorrea81 deleted the feat/ecr-cross-account-iam branch May 28, 2026 14:43
3 participants