From 803705bb4fa54ab40f991c193abfc03c5661e6da Mon Sep 17 00:00:00 2001
From: Erik Heeren
Date: Fri, 7 Nov 2025 11:21:14 +0100
Subject: [PATCH] IAM user with permissions to download launch system containers
---
 main.tf | 6 +++
 outputs.tf | 10 +++++
 private-ecr-download-credentials/main.tf | 42 +++++++++++++++++++
 private-ecr-download-credentials/outputs.tf | 11 +++++
 private-ecr-download-credentials/variables.tf | 4 ++
 5 files changed, 73 insertions(+)
 create mode 100644 private-ecr-download-credentials/main.tf
 create mode 100644 private-ecr-download-credentials/outputs.tf
 create mode 100644 private-ecr-download-credentials/variables.tf
diff --git a/main.tf b/main.tf
index 3e469b8..a8769f9 100644
--- a/main.tf
+++ b/main.tf
@@ -389,6 +389,12 @@ module "private_ecr_github_actions_upload_credentials_launch_system_family" {
 github_repository_name = "launch-system" # it is in the same repo as launch-system, this is not a typo
 }
 
+module "private_ecr_download_credentials_launch_system_family" {
+ source = "./private-ecr-download-credentials"
+
+ ecr_repository_name = "launch-system*"
+}
+
 module "auth_manager" {
 source = "./private-ecr-repo"
 
diff --git a/outputs.tf b/outputs.tf
index ee2ab84..7ff3cbf 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -148,3 +148,13 @@ output "private_ecr_github_actions_upload_credentials_obi_auth_manager_secret_ac
 value = module.private_ecr_github_actions_upload_credentials_auth_manager.privateecr_upload_secret_access_key
 sensitive = true
 }
+
+output "private_ecr_download_credentials_launch_family_access_key_id" {
+ value = module.private_ecr_download_credentials_launch_system_family.access_key_id
+ sensitive = true
+}
+
+output "private_ecr_download_credentials_launch_family_secret_access_key" {
+ value = module.private_ecr_download_credentials_launch_system_family.secret_access_key
+ sensitive = true
+}
diff --git a/private-ecr-download-credentials/main.tf b/private-ecr-download-credentials/main.tf
new file mode 100644
index 0000000..0f12260
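Review bot: The argument `ecr_repository_name = "launch-system*"` in the new module block passes a wildcard pattern rather than a repository name, which widens the pull permission to every repository in the account whose name starts with launch-system, and nothing at the call site records that this is intended. The module's own variable is described only as "Name of the ECR repository", so the wildcard contract is invisible to the next reader; a trailing comment would fix that, e.g. `ecr_repository_name = "launch-system*" # trailing "*" matches every repository of the launch-system family; the module strips it when naming the IAM user`. The surrounding module "auth_manager" block continues outside the hunk.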
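Review bot: The two new output names use `launch_family` while the module instance they read, and the upload-credentials module instances in main.tf, use `launch_system_family`; renaming them to `private_ecr_download_credentials_launch_system_family_access_key_id` and `private_ecr_download_credentials_launch_system_family_secret_access_key` keeps root outputs aligned with the module instance names. Marking both outputs `sensitive = true` hides them from plan and apply output, but, as with the upload secret above them, the secret access key is still written to the state file, so a short comment pointing at where this state is stored and how the key is rotated would help whoever consumes these outputs.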
--- /dev/null
+++ b/private-ecr-download-credentials/main.tf
@@ -0,0 +1,42 @@
+locals {
+ sanitized_repo_name = replace(var.ecr_repository_name, "*", "")
+ iam_user_name = "azure_download_${local.sanitized_repo_name}"
+}
+
+resource "aws_iam_user" "download_user" {
+ name = local.iam_user_name
+}
+
+resource "aws_iam_access_key" "ecr_user_access_key" {
+ user = aws_iam_user.download_user.name
+}
+
+resource "aws_iam_policy" "download_policy" {
+ name = "ecr-download-policy"
+ description = "Policy to allow downloading images from a private ECR"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetAuthorizationToken"
+ ]
+ Resource = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${var.ecr_repository_name}"]
+ }
+ ]
+ })
+}
+
+resource "aws_iam_user_policy_attachment" "azure_download_policy_attachment" {
+ user = aws_iam_user.download_user.name
+ policy_arn = aws_iam_policy.download_policy.arn
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
diff --git a/private-ecr-download-credentials/outputs.tf b/private-ecr-download-credentials/outputs.tf
new file mode 100644
index 0000000..e6971ad
--- /dev/null
+++ b/private-ecr-download-credentials/outputs.tf
@@ -0,0 +1,11 @@
+output "access_key_id" {
+ description = "The access key ID for the IAM user"
+ value = aws_iam_access_key.ecr_user_access_key.id
+ sensitive = true
+}
+
+output "secret_access_key" {
+ description = "The secret access key for the IAM user"
+ value = aws_iam_access_key.ecr_user_access_key.secret
+ sensitive = true
+}
diff --git a/private-ecr-download-credentials/variables.tf b/private-ecr-download-credentials/variables.tf
new file mode 100644
index 0000000..4439c90
--- /dev/null
+++ b/private-ecr-download-credentials/variables.tf
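Review bot: `ecr:GetAuthorizationToken` is listed in the same statement as the repository-scoped Resource ARN, but that action does not support resource-level permissions and is only honoured when granted on `Resource = "*"`, so the login step that obtains a registry token will be denied and the user cannot pull anything despite the otherwise correct layer/image permissions. Splitting the policy into a `*`-scoped statement for the token action and a repository-scoped statement for the three read actions fixes this without widening the image permissions; the rewritten resource is below. Separately, `name = "ecr-download-policy"` is a fixed IAM policy name, and policy names are unique per account, so a second instantiation of this module for another repository family fails at create time; deriving it from `local.sanitized_repo_name`, as the user name already is, avoids that. The consumer-specific `azure_download_` prefix in `local.iam_user_name` and the `azure_download_policy_attachment` resource name sit oddly in an otherwise generic module; either make the prefix a variable or document in a comment why this module is Azure-only.
```hcl
resource "aws_iam_policy" "download_policy" {
  name        = "ecr-download-policy-${local.sanitized_repo_name}"
  description = "Policy to allow downloading images from a private ECR"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # GetAuthorizationToken has no resource-level scope; it must be granted on "*"
        Effect   = "Allow"
        Action   = ["ecr:GetAuthorizationToken"]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "ecr:BatchCheckLayerAvailability"
        ]
        Resource = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${var.ecr_repository_name}"]
      }
    ]
  })
}
# … unchanged: locals, aws_iam_user, aws_iam_access_key, policy attachment, data sources …
```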
@@ -0,0 +1,4 @@
+variable "ecr_repository_name" {
+ description = "Name of the ECR repository"
+ type = string
+}
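Review bot: The description "Name of the ECR repository" does not match how the variable is used: main.tf passes `"launch-system*"`, the module strips the `*` to build the IAM user name and interpolates the raw value into the policy's Resource ARN, so the value is really a name-or-prefix pattern. A description such as `description = "ECR repository name; a trailing \"*\" is accepted and grants pull access to every repository with that prefix"` states the contract. Since there is no input check, a bare `"*"` would produce an IAM user named `azure_download_` with pull access to every repository in the account; a `validation` block that accepts only ECR repository-name characters plus an optional trailing `*` would catch that at plan time.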