allow rw to all team repos (#7)

* allow rw to all team repos * fmt * fix source * fmt * feedback mitch * wrong acc * tidy
ministryofjustice · Nov 23, 2018 · 2a7577d · 2a7577d
1 parent aba4213
commit 2a7577d
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 17 deletions.
diff --git a/examples/README.md b/examples/README.md
@@ -10,4 +10,28 @@ The output will be in a kubernetes `Secret`, which includes the values of `acces
 
 In your namespace's path in the [cloud-platform-environments](https://github.com/ministryofjustice/cloud-platform-environments/) repository, create a directory called `resources` (if you have not created one already) and refer to the contents of [main.tf](main.tf) to define the module properties. Make sure to change placeholder values to what is appropriate and refer to the top-level README file in this repository for extra variables that you can use to further customise your resource.
 
-Commit your changes to a branch and raise a pull request. Once approved, you can merge and the changes will be applied. Shortly after, you should be able to access the `Secret` on kubernetes and acccess the resources. You might want to refer to the [documentation on Secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
+Commit your changes to a branch and raise a pull request. Once approved, you can merge and the changes will be applied. Shortly after, you should be able to access the `Secret` on kubernetes and acccess the resources. The generated key allows access to all the Docker repositories tagged with the team's name. You might want to refer to the [documentation on Secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
+
+## From your laptop
+
+Read the AWS key/secret out of your namespace with
+
+```
+kubectl --context=example-team-context --namespace example-app-ns get secret example-team-ecr-credentials-output -o json
+
+```
+
+With the AWS_ env vars exported, the usual ECR command apply, restricted by IAM policy to the namespace matching your Github team's slug:
+
+```
+eval $(aws ecr get-login --no-include-email)
+
+aws ecr describe-repositories
+
+docker tag <localimage> <accountid>.dkr.ecr.eu-west-1.amazonaws.com/example-team/example-repo:nginx
+
+docker push <accountid>.dkr.ecr.eu-west-1.amazonaws.com/example-team/example-repo:nginx
+
+aws ecr batch-delete-image --repository-name example-team/example-repo --image-ids imageTag=nginx
+
+```
diff --git a/examples/main.tf b/examples/main.tf
@@ -13,8 +13,7 @@ provider "aws" {
  *
  */
 module "example_team_ecr_credentials" {
-  source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=1.0"
-
+  source    = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=2.0"
   repo_name = "example-repo"
   team_name = "example-team"
 }

diff --git a/main.tf b/main.tf
@@ -21,31 +21,31 @@ resource "aws_iam_access_key" "key" {
 data "aws_iam_policy_document" "policy" {
   statement {
     actions = [
-      "ecr:CompleteLayerUpload",
-      "ecr:UploadLayerPart",
-      "ecr:InitiateLayerUpload",
-      "ecr:PutImage",
+      "ecr:GetAuthorizationToken",
+      "ecr:DescribeRepositories",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:ListImages",
+      "ecr:DescribeImages",
+      "ecr:BatchGetImage",
     ]
 
     resources = [
-      "${aws_ecr_repository.repo.arn}",
+      "*",
     ]
   }
 
   statement {
     actions = [
-      "ecr:GetAuthorizationToken",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:GetRepositoryPolicy",
-      "ecr:DescribeRepositories",
-      "ecr:ListImages",
-      "ecr:DescribeImages",
-      "ecr:BatchGetImage",
+      "ecr:CompleteLayerUpload",
+      "ecr:BatchDeleteImage",
+      "ecr:UploadLayerPart",
+      "ecr:InitiateLayerUpload",
+      "ecr:PutImage",
     ]
 
     resources = [
-      "*",
+      "arn:aws:ecr:eu-west-1:926803513772:repository/${var.team_name}/*",
     ]
   }
 }