diff --git a/examples/README.md b/examples/README.md
index b3ec1fe..cb78755 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -10,4 +10,28 @@ The output will be in a kubernetes `Secret`, which includes the values of `acces
 In your namespace's path in the [cloud-platform-environments](https://github.com/ministryofjustice/cloud-platform-environments/) repository, create a directory called `resources` (if you have not created one already) and refer to the contents of [main.tf](main.tf) to define the module properties. Make sure to change placeholder values to what is appropriate and refer to the top-level README file in this repository for extra variables that you can use to further customise your resource.
-Commit your changes to a branch and raise a pull request. Once approved, you can merge and the changes will be applied. Shortly after, you should be able to access the `Secret` on kubernetes and acccess the resources. You might want to refer to the [documentation on Secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
+Commit your changes to a branch and raise a pull request. Once approved, you can merge and the changes will be applied. Shortly after, you should be able to access the `Secret` on kubernetes and acccess the resources. The generated key allows access to all the Docker repositories tagged with the team's name. You might want to refer to the [documentation on Secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
+
+## From your laptop
+
+Read the AWS key/secret out of your namespace with
+
+```
+kubectl --context=example-team-context --namespace example-app-ns get secret example-team-ecr-credentials-output -o json
+
+```
+
+With the AWS_ env vars exported, the usual ECR command apply, restricted by IAM policy to the namespace matching your Github team's slug:
+
+```
+eval $(aws ecr get-login --no-include-email)
+
+aws ecr describe-repositories
+
+docker tag .dkr.ecr.eu-west-1.amazonaws.com/example-team/example-repo:nginx
+
+docker push .dkr.ecr.eu-west-1.amazonaws.com/example-team/example-repo:nginx
+
+aws ecr batch-delete-image --repository-name example-team/example-repo --image-ids imageTag=nginx
+
+```
diff --git a/examples/main.tf b/examples/main.tf
index a290e78..2fe707e 100644
--- a/examples/main.tf
+++ b/examples/main.tf
@@ -13,8 +13,7 @@ provider "aws" {
 * */
 module "example_team_ecr_credentials" {
- source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=1.0"
-
+ source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=2.0"
 repo_name = "example-repo"
 team_name = "example-team"
 }
diff --git a/main.tf b/main.tf
index 6662b9c..20da79e 100644
--- a/main.tf
+++ b/main.tf
@@ -21,31 +21,31 @@ resource "aws_iam_access_key" "key" {
 data "aws_iam_policy_document" "policy" {
 statement {
 actions = [
- "ecr:CompleteLayerUpload",
- "ecr:UploadLayerPart",
- "ecr:InitiateLayerUpload",
- "ecr:PutImage",
+ "ecr:GetAuthorizationToken",
+ "ecr:DescribeRepositories",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:ListImages",
+ "ecr:DescribeImages",
+ "ecr:BatchGetImage",
 ]
 resources = [
- "${aws_ecr_repository.repo.arn}",
+ "*",
 ]
 }
 statement {
 actions = [
- "ecr:GetAuthorizationToken",
- "ecr:BatchCheckLayerAvailability",
- "ecr:GetDownloadUrlForLayer",
- "ecr:GetRepositoryPolicy",
- "ecr:DescribeRepositories",
- "ecr:ListImages",
- "ecr:DescribeImages",
- "ecr:BatchGetImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:BatchDeleteImage",
+ "ecr:UploadLayerPart",
+ "ecr:InitiateLayerUpload",
+ "ecr:PutImage",
 ]
 resources = [
- "*",
+ "arn:aws:ecr:eu-west-1:926803513772:repository/${var.team_name}/*",
 ]
 }
 }
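Review bot: The first statement on the new side grants the pull-side actions (`ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`, `ecr:ListImages`, `ecr:DescribeImages`, `ecr:DescribeRepositories`, `ecr:BatchCheckLayerAvailability`) on `resources = ["*"]`, so the generated access key can read every repository in the account rather than only those under `repository/${var.team_name}/`; only `ecr:GetAuthorizationToken` has to be granted on `*`, because it is not resource-scoped. This is broader than what the README hunk in the same commit states ("restricted by IAM policy to the namespace matching your Github team's slug"), so either the policy or that sentence should change. The account id `926803513772` and region `eu-west-1` are also hardcoded into the second statement's ARN, where `data.aws_caller_identity.current.account_id` and `data.aws_region.current.name` would keep the module portable across accounts. Splitting the read statement as below keeps pull access team-scoped while leaving the push/delete statement as the commit wrote it.
```hcl
data "aws_iam_policy_document" "policy" {
  statement {
    actions = [
      "ecr:GetAuthorizationToken",
    ]
    resources = [
      "*",
    ]
  }

  statement {
    actions = [
      "ecr:DescribeRepositories",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:BatchGetImage",
    ]
    resources = [
      "arn:aws:ecr:eu-west-1:926803513772:repository/${var.team_name}/*",
    ]
  }

  # … unchanged: push/delete statement scoped to the team ARN …
```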