From 6b87bd95d1f121702bec128b1fe5b88f473ebc3f Mon Sep 17 00:00:00 2001
From: Igor
Date: Tue, 8 Aug 2023 15:12:40 +0100
Subject: [PATCH] Allow OIDC users (currently Github Actions and CircleCI) to also list and delete images in permitted ECRs

---
 main.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 85d3924..5b271ae 100644
--- a/main.tf
+++ b/main.tf
@@ -202,6 +202,7 @@ resource "random_id" "oidc" {
 }

 # Base ECR policy for pushing and pulling images, can be used across all OIDC providers
+# Also allows listing existing images and deleting them
 # See: https://github.com/aws-actions/amazon-ecr-login#permissions
 data "aws_iam_policy_document" "base" {
 version = "2012-10-17"
@@ -214,14 +215,17 @@ data "aws_iam_policy_document" "base" {
 }

 statement {
- sid = "AllowPushPull"
+ sid = "AllowPushPullListDelete"
 effect = "Allow"
 actions = [
 "ecr:BatchGetImage",
 "ecr:BatchCheckLayerAvailability",
+ "ecr:BatchDeleteImage",
 "ecr:CompleteLayerUpload",
+ "ecr:DescribeImages",
 "ecr:GetDownloadUrlForLayer",
 "ecr:InitiateLayerUpload",
+ "ecr:ListImages",
 "ecr:PutImage",
 "ecr:UploadLayerPart"
 ]
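Review bot: The enlarged `AllowPushPullListDelete` statement in the second hunk grants `ecr:BatchDeleteImage` to every principal that consumes the shared `base` policy document, so a leaked or hijacked CI OIDC token can now remove published images, and because it sits next to `ecr:PutImage` in the same statement it also permits delete-then-re-push under an existing tag, which nullifies `IMMUTABLE` tag mutability as a supply-chain control. The statement's `resources` are outside this hunk, so confirm they are repository ARNs rather than `"*"`, and consider moving the destructive action into its own statement (sketched below) so it can be scoped more narrowly or omitted for providers that only need push/pull. The comment added in the first hunk could also state the blast radius, e.g. `# Also allows listing existing images and deleting them; deletion is destructive, keep resources repository-scoped`. It would be worth alerting on `BatchDeleteImage` CloudTrail events from these roles, since deletion is not part of a normal build-and-push run.
```hcl
  statement {
    sid    = "AllowPushPull"
    effect = "Allow"
    actions = [
      # … unchanged: existing push/pull actions …
    ]
    # … unchanged: resources …
  }

  # Kept separate so the destructive permission can be scoped or dropped per provider
  statement {
    sid    = "AllowListDelete"
    effect = "Allow"
    actions = [
      "ecr:BatchDeleteImage",
      "ecr:DescribeImages",
      "ecr:ListImages"
    ]
    # … unchanged: resources (same repository ARNs as above, not "*") …
  }
```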