CCL-2122: move ecr_prefix to required variable, update examples and readme

README.md

@@ -7,9 +7,10 @@ You may set common options and override them on a per-repository basis with an e
 
 Lambda ARNS must be declared in a separate list that can only be defined at a per-repository level. This adds additional permissions that allow Lambda to access ECR repositories to use as a runtime container.
 
+ecr_prefix must be provided. This is to provide some logical separation of ECR repositories. This should typically be the name of the tenant or team.
+
 ## Expected YAML config with Explanations
 ```
-tenant: <TENANT NAME> #This is used as a prefix for your ECR repo. i.e. <prefix>/<repo name>
 common_options: # These are common options that can be re-used by all of your ECR repositories
   create_lifecycle_policy: true # Defaults to false. If set to true you will need to specify repository_lifecycle_policy - this is done via filepath to a json file
   repository_lifecycle_policy: ./policies/example_common_repo_lifecycle_policy.json
@@ -35,7 +36,10 @@ common_options: # These are common options that can be re-used by all of your EC
       - "ecr:GetRepositoryPolicy"
       - "ecr:ListImages"
       - "ecr:ListTagsForResource"
-      resources: ["*"]
+      principals:
+        wildcard:
+          type: "*"
+          identifiers: ["*"]
       effect: Allow
       conditions:
       - orgMatch:
@@ -87,7 +91,8 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_ecr_config"></a> [ecr\_config](#input\_ecr\_config) | PAth to YAML file that contains ECR repositories | `any` | n/a | yes |
+| <a name="input_ecr_config"></a> [ecr\_config](#input\_ecr\_config) | Path to YAML file that contains ECR repositories | `any` | n/a | yes |
+| <a name="input_ecr_prefix"></a> [ecr\_prefix](#input\_ecr\_prefix) | This is used to provide logical separation of ECR repositories. This will most likely be the name of the tenant or team | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(string)` | `{}` | no |
 
 ## Outputs

example/example-terraform.tf

@@ -1,6 +1,7 @@
 module "ecr_repos" {
   source = "../"
-
+
+  ecr_prefix = "example-tenant"
   ecr_config = yamldecode(file("./example_repos.yaml"))
 
   tags = {

example/example-terragrunt.hcl

@@ -3,7 +3,8 @@ terraform {
 }
 
 inputs = {
-  association_config = yamldecode(file("./example_repos.yaml"))
+  ecr_prefix = "example-tenant"
+  ecr_config = yamldecode(file("./example_repos.yaml"))
 
   tags = {
     cost-centre = "..."

example/example_repos.yaml

@@ -1,4 +1,3 @@
-tenant: <TENANT NAME> #This is used as a prefix for your ECR repo. i.e. <prefix>/<repo name>
 common_options: # These are common options that can be re-used by all of your ECR repositories
   create_lifecycle_policy: true # Defaults to false. If set to true you will need to specify repository_lifecycle_policy - this is done via filepath to a json file
   repository_lifecycle_policy: ./policies/example_common_repo_lifecycle_policy.json
@@ -24,8 +23,10 @@ common_options: # These are common options that can be re-used by all of your EC
       - "ecr:GetRepositoryPolicy"
       - "ecr:ListImages"
       - "ecr:ListTagsForResource"
-      resources: ["*"]
-      effect: Allow
+      principals:
+        wildcard:
+          type: "*"
+          identifiers: ["*"]
       conditions:
       - orgMatch:
         test: "StringLike"

main.tf

@@ -4,7 +4,7 @@ module "ecr" {
 
   for_each = try(var.ecr_config.repo_list, {})
 
-  repository_name = "${var.ecr_config.tenant}/${each.key}"
+  repository_name = "${var.ecr_prefix}/${each.key}"
   repository_type = "private"
 
   create_lifecycle_policy = try(each.value.create_lifecycle_policy, var.ecr_config.common_options.create_lifecycle_policy, false)

variables.tf

@@ -1,6 +1,11 @@
+variable "ecr_prefix" {
+  type        = string
+  description = "This is used to provide logical separation of ECR repositories. This will most likely be the name of the tenant or team"
+}
+
 variable "ecr_config" {
   type        = any
-  description = "PAth to YAML file that contains ECR repositories"
+  description = "Path to YAML file that contains ECR repositories"
 }
 
 variable "tags" {