Add ECR cross-account access docs (#132)

* Add ECR cross-account access docs

* Add ECR cross-account access docs

README.md

@@ -9,7 +9,9 @@ In this knowledge base you'll find information on how to use your Kubernetes clu
 Each header points to the main README of each platform offering. Within each folder you'll also find documentation on more advanced and/or specific topics.
 
 - AWS
+  - [ECR](aws/ecr.md)
   - [IAM Delegated Access](aws/iam_delegated_access.md)
+  - [RDS](aws/RDS.md)
 - [Backups](backups.md)
 - [Coding Guidelines and Best Practices](coding_guidelines/README.md) - Main coding guidelines we adhere to at Skyscrapers
   - [Concourse](coding_guidelines/concourse.md)

aws/ecr.md

@@ -0,0 +1,55 @@
+# Amazon Elastic Container Registry (ECR)
+
+## Introduction
+
+We usually recommend and setup [ECR](https://aws.amazon.com/ecr/) for our customers.
+
+AWS documentation: <https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html>
+
+## Setup cross-account ECR access
+
+> [!NOTE]
+> Primary audience: Skyscrapers internal
+
+Our blueprints seperate different environments into different AWS accounts (eg. `CustomerStaging`, `CustomerProduction`, `CustomerSharedTooling`, ...). We also recommend to only build a single artifact (container in this case) which is used throughout all environments, meaning ECR repositories are usually hosted in the `CustomerSharedTooling` account.
+
+To provide environment access to these images, we need to setup cross-account access to ECR repositories. On environment account side, our Kubernetes stack codebases already handle the necessary permissions (EKS worker nodes, Flux source controller), but we also need to setup the necessary permissions on the ECR repository side.
+
+This can be done as follows:
+
+```terraform
+data "aws_iam_policy_document" "cross_account" {
+  statement {
+    sid    = "ECRCrossAccountAccess"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = var.cross_account_principal_identifiers
+    }
+
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetRepositoryPolicy",
+      "ecr:DescribeRepositories",
+      "ecr:ListImages",
+      "ecr:DescribeImages",
+      "ecr:BatchGetImage",
+      "ecr:DescribeImageScanFindings"
+    ]
+  }
+}
+
+resource "aws_ecr_repository_policy" "cross_account" {
+  for_each   = aws_ecr_repository.repo
+
+  repository = each.value.name
+  policy     = data.aws_iam_policy_document.cross_account.json
+}
+```
+
+Where `var.cross_account_principal_identifiers` is a list of AWS principal identifiers which should have access to the ECR repositories. Usually this is eg. `arn:aws:iam::123456789012:root` for granting a whole AWS account access, but you can also be more specific like `arn:aws:iam::123456789012:role/development-eks-example-com-workers`.
+
+One caveat is that AWS performs a check whether the target principal exists when deploying the policy, so make sure that those target-side roles are already created before applying this policy Before you save the repository policy, make sure that the role exists in the secondary account. If the role doesn't exist, you'll receive an error similar to `invalid repository policy provided`.

kubernetes/flux.md

@@ -1,5 +1,8 @@
 # Flux
 
+> [!NOTE]
+> Primary audience: Skyscrapers customers, Skyscrapers internal
+
 ## Introduction
 
 [Flux](https://fluxcd.io/) is a way to deploy and maintain your applications and components through [GitOps](https://www.gitops.tech/#what-is-gitops). It is designed to keep your Kubernetes clusters in sync based on the configuration in git and to automate updates to configuration when Flux detects it. This documentation provides guidance on setting up and managing your repository structure using Flux in the cooperation with Skyscrapers.
@@ -22,6 +25,7 @@ In short, this means Flux will pull your changes from Git and keep everything re
     - [Grafana Dashboards](#grafana-dashboards)
       - [Flux Cluster Stats](#flux-cluster-stats)
       - [Flux Control Plane](#flux-control-plane)
+  - [ECR access](#ecr-access)
 
 ## Initial setup
 
@@ -180,3 +184,10 @@ This dashboard provides an overview on the overall status of all objects managed
 This dashboard provides an overview of the Flux system components and their health status.
 
 ![Flux Control Plane](./images/flux_control_plane.png)
+
+## ECR access
+
+> [!NOTE]
+> Primary audience: Skyscrapers internal
+
+If AWS ECR is used as registry, Skyscrapers commonly needs to setup cross-account access to ECR repositories. Instructions can be found in the [AWS ECR documentation](/aws/ecr.md#setup-cross-account-ecr-access).