feat: repository_lambda_read_access added

README.md

@@ -234,7 +234,8 @@ No modules.
 | <a name="input_repository_image_scan_on_push"></a> [repository\_image\_scan\_on\_push](#input\_repository\_image\_scan\_on\_push) | Indicates whether images are scanned after being pushed to the repository (`true`) or not scanned (`false`) | `bool` | `true` | no |
 | <a name="input_repository_image_tag_mutability"></a> [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
 | <a name="input_repository_kms_key"></a> [repository\_kms\_key](#input\_repository\_kms\_key) | The ARN of the KMS key to use when encryption\_type is `KMS`. If not specified, uses the default AWS managed key for ECR | `string` | `null` | no |
-| <a name="input_repository_lambda_read_access_arns"></a> [repository\_lambda\_read\_access\_arns](#input\_repository\_lambda\_read\_access\_arns) | The ARNs of the Lambda service roles that have read access to the repository | `list(string)` | `[]` | no |
+| <a name="input_repository_lambda_read_access"></a> [repository\_lambda\_read\_access](#input\_repository\_lambda\_read\_access) | Determines whether the repository policy will allow read access to the repository for all lambda functions in the account | `bool` | `false` | no |
+| <a name="input_repository_lambda_read_access_arns"></a> [repository\_lambda\_read\_access\_arns](#input\_repository\_lambda\_read\_access\_arns) | Deprecated. Use `repository_lambda_read_access` instead | `list(string)` | `[]` | no |
 | <a name="input_repository_lifecycle_policy"></a> [repository\_lifecycle\_policy](#input\_repository\_lifecycle\_policy) | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs | `string` | `""` | no |
 | <a name="input_repository_name"></a> [repository\_name](#input\_repository\_name) | The name of the repository | `string` | `""` | no |
 | <a name="input_repository_policy"></a> [repository\_policy](#input\_repository\_policy) | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no |

main.tf

@@ -64,7 +64,7 @@ data "aws_iam_policy_document" "repository" {
 
 
   dynamic "statement" {
-    for_each = var.repository_type == "private" && length(var.repository_lambda_read_access_arns) > 0 ? [1] : []
+    for_each = var.repository_type == "private" && (var.repository_lambda_read_access || length(var.repository_lambda_read_access_arns) > 0) ? [1] : []
 
     content {
       sid = "PrivateLambdaReadOnly"
@@ -79,13 +79,6 @@ data "aws_iam_policy_document" "repository" {
         "ecr:GetDownloadUrlForLayer",
       ]
 
-      condition {
-        test     = "StringLike"
-        variable = "aws:sourceArn"
-
-        values = var.repository_lambda_read_access_arns
-      }
-
     }
   }
 

variables.tf

@@ -90,10 +90,15 @@ variable "repository_read_access_arns" {
   default     = []
 }
 
+variable "repository_lambda_read_access" {
+  description = "Determines whether the repository policy will allow read access to the repository for all lambda functions in the account"
+  type        = bool
+  default     = false
+}
 variable "repository_lambda_read_access_arns" {
-  description = "The ARNs of the Lambda service roles that have read access to the repository"
-  type        = list(string)
-  default     = []
+  description = "Deprecated. Use `repository_lambda_read_access` instead"
+  type        = []
+  default     = list(string)
 }
 
 variable "repository_read_write_access_arns" {