repository_policy_statements use not properly documented/example

[mengesb]

Description

I attempted to use the submodule repository-template with the variable repository_policy_statements, however I was unsuccessful in intrepreting the desired format.

terraform-aws-ecr/modules/repository-template/variables.tf

Lines 127 to 131 in 8105d04

	variable "repository_policy_statements" {
	description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
	type = any
	default = {}
	}

The following would appear to be valid for your object constraints:

var.repository_policy_statements input

  repository_policy_statements = {
    AllowOrgReadOnly = {
      sid = "AllowPDOrgReadOnly"

      actions = [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ]

      principals = {
        type        = "AWS"
        identifiers = ["*"]
      }

      condition = {
        test     = "ForAnyValue:StringLike"
        variable = "aws:PrincipalOrgPaths"
        values   = ["o-XXXXXXXXXX/r-XXXX/ou-XXXX-XXXXXXXX/*"]
      }
    }
    LambdaECRImageRetrievalPolicy = {
      sid = "LambdaECRImageRetrievalPolicy"

      actions = [
        "ecr:BatchGetImage",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:SetRepositoryPolicy"
      ]

      principals = {
        type        = "Service"
        identifiers = ["lambda.amazonaws.com"]
      }

      condition = {
        test     = "ForAnyValue:StringLike"
        variable = "aws:ResourceOrgPaths"
        values   = ["o-XXXXXXXXXX/r-XXXX/ou-XXXX-XXXXXXXX/*"]
      }
    }
  }

Unfortunately this produced an error, so I reverted to using repository_policy and absorb the default policy the module provides

terraform-aws-ecr/modules/repository-template/variables.tf

Lines 65 to 69 in 8105d04

	variable "repository_policy" {
	description = "The JSON policy to apply to the repository. If not specified, uses the default policy"
	type = string
	default = null
	}

Ideally I would simply amend the additional statements and make use of the existing policy however the error produced was as follows:

terraform plan (error)

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 135, in data "aws_iam_policy_document" "repository":
 135:           type        = principals.value.type
    ├────────────────
    │ principals.value is tuple with 1 element

This value does not have any attributes.

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 135, in data "aws_iam_policy_document" "repository":
 135:           type        = principals.value.type
    ├────────────────
    │ principals.value is "AWS"

Can't access attributes on a primitive-typed value (string).

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 135, in data "aws_iam_policy_document" "repository":
 135:           type        = principals.value.type
    ├────────────────
    │ principals.value is tuple with 1 element

This value does not have any attributes.

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 135, in data "aws_iam_policy_document" "repository":
 135:           type        = principals.value.type
    ├────────────────
    │ principals.value is "Service"

Can't access attributes on a primitive-typed value (string).

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 136, in data "aws_iam_policy_document" "repository":
 136:           identifiers = principals.value.identifiers
    ├────────────────
    │ principals.value is tuple with 1 element

This value does not have any attributes.

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 136, in data "aws_iam_policy_document" "repository":
 136:           identifiers = principals.value.identifiers
    ├────────────────
    │ principals.value is "AWS"

Can't access attributes on a primitive-typed value (string).

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 136, in data "aws_iam_policy_document" "repository":
 136:           identifiers = principals.value.identifiers
    ├────────────────
    │ principals.value is tuple with 1 element

This value does not have any attributes.

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 136, in data "aws_iam_policy_document" "repository":
 136:           identifiers = principals.value.identifiers
    ├────────────────
    │ principals.value is "Service"

Can't access attributes on a primitive-typed value (string).

• ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]: 2.3.1

• Terraform version: 1.10.5

• Provider version(s): 5.86.0

Reproduction Code [Required]

Steps to reproduce the behavior:

This is just a simple terraform plan. I used the default example, and provided values to var.repository_policy_statements and a few other options

terraform minimal plan

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

data "aws_kms_key" "ecr" {
  key_id = "alias/aws/ecr"
}

module "docker-pullthrough-template" {
  source  = "terraform-aws-modules/ecr/aws//modules/repository-template"
  version = "~> 2.3.1"

  create                   = true # default
  create_iam_role          = true # default
  encryption_type          = "KMS"
  kms_key_arn              = data.aws_kms_key.ecr.arn
  create_repository_policy = true # default
  iam_role_use_name_prefix = true # default
  iam_role_name            = "onemedical-ecr"

  #repository_policy = data.aws_iam_policy_document.combined_policy.json
  repository_policy_statements = {
    AllowOrgReadOnly = {
      sid = "AllowOrgReadOnly"

      actions = [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ]

      principals = {
        type        = "AWS"
        identifiers = ["*"]
      }

      condition = {
        test     = "ForAnyValue:StringLike"
        variable = "aws:PrincipalOrgPaths"
        values   = ["o-XXXXXXXXXX/r-XXXX/ou-XXXX-XXXXXXXXXX/*"]
      }
    }
    LambdaECRImageRetrievalPolicy = {
      sid = "LambdaECRImageRetrievalPolicy"

      actions = [
        "ecr:BatchGetImage",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:SetRepositoryPolicy"
      ]

      principals = {
        type        = "Service"
        identifiers = ["lambda.amazonaws.com"]
      }

      condition = {
        test     = "ForAnyValue:StringLike"
        variable = "aws:ResourceOrgPaths"
        values   = ["o-XXXXXXXXXX/r-XXXX/ou-XXXX-XXXXXXXXXX/*"]
      }
    }
  }

  # Template
  description          = "Docker pull-through template"
  prefix               = "docker"
  image_tag_mutability = "MUTABLE"

  # Pull-through cache rule
  create_pull_through_cache_rule = false
  upstream_registry_url          = "registry-1.docker.io"
  credential_arn                 = module.secrets_manager_dockerhub_credentials.secret_arn
}

The above gives warnings during terraform plan

Expected behavior

Terraform should parse principals and conditions elements normally and correctly populate the dynamic statement portion

Actual behavior

Error

Terminal Output Screenshot(s)

Included above

Additional context

[mengesb]

If the variable were a defined map(object(...)) that would provide more clarity on usage of this variable, and with new optional() functions it could be setup in a way that would work with not all options provided.

I also remember something about nested dynamic statements being potentially an issue ... but not sure that remains true today.

[aldotroiano]

I've found this in the documentation. repository_policy_statements

Hope it helps?
Just testing it out now

[aldotroiano]

@mengesb - here you go.

Works for me like this - Finally!
Banged my head for a few hours on this..

  repository_policy_statements = [
    {
      sid    = "AllowECRRead"
      effect = "Allow"
      actions = [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability"
      ]
      principals = [{
        type        = "AWS"
        identifiers = ["arn:aws:iam::<ACCOUNT_ID>:root"]
      }]
    },
    {
      sid    = "AllowECRReadFromLambda"
      effect = "Allow"
      actions = [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
      principals = [{
        type        = "Service"
        identifiers = ["lambda.amazonaws.com"]
      }]
      condition = [{
        test     = "StringLike"
        variable = "aws:sourceARN"
        values   = ["arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:*"]  # This is for cross-account access
      }]
    }]

[mengesb]

OK; I could swear I tried something like this, but maybe I was bouncing around too many times and lost track. I would definitely suggest adding this to examples, but THANK YOU 🎉

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.