repository_policy_statements use not properly documented/example #53

Open
1 task done
mengesb opened this issue Feb 7, 2025 · 1 comment
mengesb commented Feb 7, 2025

Description

I attempted to use the submodule repository-template with the variable repository_policy_statements; however, I was unsuccessful in interpreting the desired format.

variable "repository_policy_statements" {
  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage"
  type        = any
  default     = {}
}

The following would appear to be valid for your object constraints:

var.repository_policy_statements input
  repository_policy_statements = {
    AllowOrgReadOnly = {
      sid = "AllowPDOrgReadOnly"

      actions = [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ]

      principals = {
        type        = "AWS"
        identifiers = ["*"]
      }

      condition = {
        test     = "ForAnyValue:StringLike"
        variable = "aws:PrincipalOrgPaths"
        values   = ["o-XXXXXXXXXX/r-XXXX/ou-XXXX-XXXXXXXX/*"]
      }
    }
    LambdaECRImageRetrievalPolicy = {
      sid = "LambdaECRImageRetrievalPolicy"

      actions = [
        "ecr:BatchGetImage",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:SetRepositoryPolicy"
      ]

      principals = {
        type        = "Service"
        identifiers = ["lambda.amazonaws.com"]
      }

      condition = {
        test     = "ForAnyValue:StringLike"
        variable = "aws:ResourceOrgPaths"
        values   = ["o-XXXXXXXXXX/r-XXXX/ou-XXXX-XXXXXXXX/*"]
      }
    }
  }

Unfortunately, this produced an error, so I reverted to using repository_policy and absorbed the default policy the module provides.

variable "repository_policy" {
  description = "The JSON policy to apply to the repository. If not specified, uses the default policy"
  type        = string
  default     = null
}

Ideally, I would simply amend the additional statements and make use of the existing policy; however, the error produced was as follows:

terraform plan (error)
Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 135, in data "aws_iam_policy_document" "repository":
 135:           type        = principals.value.type
    ├────────────────
    │ principals.value is tuple with 1 element

This value does not have any attributes.

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 135, in data "aws_iam_policy_document" "repository":
 135:           type        = principals.value.type
    ├────────────────
    │ principals.value is "AWS"

Can't access attributes on a primitive-typed value (string).

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 135, in data "aws_iam_policy_document" "repository":
 135:           type        = principals.value.type
    ├────────────────
    │ principals.value is tuple with 1 element

This value does not have any attributes.

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 135, in data "aws_iam_policy_document" "repository":
 135:           type        = principals.value.type
    ├────────────────
    │ principals.value is "Service"

Can't access attributes on a primitive-typed value (string).

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 136, in data "aws_iam_policy_document" "repository":
 136:           identifiers = principals.value.identifiers
    ├────────────────
    │ principals.value is tuple with 1 element

This value does not have any attributes.

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 136, in data "aws_iam_policy_document" "repository":
 136:           identifiers = principals.value.identifiers
    ├────────────────
    │ principals.value is "AWS"

Can't access attributes on a primitive-typed value (string).

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 136, in data "aws_iam_policy_document" "repository":
 136:           identifiers = principals.value.identifiers
    ├────────────────
    │ principals.value is tuple with 1 element

This value does not have any attributes.

Error: Unsupported attribute

  on .terraform/modules/docker-pullthrough-template/modules/repository-template/main.tf line 136, in data "aws_iam_policy_document" "repository":
 136:           identifiers = principals.value.identifiers
    ├────────────────
    │ principals.value is "Service"

Can't access attributes on a primitive-typed value (string).
  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 2.3.1

  • Terraform version: 1.10.5

  • Provider version(s): 5.86.0

Reproduction Code [Required]

Steps to reproduce the behavior:

This is just a simple terraform plan. I used the default example and provided values to var.repository_policy_statements and a few other options.

terraform minimal plan
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

data "aws_kms_key" "ecr" {
  key_id = "alias/aws/ecr"
}

module "docker-pullthrough-template" {
  source  = "terraform-aws-modules/ecr/aws//modules/repository-template"
  version = "~> 2.3.1"

  create                   = true # default
  create_iam_role          = true # default
  encryption_type          = "KMS"
  kms_key_arn              = data.aws_kms_key.ecr.arn
  create_repository_policy = true # default
  iam_role_use_name_prefix = true # default
  iam_role_name            = "onemedical-ecr"

  #repository_policy = data.aws_iam_policy_document.combined_policy.json
  repository_policy_statements = {
    AllowOrgReadOnly = {
      sid = "AllowOrgReadOnly"

      actions = [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ]

      principals = {
        type        = "AWS"
        identifiers = ["*"]
      }

      condition = {
        test     = "ForAnyValue:StringLike"
        variable = "aws:PrincipalOrgPaths"
        values   = ["o-XXXXXXXXXX/r-XXXX/ou-XXXX-XXXXXXXXXX/*"]
      }
    }
    LambdaECRImageRetrievalPolicy = {
      sid = "LambdaECRImageRetrievalPolicy"

      actions = [
        "ecr:BatchGetImage",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:SetRepositoryPolicy"
      ]

      principals = {
        type        = "Service"
        identifiers = ["lambda.amazonaws.com"]
      }

      condition = {
        test     = "ForAnyValue:StringLike"
        variable = "aws:ResourceOrgPaths"
        values   = ["o-XXXXXXXXXX/r-XXXX/ou-XXXX-XXXXXXXXXX/*"]
      }
    }
  }

  # Template
  description          = "Docker pull-through template"
  prefix               = "docker"
  image_tag_mutability = "MUTABLE"

  # Pull-through cache rule
  create_pull_through_cache_rule = false
  upstream_registry_url          = "registry-1.docker.io"
  credential_arn                 = module.secrets_manager_dockerhub_credentials.secret_arn
}

The above gives warnings during terraform plan

Expected behavior

Terraform should parse principals and conditions elements normally and correctly populate the dynamic statement portion

Actual behavior

Error

Terminal Output Screenshot(s)

Included above

Additional context

mengesb commented Feb 7, 2025

If the variable were a defined map(object(...)), that would provide more clarity on usage of this variable, and with the new optional() functions it could be set up in a way that would work with not all options provided.

I also remember something about nested dynamic statements being potentially an issue ... but not sure that remains true today.
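Added example, not the module's own code and not the reporter's: a typed declaration of `repository_policy_statements` in the `map(object(...))` plus `optional()` shape proposed above, next to the kind of nested `dynamic` blocks that consume it. The list-of-objects shape for `principals` and `condition` is an assumption inferred from the posted errors (`principals.value` being `"AWS"` or a 1-element tuple means the module's `for_each` iterated over the attributes of a single object), not the module's documented contract.

```hcl
# Added example, not the module's own code. The list-of-objects shape for
# principals/condition is an assumption inferred from the posted errors.
variable "repository_policy_statements" {
  description = "Map of extra IAM policy statements merged into the repository policy"
  type = map(object({
    sid     = optional(string)
    effect  = optional(string, "Allow")
    actions = optional(list(string), [])
    # Each entry becomes one principals block; a single object here would be
    # iterated attribute-by-attribute, producing the "AWS" / tuple errors above.
    principals = optional(list(object({
      type        = string
      identifiers = list(string)
    })), [])
    condition = optional(list(object({
      test     = string
      variable = string
      values   = list(string)
    })), [])
  }))
  default = {}
}

# Consumer side: every nested dynamic block receives a list to iterate, so
# the variable type and the for_each expressions agree by construction.
data "aws_iam_policy_document" "repository" {
  dynamic "statement" {
    for_each = var.repository_policy_statements
    content {
      sid     = statement.value.sid
      effect  = statement.value.effect
      actions = statement.value.actions
      dynamic "principals" {
        for_each = statement.value.principals
        content {
          type        = principals.value.type
          identifiers = principals.value.identifiers
        }
      }
      dynamic "condition" {
        for_each = statement.value.condition
        content {
          test     = condition.value.test
          variable = condition.value.variable
          values   = condition.value.values
        }
      }
    }
  }
}
```

Against this type, the input posted above is rejected by `terraform validate` with a type mismatch at the variable rather than at main.tf line 135; wrapping each block in a list (`principals = [{ type = "AWS", identifiers = ["*"] }]`, and likewise `condition = [{ ... }]`) matches the shape, so the org-path condition is actually attached to the `"*"` principal instead of the plan failing.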
