From 28be97c9bf685b9a5e751b7a6dc075022af3aaec Mon Sep 17 00:00:00 2001
From: Vedant Pareek
Date: Tue, 30 Apr 2024 09:55:20 +0530
Subject: [PATCH 1/4] Reduced permissions for ECR in IAM
---
 iam-ecr.tf | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 iam-sa.tf | 2 +-
 variables.tf | 2 +-
 3 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 iam-ecr.tf
diff --git a/iam-ecr.tf b/iam-ecr.tf
new file mode 100644
index 0000000..6f8b30b
--- /dev/null
+++ b/iam-ecr.tf
@@ -0,0 +1,48 @@
+data "aws_iam_policy_document" "svcfoundry_access_to_ecr" {
+ statement {
+ effect = "Allow"
+ actions = [
+ "ecr:GetRegistryPolicy",
+ "ecr:DescribeImageScanFindings",
+ "ecr:GetLifecyclePolicyPreview",
+ "ecr:CreateRepository",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:DescribeImageReplicationStatus",
+ "ecr:ListTagsForResource",
+ "ecr:BatchGetRepositoryScanningConfiguration",
+ "ecr:GetRegistryScanningConfiguration",
+ "ecr:PutImage",
+ "ecr:BatchGetImage",
+ "ecr:DescribeRepositories",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetRepositoryPolicy",
+ "ecr:GetLifecyclePolicy",
+ "ecr:ListImages",
+ "ecr:InitiateLayerUpload",
+ "ecr:CompleteLayerUpload",
+ "ecr:DescribeImages",
+ "ecr:DeleteRepository",
+ "ecr:UploadLayerPart",
+ ]
+
+ resources = [
+ "arn:aws:ecr:${var.aws_region}:${var.aws_account_id}:repository/tfy-*"
+ ]
+ }
+ statement {
+ effect = "Allow"
+ actions = [
+ "ecr:DescribeRegistry",
+ "ecr:GetAuthorizationToken",
+ "sts:GetServiceBearerToken"
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "svcfoundry_access_to_ecr" {
+ name_prefix = "${local.svcfoundry_unique_name}-access-to-ecr"
+ description = "ECR access for ${var.svcfoundry_name} on ${var.cluster_name}"
+ policy = data.aws_iam_policy_document.svcfoundry_access_to_ecr.json
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/iam-sa.tf b/iam-sa.tf
index 3d1e278..4e6fe47 100644
--- a/iam-sa.tf
+++ b/iam-sa.tf
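Review bot: In the first statement of `svcfoundry_access_to_ecr`, `ecr:GetRegistryPolicy` and `ecr:GetRegistryScanningConfiguration` are registry-level actions that, as far as I recall, do not support resource-level permissions, so scoping them to the `repository/tfy-*` ARN most likely produces an implicit deny rather than a narrower grant — either drop them or move them next to `ecr:DescribeRegistry` in the `resources = ["*"]` statement if the control plane actually calls them. The same statement also grants `ecr:DeleteRepository` on every `tfy-*` repository, which is destructive and goes beyond push/pull; if it is required, a `sid` or a comment stating why would help the next reviewer, otherwise removing it tightens the policy further. `sts:GetServiceBearerToken` is the CodeArtifact bearer-token action and does not appear to be needed for ECR, so its presence in an ECR-named policy deserves a one-line comment or removal. The new file also lacks a trailing newline, which `terraform fmt` will flag.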
@@ -21,7 +21,7 @@ module "truefoundry_oidc_iam" {
 aws_iam_policy.svcfoundry_access_to_ssm.arn,
 aws_iam_policy.svcfoundry_access_to_multitenant_ssm.arn,
 aws_iam_policy.truefoundry_assume_role_all.arn,
- data.aws_iam_policy.servicefoundry_ecr_policy.arn,
+ aws_iam_policy.svcfoundry_access_to_ecr.arn,
 aws_iam_policy.truefoundry_db_iam_auth_policy.arn,
 ]
 tags = local.tags
diff --git a/variables.tf b/variables.tf
index e58b7ca..d9e0866 100644
--- a/variables.tf
+++ b/variables.tf
@@ -248,7 +248,7 @@ variable "mlfoundry_k8s_namespace" {
 }
 ##################################################################################
-## Servicefoundry
+## Servicefoundry service account
 ##################################################################################
 variable "svcfoundry_name" {
From 5d03198a5e8d3977e9a6c5d834b7be85892e60e0 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 30 Apr 2024 04:27:53 +0000
Subject: [PATCH 2/4] terraform-docs: automated action
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index f336749..a65aeb3 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ Truefoundry AWS Control Plane Module
 |------|------|
 | [aws_db_instance.truefoundry_db](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/db_instance) | resource |
 | [aws_db_subnet_group.rds](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/db_subnet_group) | resource |
+| [aws_iam_policy.svcfoundry_access_to_ecr](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.svcfoundry_access_to_multitenant_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.svcfoundry_access_to_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.truefoundry_assume_role_all](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/iam_policy) | resource |
@@ -42,6 +43,7 @@ Truefoundry AWS Control Plane Module
 | [aws_security_group.rds-public](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/security_group) | resource |
 | [random_password.truefoundry_db_password](https://registry.terraform.io/providers/hashicorp/random/3.5.1/docs/resources/password) | resource |
 | [aws_iam_policy.servicefoundry_ecr_policy](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.svcfoundry_access_to_ecr](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.svcfoundry_access_to_multitenant_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.svcfoundry_access_to_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.truefoundry_assume_role_all](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
From 92614b8d1088a95e904c058c7d0adb89e4defa16 Mon Sep 17 00:00:00 2001
From: Vedant Pareek
Date: Tue, 30 Apr 2024 12:09:19 +0530
Subject: [PATCH 3/4] Removed ECR full access policy
---
 iam-sa.tf | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/iam-sa.tf b/iam-sa.tf
index 4e6fe47..dadb7ce 100644
--- a/iam-sa.tf
+++ b/iam-sa.tf
@@ -1,9 +1,5 @@
 # From https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/examples/irsa/irsa.tf
-data "aws_iam_policy" "servicefoundry_ecr_policy" {
- name = "AmazonEC2ContainerRegistryFullAccess"
-}
-
 module "truefoundry_oidc_iam" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 version = "5.39.0"
From 9a209607ea1a7ff6768ad7902d5b747646f690cb Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 30 Apr 2024 06:41:10 +0000
Subject: [PATCH 4/4] terraform-docs: automated action
---
 README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index a65aeb3..7964925 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,6 @@ Truefoundry AWS Control Plane Module
 | [aws_security_group.rds](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/security_group) | resource |
 | [aws_security_group.rds-public](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/resources/security_group) | resource |
 | [random_password.truefoundry_db_password](https://registry.terraform.io/providers/hashicorp/random/3.5.1/docs/resources/password) | resource |
-| [aws_iam_policy.servicefoundry_ecr_policy](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.svcfoundry_access_to_ecr](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.svcfoundry_access_to_multitenant_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.svcfoundry_access_to_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.44.0/docs/data-sources/iam_policy_document) | data source |