From 44b69646ad5d49f3cd3111b8dcdf757f5664309c Mon Sep 17 00:00:00 2001
From: kevin
Date: Tue, 3 Dec 2024 22:01:48 +0000
Subject: [PATCH] Specify ECR for IAM policy

Signed-off-by: kevin
---
 infra/aws/main.tf | 48 +++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 44 insertions(+), 4 deletions(-)

diff --git a/infra/aws/main.tf b/infra/aws/main.tf
index 032deba..396535a 100644
--- a/infra/aws/main.tf
+++ b/infra/aws/main.tf
@@ -297,7 +297,7 @@ resource "aws_iam_policy" "premerge_ecr_public_read_access_policy" {
 "ecr-public:DescribeRegistries",
 "sts:GetServiceBearerToken"
 ]
- Resource = "*"
+ Resource = "arn:aws:ecr-public::936637512419:repository/vllm-ci-test-repo"
 }]
 })
 }
@@ -329,7 +329,7 @@ resource "aws_iam_policy" "premerge_ecr_public_write_access_policy" {
 "ecr-public:UploadLayerPart",
 "sts:GetServiceBearerToken"
 ]
- Resource = "*"
+ Resource = "arn:aws:ecr-public::936637512419:repository/vllm-ci-test-repo"
 }]
 })
 }
@@ -352,7 +352,7 @@ resource "aws_iam_policy" "postmerge_ecr_public_read_access_policy" {
 "ecr-public:DescribeRegistries",
 "sts:GetServiceBearerToken"
 ]
- Resource = "*"
+ Resource = "arn:aws:ecr-public::936637512419:repository/vllm-ci-postmerge-repo"
 }]
 })
 }
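Review bot: Narrowing `Resource` to a repository ARN on the changed line of this hunk will deny `sts:GetServiceBearerToken` (visible in the context lines) and `ecr-public:GetAuthorizationToken`, because neither action supports resource-level permissions and so only matches `Resource = "*"`; the instance will no longer be able to obtain a registry login, and the same problem applies to the two following hunks and to the release policy added in the next hunk. Registry-scoped actions such as `ecr-public:DescribeRegistries`, `GetRegistryCatalogData` and `PutRegistryCatalogData` are evaluated against the registry ARN, not a repository ARN, so they will not match either. The least-privilege shape that still works is two statements per policy: keep the repository ARN for the repository actions, and add a second statement restricted to the token and registry-level actions, e.g. `{ Effect = "Allow", Action = ["ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken"], Resource = "*" }`. The remaining actions of these three policies start outside the hunk, so whether each one lists `GetAuthorizationToken` cannot be confirmed from here.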
@@ -384,7 +384,39 @@ resource "aws_iam_policy" "postmerge_ecr_public_read_write_access_policy" {
 "ecr-public:UploadLayerPart",
 "sts:GetServiceBearerToken"
 ]
- Resource = "*"
+ Resource = "arn:aws:ecr-public::936637512419:repository/vllm-ci-postmerge-repo"
+ }]
+ })
+}
+
+resource "aws_iam_policy" "release_ecr_public_read_write_access_policy" {
+ name = "release-ecr-public-read-write-access-policy"
+ description = "Policy to push and pull images from release ECR"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Allow"
+ Action = [
+ "ecr-public:BatchCheckLayerAvailability",
+ "ecr-public:CompleteLayerUpload",
+ "ecr-public:DescribeImageTags",
+ "ecr-public:DescribeImages",
+ "ecr-public:DescribeRegistries",
+ "ecr-public:DescribeRepositories",
+ "ecr-public:GetAuthorizationToken",
+ "ecr-public:GetRegistryCatalogData",
+ "ecr-public:GetRepositoryCatalogData",
+ "ecr-public:GetRepositoryPolicy",
+ "ecr-public:InitiateLayerUpload",
+ "ecr-public:ListTagsForResource",
+ "ecr-public:PutImage",
+ "ecr-public:PutRegistryCatalogData",
+ "ecr-public:TagResource",
+ "ecr-public:UploadLayerPart",
+ "sts:GetServiceBearerToken"
+ ]
+ Resource = "arn:aws:ecr-public::936637512419:repository/vllm-release-repo"
 }]
 })
 }
@@ -495,6 +527,14 @@ resource "aws_iam_role_policy_attachment" "postmerge_ecr_public_read_write_acces
 policy_arn = aws_iam_policy.postmerge_ecr_public_read_write_access_policy.arn
 }
 
+resource "aws_iam_role_policy_attachment" "release_ecr_public_read_write_access" {
+ for_each = merge(
+ aws_cloudformation_stack.bk_queue_postmerge
+ )
+ role = each.value.outputs.InstanceRoleName
+ policy_arn = aws_iam_policy.release_ecr_public_read_write_access_policy.arn
+}
+
 resource "aws_iam_role_policy_attachment" "bk_stack_secrets_access" {
 for_each = merge(
 aws_cloudformation_stack.bk_queue,
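Review bot: The new `release_ecr_public_read_write_access` attachment in the last hunk puts the release policy on the postmerge queue's instance role, so the role that already pushes to `vllm-ci-postmerge-repo` can now also publish to `vllm-release-repo` and, through `ecr-public:PutRegistryCatalogData` in the release policy, rewrite the public registry's catalog data; nothing in the commit records that this sharing of one role between post-merge and release publishing is intended. If it is, state it on the resource, e.g. `# Release images are pushed from the postmerge queue, so its instance role carries the release policy.`; if not, attach the policy to a dedicated release queue's role instead. Independently of where it is attached, drop `ecr-public:PutRegistryCatalogData` from the release policy unless the pipeline actually edits the registry catalog, since it is a registry-wide write that image pushing does not need. The account ID `936637512419` is now repeated in five ARNs; if the file has an `aws_caller_identity` data source, interpolating its `account_id` would avoid drift between them.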