The AWS::ECR::RegistryPolicy resource creates or updates the permissions policy for a private registry.
A private registry policy specifies the permissions granted to another AWS account and is used when configuring cross-account replication. For more information, see Registry permissions in the Amazon Elastic Container Registry User Guide.
The following example creates a private registry policy that grants a source AWS account (var.source_account) permission to create repositories in your private registry and replicate images into them. Scope the Principal to the specific account that replicates to you; a registry policy with a wildcard principal would let any AWS account push repositories into your registry.
# Identity of the account that owns the destination registry (not otherwise
# referenced in this example; kept for parity with the original listing).
data "aws_caller_identity" "current" {}

resource "awscc_ecr_registry_policy" "example" {
  policy_text = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "ReplicationAccessCrossAccount"
        Effect = "Allow"
        # Only the root principal of the named source account is trusted;
        # IAM principals in that account still need their own ECR permissions.
        Principal = {
          AWS = "arn:aws:iam::${var.source_account}:root"
        }
        # The two actions cross-account replication requires; do not add
        # pull or delete actions to a replication grant.
        Action = [
          "ecr:CreateRepository",
          "ecr:ReplicateImage"
        ]
        # Note: a repository ARN with "/*" appended matches repositories whose
        # names begin with "example-ecr/", not the repository "example-ecr"
        # itself. Use the bare repository ARN to cover this repository only,
        # or "arn:aws:ecr:<region>:<account>:repository/*" for all of them.
        Resource = "${awscc_ecr_repository.example.arn}/*"
      }
    ]
  })
}

resource "awscc_ecr_repository" "example" {
  repository_name      = "example-ecr"
  image_tag_mutability = "MUTABLE"
  # Scan replicated images on arrival so findings from the source
  # account's images surface in this registry as well.
  image_scanning_configuration = {
    scan_on_push = true
  }
}

variable "source_account" {
  description = "12-digit AWS account ID allowed to replicate into this registry"
  type        = string
}
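Because the registry policy is the single control deciding who may write repositories into the registry, it is worth checking the rendered JSON before it is applied. The following Python is an added example, not part of the provider or of the page above: it re-renders the same document that the jsonencode() block produces and lints an ECR registry policy for the three mistakes that matter most in a replication grant (a wildcard principal, an unapproved source account, and actions or resources broader than replication needs). The function names, the approved-account set and the two account IDs are assumptions constructed for the example.

```python
import json

# The two actions a cross-account replication grant needs; anything else
# in a registry policy deserves a second look.
REPLICATION_ACTIONS = {"ecr:CreateRepository", "ecr:ReplicateImage"}


def build_replication_policy(source_account, repository_arn):
    """Render the same policy document the Terraform jsonencode() above produces.

    Assumed helper (not part of the provider). The Resource keeps the "/*"
    suffix used on the page, so it matches repositories named "<repo>/<x>",
    not the repository "<repo>" itself.
    """
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReplicationAccessCrossAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
            "Action": sorted(REPLICATION_ACTIONS),
            "Resource": f"{repository_arn}/*",
        }],
    })


def _as_list(value):
    """IAM allows Action, Resource and Principal.AWS to be a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def principal_accounts(principal):
    """Account IDs named by a Statement Principal; "*" stands for any account."""
    if principal == "*":
        return {"*"}
    accounts = set()
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    for arn in _as_list(aws):
        if arn == "*":
            accounts.add("*")
        else:
            # arn:aws:iam::123456789012:root -> 123456789012; a bare ID is also valid
            parts = arn.split(":")
            accounts.add(parts[4] if len(parts) > 4 else arn)
    return accounts


def lint_registry_policy(policy_text, approved_accounts):
    """Return findings for Allow statements that exceed a replication-only grant."""
    findings = []
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        accounts = principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append(f"{sid}: wildcard principal lets any AWS account replicate into this registry")
        for acct in sorted(accounts - {"*"}):
            if acct not in approved_accounts:
                findings.append(f"{sid}: principal account {acct} is not an approved source account")
        for action in _as_list(stmt.get("Action")):
            if action not in REPLICATION_ACTIONS:
                findings.append(f"{sid}: action {action} is not needed for replication")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: resource '*' is not scoped to a repository ARN")
    return findings


# Constructed sample inputs (fictitious account IDs): the page's policy
# rendered for one approved source account, and an over-permissive variant.
APPROVED_SOURCE_ACCOUNTS = {"111122223333"}
GOOD_POLICY = build_replication_policy(
    "111122223333", "arn:aws:ecr:us-east-1:999999999999:repository/example-ecr")
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ecr:CreateRepository", "ecr:ReplicateImage", "ecr:DeleteRepository"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_registry_policy(policy, APPROVED_SOURCE_ACCOUNTS) or ["no findings"])
```

In a pipeline you would feed lint_registry_policy() the policy_text value from terraform show -json, or the output of aws ecr get-registry-policy, and fail the run on any finding; the approved-account set is the list of accounts that are actually configured as replication sources.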
policy_text (String, required) The JSON policy text for your registry.
id (String, read-only) Uniquely identifies the resource.
registry_id (String, read-only) The registry ID.

Import is supported using the following syntax:
$ terraform import awscc_ecr_registry_policy.example <resource ID>