awscc_ecr_registry_policy (Resource)

The AWS::ECR::RegistryPolicy resource creates or updates the permissions policy for a private registry. A private registry policy is used to specify permissions for another AWS account and is used when configuring cross-account replication. For more information, see Registry permissions in the Amazon Elastic Container Registry User Guide.

Example Usage

Specify a registry policy for a private registry

The following example creates a private registry policy and grants permission for an AWS account to create repositories and replicate their contents to your private registry.

# Identity of the account running this configuration (the replication
# destination). It is declared here but not referenced by the example below.
data "aws_caller_identity" "current" {}

# Registry-level policy: a single Allow statement that lets the source
# account's root principal create repositories and replicate images into
# this registry. Only the two actions replication needs are granted.
resource "awscc_ecr_registry_policy" "example" {
  policy_text = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "ReplicationAccessCrossAccount"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${var.source_account}:root"
        }
        Action = [
          "ecr:CreateRepository",
          "ecr:ReplicateImage"
        ]
        Resource = "${awscc_ecr_repository.example.arn}/*"
      }
    ]
  })
}

# Destination repository whose ARN scopes the Resource element above.
resource "awscc_ecr_repository" "example" {
  repository_name      = "example-ecr"
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration = {
    scan_on_push = true
  }
}

# 12-digit ID of the AWS account that is allowed to replicate into this registry.
variable "source_account" {
  type = string
}
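Because policy_text is an opaque JSON string to Terraform, mistakes such as a wildcard principal or an over-broad action only surface after apply. The following added example (not part of the provider documentation) rebuilds the policy document from the example above with constructed placeholder account IDs and a placeholder repository ARN, and checks it against the expectations a replication-only registry policy should meet: every Allow principal is the root of a trusted account, actions are limited to the two replication actions, and resources are scoped to ECR.

```python
import json
import re

# Constructed sample matching the Terraform example above; the account IDs
# and repository ARN are placeholders, not values from the documentation.
SOURCE_ACCOUNT = "111111111111"
REPOSITORY_ARN = "arn:aws:ecr:us-east-1:222222222222:repository/example-ecr"

POLICY_TEXT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReplicationAccessCrossAccount",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
        "Action": ["ecr:CreateRepository", "ecr:ReplicateImage"],
        "Resource": f"{REPOSITORY_ARN}/*",
    }],
})

# The only actions a replication source account needs on the destination.
ALLOWED_ACTIONS = {"ecr:CreateRepository", "ecr:ReplicateImage"}
ACCOUNT_ROOT = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def _as_list(value):
    # IAM JSON allows a bare string wherever a list of strings is expected.
    return value if isinstance(value, list) else [value]


def check_registry_policy(policy_text, trusted_accounts):
    """Return a list of findings for every Allow statement; empty means pass."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", "*")
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in principals:
            if p == "*":
                findings.append(f"{sid}: wildcard principal grants every AWS account access")
            elif not (m := ACCOUNT_ROOT.match(str(p))) or m.group(1) not in trusted_accounts:
                findings.append(f"{sid}: principal {p} is not a trusted account root")
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} exceeds what replication needs")
        for resource in _as_list(stmt.get("Resource", [])):
            if not str(resource).startswith("arn:aws:ecr:"):
                findings.append(f"{sid}: resource {resource} is not scoped to ECR repositories")
    return findings
```

Run the check in CI against the rendered policy_text before terraform apply; a non-empty result should fail the pipeline.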

Schema

Required

Read-Only

Import

Import is supported using the following syntax:

$ terraform import awscc_ecr_registry_policy.example <resource ID>