From 3a6ac24045904f2c05fb2cb32fb0439518c65b6d Mon Sep 17 00:00:00 2001
From: Pat Heard
Date: Tue, 26 Sep 2023 10:11:42 -0400
Subject: [PATCH] fix: allow OIDC ECR role to pull images (#1446)

Update the OIDC ECR role's permission policy to allow it to pull images as well. This is needed for the Docker SBOM workflow step.
---
 infrastructure/terragrunt/aws/ecr/oidc.tf | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/infrastructure/terragrunt/aws/ecr/oidc.tf b/infrastructure/terragrunt/aws/ecr/oidc.tf
index 4c8807dd1..6b7e8a01b 100644
--- a/infrastructure/terragrunt/aws/ecr/oidc.tf
+++ b/infrastructure/terragrunt/aws/ecr/oidc.tf
@@ -32,11 +32,17 @@ data "aws_iam_policy_document" "ecr_push" {
   statement {
     effect = "Allow"
     actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchGetImage",
       "ecr:CompleteLayerUpload",
-      "ecr:UploadLayerPart",
+      "ecr:DescribeImages",
+      "ecr:DescribeRepositories",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetRepositoryPolicy",
       "ecr:InitiateLayerUpload",
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:PutImage"
+      "ecr:ListImages",
+      "ecr:PutImage",
+      "ecr:UploadLayerPart"
     ]
     resources = [
       aws_ecr_repository.wordpress.arn
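Review bot: The added actions go beyond what pulling an image needs — a pull requires `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchCheckLayerAvailability` (plus `ecr:GetAuthorizationToken`, which is not in this hunk and must be granted on resource `"*"` elsewhere, presumably in another statement), whereas `ecr:DescribeRepositories`, `ecr:GetRepositoryPolicy`, `ecr:ListImages` and `ecr:DescribeImages` are repository-metadata reads that `docker pull` does not issue. Unless the SBOM step is known to call them, dropping those four keeps the OIDC role at the minimum the workflow uses. The policy document is still named `ecr_push` while it now grants pull as well, so a comment above the statement such as `# Push and pull: the Docker SBOM workflow step pulls the image it has just pushed` would tell the next reader why read actions belong here. The enclosing `data "aws_iam_policy_document" "ecr_push"` block starts and ends outside the hunk.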