From 2dd5f1122d6077e870fffd50ac20eaab1f930614 Mon Sep 17 00:00:00 2001
From: pjdufour-truss
Date: Fri, 17 May 2019 15:46:04 -0500
Subject: [PATCH] lockdown ecr

---
 README.md | 1 +
 main.tf | 18 ++++++++++++++++--
 variables.tf | 6 ++++++
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 60849ba..647b4f0 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,7 @@ module "app_ecs_service" {
 | container\_health\_check\_port | An additional port on which the container can receive a health check. Zero means the container port can only receive a health check on the port set by the container_port variable. | string | `"0"` | no |
 | container\_image | The image of the container. | string | `"golang:1.12.5-alpine"` | no |
 | container\_port | The port on which the container will receive traffic. | string | `"80"` | no |
+| ecr\_repo\_arn | The ARN of the ECR repo. By default, allows all repositories. | string | `"*"` | no |
 | ecs\_cluster\_arn | The ARN of the ECS cluster. | string | n/a | yes |
 | ecs\_instance\_role | The name of the ECS instance role. | string | `""` | no |
 | ecs\_subnet\_ids | Subnet IDs for the ECS tasks. | list | n/a | yes |
diff --git a/main.tf b/main.tf
index c090090..cb0e934 100644
--- a/main.tf
+++ b/main.tf
@@ -253,12 +253,19 @@ data "aws_iam_policy_document" "instance_role_policy_doc" {
 statement {
 actions = [
 "ecr:GetAuthorizationToken",
+ ]
+
+ resources = ["*"]
+ }
+
+ statement {
+ actions = [
 "ecr:BatchCheckLayerAvailability",
 "ecr:GetDownloadUrlForLayer",
 "ecr:BatchGetImage",
 ]
 
- resources = ["*"]
+ resources = ["${var.ecr_repo_arn}"]
 }
 }
 
@@ -298,12 +305,19 @@ data "aws_iam_policy_document" "task_execution_role_policy_doc" {
 statement {
 actions = [
 "ecr:GetAuthorizationToken",
+ ]
+
+ resources = ["*"]
+ }
+
+ statement {
+ actions = [
 "ecr:BatchCheckLayerAvailability",
 "ecr:GetDownloadUrlForLayer",
 "ecr:BatchGetImage",
 ]
 
- resources = ["*"]
+ resources = ["${var.ecr_repo_arn}"]
 }
 }
 
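Review bot: The first statement of the rewritten `instance_role_policy_doc` keeps `resources = ["*"]` with no explanation, so a later reader tightening the module may try to scope it to `var.ecr_repo_arn` as well and break image pulls; a comment above that statement, `# ecr:GetAuthorizationToken does not support resource-level permissions, so it must stay on "*"`, would document why the actions were split. The same applies to the matching hunk in `task_execution_role_policy_doc`. Because `ecr_repo_arn` defaults to `"*"`, the pull statement is only narrowed when a caller sets the variable, so existing deployments keep their previous access until they opt in; a one-line comment at `resources = ["${var.ecr_repo_arn}"]`, such as `# Scoped to one repository only when the caller sets ecr_repo_arn; the default "*" keeps the old behaviour`, would make that explicit. Both enclosing policy documents begin before their hunks.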
diff --git a/variables.tf b/variables.tf
index e6ed3aa..c2e9f07 100644
--- a/variables.tf
+++ b/variables.tf
@@ -20,6 +20,12 @@ variable "logs_cloudwatch_group" {
 type = "string"
 }
 
+variable "ecr_repo_arn" {
+ description = "The ARN of the ECR repo. By default, allows all repositories."
+ type = "string"
+ default = "*"
+}
+
 variable "ecs_use_fargate" {
 description = "Whether to use Fargate for the task definition."
 default = false
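Review bot: The description of the new `ecr_repo_arn` variable does not say what form the value takes or that the default leaves pull access unrestricted, which is exactly what a caller needs in order to decide whether to set it; I would change it to `description = "ARN of the ECR repository the instance and task execution roles may pull images from (arn:aws:ecr:REGION:ACCOUNT-ID:repository/NAME). Defaults to \"*\", which permits pulls from any repository."`. The README row added in this patch should be updated to match. As a plain string the variable admits a single repository, so a task whose containers come from more than one repository has no option but to leave the default; if that case matters to users of this module, a separate list-typed variable would be the backward-compatible way to cover it in a follow-up.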