terraform-aws-modules / terraform-aws-ecr

Terraform module to create AWS ECR resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/ecr/aws
Apache License 2.0

Can this module be used as ECR for lambda image code? #34

Closed aws-spark closed 5 months ago

aws-spark commented 5 months ago

Description

I want to use this module, if possible, to host local AWS account lambda ECR code images. I am having trouble with the policies however. Could the examples be updated if possible to reflect how appropriate policies would be set for lambda to consume the ECR images as code? For that matter could any example show how to set a custom policy, or to ignore changes to policy (made by other AWS services - lambda)? I can see input: repository_lambda_read_access_arns will result in a policy of:

{
  "Sid": "PrivateLambdaReadOnly",
  "Effect": "Allow",
  "Principal": {
    "Service": "lambda.amazonaws.com"
  },
  "Action": [
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer"
  ],
  "Condition": {
    "StringLike": {
      "aws:sourceArn": "arn:aws:iam::<account>:role/<ecr_name>"
    }
  }
}

This is almost a match for what Lambda itself seems to want to set on the ECR; this permission appears after Lambda is set to grab the ECR image:

{
  "Sid": "LambdaECRImageRetrievalPolicy",
  "Effect": "Allow",
  "Principal": {
    "Service": "lambda.amazonaws.com"
  },
  "Action": [
    "ecr:BatchGetImage",
    "ecr:DeleteRepositoryPolicy",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetRepositoryPolicy",
    "ecr:SetRepositoryPolicy"
  ],
  "Condition": {
    "StringLike": {
      "aws:sourceArn": "arn:aws:lambda:<region>:<account>:function:*"
    }
  }
}

I am unsure if this is just a user error on my end or a feature request, sorry. I should also add that an initial build of the ECR with this module, and then a Lambda build that references the ECR as the code image, does work at first. Where things go awry is that any future terraform apply will look to strip the policy that Lambda has added, and this results in permission errors, with Lambda then not being allowed to access the ECR.

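One way to make the module-managed policy and Lambda's requirement converge, added here as an example that is neither the issue author's configuration nor one of the module's own examples: declare the pull statement Lambda needs in Terraform, so that every apply writes a policy Lambda is already satisfied with instead of stripping the one it added out of band. Lambda's own statement (shown above) conditions on the function ARN, so the example builds that ARN from the function name and uses it as aws:sourceArn; it drops ecr:SetRepositoryPolicy and ecr:DeleteRepositoryPolicy so the service principal cannot rewrite the repository policy. Assumed, not confirmed by this page: the module inputs create_repository_policy, repository_policy (a JSON string) and repository_image_tag_mutability, the module output repository_url, and the placeholder names, region, version and image tag.

```hcl
# Added example, not the issue author's code nor one of the module's examples.
# Assumptions (not confirmed by the page): the module exposes the inputs
# `create_repository_policy`, `repository_policy` (JSON string) and
# `repository_image_tag_mutability`, plus the output `repository_url`.
# Region, names, version constraint and image tag are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # placeholder
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  repository_name = "lambda-images" # placeholder
  function_name   = "image-backed"  # placeholder

  # Built from the name instead of aws_lambda_function.this.arn: the function
  # depends on the repository, so the repository policy must not depend on the
  # function or Terraform reports a dependency cycle.
  function_arn = "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:${local.function_name}"
}

# The pull permission Lambda needs, declared up front. Compared with the
# statement Lambda writes for itself, aws:sourceArn is narrowed from
# `function:*` to one function, and the Set/DeleteRepositoryPolicy actions are
# left out so lambda.amazonaws.com cannot rewrite this policy.
data "aws_iam_policy_document" "repository" {
  statement {
    sid    = "LambdaECRImageRetrievalPolicy"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }

    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]

    condition {
      test     = "StringLike"
      variable = "aws:sourceArn"
      values   = [local.function_arn]
    }
  }
}

module "ecr" {
  source  = "terraform-aws-modules/ecr/aws"
  version = "~> 2.0" # assumption; pin to the version you have tested

  repository_name                 = local.repository_name
  repository_image_tag_mutability = "IMMUTABLE"

  # Use the document above instead of the module-generated policy.
  create_repository_policy = true
  repository_policy        = data.aws_iam_policy_document.repository.json
}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "${local.function_name}-role"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_role_policy_attachment" "basic" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# The image must already be pushed to module.ecr.repository_url before this
# resource is created; Terraform does not build or push it.
resource "aws_lambda_function" "this" {
  function_name = local.function_name
  role          = aws_iam_role.lambda.arn
  package_type  = "Image"
  image_uri     = "${module.ecr.repository_url}:v1" # placeholder tag

  depends_on = [module.ecr]
}
```

The function name in local.function_name must match the one Lambda presents in aws:sourceArn; if it does not, the pull fails and you are back to the permission error described above. After the first function deploy and again after a later apply, run `aws ecr get-repository-policy --repository-name lambda-images` and confirm the policy still contains exactly the statement declared here and nothing Lambda added on top; if an extra LambdaECRImageRetrievalPolicy statement with `function:*` shows up, the declared condition did not match. The other route, setting create_repository_policy to false and managing your own aws_ecr_repository_policy with `lifecycle { ignore_changes = [policy] }`, does stop the apply from stripping Lambda's statement, but it also accepts without review whatever any principal holding ecr:SetRepositoryPolicy writes, so declaring the policy is the safer choice.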

antonbabenko commented 5 months ago

Here you can find the code to use Lambda with ECR resources.

I have just updated it (https://github.com/terraform-aws-modules/terraform-aws-lambda/pull/559) and included integration with this ECR repository - https://github.com/terraform-aws-modules/terraform-aws-lambda/blob/master/examples/container-image/main.tf

aws-spark commented 5 months ago

Thanks. This example: https://github.com/terraform-aws-modules/terraform-aws-ecr/blob/master/examples/complete/main.tf still lacks how to set the Lambda policy (LambdaECRImageRetrievalPolicy) though, or any custom policy. Never mind, I have abandoned the use of this module and built it as resources instead.

github-actions[bot] commented 4 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.