feat: allow happy users to leverage pull through caching (#3245)

chanzuckerberg · Apr 19, 2024 · 32bc6af · 32bc6af
1 parent 5d4adbe
commit 32bc6af
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 11 deletions.
diff --git a/terraform/modules/happy-github-ci-role/README.md b/terraform/modules/happy-github-ci-role/README.md
@@ -28,11 +28,12 @@
 
 | Name | Type |
 |------|------|
-| [aws_iam_policy.ecr-scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_role_policy_attachment.ecr-scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy.ecr_scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.pull_through_cache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.ecr-scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.ecr_scanner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.pull_through_cache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 

diff --git a/terraform/modules/happy-github-ci-role/ecr.tf b/terraform/modules/happy-github-ci-role/ecr.tf
@@ -37,7 +37,7 @@ module "autocreated_ecr_writer_policy" {
   owner   = var.tags.owner
 }
 
-data "aws_iam_policy_document" "ecr-scanner" {
+data "aws_iam_policy_document" "ecr_scanner" {
   statement {
     sid = "ScanECR"
 
@@ -55,15 +55,40 @@ data "aws_iam_policy_document" "ecr-scanner" {
   }
 }
 
-resource "aws_iam_policy" "ecr-scanner" {
+resource "aws_iam_role_policy" "ecr_scanner" {
+  role        = var.gh_actions_role_name
   name_prefix = "gh_actions_ecr_scan_${random_pet.this.id}"
-  path        = "/"
-
-  policy = data.aws_iam_policy_document.ecr-scanner.json
+  policy      = data.aws_iam_policy_document.ecr_scanner.json
 }
 
-resource "aws_iam_role_policy_attachment" "ecr-scanner" {
-  role = var.gh_actions_role_name
+data "aws_iam_policy_document" "pull_through_cache" {
+  statement {
+    sid = "PullThroughCacheCorePlatformProdECR"
+
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchGetImage",
+      "ecr:BatchImportUpstreamImage",
+      "ecr:CreateRepository",
+      "ecr:DescribeImageScanFindings",
+      "ecr:DescribeImages",
+      "ecr:DescribeRepositories",
+      "ecr:GetAuthorizationToken",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetLifecyclePolicy",
+      "ecr:GetLifecyclePolicyPreview",
+      "ecr:GetRepositoryPolicy",
+      "ecr:ListImages",
+      "ecr:ListTagsForResource",
+      "ecr:TagResource",
+    ]
 
-  policy_arn = aws_iam_policy.ecr-scanner.arn
+    resources = ["arn:aws:ecr:us-west-2:533267185808:repository/*"]
+  }
 }
+
+resource "aws_iam_role_policy" "pull_through_cache" {
+  role        = var.gh_actions_role_name
+  name_prefix = "read_only_pull_through_cache_core_platform_prod_access"
+  policy      = data.aws_iam_policy_document.pull_through_cache.json
+}