123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 |
- # Defines an IAM user that can only download ECR images, intended for
- # use in POP nodes where we need containers, but won't necessarily have
- # EC2 instance role credentials. Maybe one day this goes to vault, I
- # hope. It would be nice.
- # data "aws_iam_policy_document" "ecr_policy_pop" {
- # statement {
- # sid = "AllowECRReadOnly"
- # effect = "Allow"
- # actions = [
- # "ecr:GetAuthorizationToken",
- # "ecr:BatchCheckLayerAvailability",
- # "ecr:GetDownloadUrlForLayer",
- # "ecr:GetRepositoryPolicy",
- # "ecr:DescribeRepositories",
- # "ecr:ListImages",
- # "ecr:DescribeImages",
- # "ecr:BatchGetImage"
- # ]
-
- # resources = [
- # "*"
- # ]
- # }
- # }
- # resource "aws_iam_policy" "ecr_policy_pop" {
- # name = "ecr_policy_pop"
- # path = "/"
- # policy = "${data.aws_iam_policy_document.ecr_policy_pop.json}"
- # }
- # resource "aws_iam_user" "pop_service_account" {
- # name = "svc-mdrpop"
- # path = "/service/"
- # }
- # resource "aws_iam_user_policy_attachment" "pop_service_account_1" {
- # user = "${aws_iam_user.pop_service_account.name}"
- # policy_arn = "${aws_iam_policy.ecr_policy_pop.arn}"
- # }
- # resource "aws_iam_access_key" "pop_service_account" {
- # user = "${aws_iam_user.pop_service_account.name}"
- # pgp_key = "${file("../00-organizations-and-iam/duane_waddle.pgp")}"
- # }
- # output "pop_service_account_key_id" {
- # value = "${aws_iam_access_key.pop_service_account.id}"
- # }
- # output "pop_service_account_secret" {
- # value = "${aws_iam_access_key.pop_service_account.encrypted_secret}"
- # }