From b6838847bf8c67751c77fb8938d9039d3bcb201b Mon Sep 17 00:00:00 2001
From: Arminio Andrei
Date: Wed, 22 May 2024 10:50:43 +0300
Subject: [PATCH] fix: grant push/pull to eks-deployer batch role in prod

In order to be able to tag images with eks-deployer batch job we need to add its roles to ecr iam policy.
---
 dist/index.js | 2 +-
 src/resources/ecr-iam-policy.json | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dist/index.js b/dist/index.js
index 108be3b3..0eb31a60 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -94429,7 +94429,7 @@ module.exports = parseParams /***/ ((module) => { "use strict"; -module.exports = JSON.parse('{"Version":"2012-10-17","Statement":[{"Sid":"OrganizationReadOnlyAccess","Effect":"Allow","Principal":"*","Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:DescribeImageScanFindings","ecr:DescribeImages","ecr:DescribeRepositories","ecr:GetAuthorizationToken","ecr:GetDownloadUrlForLayer","ecr:GetRepositoryPolicy","ecr:ListImages"],"Condition":{"StringLike":{"aws:PrincipalOrgID":"o-u7wq0k1pyq"}}},{"Sid":"AllowCrossAccountPushPull","Effect":"Allow","Principal":{"AWS":["arn:aws:iam::694518486591:role/ts_all_base_administrator_role","arn:aws:iam::694518486591:role/ts_all_base_eks-deployer_role","arn:aws:iam::933138817065:role/ts_all_card_eks-deployer_role","arn:aws:iam::615254691163:role/ts_all_test_ci-it-slave_role","arn:aws:iam::615254691163:role/ts_all_test_ci-components-slave_role","arn:aws:iam::408856936053:role/ts_all_prod_eks-deployer_role"]},"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:CompleteLayerUpload","ecr:DescribeImageScanFindings","ecr:DescribeImages","ecr:DescribeRepositories","ecr:GetAuthorizationToken","ecr:GetDownloadUrlForLayer","ecr:GetRepositoryPolicy","ecr:InitiateLayerUpload","ecr:ListImages","ecr:PutImage","ecr:UploadLayerPart"]}]}'); +module.exports = 
JSON.parse('{"Version":"2012-10-17","Statement":[{"Sid":"OrganizationReadOnlyAccess","Effect":"Allow","Principal":"*","Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:DescribeImageScanFindings","ecr:DescribeImages","ecr:DescribeRepositories","ecr:GetAuthorizationToken","ecr:GetDownloadUrlForLayer","ecr:GetRepositoryPolicy","ecr:ListImages"],"Condition":{"StringLike":{"aws:PrincipalOrgID":"o-u7wq0k1pyq"}}},{"Sid":"AllowCrossAccountPushPull","Effect":"Allow","Principal":{"AWS":["arn:aws:iam::694518486591:role/ts_all_base_administrator_role","arn:aws:iam::694518486591:role/ts_all_base_eks-deployer_role","arn:aws:iam::933138817065:role/ts_all_card_eks-deployer_role","arn:aws:iam::615254691163:role/ts_all_test_ci-it-slave_role","arn:aws:iam::615254691163:role/ts_all_test_ci-components-slave_role","arn:aws:iam::408856936053:role/ts_all_prod_eks-deployer_role","arn:aws:iam::408856936053:role/ts_all_prod_eks-deployer-batch","arn:aws:iam::408856936053:role/ts_all_sand_eks-deployer-batch"]},"Action":["ecr:BatchCheckLayerAvailability","ecr:BatchGetImage","ecr:CompleteLayerUpload","ecr:DescribeImageScanFindings","ecr:DescribeImages","ecr:DescribeRepositories","ecr:GetAuthorizationToken","ecr:GetDownloadUrlForLayer","ecr:GetRepositoryPolicy","ecr:InitiateLayerUpload","ecr:ListImages","ecr:PutImage","ecr:UploadLayerPart"]}]}'); /***/ }), diff --git a/src/resources/ecr-iam-policy.json b/src/resources/ecr-iam-policy.json index 25e28a33..e3486874 100644 --- a/src/resources/ecr-iam-policy.json +++ b/src/resources/ecr-iam-policy.json 
@@ -32,7 +32,9 @@
 "arn:aws:iam::933138817065:role/ts_all_card_eks-deployer_role",
 "arn:aws:iam::615254691163:role/ts_all_test_ci-it-slave_role",
 "arn:aws:iam::615254691163:role/ts_all_test_ci-components-slave_role",
- "arn:aws:iam::408856936053:role/ts_all_prod_eks-deployer_role"
+ "arn:aws:iam::408856936053:role/ts_all_prod_eks-deployer_role",
+ "arn:aws:iam::408856936053:role/ts_all_prod_eks-deployer-batch",
+ "arn:aws:iam::408856936053:role/ts_all_sand_eks-deployer-batch"
 ]
 },
 "Action": [
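Review bot: The two added principals, `ts_all_prod_eks-deployer-batch` and `ts_all_sand_eks-deployer-batch`, inherit the full push set of this statement, although the commit message says the batch job only needs to tag images. Retagging an existing image needs `ecr:BatchGetImage` and `ecr:PutImage`, not `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart` or `ecr:CompleteLayerUpload`, so a separate statement listing just those two actions for the batch roles would keep them from uploading new image content. The title mentions prod only, while a `sand` role in the same account 408856936053 also gains push rights; it is worth confirming that this is intended, and that both role names really lack the `_role` suffix the other entries carry. The statement's `Sid` and the contents of its `Action` list lie outside this hunk, so the action set is read from the bundled copy in dist/index.js.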