diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 0b96c0b..95bf573 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -20,9 +20,6 @@ jobs:
       - name: terraform setup
         uses: hashicorp/setup-terraform@v1
-        with:
-          terraform_version: 0.12.29
-          # cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
       # TODO: This step duplicates work done by the Makefile.
       # - name: check terraform formatting
diff --git a/README.md b/README.md
index f16ffb8..052039c 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ The following arguments are supported:
 * `lifecycle_policy_path` – (Optional) Path to JSON document containing lifecycle policy.
-* `readers` - (Optional) List of account ARNs that can pull images.
+* `readers` - (Optional) List of account ARNs that can pull images. These accounts are also granted describe and list access to the corresponding repo(s) and images.
 * `repos` - (Required) List of repository names.
diff --git a/policy.tf b/policy.tf
index ed0ca20..27714ab 100644
--- a/policy.tf
+++ b/policy.tf
@@ -2,7 +2,10 @@ locals {
   actions_read = [
     "ecr:BatchCheckLayerAvailability",
     "ecr:BatchGetImage",
+    "ecr:DescribeImages",
+    "ecr:DescribeRepositories",
     "ecr:GetDownloadUrlForLayer",
+    "ecr:ListImages",
   ]
   actions_write = [
     "ecr:BatchCheckLayerAvailability",
diff --git a/variables.tf b/variables.tf
index 99c79a5..e71c0c4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -9,7 +9,7 @@ variable "lifecycle_policy_path" {
 }
 variable "readers" {
-  description = "List of account ARNs that can pull images."
+  description = "List of account ARNs that can pull images. These accounts are also granted describe and list access to the corresponding repo(s) and images."
   type = list(string)
   default = []
 }
diff --git a/versions.tf b/versions.tf
index d9b6f79..6964268 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,3 +1,3 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 1.3"
 }
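Review bot: Dropping the whole `with:` block leaves `hashicorp/setup-terraform@v1` installing whichever Terraform release is current when the job runs, so the pipeline is no longer reproducible and can break on a future release even though versions.tf in this same commit only requires `>= 1.3`. Pin the toolchain again, e.g. `with:` / `terraform_version: "<pinned 1.3.x release>"` (quoted, so a two-component value is never read as a float), and consider referencing the action by a full commit SHA with the tag in a trailing comment rather than the floating `@v1` major tag, since the action runs with the job's credentials. The removed commented-out token line was dead configuration and its removal is fine. The enclosing job and its steps list start before this hunk.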
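Review bot: The three added actions widen `actions_read` from pull-only to repository and image enumeration, and nothing in the hunk shows which policy statements consume the local; if it feeds any statement besides the grant for `var.readers`, those principals silently gain describe/list access too. Confirm the reference sites, and record the intent above the list so the next edit does not re-narrow or over-widen it: `# Pull access plus read-only metadata (describe/list) for the accounts in var.readers.`. The `locals` block continues outside the hunk.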
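Review bot: The new description promises describe and list access to every entry of `readers`, but the variable remains an unvalidated `list(string)`, so a mistyped or non-ARN value only surfaces when the repository policy is applied. With `required_version` raised to `>= 1.3` in this commit, a `validation` block is available and would reject malformed principals at plan time; the pattern below is a constructed example to be tightened to the partitions and principal forms the module actually accepts. The `variable "lifecycle_policy_path"` block above is only partially visible in the hunk.
```hcl
variable "readers" {
  description = "List of account ARNs that can pull images. These accounts are also granted describe and list access to the corresponding repo(s) and images."
  type        = list(string)
  default     = []

  # Reject values that are not IAM ARNs before they reach the repository policy.
  validation {
    condition     = alltrue([for r in var.readers : can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:", r))])
    error_message = "Each reader must be an IAM ARN of the form arn:<partition>:iam::<account-id>:<principal>."
  }
}
```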