From e739663f73afb2cc721978bbc3160ae3f877ca09 Mon Sep 17 00:00:00 2001 From: "Jon R. Roma" Date: Tue, 31 Oct 2023 21:35:55 -0500 Subject: [PATCH 1/2] Refine ECR repository IAM policy Allow reader accounts access to the following actions: * ecr:DescribeImages * ecr:DescribeRepositories * ecr:ListImages Also update README.md, variables.tf, and versions.tf. This change will allow users on the development and test accounts to view ECR repos and images that reside on the production account without having production credentials. I do not believe this capability is available through the AWS console, but it is available through the AWS CLI and API. --- README.md | 2 +- policy.tf | 3 +++ variables.tf | 2 +- versions.tf | 2 +- 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f16ffb8..052039c 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ The following arguments are supported: * `lifecycle_policy_path` – (Optional) Path to JSON document containing lifecycle policy. -* `readers` - (Optional) List of account ARNs that can pull images. +* `readers` - (Optional) List of account ARNs that can pull images. These accounts are also granted describe and list access to the corresponding repo(s) and images. * `repos` - (Required) List of repository names. diff --git a/policy.tf b/policy.tf index ed0ca20..27714ab 100644 --- a/policy.tf +++ b/policy.tf @@ -2,7 +2,10 @@ locals { actions_read = [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", + "ecr:DescribeImages", + "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer", + "ecr:ListImages", ] actions_write = [ "ecr:BatchCheckLayerAvailability", diff --git a/variables.tf b/variables.tf index 99c79a5..e71c0c4 100644 --- a/variables.tf +++ b/variables.tf 
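Review bot: The three actions added to `actions_read` widen what every existing `readers` account can enumerate on the production registry (repository names, image tags and digests, and the scan-summary fields that `DescribeImages` returns), but the hunk carries no comment recording that this exposure is intentional; I would add above the list `# Describe/List actions let reader accounts enumerate repos and image metadata cross-account (tags, digests, scan summaries), not layer contents.` Cross-account callers only see these repos when they name the owning registry, so the README line in this commit should also say that `aws ecr describe-repositories` / `list-images` / `describe-images` need `--registry-id <PRODUCTION_ACCOUNT_ID>` (placeholder) to reach them. If `actions_write`, whose remaining entries lie outside the hunk, is not a superset of `actions_read`, writer accounts still lack these describe/list permissions; either confirm that is deliberate or derive it with `concat(local.actions_read, [...])`. The enclosing `locals` block starts before and ends after this hunk.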
@@ -9,7 +9,7 @@ variable "lifecycle_policy_path" { } variable "readers" { - description = "List of account ARNs that can pull images." + description = "List of account ARNs that can pull images. These accounts are also granted describe and list access to the corresponding repo(s) and images." type = list(string) default = [] } diff --git a/versions.tf b/versions.tf index d9b6f79..6964268 100644 --- a/versions.tf +++ b/versions.tf @@ -1,3 +1,3 @@ terraform { - required_version = ">= 0.12" + required_version = ">= 1.3" } From d256372730e0ca0f28b8ba390be7c77aa9b52159 Mon Sep 17 00:00:00 2001 From: "Jon R. Roma" Date: Wed, 1 Nov 2023 02:32:46 -0500 Subject: [PATCH 2/2] Remove obsolete Terraform version reference in GitHub Actions workflow --- .github/workflows/terraform.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 0b96c0b..95bf573 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -20,9 +20,6 @@ jobs: - name: terraform setup uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 0.12.29 - # cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} # TODO: This step duplicates work done by the Makefile. # - name: check terraform formatting