fix: Update the permission for the public ecr (#7)

main.tf

@@ -25,8 +25,8 @@ data "aws_iam_policy_document" "repository" {
       }
 
       actions = [
-        "ecr:BatchGetImage",
-        "ecr:GetDownloadUrlForLayer",
+        "ecr-public:BatchGetImage",
+        "ecr-public:GetDownloadUrlForLayer",
       ]
     }
   }
@@ -62,7 +62,7 @@ data "aws_iam_policy_document" "repository" {
   }
 
   dynamic "statement" {
-    for_each = length(var.repository_read_write_access_arns) > 0 ? [var.repository_read_write_access_arns] : []
+    for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "private" ? [var.repository_read_write_access_arns] : []
 
     content {
       sid = "ReadWrite"
@@ -80,6 +80,27 @@ data "aws_iam_policy_document" "repository" {
       ]
     }
   }
+
+  dynamic "statement" {
+    for_each = length(var.repository_read_write_access_arns) > 0 && var.repository_type == "public" ? [var.repository_read_write_access_arns] : []
+
+    content {
+      sid = "ReadWrite"
+
+      principals {
+        type        = "AWS"
+        identifiers = statement.value
+      }
+
+      actions = [
+        "ecr-public:BatchCheckLayerAvailability",
+        "ecr-public:CompleteLayerUpload",
+        "ecr-public:InitiateLayerUpload",
+        "ecr-public:PutImage",
+        "ecr-public:UploadLayerPart",
+      ]
+    }
+  }
 }
 
 ################################################################################