diff --git a/README.md b/README.md index faa67f6..8120104 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,7 @@ This repository contains code and resources related to various use cases involvi - [Use Case 4: Enable Health Checks and CloudWatch Logs for AWS Fargate Tasks](#use-case-4-enable-health-checks-and-cloudwatch-logs-for-aws-fargate-tasks) - [Use Case 5: Protecting Credentials and Variables in AWS Fargate Containers using AWS Secrets Manager](#use-case-5-protecting-credentials-and-variables-in-aws-fargate-containers-using-aws-secrets-manager) - [Use Case 6: Blue-Green Deployments for Amazon ECS Fargate with CodeDeploy, Terraform, and GitHub Actions](#use-case-6-blue-green-deployments-for-amazon-ecs-fargate-with-codedeploy-terraform-and-github-actions) +- [Use Case 7: Setup cross-account Amazon Elastic Container Registry (ECR) access using Terraform and GitHub Actions](#use-case-7-setup-cross-account-amazon-elastic-container-registry-ecr-access-using-terraform-and-github-actions) - [Prerequisites](#prerequisites) - [Usage](#usage) - [Contributing](#contributing) 
@@ -99,12 +100,19 @@ This use case focuses on how to use a blue-green deployment pattern to release u For more details, please choose - [blue-green-deployments-for-amazon-ecs-fargate-with-codedeploy-terraform-and-github-actions.](https://skundunotes.com/2024/10/31/blue-green-deployments-for-amazon-ecs-fargate-with-codedeploy-terraform-and-github-actions/) +## Use Case 7: Setup cross-account Amazon Elastic Container Registry (ECR) access using Terraform and GitHub Actions +**🔔 Attention:** The code for this specific use case is located in the [`central-ecr`](https://github.com/kunduso/add-aws-ecr-ecs-fargate/tree/central-ecr) branch. Please refer to this branch instead of the default `main` branch. **🔔** +![Image](https://skdevops.files.wordpress.com/2024/12/107-image-0.png) +Application development teams manage multiple product environments—Dev, Test, Stage, and Prod—to ensure isolation, security, governance, and management. In this setup, it is common to adopt a **spoke-and-wheel architecture**, where an Amazon ECR repository (acting as the hub) is shared across various container hosting environments (such as Amazon ECS clusters) located in different AWS accounts. + +This architecture is achieved by hosting the ECR repository in one AWS account and deploying ECS services for each environment in separate AWS accounts. To enable cross-account access, specific AWS IAM permissions must be configured in both the ECR and ECS accounts. In this **use-case**, I explain the Terraform configuration to apply to the AWS account hosting the Amazon ECR repository and the AWS account hosting the Amazon ECS service. To read more, choose [-setup-cross-account-amazon-elastic-container-registry-ecr-access-using-terraform-and-github-actions.](https://skundunotes.com/2024/12/04/setup-cross-account-amazon-elastic-container-registry-ecr-access-using-terraform-and-github-actions/) Additionally, this repository includes:
- [Checkov pipeline](./.github/workflows/code-scan.yml) for scanning the Terraform code for security and compliance issues. The entire setup and deployment process is automated via the GitHub Actions pipelines, eliminating the need for manual steps. + ## Prerequisites For this code to function without errors, create an OpenID connect identity provider in Amazon Identity and Access Management that has a trust relationship with your GitHub repository. You can read about it [here](https://skundunotes.com/2023/02/28/securely-integrate-aws-credentials-with-github-actions-using-openid-connect/) to get a detailed explanation with steps.
Store the `ARN` of the `IAM Role` as a GitHub secret which is referred in the `terraform.yml` and `app-cd-cd.yml` file. diff --git a/app/tf/kms.tf b/app/tf/kms.tf index cf8b3a6..4434f0d 100644 --- a/app/tf/kms.tf +++ b/app/tf/kms.tf @@ -31,9 +31,7 @@ resource "aws_kms_key_policy" "ecr_key_policy" { Principal = { AWS = "${local.development_env_root_arn}" } - Action = [ - "kms:Decrypt" - ] + Action = ["kms:Decrypt"] Resource = "*" } ]
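Review bot: in the README hunk (`@@ -99,12 +100,19 @@`), the "To read more" link text `[-setup-cross-account-...]` carries a stray leading hyphen that should be dropped, and "spoke-and-wheel architecture" should read "hub-and-spoke architecture", which is the standard term and matches the same sentence's description of the ECR repository as the hub. While editing, "Setup cross-account" in the new heading and in the TOC entry from the first hunk (`@@ -12,6 +12,7 @@`) should be "Set up cross-account" (verb), with the anchor slug updated to match. The paragraph also states that specific IAM permissions must be configured in both the ECR and ECS accounts but never names them; one sentence saying which principal each side trusts (the `kms.tf` hunk in this same change, for instance, trusts the development account root principal for `kms:Decrypt`) would let readers judge the trust boundary without leaving the README.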
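Review bot: in the `app/tf/kms.tf` hunk, collapsing `Action = ["kms:Decrypt"]` onto one line is formatting only and changes no behaviour, so it is unrelated to the README change and would be clearer as its own commit or at least called out in the commit message. The statement it sits in, however, grants `kms:Decrypt` to the entire development account (`Principal = { AWS = "${local.development_env_root_arn}" }`), which hands the decision about who may decrypt images under this ECR key to IAM policies in that account. If only the ECS task execution role in that account needs to pull images, scoping the principal to that role's ARN keeps the key policy at least privilege and makes the cross-account trust explicit. `Resource = "*"` is fine as written, since in a key policy it refers to the key itself.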