From ed2a445e6a1597b10abbb9d2c5184d2b030d27dd Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Mon, 2 Dec 2024 13:01:24 -0600
Subject: [PATCH] converted to role from root

---
 app/tf/ecr.tf | 4 ++--
 app/tf/kms.tf | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/app/tf/ecr.tf b/app/tf/ecr.tf
index ed65b22..62b5aa6 100644
--- a/app/tf/ecr.tf
+++ b/app/tf/ecr.tf
@@ -2,7 +2,7 @@ data "aws_caller_identity" "current" {}
 locals {
 principal_root_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
 development_account = "743794601996"
- development_env_root_arn = "arn:aws:iam::${local.development_account}:root"
+ development_env_role_arn = "arn:aws:iam::${local.development_account}:role/*"
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
 resource "aws_ecr_repository" "image_repo" {
@@ -28,7 +28,7 @@ resource "aws_ecr_repository_policy" "repository_policy" {
 Sid = "AllowCrossAccountPull"
 Effect = "Allow"
 Principal = {
- AWS = "${local.development_env_root_arn}"
+ AWS = "${local.development_env_role_arn}"
 }
 Action = [
 "ecr:BatchCheckLayerAvailability",
diff --git a/app/tf/kms.tf b/app/tf/kms.tf
index cf8b3a6..b4b90dc 100644
--- a/app/tf/kms.tf
+++ b/app/tf/kms.tf
@@ -29,11 +29,9 @@ resource "aws_kms_key_policy" "ecr_key_policy" {
 {
 Effect = "Allow"
 Principal = {
- AWS = "${local.development_env_root_arn}"
+ AWS = "${local.development_env_role_arn}"
 }
- Action = [
- "kms:Decrypt"
- ]
+ Action = ["kms:Decrypt"]
 Resource = "*"
 }
 ]
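Review bot: The new local `development_env_role_arn = "arn:aws:iam::${local.development_account}:role/*"` is consumed as a `Principal` ARN in both the ECR repository policy (second hunk) and the KMS key policy (kms.tf hunk), but as far as I know IAM does not accept wildcards inside a principal ARN — only a bare `"*"` — so I expect both applies to be rejected with an invalid-principal error rather than the access being narrowed as intended. The usual way to express "any role in the development account" is to keep the account-root principal the old code had and scope it with a condition on `aws:PrincipalArn`, as sketched below for the ecr.tf statement; the kms.tf statement needs the same treatment. Even then `role/*` admits every role in that account, so enumerating the specific pull/deploy role ARNs is the tighter option worth considering. Since the value is now a match pattern rather than a resolvable ARN, renaming it to something like `development_env_role_pattern` with the comment `# pattern for an aws:PrincipalArn condition, not a valid Principal value` would stop the next reader from reusing it as a principal. The locals block and both policy statements start and end outside the hunks.
```hcl
      Sid    = "AllowCrossAccountPull"
      Effect = "Allow"
      Principal = {
        AWS = "arn:aws:iam::${local.development_account}:root"
      }
      Condition = {
        ArnLike = {
          "aws:PrincipalArn" = "arn:aws:iam::${local.development_account}:role/*"
        }
      }
      # … unchanged: Action list and Resource …
```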