replication.tf
###################################################
# Replication Policy
###################################################
# Renders the policy JSON that lets other AWS accounts replicate images into
# this registry. One statement is generated per entry of
# var.replication_policies; nothing is rendered when that variable is empty.
# This data source only builds the document. The resource that attaches it
# is not in this file.
data "aws_iam_policy_document" "replication" {
  count = length(var.replication_policies) > 0 ? 1 : 0

  dynamic "statement" {
    for_each = var.replication_policies
    iterator = policy

    content {
      # NOTE(review): the Sid is derived from the account ID alone, so two
      # entries for the same account would produce the same Sid. Confirm the
      # variable's validation rejects duplicates.
      sid    = "ReplicationAccess${policy.value.account}"
      effect = "Allow"

      # The account root ARN trusts the whole source account: which of its
      # principals may replicate is decided by that account's own IAM, not
      # here. Keep the list of accounts as short as possible.
      principals {
        type        = "AWS"
        identifiers = ["arn:aws:iam::${policy.value.account}:root"]
      }

      # ecr:ReplicateImage is always granted. ecr:CreateRepository is added
      # only on request, because it lets the source account create
      # repositories in this registry.
      actions = concat(
        policy.value.allow_create_repository ? ["ecr:CreateRepository"] : [],
        ["ecr:ReplicateImage"],
      )

      # Each entry is interpolated verbatim into a repository ARN in the
      # current region and account. A wildcard entry such as "*" therefore
      # covers every repository; prefer explicit names or narrow prefixes.
      resources = [
        for name in policy.value.repositories :
        "arn:aws:ecr:${local.region}:${local.account_id}:repository/${name}"
      ]
    }
  }
}
###################################################
# Replication Rules
###################################################
# Registry-level replication configuration, created only when
# var.replication_rules is non-empty. Every destination listed here receives
# copies of the matching images, so treat cross-account destinations as a
# data-egress path and review them accordingly.
resource "aws_ecr_replication_configuration" "this" {
  count = length(var.replication_rules) > 0 ? 1 : 0

  replication_configuration {
    dynamic "rule" {
      for_each = var.replication_rules

      content {
        dynamic "destination" {
          for_each = rule.value.destinations

          content {
            # coalesce() skips null and empty strings, so an unset account
            # falls back to this registry's own account, giving same-account
            # replication to another region.
            registry_id = coalesce(destination.value.account, local.account_id)
            region      = destination.value.region
          }
        }

        # One repository_filter block is emitted per entry of
        # rule.value.filters, limiting what the rule replicates.
        # NOTE(review): an empty filter list emits no filter block. Confirm
        # that replicating every repository is intended for such rules.
        dynamic "repository_filter" {
          for_each = rule.value.filters

          content {
            filter_type = repository_filter.value.type
            filter      = repository_filter.value.value
          }
        }
      }
    }
  }
}