Basic Terraform for remote-account ECR access by an ECS task
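# ECR repository living in account A; a remote account (account B) pulls
# images from it via the repository policy attached below.
resource "aws_ecr_repository" "account_a" {
  name = var.ecr_name
  tags = local.tags

  # Scan every pushed image for known vulnerabilities. This does not change
  # push/pull behaviour for any caller, so it is safe to enable unconditionally.
  image_scanning_configuration {
    scan_on_push = true
  }

  # Consider image_tag_mutability = "IMMUTABLE" so a tag that account B
  # already deploys cannot be silently re-pointed at a different image. It is
  # left at the provider default here because it changes push semantics for
  # existing pipelines that re-tag.
}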
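# Resource policy on the account A repository granting pull access to account B.
resource "aws_ecr_repository_policy" "account_a" {
  # The repository is declared as "account_a" in this file; the original
  # reference to aws_ecr_repository.this pointed at a resource that does not
  # exist and would fail at plan time.
  repository = aws_ecr_repository.account_a.name
  policy     = data.aws_iam_policy_document.account_a.json
}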
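# Repository (resource) policy document: what principals in account B may do
# against the account A repository.
data "aws_iam_policy_document" "account_a" {
  statement {
    sid    = "RemoteAccessPolicyDocument"
    effect = "Allow"

    # ecr:GetAuthorizationToken is deliberately NOT listed here. It is an
    # account-level action that must be granted on resource "*" in the
    # caller's own IAM policy (see the "execution" document below); a
    # repository policy cannot grant it, so listing it only misleads readers.
    actions = [
      # Required for an image pull.
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      # Read-only inspection; not needed for pulls and can be dropped if
      # account B only ever runs tasks from this repository.
      "ecr:GetRepositoryPolicy",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
    ]

    principals {
      type = "AWS"
      # Trusting the account root delegates to account B's IAM: any principal
      # in account B whose identity policy allows these actions can pull.
      # If the ECS task execution role ARN is known, prefer listing that role
      # here instead of the account root to narrow the grant.
      identifiers = [
        "arn:aws:iam::${var.account_b_id}:root",
      ]
    }
  }
}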
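# Identity policy document for the ECS task execution role in account B.
# Both halves are needed for a cross-account pull: the token call is
# account-level, the layer/image calls are scoped to the remote repository.
data "aws_iam_policy_document" "execution" {
  statement {
    sid    = "AllowECRAuth"
    effect = "Allow"

    actions = [
      "ecr:GetAuthorizationToken",
    ]

    # GetAuthorizationToken does not support resource-level permissions,
    # so "*" is the only valid resource here.
    resources = [
      "*",
    ]
  }

  statement {
    sid    = "AllowECRAccess"
    effect = "Allow"

    # Minimal action set for pulling an image; kept in step with the
    # repository policy in account A.
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]

    # Scoped to the single remote repository ARN rather than "*".
    resources = [
      var.account_a_ecr_arn,
    ]
  }
}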