mmiranda/ecr-policy.tf

## ecr-policy.tf
// Grant Read Only access to all account inside AWS organization
data "aws_iam_policy_document" "ecr_organization_readonly_access" {
  statement {
    sid    = "ReadonlyAccess"
    effect = "Allow"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringLike"
      variable = "aws:PrincipalOrgID"
      values = [
        "o-123456", # Main Organization
        "o-329873", # Different Organization
        "o-sdf65s", # Another Organization
      ]
    }

    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:BatchGetImage",
      "ecr:DescribeImageScanFindings",
    ]
  }
}

resource "aws_ecr_repository_policy" "ecr-policy" {
  repository = "my-repo-name"

  policy = data.aws_iam_policy_document.ecr_organization_readonly_access.json

  depends_on = [
    aws_ecr_repository.my-repo-name
  ]
}
	// Grant Read Only access to all account inside AWS organization
	data "aws_iam_policy_document" "ecr_organization_readonly_access" {
	statement {
	sid = "ReadonlyAccess"
	effect = "Allow"

	principals {
	type = "*"
	identifiers = ["*"]
	}

	condition {
	test = "StringLike"
	variable = "aws:PrincipalOrgID"
	values = [
	"o-123456", # Main Organization
	"o-329873", # Different Organization
	"o-sdf65s", # Another Organization
	]
	}

	actions = [
	"ecr:GetAuthorizationToken",
	"ecr:BatchCheckLayerAvailability",
	"ecr:GetDownloadUrlForLayer",
	"ecr:GetRepositoryPolicy",
	"ecr:DescribeRepositories",
	"ecr:ListImages",
	"ecr:DescribeImages",
	"ecr:BatchGetImage",
	"ecr:DescribeImageScanFindings",
	]
	}
	}

	resource "aws_ecr_repository_policy" "ecr-policy" {
	repository = "my-repo-name"

	policy = data.aws_iam_policy_document.ecr_organization_readonly_access.json

	depends_on = [
	aws_ecr_repository.my-repo-name
	]
	}