host ecr in the central aws account

app/tf/backend.tf

@@ -0,0 +1,8 @@
+terraform {
+  backend "s3" {
+    bucket  = "terraform-remote-state-076680484948"
+    encrypt = true
+    key     = "tf/add-aws-ecr-ecs-fargate/terraform.tfstate"
+    region  = "us-east-2"
+  }
+}

app/tf/ecr.tf

@@ -0,0 +1,43 @@
+data "aws_caller_identity" "current" {}
+locals {
+  principal_root_arn       = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+  development_account      = "743794601996"
+  development_env_root_arn = "arn:aws:iam::${local.development_account}:root"
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
+resource "aws_ecr_repository" "image_repo" {
+  name                 = var.name
+  image_tag_mutability = "IMMUTABLE"
+  encryption_configuration {
+    encryption_type = "KMS"
+    kms_key         = aws_kms_key.ecr_kms_key.arn
+  }
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+# ECR Repository policy for cross-account access
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_policy
+resource "aws_ecr_repository_policy" "repository_policy" {
+  repository = aws_ecr_repository.image_repo.name
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowCrossAccountPull"
+        Effect = "Allow"
+        Principal = {
+          AWS = "${local.development_env_root_arn}"
+        }
+        Action = [
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:BatchGetImage",
+          "ecr:DescribeImages",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:ListImages"
+        ]
+      }
+    ]
+  })
+}

app/tf/kms.tf

@@ -0,0 +1,41 @@
+# Create a KMS key for encryption
+resource "aws_kms_key" "ecr_kms_key" {
+  description             = "KMS key to encrypt ECR images in central AWS account."
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+}
+# KMS key policy allowing AccountB to use the key for ECR image encryption/decryption
+resource "aws_kms_alias" "ecr_key_alias" {
+  name          = "alias/${var.name}-ecr-repository-key"
+  target_key_id = aws_kms_key.ecr_kms_key.key_id
+}
+
+resource "aws_kms_key_policy" "ecr_key_policy" {
+  key_id = aws_kms_key.ecr_kms_key.key_id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      # Allow Central AWS account to perform any KMS actions
+      {
+        Sid    = "Enable IAM User Permissions"
+        Action = ["kms:*"]
+        Effect = "Allow"
+        Principal = {
+          AWS = "${local.principal_root_arn}"
+        }
+        Resource = "*"
+      },
+      # Allow Dev environment to use the KMS key for decryption
+      {
+        Effect = "Allow"
+        Principal = {
+          AWS = "${local.development_env_root_arn}"
+        }
+        Action = [
+          "kms:Decrypt"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}

app/tf/provider.tf

@@ -0,0 +1,19 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.42.0"
+    }
+  }
+}
+
+provider "aws" {
+  region     = var.region
+  access_key = var.access_key
+  secret_key = var.secret_key
+  default_tags {
+    tags = {
+      Source = "https://github.com/kunduso/add-aws-ecr-ecs-fargate"
+    }
+  }
+}

app/tf/variables.tf

@@ -0,0 +1,25 @@
+#Define AWS Region
+variable "region" {
+  description = "Infrastructure region."
+  type        = string
+  default     = "us-east-2"
+}
+#Define IAM User Access Key
+variable "access_key" {
+  description = "The access_key that belongs to the IAM user."
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+#Define IAM User Secret Key
+variable "secret_key" {
+  description = "The secret_key that belongs to the IAM user."
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+variable "name" {
+  description = "The name of the application."
+  type        = string
+  default     = "app-6"
+}