From 60d56adfcaee20f900a27638cbd3c0cd70a73826 Mon Sep 17 00:00:00 2001
From: Andriy Knysh
Date: Tue, 3 Oct 2017 19:23:07 -0400
Subject: [PATCH] Add `AmazonEC2ContainerRegistryReadOnly` policy to provide read-only access to `ECR` repositories (#15)

---
 main.tf | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/main.tf b/main.tf
index 3ce8b031..5d1fef17 100644
--- a/main.tf
+++ b/main.tf
@@ -122,6 +122,13 @@ resource "aws_iam_role_policy_attachment" "ssm-automation" {
   }
 }
 
+# http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.container.console.html
+# http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryReadOnly
+resource "aws_iam_role_policy_attachment" "ecr-readonly" {
+  role = "${aws_iam_role.ec2.name}"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+}
+
 resource "aws_ssm_activation" "ec2" {
   name = "${module.label.id}"
   iam_role = "${aws_iam_role.ec2.id}"
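Review bot: The new `ecr-readonly` attachment is unconditional and the managed policy it attaches is, as far as I recall, written against `Resource: "*"`, so every instance that assumes `aws_iam_role.ec2` can pull and describe every image in every ECR repository of the account, not just the ones this environment deploys; the two URL comments above the resource say where the policy comes from but not that this is account-wide or why the role needs it. If the environment only ever pulls from a known set of repositories, an inline `aws_iam_role_policy` granting `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchCheckLayerAvailability` on those repository ARNs (with `ecr:GetAuthorizationToken` kept on `*`, since it cannot be resource-scoped) would be the least-privilege equivalent, and a `count` toggle driven by a module variable would let callers that do not use Docker images skip the grant entirely. At minimum I would add a comment on the resource stating the blast radius, e.g. `# Lets instances pull Docker images from ECR; the managed policy is account-wide (all repositories), so scope it down if this environment only pulls from known repos.` The `policy_arn` also hard-codes the `aws` partition, which is fine for commercial regions but will not resolve in GovCloud/China; this is consistent with the rest of the file as far as the hunk shows, so only worth changing if the module is meant to be partition-agnostic. The trailing `aws_ssm_activation "ec2"` block is context that continues past the end of the hunk.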