From cf415f04a05ee0f9dcca12eb8e2e2a958437f419 Mon Sep 17 00:00:00 2001
From: Sam Vevang
Date: Fri, 13 Sep 2024 10:23:19 -0500
Subject: [PATCH 1/3] Set up new private perms
---
 iam-roles/PRX-GHA-AccessRole/template.yml | 25 +++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/iam-roles/PRX-GHA-AccessRole/template.yml b/iam-roles/PRX-GHA-AccessRole/template.yml
index de0cfb273..bc87a14c1 100644
--- a/iam-roles/PRX-GHA-AccessRole/template.yml
+++ b/iam-roles/PRX-GHA-AccessRole/template.yml
@@ -41,6 +41,7 @@ Resources:
 - !Ref SesMailSendPolicy
 - !Ref PassCloudFormationRolePolicy
 - !Ref EcrPublicPushPolicy
+ - !Ref PrivateEcrPushPolicy
 RoleName: PRX-GHA-AccessRole
 Tags:
 - { Key: prx:meta:tagging-version, Value: "2021-04-07" }
@@ -162,3 +163,27 @@ Resources:
 Resource: "*"
 Sid: AllowEcrPublicRepoImagePush
 Version: "2012-10-17"
+
+ # GH actions push to private ECR repos
+ PrivateEcrPushPolicy:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ Description: Allows pushing Docker images to private ECR repositories
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - ecr:GetAuthorizationToken
+ - ecr:BatchCheckLayerAvailability
+ - ecr:GetDownloadUrlForLayer
+ - ecr:GetRepositoryPolicy
+ - ecr:DescribeRepositories
+ - ecr:ListImages
+ - ecr:DescribeImages
+ - ecr:BatchGetImage
+ - ecr:InitiateLayerUpload
+ - ecr:UploadLayerPart
+ - ecr:CompleteLayerUpload
+ - ecr:PutImage
+ Resource: "*"
\ No newline at end of file
From 76c17fecfa0f66b82a7332ceda36d35b20ea942c Mon Sep 17 00:00:00 2001
From: Sam Vevang
Date: Fri, 13 Sep 2024 10:25:42 -0500
Subject: [PATCH 2/3] Trim permission to push
---
 iam-roles/PRX-GHA-AccessRole/template.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/iam-roles/PRX-GHA-AccessRole/template.yml b/iam-roles/PRX-GHA-AccessRole/template.yml
index bc87a14c1..fce778193 100644
--- a/iam-roles/PRX-GHA-AccessRole/template.yml
+++ b/iam-roles/PRX-GHA-AccessRole/template.yml
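Review bot: `Resource: "*"` on the new PrivateEcrPushPolicy statement (the last added line of the second hunk, re-added unchanged in PATCH 3/3) lets the GitHub Actions role push and overwrite images in every private repository in the account, which is wider than "pushing Docker images to private ECR repositories" needs for a CI role. Of the listed actions only `ecr:GetAuthorizationToken` has to be granted on `*`; the layer-upload, PutImage and read actions accept repository ARNs, so the statement should be split into a registry-login statement on `*` and a repository statement whose Resource is narrowed to the repositories CI actually publishes. The sibling statement carries `Sid: AllowEcrPublicRepoImagePush`; giving the new statements Sids in the same style keeps the policy self-describing when it is inspected in IAM. The Sid names and the `repository/*` pattern below are constructed and should be adjusted to the real repository names; indentation follows the file's own.

```yaml
        Statement:
          - Sid: AllowEcrRegistryLogin
            Effect: Allow
            Action: ecr:GetAuthorizationToken
            Resource: "*"
          - Sid: AllowEcrPrivateRepoImagePush
            Effect: Allow
            Action:
              # … unchanged: the repository-scoped ecr:* actions from the hunk …
            Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*"
```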
@@ -174,14 +174,7 @@ Resources:
 Statement:
 - Effect: Allow
 Action:
- - ecr:GetAuthorizationToken
 - ecr:BatchCheckLayerAvailability
- - ecr:GetDownloadUrlForLayer
- - ecr:GetRepositoryPolicy
- - ecr:DescribeRepositories
- - ecr:ListImages
- - ecr:DescribeImages
- - ecr:BatchGetImage
 - ecr:InitiateLayerUpload
 - ecr:UploadLayerPart
 - ecr:CompleteLayerUpload
From 77fbecfda0ddb4314f5ed881aa3f16f387aac47f Mon Sep 17 00:00:00 2001
From: Sam Vevang
Date: Fri, 13 Sep 2024 10:33:56 -0500
Subject: [PATCH 3/3] Add a newline
---
 iam-roles/PRX-GHA-AccessRole/template.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iam-roles/PRX-GHA-AccessRole/template.yml b/iam-roles/PRX-GHA-AccessRole/template.yml
index fce778193..902111e64 100644
--- a/iam-roles/PRX-GHA-AccessRole/template.yml
+++ b/iam-roles/PRX-GHA-AccessRole/template.yml
@@ -179,4 +179,4 @@ Resources:
 - ecr:UploadLayerPart
 - ecr:CompleteLayerUpload
 - ecr:PutImage
- Resource: "*"
\ No newline at end of file
+ Resource: "*"
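Review bot: Dropping `- ecr:GetAuthorizationToken` (the first removed line of the PATCH 2/3 hunk) leaves PrivateEcrPushPolicy unable to log in to the private registry: the InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload and PutImage calls that remain are made with a Docker credential obtained through `ecr:GetAuthorizationToken`, which none of the surviving actions cover. That may be intended if another policy attached to PRX-GHA-AccessRole already grants it, but EcrPublicPushPolicy's document is outside this patch and the public-registry equivalent (`ecr-public:GetAuthorizationToken`) is a different action, so please confirm before merging. If it is not granted elsewhere, keep the token in its own statement so the repository actions can still be scoped to repository ARNs: `- Effect: Allow` / `Action: ecr:GetAuthorizationToken` / `Resource: "*"`. The statement's `Resource` line and the rest of the policy lie past the end of the hunk; the other removals (GetDownloadUrlForLayer, GetRepositoryPolicy, DescribeRepositories, ListImages, DescribeImages, BatchGetImage) are not needed for a push and are fine to drop.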