Add ECR

Author: jhkennedy

CHANGELOG.md

@@ -7,7 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [10.11.12]
 
 ### Changed
-- Expanded the hyp3-ci stack permissions for JPL deployments to allow listing CloudFormation stacks and CloudFormation permissions were expended to any region to support deploying HyP3-based monitoring stacks.
+- The hyp3-ci stack permission for JPL deployments were expended to support deploying HyP3-based monitoring stacks:
+  - Listing CloudFormation stacks is now allowed.
+  - CloudFormation permissions were expended to any region from just us-west-2.
+  - ECR actions are now allowed.
 
 ## [10.11.11]
 

cicd-stacks/JPL-deployment-policy-cf.yml

@@ -18,6 +18,7 @@ Resources:
               - dynamodb:*
               - ec2:*
               - ecs:*
+              - ecr:GetAuthorizationToken
               - events:*
               - iam:CreateServiceLinkedRole
               - iam:DeleteServiceLinkedRole
@@ -60,6 +61,20 @@ Resources:
               - cloudformation:GetTemplateSummary
             Resource: !Sub "arn:aws:cloudformation:*:${AWS::AccountId}:stack/*"
 
+          - Effect: Allow
+            Action:
+              - ecr:BatchCheckLayerAvailability
+              - ecr:GetDownloadUrlForLayer
+              - ecr:DescribeRepositories
+              - ecr:ListImages
+              - ecr:DescribeImages
+              - ecr:BatchGetImage
+              - ecr:InitiateLayerUpload
+              - ecr:UploadLayerPart
+              - ecr:CompleteLayerUpload
+              - ecr:PutImage
+            Resource: !Sub "arn:aws:ecr:*:${AWS::AccountId}:repository/*"
+
   ApiGatewayLoggingRole:
     Type: Custom::JplRole
     Properties: