Adding encryption_type to allow using kms without passing key id and adding ecr:ListImages for argocd-image-updater

Author: adenot

_variables.tf

@@ -7,6 +7,12 @@ variable "trust_accounts" {
   description = "Accounts to trust and allow ECR fetch"
 }
 
+variable "encryption_type" {
+  type        = string
+  description = "Encryption type, KMS or AES256. When kms_key_arn is passed, encryption_type is always KMS"
+  default     = "KMS"
+}
+
 variable "kms_key_arn" {
   type        = string
   description = "KMS Key ARN to use a CMK instead of default key"
@@ -35,4 +41,4 @@ variable "tags" {
   description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment."
   type        = map(string)
   default     = {}
-}
+}

ecr-policies.tf

@@ -21,7 +21,8 @@ data "aws_iam_policy_document" "default" {
         "ecr:GetDownloadUrlForLayer",
         "ecr:BatchGetImage",
         "ecr:BatchCheckLayerAvailability",
-        "ecr:DescribeImageScanFindings"
+        "ecr:DescribeImageScanFindings",
+        "ecr:ListImages"
       ]
     }
   }

ecr-repositories.tf

@@ -3,7 +3,7 @@ resource "aws_ecr_repository" "default" {
   image_tag_mutability = var.image_tag_mutability
 
   encryption_configuration {
-    encryption_type = var.kms_key_arn != "" ? "KMS" : "AES256"
+    encryption_type = var.kms_key_arn != "" ? "KMS" : var.encryption_type
     kms_key         = var.kms_key_arn
   }