#docs (2019-04)
Discussions related to https://github.com/cloudposse/docs
Archive: https://archive.sweetops.com/docs/
2019-04-10
Stephen Lawrence:
Hello, checking on the status of the docs for https://github.com/cloudposse/terraform-aws-kops-ecr
Terraform module to provision an ECR repository and grant users and kubernetes nodes access to it. - cloudposse/terraform-aws-kops-ecr
The usage section is showing an older version of the modules.
When I update my code to point at the latest releases of the two mentioned modules, I get this:

```
module.kops_ecr.module.kops_metadata.data.aws_security_group.bastion: data.aws_security_group.bastion: no matching SecurityGroup found
```

Erik Osterman (Cloud Posse):
@Stephen Lawrence yes, ignore those version numbers.
Use the latest per the release.
Here’s another example: https://github.com/cloudposse/terraform-root-modules/tree/master/aws/ecr
Example Terraform service catalog of “root module” blueprints for provisioning reference architectures - cloudposse/terraform-root-modules
2019-04-11
Stephen Lawrence:
I see, I am looking for a quick way to get an ECR + a user for our Kubernetes cluster + CI to access.
Erik Osterman (Cloud Posse):
What we do is grant the nodes’ instance profile/role access to ECR
that way it’s seamless
are you using kops?
Stephen Lawrence:
Yes, we have kops building our VPC and k8s cluster
Erik Osterman (Cloud Posse):
perfect.
this is how we do it: https://github.com/cloudposse/terraform-root-modules/blob/master/aws/ecr/kops_ecr_app.tf
Stephen Lawrence:
@Erik Osterman (Cloud Posse) I would need to create an assumable role outside of this?
2019-04-12
Erik Osterman (Cloud Posse):
So you would provision your ECR repo like this:

```hcl
module "kops_ecr_app" {
  # Module source pinned to a release tag
  source                     = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.4.0"
  namespace                  = "${var.namespace}"
  stage                      = "${var.stage}"
  name                       = "${var.kops_ecr_app_repository_name}"
  enabled                    = "${var.kops_ecr_app_enabled}"
  principals_full_access     = ["${local.principals_full_access}"]
  # Principals allowed to pull from the repo
  principals_readonly_access = ["${local.principals_readonly_access}"]
  tags                       = "${module.label.tags}"
}
```

where `principals_readonly_access` are the principals of your kops cluster nodes & masters
that says, create a new ECR repo for an “app” (since you need one repo per app in AWS; not like in Docker Hub)
then allow `principals_readonly_access` to pull from that repo