ECR Access from differents organizations

ecr-policy.tf

// Grant Read Only access to all account inside AWS organization
data "aws_iam_policy_document" "ecr_organization_readonly_access" {
  statement {
    sid    = "ReadonlyAccess"
    effect = "Allow"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringLike"
      variable = "aws:PrincipalOrgID"
      values = [
        "o-123456", # Main Organization
        "o-329873", # Different Organization
        "o-sdf65s", # Another Organization
      ]
    }

    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
      "ecr:BatchGetImage",
      "ecr:DescribeImageScanFindings",
    ]
  }
}

resource "aws_ecr_repository_policy" "ecr-policy" {
  repository = "my-repo-name"

  policy = data.aws_iam_policy_document.ecr_organization_readonly_access.json

  depends_on = [
    aws_ecr_repository.my-repo-name
  ]
}