
Hotfix for ECR Immutable setting

When adding Tag Immutability to the portal repos, things have broken and we cannot push new changes to the portal servers. The codebuild code depends on being able to tag a new image with the latest tag. Rick and I have thought up 2 ideas.

1. remove tag immutability
2. give permissions to the codebuild role to be able to delete images from the AWS ECR repository.

We will go with option 1 for now and fine tune at a later date.
Jeremy Cooper [AFS MBP] 3 years ago
parent
commit
0f972b3f96

+ 8 - 2
base/codebuild_ecr_customer_portal/main.tf

@@ -41,7 +41,10 @@ resource "aws_codebuild_project" "this_no_artifact" {
 
 resource "aws_ecr_repository" "this-server" {
   name                 = "portal_server"
-  image_tag_mutability = "IMMUTABLE"
+  # tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
+  # image_tag_mutability = "IMMUTABLE" 
+  # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
+  # The codebuild code depends on being able to tag a new image with the latest tag.
 
   image_scanning_configuration {
     scan_on_push = true
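Review bot: Commenting out `image_tag_mutability = "IMMUTABLE"` in the `portal_server` repository does not set a value, it drops the argument, so the provider falls back to the AWS default of MUTABLE without that ever appearing in the code; write `image_tag_mutability = "MUTABLE"` explicitly so the intended state shows up in the plan and the `tfsec:ignore:aws-ecr-enforce-immutable-repository` marker sits on the line it is meant to cover. It is also worth confirming in a tfsec run that an ignore comment placed inside the block after `name` is honoured (the submodule hunk puts it on the `resource` line instead); if it is not, the finding is still raised. The line `# image_tag_mutability = "IMMUTABLE" ` carries trailing whitespace. Since `latest` can now be re-pointed at a different digest by any principal with push rights, which is exactly what the immutable setting prevented, the MSOCI-2182 reference in the comment should be the thing that gates re-enabling it rather than an open-ended TO-DO.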
@@ -50,7 +53,10 @@ resource "aws_ecr_repository" "this-server" {
 
 resource "aws_ecr_repository" "this-nginx" {
   name                 = "django_nginx"
-  image_tag_mutability = "IMMUTABLE"
+  # tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
+  # image_tag_mutability = "IMMUTABLE" 
+  # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
+  # The codebuild code depends on being able to tag a new image with the latest tag.
 
   image_scanning_configuration {
     scan_on_push = true
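Review bot: Same issue as the `portal_server` hunk above: the argument is removed rather than set, so `django_nginx` silently becomes MUTABLE; use `image_tag_mutability = "MUTABLE"` explicitly. The four-line comment block is now duplicated verbatim in both repositories here and again in `submodules/codebuild/codebuild-ecr-image/ecr_repo.tf`; a single `image_tag_mutability` variable on the shared module, defaulting to the temporary value and documented once with the MSOCI-2182 reference, would leave one place to revert when the ticket is closed instead of three.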

+ 6 - 1
submodules/codebuild/codebuild-ecr-image/ecr_repo.tf

@@ -1,7 +1,12 @@
 
-resource "aws_ecr_repository" "this" {
+resource "aws_ecr_repository" "this" { # tfsec:ignore:aws-ecr-repository-customer-key tfsec:ignore:aws-ecr-enforce-immutable-repository
+  # Risk is low for KMS AES-256 encryption
   name = var.name
   tags = merge(var.standard_tags, var.tags)
+  # image_tag_mutability = "IMMUTABLE" 
+  # Allow mutable tags for now - TO-DO
+  # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
+  # The codebuild code depends on being able to tag a new image with the latest tag.
 
   image_scanning_configuration {
     scan_on_push = true
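Review bot: The added `tfsec:ignore:aws-ecr-repository-customer-key` on the `resource` line, justified by `# Risk is low for KMS AES-256 encryption`, is unrelated to the tag-mutability hotfix described in the commit message and widens the change's scope; it belongs in its own commit with its own review. The justification also conflates two things: that tfsec rule asks for a customer-managed KMS key in `encryption_configuration`, whereas a repository with no such block uses the AES-256 default with an AWS-managed key, so "KMS AES-256" does not describe what is actually configured. As in the other two hunks, `image_tag_mutability` is commented out rather than set, so this module now produces MUTABLE repositories for every caller without saying so; set `image_tag_mutability = "MUTABLE"` explicitly (or expose it as a variable with the MSOCI-2182 note on the default) and drop the trailing whitespace on `# image_tag_mutability = "IMMUTABLE" `.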