Hotfix for ECR Immutable setting

When adding Tag Immutability to the portal repos, things have broken and we cannot push new changes to the portal servers. The codebuild code depends on being able to tag a new image with the latest tag. Rick and I have thought up 2 ideas.

1. remove tag immutability
2. give permissions to the codebuild role to be able to delete images from the AWS ECR repository.

We will go with option 1 for now and fine tune at a later date.
Jeremy Cooper [AFS MBP], 3 years ago
Parent
Current commit 0f972b3f96
2 files changed, 14 insertions and 3 deletions
  1. base/codebuild_ecr_customer_portal/main.tf (+8 −2)
  2. submodules/codebuild/codebuild-ecr-image/ecr_repo.tf (+6 −1)

base/codebuild_ecr_customer_portal/main.tf (+8 −2)

@@ -41,7 +41,10 @@ resource "aws_codebuild_project" "this_no_artifact" {
 
 resource "aws_ecr_repository" "this-server" {
   name                 = "portal_server"
-  image_tag_mutability = "IMMUTABLE"
+  # tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
+  # image_tag_mutability = "IMMUTABLE" 
+  # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
+  # The codebuild code depends on being able to tag a new image with the latest tag.
 
   image_scanning_configuration {
     scan_on_push = true
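Review bot: Removing `image_tag_mutability` entirely (the `-` line) makes the repository fall back to the provider default instead of stating the intended setting; writing `image_tag_mutability = "MUTABLE"` explicitly would record the decision in code, keep the tfsec ignore attached to the attribute it suppresses, and make the later move back to `"IMMUTABLE"` a one-word change. Note also that the ignore comment here sits on its own line inside the block, whereas in `ecr_repo.tf` the same ignore is a trailing comment on the `resource` line; pick one placement and confirm with a tfsec run that the `aws-ecr-enforce-immutable-repository` finding is actually suppressed for this resource. While tags are mutable, a mutable `latest` can be silently overwritten, so the consuming deployments should pin the image digest and `scan_on_push = true` (kept in the context lines) should stay in place.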
@@ -50,7 +53,10 @@ resource "aws_ecr_repository" "this-server" {
 
 resource "aws_ecr_repository" "this-nginx" {
   name                 = "django_nginx"
-  image_tag_mutability = "IMMUTABLE"
+  # tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
+  # image_tag_mutability = "IMMUTABLE" 
+  # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
+  # The codebuild code depends on being able to tag a new image with the latest tag.
 
   image_scanning_configuration {
     scan_on_push = true
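Review bot: The four added comment lines are a verbatim copy of the block in `this-server`, and the commented-out `# image_tag_mutability = "IMMUTABLE" ` line carries trailing whitespace in both places. Suggest keeping the full explanation once (or in the MSOCI-2182 ticket) and leaving a one-line pointer here, e.g. `# MSOCI-2182: mutable tags until the codebuild push flow stops retagging latest`, and trimming the trailing space; a `terraform fmt` pass before commit would catch the whitespace.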

submodules/codebuild/codebuild-ecr-image/ecr_repo.tf (+6 −1)

@@ -1,7 +1,12 @@
 
-resource "aws_ecr_repository" "this" {
+resource "aws_ecr_repository" "this" { # tfsec:ignore:aws-ecr-repository-customer-key tfsec:ignore:aws-ecr-enforce-immutable-repository
+  # Risk is low for KMS AES-256 encryption
   name = var.name
   tags = merge(var.standard_tags, var.tags)
+  # image_tag_mutability = "IMMUTABLE" 
+  # Allow mutable tags for now - TO-DO
+  # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
+  # The codebuild code depends on being able to tag a new image with the latest tag.
 
   image_scanning_configuration {
     scan_on_push = true
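Review bot: This hunk widens the change beyond the hotfix described in the commit message: the new `tfsec:ignore:aws-ecr-repository-customer-key` and the comment `# Risk is low for KMS AES-256 encryption` silence an unrelated encryption finding, and that comment conflates the ECR default (AES-256 managed by the service) with a customer-managed KMS key, which is what the check asks for; either drop that ignore from this commit or give it its own justification. Also, the original resource never set `image_tag_mutability` at all, so the commented-out `# image_tag_mutability = "IMMUTABLE" ` line plus the "breaks the push process" note relaxes nothing here and may mislead a reader into thinking immutability was previously enforced in this module. Since the module is already variable-driven (`var.name`, `var.tags`), a cleaner fix is `image_tag_mutability = var.image_tag_mutability` with a default of `"MUTABLE"`, so the portal repos opt out while other callers can keep `"IMMUTABLE"` without editing the module.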