Adds module for customer portal

base/codebuild_ecr_customer_portal/README.md

@@ -0,0 +1,17 @@
+# How to Use this Module
+
+Customer Portal was different enough that it needed its own module. 
+
+This module is where the CodeBuild projects are created. It uses the Terraform GitHub Provider and requires a Personal Access Token. This should be your Personal Access Token not mdr-aws-codebuild's token. The provider will look in the environmental variables for the token. 
+
+```
+export GITHUB_TOKEN=<gihub_token>
+```
+
+This module should NOT create the github repo. That is a manual process. I am not comfortable with terraform adding/removing github repos. The github repo should have the same name as the name variable in the terrafgrunt.hcl file. 
+
+## Github Service Account ( mdr-aws-codebuild )
+
+AWS CodeBuild needs a Github Personal Access Token to pull code after the code in a repository has been updated. Terraform is capable of storing the Github Personal Access Token, but that is a bad idea. A better idea is a service account in Github that gives CodeBuild access to specific repositories. This user will need access to repositories in different organizations. The login credentials as well as the Personal Access Token for mdr-aws-codebuild are stored in Vault. 
+
+The service account (mdr-aws-codebuild) needs to have a personal access token manually placed into the aws console. 

base/codebuild_ecr_customer_portal/main.tf

@@ -0,0 +1,101 @@
+data "github_repository" "this" {
+    name    = var.name
+}
+
+resource "aws_codebuild_project" "this_no_artifact" {
+  count                 = var.artifact_s3_bucket=="" ? 1 : 0
+
+  name                  = var.name
+  description           = "Container for ${var.name}"
+  service_role          = var.service_role
+  encryption_key        = var.kms_key
+  badge_enabled         = var.badge_enabled
+
+  source {
+    type                = "GITHUB_ENTERPRISE"
+    location            = data.github_repository.this.http_clone_url
+    report_build_status = true
+  }
+
+  environment {
+    compute_type        = "BUILD_GENERAL1_SMALL"
+    image               = var.codebuild_image
+    type                = "LINUX_CONTAINER"
+    privileged_mode     = true
+  }
+
+  artifacts {
+    type                = "NO_ARTIFACTS"
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+}
+ 
+resource "aws_ecr_repository" "this-api" {
+    name  = "portal-api"
+}
+
+resource "aws_ecr_repository" "this-nginx" {
+    name  = "portal-nginx"
+}
+
+data "aws_iam_policy_document" "ecr_cross_account_policy" {
+  statement {
+    sid = "ECRWrite"
+
+    effect = "Allow"
+
+    actions = [
+      "ecr:GetAuthorizationToken",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:DescribeRepositories",
+      "ecr:ListImages",
+      "ecr:DescribeImages",
+    ]
+
+    principals {
+      identifiers = [
+        "arn:aws-us-gov:iam::721817724804:root",
+        "arn:aws-us-gov:iam::738800754746:root",
+        "arn:aws-us-gov:iam::701290387780:root",
+      ]
+      type        = "AWS"
+    }
+  }
+}
+
+resource "aws_ecr_repository_policy" "this-api" {
+  repository = aws_ecr_repository.this-api.name
+  policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
+}
+
+resource "aws_ecr_repository_policy" "this-nginx" {
+  repository = aws_ecr_repository.this-nginx.name
+  policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
+}
+
+resource "aws_codebuild_webhook" "this" {
+  project_name  = var.name
+  branch_filter = var.webhook_branch_filter
+
+  depends_on = [ aws_codebuild_project.this_no_artifact  ]
+}
+
+resource "github_repository_webhook" "this" {
+  active     = true
+  events     = ["push"]
+  repository = data.github_repository.this.name
+
+  configuration {
+    url          = aws_codebuild_webhook.this.payload_url
+    secret       = aws_codebuild_webhook.this.secret
+    content_type = "json"
+    insecure_ssl = false
+  }
+}

base/codebuild_ecr_customer_portal/vars.tf

@@ -0,0 +1,29 @@
+variable "tags" {
+  description = "Tags to add to the resource (in addition to global standard tags)"
+  type        = map
+  default     = { }
+}
+variable "standard_tags" { type = map }
+variable "environment" { type = string }
+variable "aws_partition" { type = string }
+variable "aws_partition_alias" { type = string }
+variable "aws_account_id" { type = string }
+variable "name" { type = string }
+variable "service_role" { type = string }
+variable "artifact_s3_bucket" { type = string }
+variable "codebuild_image" {type = string }
+
+variable "kms_key" {
+    type = string
+    default = ""
+}
+
+variable "badge_enabled" {
+    type = string
+    default = "false"
+}
+
+variable "webhook_branch_filter" {
+    type = string
+    default = "^(master|develop)$"
+}

base/codebuild_ecr_project/README.md

@@ -6,7 +6,7 @@ This module is where the CodeBuild projects are created. It uses the Terraform G
 export GITHUB_TOKEN=<gihub_token>
 ```
 
-This module should NOT create the github repo. That is a manual process. I am not comfortable with terraform adding/removing github repos. The github repo should have the same name as the name variable in the terrafgrunt.hcl file. 
+This module should NOT create the github repo. That is a manual process. I am not comfortable with terraform adding/removing github repos. The github repo should have the same name as the name variable in the terrafgrunt.hcl file. The user associated with the Personal Access Token needs to have admin permissions on the github repo. 
 
 ## Github Service Account ( mdr-aws-codebuild )
 

base/codebuild_ecr_project/main.tf

@@ -48,6 +48,9 @@ resource "aws_codebuild_project" "this_no_artifact" {
     type                = "GITHUB_ENTERPRISE"
     location            = data.github_repository.this.http_clone_url
     report_build_status = true
+    git_submodules_config {
+      fetch_submodules = false
+    }
   }
 
   environment {