
Merge pull request #348 from mdr-engineering/feature/ftd_MSOCI-2020_ScanOnPush

Enhanced codebuild functionality for projects
Frederick Damstra 3 years ago
parent
commit
c5a02611eb

+ 5 - 1
base/codebuild_ecr_base/main.tf

@@ -3,6 +3,10 @@
 resource "aws_ecr_repository" "codebuild-rhel7" {
   name  = "codebuild-rhel7"
   tags = merge(var.standard_tags, var.tags)
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
 }
 
 #Allow codebuild to access the ECR Repository
@@ -60,4 +64,4 @@ EOF
 #     ]
 # }
 # EOF
-# }
+# }
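Review bot: The `scan_on_push = true` added to `aws_ecr_repository.codebuild-rhel7` (and identically to the repositories in base/codebuild_ecr_customer_portal/main.tf and base/codebuild_ecr_project/main.tf) only records findings; nothing in this change reads them, so an image with known vulnerabilities is still pushed and pulled exactly as before. Pair it with `image_tag_mutability = "IMMUTABLE"` on the same resources so a tag that has been scanned cannot later be overwritten by a different image under the same name, and route the findings somewhere that is acted on, for example an EventBridge rule on the ECR image-scan-completed event or a pipeline step that calls `describe-image-scan-findings` before an image is deployed. The block is copied verbatim into three files; if these modules share a base, lifting it into one place would keep the three repositories from drifting apart. The second hunk in this file only changes trailing whitespace.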

+ 8 - 0
base/codebuild_ecr_customer_portal/main.tf

@@ -37,10 +37,18 @@ resource "aws_codebuild_project" "this_no_artifact" {
  
 resource "aws_ecr_repository" "this-server" {
     name  = "portal_server"
+
+    image_scanning_configuration {
+      scan_on_push = true
+    }
 }
 
 resource "aws_ecr_repository" "this-nginx" {
     name  = "django_nginx"
+
+    image_scanning_configuration {
+      scan_on_push = true
+    }
 }
 
 data "aws_iam_policy_document" "ecr_cross_account_policy" {

+ 25 - 1
base/codebuild_ecr_project/main.tf

@@ -20,6 +20,8 @@ resource "aws_codebuild_project" "this_no_artifact" {
     }
   }
 
+  source_version = var.source_version
+
   environment {
     compute_type        = "BUILD_GENERAL1_SMALL"
     image               = var.codebuild_image
@@ -35,7 +37,11 @@ resource "aws_codebuild_project" "this_no_artifact" {
 }
  
 resource "aws_ecr_repository" "this" {
-    name  = var.name
+  name  = var.name
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
 }
 
 data "aws_iam_policy_document" "ecr_cross_account_policy" {
@@ -60,6 +66,22 @@ data "aws_iam_policy_document" "ecr_cross_account_policy" {
       identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
     }
   }
+  # Allow codebuild access
+  statement {
+    sid    = "CodeBuildAccessPrincipal"
+    effect = "Allow"
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+  }
 }
 
 resource "aws_ecr_repository_policy" "this" {
@@ -80,6 +102,8 @@ resource "aws_codebuild_webhook" "this" {
 }
 
 resource "github_repository_webhook" "this" {
+  count = var.enable_webhooks ? 1 : 0
+
   active     = true
   events     = ["push"]
   repository = data.github_repository.this.name
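Review bot: The new `CodeBuildAccessPrincipal` statement grants `codebuild.amazonaws.com` pull access with no `condition`, and a bare service principal in a repository policy is honoured for CodeBuild projects in any AWS account, which is the confused-deputy gap that `aws:SourceAccount` / `aws:SourceArn` exist to close; the statement should carry a condition naming the account (or the specific project ARN) that is allowed to pull, as sketched below. Separately, `count = var.enable_webhooks ? 1 : 0` on `github_repository_webhook.this` changes the resource address to `github_repository_webhook.this[0]`, so existing deployments will plan a destroy and recreate of the webhook unless the state entry is moved first, and any reference to `github_repository_webhook.this` elsewhere in the module would presumably need an index (the rest of the module is outside the hunk). The `data "aws_iam_policy_document" "ecr_cross_account_policy"` block starts and the `github_repository_webhook` block ends outside the hunk.
```hcl
  statement {
    sid    = "CodeBuildAccessPrincipal"
    effect = "Allow"
    # … unchanged: actions and principals …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["<ACCOUNT_ID_PLACEHOLDER: account that owns the CodeBuild project>"]
    }
  }
```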

+ 3 - 0
base/codebuild_ecr_project/outputs.tf

@@ -0,0 +1,3 @@
+output repo_url {
+  value = aws_ecr_repository.this.repository_url
+}
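Review bot: `output repo_url {` leaves the block label unquoted while every other block in this module (`variable "tags"`, `resource "aws_ecr_repository" "this"`, `output`-style labels in vars.tf) quotes it; write `output "repo_url" {` for consistency, since I believe newer Terraform releases also warn on unquoted labels. Add a `description` so the module's interface is self-documenting, e.g. `description = "Repository URL of the module's ECR repository (aws_ecr_repository.this)."`.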

+ 14 - 1
base/codebuild_ecr_project/vars.tf

@@ -3,6 +3,19 @@ variable "tags" {
   type        = map
   default     = { }
 }
+
+variable "source_version" {
+  description = "Tag or branch for the git repository."
+  type = string
+  default = "master"
+}
+
+variable "enable_webhooks" {
+  description = "Build on changes?"
+  type = bool
+  default = true
+}
+
 variable "standard_tags" { type = map }
 variable "environment" { type = string }
 variable "aws_partition" { type = string }
@@ -27,4 +40,4 @@ variable "badge_enabled" {
 variable "webhook_branch_filter" {
     type = string
     default = "^(master|develop)$"
-}
+}
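Review bot: The description of `enable_webhooks`, `Build on changes?`, does not say what the flag controls; from main.tf in this same commit it gates creation of the `github_repository_webhook` resource, so something like `description = "Create the GitHub push webhook that triggers builds; set to false to disable automatic builds."` tells a caller what false actually does. The `source_version` description could likewise state the effect of the default, e.g. `description = "Tag or branch of the git repository that CodeBuild checks out (default: master)."`. The two new blocks also drop the `key = value` column alignment that the existing `variable "tags"` block uses (`description =` / `type        =`); running `terraform fmt` would restore it. The trailing hunk only changes whitespace on the closing brace.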