
Adds a lifecycle policy for ECR; Public Block on Codebuild Artifacts

1. It adds an ECR lifecycle policy that deletes images older than one year.
2. It puts a public block on the s3 artifacts.

To be tagged v5.1.3
Fred Damstra [afs macbook] 3 tahun lalu
induk
melakukan
d386223329

+ 0 - 1
base/account_standards/README.md

@@ -1,4 +1,3 @@
 # Account Standards
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
-

+ 16 - 0
base/codebuild_ecr_base/s3.tf

@@ -39,3 +39,19 @@ data "aws_iam_policy_document" "artifacts" {
     }
   }
 }
+
+resource "aws_s3_bucket_public_access_block" "artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_versioning" "artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
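Review bot: Enabling versioning on the artifacts bucket (`aws_s3_bucket_versioning`, end of the hunk) comes with no noncurrent-version expiration, so every overwrite of an artifact key now retains the old object indefinitely; this addition is also not mentioned in the commit description. Since the bucket presumably receives CodeBuild output on every build, the retained versions will grow without bound and keep superseded artifacts around long after they matter. The same commit adds an ECR lifecycle policy for exactly this reason, so a matching `aws_s3_bucket_lifecycle_configuration` with a `noncurrent_version_expiration` rule would keep the two in step (the `aws_s3_bucket_versioning` resource already implies AWS provider v4+, which provides it). The public access block itself looks right; one caveat is that `block_public_policy = true` will reject a bucket-policy apply if `data.aws_iam_policy_document.artifacts` (which starts above this hunk) ever grants a public principal, so a `depends_on` from the bucket-policy resource to this block is worth considering.
```hcl
# Expire superseded artifact versions so versioning does not retain them forever.
resource "aws_s3_bucket_lifecycle_configuration" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id

  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 365
    }
  }
}
```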

+ 0 - 2
submodules/codebuild/codebuild-ecr-image/ecr_repo.tf

@@ -1,4 +1,3 @@
-
 resource "aws_ecr_repository" "this" { # tfsec:ignore:aws-ecr-repository-customer-key tfsec:ignore:aws-ecr-enforce-immutable-repository
   # Risk is low for KMS AES-256 encryption
   name = var.name
@@ -57,4 +56,3 @@ resource "aws_ecr_repository_policy" "this" {
   repository = aws_ecr_repository.this.name
   policy     = data.aws_iam_policy_document.ecr_repository_policy.json
 }
-

+ 41 - 0
submodules/codebuild/codebuild-ecr-image/lifecycle.tf

@@ -0,0 +1,41 @@
+# Simple lifecycle policy that expires images that are untagged, or over 1 year old.
+#
+# Lifecycle policies for ECR aren't very powerful. To do better than this,
+# we would need to change the way we tag images. But ECR is nearly as cheap
+# as S3 storage, so a few extra images isn't going to hurt anybody.
+resource "aws_ecr_lifecycle_policy" "basicpolicy" {
+  repository = aws_ecr_repository.this.name
+
+  policy = <<EOF
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Remove Untagged Images",
+      "selection": {
+        "tagStatus": "untagged",
+        "countType": "sinceImagePushed",
+        "countUnit": "days",
+        "countNumber": 1
+      },
+      "action": {
+        "type": "expire"
+      }
+    },
+    {
+      "rulePriority": 2,
+      "description": "Remove images older than 1 year",
+      "selection": {
+        "tagStatus": "any",
+        "countType": "sinceImagePushed",
+        "countUnit": "days",
+        "countNumber": 365
+      },
+      "action": {
+        "type": "expire"
+      }
+    }
+  ]
+}
+EOF
+}
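Review bot: Rule 1 expires every untagged image one day after push, and because this repository tolerates mutable tags (the `tfsec:ignore:aws-ecr-enforce-immutable-repository` on the `aws_ecr_repository` resource in ecr_repo.tf), re-pushing an existing tag such as `latest` leaves the previous digest untagged, so anything deployed by digest or still running from the old image loses its pullable image after a day, and ECR expiry cannot be undone. Rule 2 (`tagStatus: any`, 365 days) likewise deletes images that are still in use with no way to retain the most recent ones, which is the opposite risk from the one the header comment dismisses with "a few extra images isn't going to hurt anybody". The header comment should state this contract explicitly, e.g. `# NOTE: expiry is permanent. Images still deployed must be re-pushed within 365 days, and overwriting a tag leaves the old digest untagged and deleted after 1 day.` As a point of style, `policy = jsonencode({ rules = [...] })` instead of the heredoc would have Terraform validate the JSON at plan time and avoid quoting mistakes.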