
Adds a lifecycle policy for ECR; Public Block on Codebuild Artifacts

1. It adds a lifecycle policy that deletes images older than 1 year.
2. It puts a public block on the s3 artifacts.

To be tagged v5.1.3
Fred Damstra [afs macbook] 3 年之前
父节点
当前提交
d386223329

+ 0 - 1
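--- a/base/account_standards/README.md
+++ b/base/account_standards/README.md
@@ -1,4 +1,3 @@
 # Account Standards
 
 Creates elements that are standard in all accounts, such as access keys, kms keys, etc.
-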

+ 16 - 0
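--- a/base/codebuild_ecr_base/s3.tf
+++ b/base/codebuild_ecr_base/s3.tf
@@ -39,3 +39,19 @@ data "aws_iam_policy_document" "artifacts" {
     }
   }
 }
+
+resource "aws_s3_bucket_public_access_block" "artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_versioning" "artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}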
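Review bot: The `aws_s3_bucket_versioning` resource at the end of the hunk is not mentioned in the commit message and has no companion lifecycle rule, so every overwritten or deleted CodeBuild artifact is retained as a noncurrent version indefinitely; both the bucket's storage and the window in which stale build artifacts remain retrievable grow without bound. If the intent is tamper/rollback protection for recent builds only, add an `aws_s3_bucket_lifecycle_configuration` that expires noncurrent versions after a bounded period (sketched below; the retention number is a placeholder to set per policy). Separately, the hunk header shows this file also defines the `artifacts` bucket-policy document; if an `aws_s3_bucket_policy` consuming it exists outside this hunk, consider `depends_on = [aws_s3_bucket_public_access_block.artifacts]` on that policy resource so the block is in place before the policy is evaluated — I cannot see the policy resource from here, so treat that as something to confirm.
```hcl
# … unchanged: aws_s3_bucket_public_access_block / aws_s3_bucket_versioning …

resource "aws_s3_bucket_lifecycle_configuration" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id

  rule {
    id     = "expire-noncurrent-artifact-versions"
    status = "Enabled"
    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 30 # placeholder: agree the retention window with the team
    }
  }
}
```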

+ 0 - 2
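--- a/submodules/codebuild/codebuild-ecr-image/ecr_repo.tf
+++ b/submodules/codebuild/codebuild-ecr-image/ecr_repo.tf
@@ -1,4 +1,3 @@
-
 resource "aws_ecr_repository" "this" { # tfsec:ignore:aws-ecr-repository-customer-key tfsec:ignore:aws-ecr-enforce-immutable-repository
   # Risk is low for KMS AES-256 encryption
   name = var.name
@@ -57,4 +56,3 @@ resource "aws_ecr_repository_policy" "this" {
   repository = aws_ecr_repository.this.name
   policy     = data.aws_iam_policy_document.ecr_repository_policy.json
 }
-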

+ 41 - 0
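--- a/submodules/codebuild/codebuild-ecr-image/lifecycle.tf
+++ b/submodules/codebuild/codebuild-ecr-image/lifecycle.tf
@@ -0,0 +1,41 @@
+# Simple lifecycle policy that expires images that are untagged, or over 1 year old.
+#
+# Lifecycle policies for ECR aren't very powerful. To do better than this,
+# we would need to change the way we tag images. But ECR is nearly as cheap
+# as S3 storage, so a few extra images isn't going to hurt anybody.
+resource "aws_ecr_lifecycle_policy" "basicpolicy" {
+  repository = aws_ecr_repository.this.name
+
+  policy = <<EOF
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Remove Untagged Images",
+      "selection": {
+        "tagStatus": "untagged",
+        "countType": "sinceImagePushed",
+        "countUnit": "days",
+        "countNumber": 1
+      },
+      "action": {
+        "type": "expire"
+      }
+    },
+    {
+      "rulePriority": 2,
+      "description": "Remove images older than 1 year",
+      "selection": {
+        "tagStatus": "any",
+        "countType": "sinceImagePushed",
+        "countUnit": "days",
+        "countNumber": 365
+      },
+      "action": {
+        "type": "expire"
+      }
+    }
+  ]
+}
+EOF
+}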
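Review bot: Rule 2 (`"tagStatus": "any"`, 365 days since push) expires tagged images regardless of whether anything still references them, so a base or release image that is not rebuilt within a year silently stops being pullable, breaking rollbacks and any task that is restarted after the expiry; the header comment talks about cost but not about this availability consequence. I would state it explicitly in the header, e.g. `# NOTE: rule 2 also removes tagged images still in use; long-lived images must be re-pushed within 365 days or they will no longer be pullable.`, and confirm with the consumers of this submodule that no image is expected to live that long. As a point of style, expressing the policy with `jsonencode({ rules = [...] })` instead of the `<<EOF` heredoc lets Terraform validate the structure at plan time and avoids a malformed-JSON error surfacing only at apply.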