# Look up the GitHub repository whose clone URL feeds the CodeBuild project.
data "github_repository" "this" {
  name = var.name
}

# CodeBuild project used when no artifact bucket is configured (count drops to
# zero as soon as var.artifact_s3_bucket is set; presumably a sibling project
# covers the artifact case — verify).
resource "aws_codebuild_project" "this_no_artifact" {
  count = var.artifact_s3_bucket != "" ? 0 : 1

  name           = var.name
  description    = "Container for ${var.name}"
  service_role   = var.service_role
  encryption_key = var.kms_key
  badge_enabled  = var.badge_enabled
  tags           = merge(local.standard_tags, var.tags)

  source {
    type                = "GITHUB_ENTERPRISE"
    location            = data.github_repository.this.http_clone_url
    report_build_status = true

    git_submodules_config {
      fetch_submodules = false
    }
  }

  environment {
    type         = "LINUX_CONTAINER"
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = var.codebuild_image
    # Presumably needed so the build can run Docker to tag and push images
    # into the ECR repositories below (see the mutability notes there). The
    # build container runs with elevated host privileges, so the image
    # supplied via var.codebuild_image should be one the team controls.
    privileged_mode = true
  }

  artifacts {
    type = "NO_ARTIFACTS"
  }

  # Govcloud incompatible with "project visibility"
  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
  lifecycle {
    ignore_changes = [project_visibility]
  }
}

# image_tag_mutability = "IMMUTABLE"
# MSOCI-2182 - This breaks the push process for new changes to the portal servers.
# The codebuild code depends on being able to tag a new image with the latest tag.
# Tags therefore stay mutable (the provider default), so an existing tag such as
# "latest" can be re-pointed by any principal that holds push access via the
# cross-account policy below.
# tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
resource "aws_ecr_repository" "this-server" {
  # checkov:skip=CKV_AWS_136: Risk is low for AES-256 encryption
  # checkov:skip=CKV_AWS_51: see tfsec explanation above
  name = "portal_server"

  # Every pushed image is scanned on arrival.
  image_scanning_configuration {
    scan_on_push = true
  }

  # tfsec:ignore:aws-ecr-repository-customer-key Risk is low for AES-256 encryption
  encryption_configuration {
    encryption_type = "AES256"
  }
}

# image_tag_mutability = "IMMUTABLE"
# MSOCI-2182 - This breaks the push process for new changes to the portal servers.
# The codebuild code depends on being able to tag a new image with the latest tag.
# Same mutable-tag caveat as portal_server above.
# tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
resource "aws_ecr_repository" "this-nginx" {
  # checkov:skip=CKV_AWS_136: Risk is low for AES-256 encryption
  # checkov:skip=CKV_AWS_51: see tfsec explanation above
  name = "django_nginx"

  # Every pushed image is scanned on arrival.
  image_scanning_configuration {
    scan_on_push = true
  }

  # tfsec:ignore:aws-ecr-repository-customer-key Risk is low for AES-256 encryption
  encryption_configuration {
    encryption_type = "AES256"
  }
}

# Repository policy shared by both ECR repositories. It grants pull *and* push
# to the root principal of every account listed for var.environment in
# local.responsible_accounts; an account-root principal delegates to that
# account's own IAM, so any identity there whose IAM policy allows these
# actions can use them. No delete or policy-management actions are granted.
data "aws_iam_policy_document" "ecr_cross_account_policy" {
  statement {
    sid    = "ECRWrite"
    effect = "Allow"

    principals {
      type = "AWS"
      identifiers = [
        for account_id in local.responsible_accounts[var.environment] :
        format("arn:%s:iam::%s:root", var.aws_partition, account_id)
      ]
    }

    actions = [
      # NOTE(review): ecr:GetAuthorizationToken is not resource-scoped and is
      # normally granted in the caller's IAM policy; confirm it is needed here.
      "ecr:GetAuthorizationToken",
      # pull
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      # push
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      # inspect
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
    ]
  }
}

resource "aws_ecr_repository_policy" "this-server" {
  repository = aws_ecr_repository.this-server.name
  policy     = data.aws_iam_policy_document.ecr_cross_account_policy.json
}

resource "aws_ecr_repository_policy" "this-nginx" {
  repository = aws_ecr_repository.this-nginx.name
  policy     = data.aws_iam_policy_document.ecr_cross_account_policy.json
}

# Image retention rules for both repositories come from lifecycle-policy.json
# shipped next to this module.
resource "aws_ecr_lifecycle_policy" "this-server" {
  repository = aws_ecr_repository.this-server.name
  policy     = file("${path.module}/lifecycle-policy.json")
}

resource "aws_ecr_lifecycle_policy" "this-nginx" {
  repository = aws_ecr_repository.this-nginx.name
  policy     = file("${path.module}/lifecycle-policy.json")
}

# CodeBuild-side webhook: a build is triggered only for push events whose
# head ref is a release/* branch.
resource "aws_codebuild_webhook" "this" {
  project_name = var.name

  filter_group {
    filter {
      type    = "EVENT"
      pattern = "PUSH"
    }

    filter {
      type    = "HEAD_REF"
      pattern = "^refs\\/heads\\/release\\/.*$"
    }
  }

  # project_name is a plain string, so Terraform cannot infer this ordering
  # itself. NOTE(review): when the count above is 0 nothing here guarantees a
  # project named var.name exists — confirm the artifact-bucket variant does.
  depends_on = [aws_codebuild_project.this_no_artifact]
}

# GitHub-side webhook delivering push events to the CodeBuild payload URL.
# The signing secret is the one CodeBuild generated for the webhook above,
# and insecure_ssl = false keeps TLS certificate verification on. Both the
# URL and the secret are held in Terraform state.
resource "github_repository_webhook" "this" {
  repository = data.github_repository.this.name
  active     = true
  events     = ["push"]

  configuration {
    url          = aws_codebuild_webhook.this.payload_url
    secret       = aws_codebuild_webhook.this.secret
    content_type = "json"
    insecure_ssl = false
  }
}