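# ECR repository that holds the portal images built and consumed by CodeBuild.
resource "aws_ecr_repository" "this" { # tfsec:ignore:aws-ecr-repository-customer-key tfsec:ignore:aws-ecr-enforce-immutable-repository
  # Risk is low for KMS AES-256 encryption: the default AWS-managed AES-256 key is kept.
  name = var.name
  tags = merge(var.standard_tags, var.tags)

  # image_tag_mutability = "IMMUTABLE"
  # Allow mutable tags for now - TO-DO
  # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
  # The codebuild code depends on being able to tag a new image with the latest tag.
  # NOTE(review): while tags stay mutable, "latest" can be re-pointed at any time; consumers
  # that need a stable reference should pin by image digest rather than by tag.

  image_scanning_configuration {
    scan_on_push = true
  }
}

# Repository policy: lets the CodeBuild service pull images for build environments and
# lets the CodeBuild service role push new images.
data "aws_iam_policy_document" "ecr_repository_policy" {
  statement {
    sid    = "LetCodebuildServiceUseTheseImages"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }

    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability"
    ]

    # A bare service principal would let CodeBuild projects in *any* account pull from this
    # repository (confused-deputy). Restrict it to the account that owns the CodeBuild project,
    # taken from the role ARN (arn:partition:service:region:account:resource, index 4) so no
    # extra module input is required.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [split(":", var.codebuild_assume_role_arn)[4]]
    }
  }

  statement {
    sid    = "LetCodebuildIAMRolePushImagesHere"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [var.codebuild_assume_role_arn]
    }

    # ecr:GetAuthorizationToken is a registry-level action (Resource "*"), so listing it in a
    # repository policy has no effect on its own; it must also be granted on the CodeBuild
    # role's IAM policy. Kept here for parity with the existing policy.
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeImages",
      "ecr:DescribeRepositories",
      "ecr:GetAuthorizationToken",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:ListImages",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
    ]
  }
}

# Allow codebuild to access the ECR Repository to use the images
resource "aws_ecr_repository_policy" "this" {
  repository = aws_ecr_repository.this.name
  policy     = data.aws_iam_policy_document.ecr_repository_policy.json
}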