Página Principal Explorar Ajuda
Registe-se Iniciar Sessão
AFS
/
xdr-terraform-modules
2
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Árvore: 5713a943b8
Ramos Etiquetas
xdr-terraform-m...
/
submodules
/
codebuild
/
codebuild-ecr-image
/
ecr_repo.tf

ecr_repo.tf 1.8 KB
Histórico Em bruto

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. # tfsec:ignore:aws-ecr-enforce-immutable-repository
    2. 

  2. resource "aws_ecr_repository" "this" {
    3. 

  3.   # checkov:skip=CKV_AWS_51: see tfsec explanation above
    4. 

  4.   name = var.name
    5. 

  5.   tags = merge(var.standard_tags, var.tags)
    6. 

  6.   # image_tag_mutability = "IMMUTABLE" 
    7. 

  7.   # Allow mutable tags for now - TO-DO
    8. 

  8.   # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
    9. 

  9.   # The codebuild code depends on being able to tag a new image with the latest tag.
    10. 

  10. 

  11.   image_scanning_configuration {
    12. 

  12.     scan_on_push = true
    13. 

  13.   }
    14. 

  14. 

  15. # tfsec:ignore:aws-ecr-repository-customer-key Risk is low for KMS AES-256 encryption
    16. 

  16.   encryption_configuration {
    17. 

  17.         encryption_type = "AES256"
    18. 

  18.   }
    19. 

  19. }
    20. 

  20. 

  21. data "aws_iam_policy_document" "ecr_repository_policy" {
    22. 

  22.   statement {
    23. 

  23.     sid    = "LetCodebuildServiceUseTheseImages"
    24. 

  24.     effect = "Allow"
    25. 

  25.     principals {
    26. 

  26.       type        = "Service"
    27. 

  27.       identifiers = ["codebuild.amazonaws.com"]
    28. 

  28.     }
    29. 

  29.     actions = [
    30. 

  30.       "ecr:GetDownloadUrlForLayer",
    31. 

  31.       "ecr:BatchGetImage",
    32. 

  32.       "ecr:BatchCheckLayerAvailability"
    33. 

  33.     ]
    34. 

  34.   }
    35. 

  35. 

  36.   statement {
    37. 

  37.     sid    = "LetCodebuildIAMRolePushImagesHere"
    38. 

  38.     effect = "Allow"
    39. 

  39.     principals {
    40. 

  40.       type        = "AWS"
    41. 

  41.       identifiers = [var.codebuild_assume_role_arn]
    42. 

  42.     }
    43. 

  43.     actions = [
    44. 

  44.       "ecr:BatchCheckLayerAvailability",
    45. 

  45.       "ecr:BatchGetImage",
    46. 

  46.       "ecr:CompleteLayerUpload",
    47. 

  47.       "ecr:DescribeImages",
    48. 

  48.       "ecr:DescribeRepositories",
    49. 

  49.       "ecr:GetAuthorizationToken",
    50. 

  50.       "ecr:GetDownloadUrlForLayer",
    51. 

  51.       "ecr:InitiateLayerUpload",
    52. 

  52.       "ecr:ListImages",
    53. 

  53.       "ecr:PutImage",
    54. 

  54.       "ecr:UploadLayerPart",
    55. 

  55.     ]
    56. 

  56.   }
    57. 

  57. 

  58. }
    59. 

  59. 

  60. #Allow codebuild to access the ECR Repository to use the images
    61. 

  61. resource "aws_ecr_repository_policy" "this" {
    62. 

  62.   repository = aws_ecr_repository.this.name
    63. 

  63.   policy     = data.aws_iam_policy_document.ecr_repository_policy.json
    64. 

  64. }
    65.