AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133
							data "github_repository" "this" {
  name = var.name
}

resource "aws_codebuild_project" "this_no_artifact" {
  count = var.artifact_s3_bucket == "" ? 1 : 0

  name           = var.name
  description    = "Container for ${var.name}"
  service_role   = var.service_role
  encryption_key = var.kms_key
  badge_enabled  = var.badge_enabled

  source {
    type                = "GITHUB_ENTERPRISE"
    location            = data.github_repository.this.http_clone_url
    report_build_status = true
    git_clone_depth     = 1
    git_submodules_config {
      fetch_submodules = var.fetch_submodules
    }
  }

  source_version = var.source_version

  environment {
    compute_type    = "BUILD_GENERAL1_SMALL"
    image           = var.codebuild_image
    type            = "LINUX_CONTAINER"
    privileged_mode = true
  }

  artifacts {
    type = "NO_ARTIFACTS"
  }

  tags = merge(local.standard_tags, var.tags)

  # Govcloud incompatible with "project visibility"
  # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
  lifecycle { ignore_changes = [project_visibility] }
}

# image_tag_mutability = "IMMUTABLE" 
# MSOCI-2182 - This breaks the push process for new changes to the portal servers.
# The codebuild code depends on being able to tag a new image with the latest tag.
# tfsec:ignore:aws-ecr-enforce-immutable-repository Allow mutable tags for now - TO-DO
resource "aws_ecr_repository" "this" {
  # checkov:skip=CKV_AWS_136: Risk is low for AES-256 encryption
	# checkov:skip=CKV_AWS_51: see tfsec explanation above
  name = var.name

  image_scanning_configuration {
    scan_on_push = true
  }

# tfsec:ignore:aws-ecr-repository-customer-key Risk is low for AES-256 encryption
  encryption_configuration {
        encryption_type = "AES256"
  }
}

data "aws_iam_policy_document" "ecr_cross_account_policy" {
  statement {
    sid     = "ECRWrite"
    effect  = "Allow"
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
    ]
    principals {
      type        = "AWS"
      identifiers = sort([for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])
    }
  }
  # Allow codebuild access
  statement {
    sid     = "CodeBuildAccessPrincipal"
    effect  = "Allow"

    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
    ]

    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
  }
}

resource "aws_ecr_repository_policy" "this" {
  repository = aws_ecr_repository.this.name
  policy     = data.aws_iam_policy_document.ecr_cross_account_policy.json
}

resource "aws_ecr_lifecycle_policy" "this" {
  repository = aws_ecr_repository.this.name
  policy     = file("${path.module}/default-lifecycle-policy.json")
}

resource "aws_codebuild_webhook" "this" {
  project_name  = var.name
  branch_filter = var.webhook_branch_filter

  depends_on    = [aws_codebuild_project.this_no_artifact]
}

resource "github_repository_webhook" "this" {
  count      = var.enable_webhooks ? 1 : 0

  active     = true
  events     = ["push"]
  repository = data.github_repository.this.name

  configuration {
    url          = aws_codebuild_webhook.this.payload_url
    secret       = aws_codebuild_webhook.this.secret
    content_type = "json"
    insecure_ssl = false
  }
}