AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126
							data "github_repository" "this" {
    name    = var.name
}

resource "aws_codebuild_project" "this_no_artifact" {
  count                 = var.artifact_s3_bucket=="" ? 1 : 0

  name                  = var.name
  description           = "Container for ${var.name}"
  service_role          = var.service_role
  encryption_key        = var.kms_key
  badge_enabled         = var.badge_enabled

  source {
    type                = "GITHUB_ENTERPRISE"
    location            = data.github_repository.this.http_clone_url
    report_build_status = true

    git_submodules_config {
      fetch_submodules = false
    }
  }

  environment {
    compute_type        = "BUILD_GENERAL1_SMALL"
    image               = var.codebuild_image
    type                = "LINUX_CONTAINER"
    privileged_mode     = true
  }

  artifacts {
    type                = "NO_ARTIFACTS"
  }

  tags = merge(var.standard_tags, var.tags)
}
 
resource "aws_ecr_repository" "this-server" {
    name  = "portal_server"

    image_scanning_configuration {
      scan_on_push = true
    }
}

resource "aws_ecr_repository" "this-nginx" {
    name  = "django_nginx"

    image_scanning_configuration {
      scan_on_push = true
    }
}

data "aws_iam_policy_document" "ecr_cross_account_policy" {
  statement {
    sid = "ECRWrite"
    effect = "Allow"
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
    ]
    principals {
      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
      type        = "AWS"
    }
  }
}

resource "aws_ecr_repository_policy" "this-server" {
  repository = aws_ecr_repository.this-server.name
  policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
}

resource "aws_ecr_lifecycle_policy" "this-server" {
  repository = aws_ecr_repository.this-server.name
  policy = file("${path.module}/lifecycle-policy.json")
}

resource "aws_ecr_repository_policy" "this-nginx" {
  repository = aws_ecr_repository.this-nginx.name
  policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
}

resource "aws_ecr_lifecycle_policy" "this-nginx" {
  repository = aws_ecr_repository.this-nginx.name
  policy = file("${path.module}/lifecycle-policy.json")
}

resource "aws_codebuild_webhook" "this" {
  project_name  = var.name
  filter_group {
    filter {
      type    = "EVENT"
      pattern = "PUSH"
    }

    filter {
      type    = "HEAD_REF"
      pattern = "^refs\\/heads\\/release\\/.*$"
    }
  }

  depends_on = [ aws_codebuild_project.this_no_artifact  ]
}

resource "github_repository_webhook" "this" {
  active     = true
  events     = ["push"]
  repository = data.github_repository.this.name

  configuration {
    url          = aws_codebuild_webhook.this.payload_url
    secret       = aws_codebuild_webhook.this.secret
    content_type = "json"
    insecure_ssl = false
  }
}