AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117
							data "github_repository" "this" {
    name    = var.name
}

resource "aws_codebuild_project" "this_no_artifact" {
  count                 = var.artifact_s3_bucket=="" ? 1 : 0

  name                  = var.name
  description           = "Container for ${var.name}"
  service_role          = var.service_role
  encryption_key        = var.kms_key
  badge_enabled         = var.badge_enabled

  source {
    type                = "GITHUB_ENTERPRISE"
    location            = data.github_repository.this.http_clone_url
    report_build_status = true
    git_submodules_config {
      fetch_submodules = false
    }
  }

  source_version = var.source_version

  environment {
    compute_type        = "BUILD_GENERAL1_SMALL"
    image               = var.codebuild_image
    type                = "LINUX_CONTAINER"
    privileged_mode     = true
  }

  artifacts {
    type                = "NO_ARTIFACTS"
  }

  tags = merge(var.standard_tags, var.tags)
}
 
resource "aws_ecr_repository" "this" {
  name  = var.name

  image_scanning_configuration {
    scan_on_push = true
  }
}

data "aws_iam_policy_document" "ecr_cross_account_policy" {
  statement {
    sid = "ECRWrite"
    effect = "Allow"
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeRepositories",
      "ecr:ListImages",
      "ecr:DescribeImages",
    ]
    principals {
      type = "AWS"
      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
    }
  }
  # Allow codebuild access
  statement {
    sid    = "CodeBuildAccessPrincipal"
    effect = "Allow"

    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
    ]

    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
  }
}

resource "aws_ecr_repository_policy" "this" {
  repository = aws_ecr_repository.this.name
  policy = data.aws_iam_policy_document.ecr_cross_account_policy.json
}

resource "aws_ecr_lifecycle_policy" "this" {
  repository = aws_ecr_repository.this.name
  policy = file("${path.module}/default-lifecycle-policy.json")
}

resource "aws_codebuild_webhook" "this" {
  project_name  = var.name
  branch_filter = var.webhook_branch_filter

  depends_on = [ aws_codebuild_project.this_no_artifact ]
}

resource "github_repository_webhook" "this" {
  count = var.enable_webhooks ? 1 : 0

  active     = true
  events     = ["push"]
  repository = data.github_repository.this.name

  configuration {
    url          = aws_codebuild_webhook.this.payload_url
    secret       = aws_codebuild_webhook.this.secret
    content_type = "json"
    insecure_ssl = false
  }
}