Inicio Explorar Axuda
Rexistro Iniciar sesión
AFS
/
xdr-terraform-modules
2
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: d386223329
Ramas Etiquetas
xdr-terraform-m...
/
submodules
/
codebuild
/
codebuild-ecr-image
/
ecr_repo.tf

ecr_repo.tf 1.7 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 
  1. resource "aws_ecr_repository" "this" { # tfsec:ignore:aws-ecr-repository-customer-key tfsec:ignore:aws-ecr-enforce-immutable-repository
    2. 

  2.   # Risk is low for KMS AES-256 encryption
    3. 

  3.   name = var.name
    4. 

  4.   tags = merge(var.standard_tags, var.tags)
    5. 

  5.   # image_tag_mutability = "IMMUTABLE" 
    6. 

  6.   # Allow mutable tags for now - TO-DO
    7. 

  7.   # MSOCI-2182 - This breaks the push process for new changes to the portal servers.
    8. 

  8.   # The codebuild code depends on being able to tag a new image with the latest tag.
    9. 

  9. 

  10.   image_scanning_configuration {
    11. 

  11.     scan_on_push = true
    12. 

  12.   }
    13. 

  13. }
    14. 

  14. 

  15. data "aws_iam_policy_document" "ecr_repository_policy" {
    16. 

  16.   statement {
    17. 

  17.     sid    = "LetCodebuildServiceUseTheseImages"
    18. 

  18.     effect = "Allow"
    19. 

  19.     principals {
    20. 

  20.       type        = "Service"
    21. 

  21.       identifiers = ["codebuild.amazonaws.com"]
    22. 

  22.     }
    23. 

  23.     actions = [
    24. 

  24.       "ecr:GetDownloadUrlForLayer",
    25. 

  25.       "ecr:BatchGetImage",
    26. 

  26.       "ecr:BatchCheckLayerAvailability"
    27. 

  27.     ]
    28. 

  28.   }
    29. 

  29. 

  30.   statement {
    31. 

  31.     sid    = "LetCodebuildIAMRolePushImagesHere"
    32. 

  32.     effect = "Allow"
    33. 

  33.     principals {
    34. 

  34.       type        = "AWS"
    35. 

  35.       identifiers = [var.codebuild_assume_role_arn]
    36. 

  36.     }
    37. 

  37.     actions = [
    38. 

  38.       "ecr:BatchCheckLayerAvailability",
    39. 

  39.       "ecr:BatchGetImage",
    40. 

  40.       "ecr:CompleteLayerUpload",
    41. 

  41.       "ecr:DescribeImages",
    42. 

  42.       "ecr:DescribeRepositories",
    43. 

  43.       "ecr:GetAuthorizationToken",
    44. 

  44.       "ecr:GetDownloadUrlForLayer",
    45. 

  45.       "ecr:InitiateLayerUpload",
    46. 

  46.       "ecr:ListImages",
    47. 

  47.       "ecr:PutImage",
    48. 

  48.       "ecr:UploadLayerPart",
    49. 

  49.     ]
    50. 

  50.   }
    51. 

  51. 

  52. }
    53. 

  53. 

  54. #Allow codebuild to access the ECR Repository to use the images
    55. 

  55. resource "aws_ecr_repository_policy" "this" {
    56. 

  56.   repository = aws_ecr_repository.this.name
    57. 

  57.   policy     = data.aws_iam_policy_document.ecr_repository_policy.json
    58. 

  58. }
    59.