TBD
Example: docrepo
<env>/main.tf
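locals {
  ci = "myapp"

  # ECR locals
  # Account *root* principals that are granted access by the repository policy.
  # Using ":root" delegates to every IAM principal in that account that its own
  # administrators choose to allow — a compromised role in any of these accounts
  # can reach this repository. Prefer a specific role ARN when one is known.
  ecr_allow_cross_account_pull = [
    "arn:aws:iam::133096172191:root",
    "arn:aws:iam::243096172102:root"
  ]
  ecr_create_repo = true
  # Enable ECR's scan-on-push so vulnerabilities in images pushed to this repo
  # (including by the cross-account principals above) are surfaced automatically.
  # Previously false; basic scanning has no per-image cost.
  ecr_image_scan_on_push = true
  ecr_name               = "${local.ci}-dev-back"
}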
# ECR repo for back
# ECR repository for the "back" component, built from the shared module.
# All inputs are taken from the locals above so the environment file is the
# single place to change them.
module "ecr_back" {
  source = "../modules/ecr"

  create_repo              = local.ecr_create_repo
  repo_name                = local.ecr_name
  image_scan_on_push       = local.ecr_image_scan_on_push
  allow_cross_account_pull = local.ecr_allow_cross_account_pull
}
modules/ecr/variables.tf
# Whether this module creates the repository at all (false keeps the module
# callable without provisioning anything).
variable "create_repo" {
  type        = bool
  nullable    = false
  description = "Create the ECR repo?"
}
# Name of the ECR repository to create.
variable "repo_name" {
  type        = string
  nullable    = false
  description = "Repository name"
}
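# Tag mutability for the repository.
# The original only documented the allowed values in a comment; the validation
# block below rejects anything other than the two values ECR accepts at plan
# time instead of at apply time. Default stays "MUTABLE" for compatibility, but
# "IMMUTABLE" is the safer choice when other accounts can push: it prevents an
# existing tag (e.g. "latest") from being silently overwritten.
variable "image_tag_mutability" {
  default     = "MUTABLE"
  description = "Image tag mutability, default 'MUTABLE'. Allowed: 'MUTABLE' or 'IMMUTABLE'."
  type        = string
  nullable    = false

  validation {
    condition     = contains(["MUTABLE", "IMMUTABLE"], var.image_tag_mutability)
    error_message = "image_tag_mutability must be \"MUTABLE\" or \"IMMUTABLE\"."
  }
}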
# Whether ECR scans each image when it is pushed. No default: callers must
# decide explicitly.
variable "image_scan_on_push" {
  type        = bool
  nullable    = false
  description = "Image scan on push?"
}
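# IAM principals (from other accounts) allowed to pull from the repository.
# Each entry must be an IAM principal ARN; the validation rejects "*" and other
# non-ARN strings, so the repository cannot accidentally be made public by a
# typo in the caller. Note that an account ":root" principal delegates to every
# principal in that account that its administrators allow.
variable "allow_cross_account_pull" {
  description = "Principals allowed to pull from the repository, eg: arn:aws:iam::995980900645:root"
  type        = list(string)
  default     = []

  validation {
    condition = alltrue([
      for p in var.allow_cross_account_pull :
      can(regex("^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:", p))
    ])
    error_message = "Each entry must be an IAM principal ARN of the form arn:aws:iam::<12-digit-account-id>:<principal>."
  }
}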
modules/ecr/ecr.tf
# Elastic Container Registry (ecr)
# --------------------------------
# Create ECR repo
# The ECR repository itself. Created only when `create_repo` is true, so other
# resources address it as `aws_ecr_repository.repo[0]`.
resource "aws_ecr_repository" "repo" {
  count = var.create_repo ? 1 : 0

  name                 = var.repo_name
  image_tag_mutability = var.image_tag_mutability # validated to "MUTABLE" or "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = var.image_scan_on_push
  }
}
# Policy for allowing other accounts to pull image from the repo
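# Repository policy granting the `allow_cross_account_pull` principals *pull*
# access only.
#
# Fix: the previous statement was labelled "AllowCrossAccountPull" and the
# variable is documented as "allowed to pull", but it also granted
# ecr:InitiateLayerUpload / ecr:UploadLayerPart / ecr:CompleteLayerUpload /
# ecr:PutImage. With "MUTABLE" tags that let any principal in the listed
# accounts overwrite an existing tag with an arbitrary image — a supply-chain
# path into whatever deploys from this repo. The statement is now restricted to
# the three resource-scoped actions a pull needs. If cross-account *push* is
# genuinely required, add it as a separate, explicitly named statement/variable
# rather than hiding it under "pull".
#
# Pulling also needs ecr:GetAuthorizationToken, which is not resource-scoped and
# must be granted in the caller's own IAM identity policy, not here.
resource "aws_ecr_repository_policy" "repo_policy" {
  count      = var.create_repo && length(var.allow_cross_account_pull) > 0 ? 1 : 0
  repository = aws_ecr_repository.repo[0].name

  policy = jsonencode({
    Version = "2008-10-17"
    Statement = [
      {
        Sid    = "AllowCrossAccountPull"
        Effect = "Allow"
        Principal = {
          AWS = var.allow_cross_account_pull
        }
        # Read-only actions used by `docker pull`, ECS and EKS image fetches.
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:GetDownloadUrlForLayer"
        ]
      }
    ]
  })
}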
modules/ecr/outputs.tf
# Repository URL of the created repo; null when `create_repo` is false and the
# indexed resource does not exist.
output "ecr_repo_url" {
  value = try(
    aws_ecr_repository.repo[0].repository_url,
    null,
  )
}
<env>/main.tf
# Repositories to create, one object per component. Names are prefixed with the
# `ci` local; scanning on push is currently disabled for every repo in this list
# (a security reviewer would want that reconsidered, since the policy below lets
# other accounts push).
locals {
  ecr_repos = [
    for component in ["api", "autors"] : {
      name         = "${local.ci}_${component}"
      scan_on_push = false
    }
  ]
}
modules/ecr/variables.tf
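# List of repositories to create.
# Added `nullable = false` for consistency with the other module variables, and a
# validation that repo names are unique: `for_each` in ecr.tf keys on `name`, so
# a duplicate entry would otherwise be silently collapsed into one repository.
variable "repos" {
  description = "A list of repository objects with 'name' and 'scan_on_push' attributes."
  type = list(object({
    name         = string
    scan_on_push = bool
  }))
  nullable = false

  validation {
    condition     = length(distinct([for r in var.repos : r.name])) == length(var.repos)
    error_message = "Repository names in 'repos' must be unique."
  }
}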
modules/ecr/ecr.tf
# Create repos
# One repository per entry of `var.repos`, addressed by repository name.
# Tag mutability is fixed to "MUTABLE" here (not configurable in this variant).
resource "aws_ecr_repository" "repo" {
  for_each = { for r in var.repos : r.name => r }

  name                 = each.key
  image_tag_mutability = "MUTABLE" # the other accepted value is "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = each.value.scan_on_push
  }
}
# Policy for allowing other accounts to pull image from the repos
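# Repository policy attached to every repo created above, granting the listed
# external accounts *pull* access.
#
# Fixes relative to the previous version:
#  - The statement granted push actions (InitiateLayerUpload, UploadLayerPart,
#    CompleteLayerUpload, PutImage) to three account roots while the comment
#    above says "pull". Combined with "MUTABLE" tags, any principal in those
#    accounts could overwrite a tag consumed by this account. It is now limited
#    to the resource-scoped actions a pull needs; add a separate, explicitly
#    named statement if cross-account push is actually required.
#  - Policy is built with jsonencode() instead of a heredoc, so a stray quote or
#    comma fails at plan time rather than at the ECR API.
#  - Sid reduced to a plain identifier.
#
# The principal account IDs remain hard-coded inside the module (unchanged from
# the original); they should be lifted into a variable so environments can
# differ and the list is reviewable from the caller.
# ecr:GetAuthorizationToken is not resource-scoped and must be granted in the
# pulling principal's own IAM policy.
resource "aws_ecr_repository_policy" "repo_policy" {
  for_each   = aws_ecr_repository.repo
  repository = each.value.name

  policy = jsonencode({
    Version = "2008-10-17"
    Statement = [
      {
        Sid    = "AllowCrossAccountPull"
        Effect = "Allow"
        Principal = {
          AWS = [
            "arn:aws:iam::279642032772:root",
            "arn:aws:iam::726690249727:root",
            "arn:aws:iam::773096172122:root"
          ]
        }
        # Read-only actions used by `docker pull`, ECS and EKS image fetches.
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:GetDownloadUrlForLayer"
        ]
      }
    ]
  })
}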
modules/ecr/variables.tf
# Tags applied to every resource this module creates.
variable "tags_common" {
  type        = map(string)
  nullable    = false
  description = "Common tags map: env, ci, department, program"
}
# Whether the repository (and its policy) should be created.
variable "create_repo" {
  type        = bool
  nullable    = false
  description = "Create the ECR repo?"
}
# Name of the single repository this module variant creates.
variable "ecr_name" {
  type        = string
  nullable    = false
  description = "Repository name"
}
modules/ecr/ecr.tf
# Elastic Container Registry (ecr)
# --------------------------------
# Create ECR repo, only in 'test' AWS account
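# The ECR repository, created only when `create_repo` is true (the header comment
# says that is the 'test' account).
#
# Fix: scan-on-push was hard-coded to false even though the repository policy
# below lets three other accounts push images into it. Basic scanning is now
# enabled so pushed images are checked for known CVEs; there is no per-image
# cost for basic scanning. Tag mutability is still "MUTABLE" here — with
# cross-account push, "IMMUTABLE" would stop an existing tag from being
# silently replaced, but that is a behaviour change left for the owners.
resource "aws_ecr_repository" "repo" {
  count = var.create_repo ? 1 : 0

  name                 = var.ecr_name
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }

  tags = var.tags_common
}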
# Policy for allowing other accounts to pull image from the repo created in 'test' AWS account
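# Repository policy granting the listed external accounts *pull* access to the
# repo created in the 'test' account.
#
# Fixes relative to the previous version:
#  - The statement granted push actions (InitiateLayerUpload, UploadLayerPart,
#    CompleteLayerUpload, PutImage) to three account roots while the surrounding
#    comments say "pull". With "MUTABLE" tags, any principal in those accounts
#    could overwrite a tag consumed by this account. The grant is now limited to
#    the resource-scoped actions a pull needs; if cross-account push is really
#    intended, add it as a separate, explicitly named statement.
#  - Policy is built with jsonencode() instead of a heredoc so JSON mistakes are
#    caught at plan time.
#  - Sid reduced to a plain identifier.
#
# The principal account IDs are still hard-coded in the module (unchanged from
# the original) and should be promoted to a variable so the list is set and
# reviewed by the caller. ecr:GetAuthorizationToken is not resource-scoped and
# must be granted in the pulling principal's own IAM policy.
resource "aws_ecr_repository_policy" "repo_policy" {
  count      = var.create_repo ? 1 : 0
  repository = aws_ecr_repository.repo[0].name

  policy = jsonencode({
    Version = "2008-10-17"
    Statement = [
      {
        Sid    = "AllowCrossAccountPull"
        Effect = "Allow"
        Principal = {
          AWS = [
            "arn:aws:iam::279642032772:root",
            "arn:aws:iam::726690249727:root",
            "arn:aws:iam::773096172122:root"
          ]
        }
        # Read-only actions used by `docker pull`, ECS and EKS image fetches.
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:GetDownloadUrlForLayer"
        ]
      }
    ]
  })
}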