ministryofjustice / cloud-platform-terraform-ecr-credentials

ECR repositories and credentials for the Cloud Platform

License: MIT License

Languages: HCL 92.74%, Go 7.26%
Topics: terraform-module, cloud-platform, ecr-repositories

cloud-platform-terraform-ecr-credentials

This Terraform module will create an Amazon Elastic Container Registry private repository for use on the Cloud Platform.

If you're using GitHub as your OIDC provider, this module will automatically create the values your workflow needs to authenticate: the ARN of the IAM role to assume is written as a GitHub Actions secret, and the ECR region and repository are written as GitHub Actions variables. By default these are created at repository level in each repository listed in github_repositories. Alternatively, you can have the module create them in GitHub Environments of your choosing with the github_environments input. This pattern is useful if you wish to define separate ECR repositories for different Cloud Platform environments within the same GitHub repository.

If you're using CircleCI as your OIDC provider, this module will create a Kubernetes ConfigMap in your namespace containing the authentication values, for use as environment variables in CircleCI.

This module only supports authentication with GitHub Actions and CircleCI.
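Whichever provider you choose, the IAM role the module creates for it is the credential: its trust policy, not the ECR policy, decides which pipelines can obtain credentials for the repository. Before relying on a role, check that the trust policy pins the `aud` claim and scopes the `sub` claim to the repositories passed in `github_repositories` (and to the environment when `github_environments` is used). The audit below is an added example, not the module's own code; the two policy documents inside it are constructed samples (account `123456789012`, owner `example-org`), and the module's real trust policy may be shaped differently.

```python
"""Audit an IAM role trust policy used for GitHub Actions OIDC federation.

Added example, not code from the cloud-platform-terraform-ecr-credentials module.
GOOD_POLICY and BAD_POLICY are constructed samples (account 123456789012,
owner example-org); the module's real trust policy may be shaped differently.
"""
from __future__ import annotations

import json

GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
GITHUB_AUDIENCE = "sts.amazonaws.com"  # audience AWS expects in GitHub's OIDC token

# Constructed sample: scoped to one repository, any ref or environment within it.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": GITHUB_AUDIENCE},
            "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": "repo:example-org/example-repository:*"},
        },
    }],
})

# Constructed sample of a sloppy hand-written role: no audience check and a
# sub pattern that trusts every repository in the organisation.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": "repo:example-org/*"}},
    }],
})


def _as_list(value) -> list:
    """IAM allows a string or a list in most positions; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _claim_values(condition: dict, claim: str) -> set:
    """Collect every value bound to a GitHub claim across String* operators."""
    key = f"{GITHUB_OIDC_ISSUER}:{claim}"
    values = set()
    for operator, pairs in condition.items():
        # Also accept set operators such as "ForAnyValue:StringLike".
        if operator.split(":")[-1].startswith("String") and key in pairs:
            values.update(_as_list(pairs[key]))
    return values


def _check_sub(sub: str, allowed_repos: list[str], environments: list[str] | None) -> list[str]:
    """Findings for one sub pattern; [] if it is scoped as tightly as requested."""
    if not sub.startswith("repo:"):
        return [f"sub {sub!r} is not a repo: pattern"]
    repo, _, rest = sub[len("repo:"):].partition(":")
    if "*" in repo or "?" in repo:
        return [f"sub {sub!r} wildcards the repository name (organisation-wide trust)"]
    if repo not in allowed_repos:
        return [f"sub {sub!r} trusts a repository outside {allowed_repos}"]
    if environments:
        # GitHub issues "repo:<owner>/<repo>:environment:<name>" for environment jobs.
        kind, _, env = rest.partition(":")
        if kind != "environment" or env not in environments:
            return [f"sub {sub!r} is not pinned to one of the environments {environments}"]
    return []


def audit_github_trust_policy(policy_json: str, allowed_repos: list[str],
                              environments: list[str] | None = None) -> list[str]:
    """Return findings for every Allow statement granting sts:AssumeRoleWithWebIdentity.

    An empty list means: the Federated principal is the GitHub provider, aud is
    pinned to sts.amazonaws.com, and every sub pattern names one allowed repository
    (and one of `environments`, when given, as with the module's github_environments).
    """
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not federated or not all(GITHUB_OIDC_ISSUER in arn for arn in federated):
            findings.append(f"statement {i}: Federated principal is not the GitHub OIDC provider: {federated}")
        condition = stmt.get("Condition", {})
        aud = _claim_values(condition, "aud")
        if aud != {GITHUB_AUDIENCE}:
            findings.append(f"statement {i}: aud is not pinned to {GITHUB_AUDIENCE}: {sorted(aud) or 'missing'}")
        subs = _claim_values(condition, "sub")
        if not subs:
            findings.append(f"statement {i}: no sub condition, so any GitHub repository may assume the role")
        for sub in sorted(subs):
            findings.extend(f"statement {i}: {msg}" for msg in _check_sub(sub, allowed_repos, environments))
    return findings


if __name__ == "__main__":
    repos = ["example-org/example-repository"]
    for name, policy in [("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)]:
        print(name, audit_github_trust_policy(policy, repos) or "no findings")
    # With github_environments in use, a repo-wide "*" sub is itself a finding.
    print("GOOD_POLICY, environment-scoped:", audit_github_trust_policy(GOOD_POLICY, repos, ["production"]))
```

To run it against a live role, fetch the document with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` and pass the JSON to `audit_github_trust_policy` together with the repositories (and environments) you gave the module; anything it reports is a role that more pipelines than you intended can assume.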

Usage

```hcl
module "container_repository" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=version" # use the latest release

  # Repository configuration
  repo_name = var.namespace

  # OpenID Connect configuration
  oidc_providers      = ["github"]
  github_repositories = ["example-repository"]

  # Tags
  business_unit          = var.business_unit
  application            = var.application
  is_production          = var.is_production
  team_name              = var.team_name # also used for naming the container repository
  namespace              = var.namespace # also used for creating a Kubernetes ConfigMap
  environment_name       = var.environment
  infrastructure_support = var.infrastructure_support
}
```

See the examples/ folder for more information.

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.2.5 |
| aws | >= 4.0.0 |
| github | >= 5.0.0 |
| kubernetes | >= 2.0.0 |
| random | >= 3.0.0 |

Providers

| Name | Version |
|---|---|
| aws | >= 4.0.0 |
| github | >= 5.0.0 |
| kubernetes | >= 2.0.0 |
| random | >= 3.0.0 |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| aws_ecr_lifecycle_policy.canned | resource |
| aws_ecr_lifecycle_policy.lifecycle_policy | resource |
| aws_ecr_repository.repo | resource |
| aws_iam_policy.ecr | resource |
| aws_iam_policy.irsa | resource |
| aws_iam_role.circleci | resource |
| aws_iam_role.github | resource |
| aws_iam_role_policy_attachment.circleci_ecr | resource |
| aws_iam_role_policy_attachment.github_ecr | resource |
| github_actions_environment_secret.ecr_role_to_assume | resource |
| github_actions_environment_variable.ecr_region | resource |
| github_actions_environment_variable.ecr_repository | resource |
| github_actions_secret.ecr_role_to_assume | resource |
| github_actions_variable.ecr_region | resource |
| github_actions_variable.ecr_repository | resource |
| kubernetes_config_map_v1.circleci_oidc | resource |
| random_id.oidc | resource |
| aws_caller_identity.current | data source |
| aws_iam_openid_connect_provider.circleci | data source |
| aws_iam_openid_connect_provider.github | data source |
| aws_iam_policy_document.base | data source |
| aws_iam_policy_document.circleci | data source |
| aws_iam_policy_document.github | data source |
| aws_iam_policy_document.irsa | data source |
| aws_region.current | data source |
| aws_secretsmanager_secret.circleci | data source |
| aws_secretsmanager_secret_version.circleci | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application | Application name | string | n/a | yes |
| business_unit | Area of the MOJ responsible for the service | string | n/a | yes |
| canned_lifecycle_policy | A canned lifecycle policy to remove tagged or untagged images | map(any) | null | no |
| deletion_protection | (Optional) Whether the ECR repository should have deletion protection enabled when it is non-empty. Set this to false if you intend to delete your ECR resource or namespace. NOTE: the PR owner is responsible for ensuring that no other environments share this ECR repository. Defaults to true. | bool | true | no |
| environment_name | Environment name | string | n/a | yes |
| github_actions_prefix | String prefix for the GitHub Actions variable and secret keys | string | "" | no |
| github_environments | GitHub Environments in which to create the GitHub Actions secrets and variables | list(string) | [] | no |
| github_repositories | GitHub repositories in which to create the GitHub Actions secrets and variables | list(string) | [] | no |
| infrastructure_support | The team responsible for managing the infrastructure. Should be of the form () | string | n/a | yes |
| is_production | Whether this is used for production or not | string | n/a | yes |
| lifecycle_policy | A lifecycle policy consists of one or more rules that determine which images in a repository should be expired. | string | null | no |
| namespace | Namespace name | string | n/a | yes |
| oidc_providers | OIDC providers for this ECR repository; valid values are "github" or "circleci" | list(string) | [] | no |
| repo_name | Name of the repository to be created | string | n/a | yes |
| team_name | Team name | string | n/a | yes |

Outputs

| Name | Description |
|---|---|
| irsa_policy_arn | IAM policy ARN for access to the container repository |
| repo_arn | ECR repository ARN |
| repo_url | ECR repository URL |

Tags

Some of the inputs for this module are tags. All infrastructure resources must be tagged to meet the MOJ Technical Guidance on Documenting owners of infrastructure.

You should use your namespace variables to populate these. See the Usage section for more information.

Contributors

ale-novo, alkar, davidkelliott, dependabot[bot], digitalronin, github-actions[bot], jackstockley89, jakemulley, jaskaransarkaria, jasonbirchall, lukaszraczylo, mogaal, mtrbls, ollieanwyll, poornima-krishnasamy, razvan-moj, razvan-moj-zz, sj-williams, ushkarev, vijay-veeranki


Issues

Lowercase repo name, on creation

If the team name in the user's variables.tf file has upper-case letters (e.g.
WebOps), then ECR creation will fail because AWS will reject the name
WebOps/my-test (assuming a namespace called my-test).

This PR helps to mitigate this:
ministryofjustice/cloud-platform-cli#38

However, users can still edit their variables.tf file, and the upper-case team
name is technically correct, so we should adjust this module so that it still
works correctly in that case.
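A pre-apply check for the naming problem described in this issue, added here as an example and not part of the module: it derives the repository name the way the issue describes (`<team_name>/<namespace>`, which is an assumption about the naming in use at the time), lowercases it as the issue proposes, and validates the result against the name pattern and length limits AWS documents for private ECR repositories.

```python
"""Validate and lowercase an ECR repository name before `terraform apply`.

Added example, not part of the cloud-platform-terraform-ecr-credentials module.
The "<team_name>/<namespace>" naming mirrors the issue above and is an assumption.
"""
import re

# Constraints AWS documents for private ECR repository names: 2-256 characters,
# lowercase letters and digits, with '.', '_' or '-' only between alphanumeric
# runs, and '/' separating path components.
ECR_NAME_MIN, ECR_NAME_MAX = 2, 256
_ECR_NAME_RE = re.compile(
    r"^(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*$"
)


def ecr_repo_name(team_name: str, namespace: str) -> str:
    """Build "<team_name>/<namespace>" and lowercase it (the fix the issue asks for)."""
    return f"{team_name}/{namespace}".lower()


def validate_ecr_name(name: str) -> list:
    """Return the reasons AWS would reject `name`; an empty list means it is acceptable."""
    problems = []
    if not ECR_NAME_MIN <= len(name) <= ECR_NAME_MAX:
        problems.append(f"length {len(name)} is outside {ECR_NAME_MIN}-{ECR_NAME_MAX}")
    if name != name.lower():
        # Reported on its own because it is the specific mistake this issue is about.
        problems.append("contains upper-case characters")
    if not _ECR_NAME_RE.match(name):
        problems.append("does not match the ECR repository name pattern")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the issue's example team name, before and after the fix.
    for team, ns in [("WebOps", "my-test"), ("webops", "my-test")]:
        raw = f"{team}/{ns}"
        print(raw, validate_ecr_name(raw) or "ok", "->", ecr_repo_name(team, ns))
```

Lowercasing alone is not sufficient: a team name with a space or a trailing hyphen still produces a name the pattern rejects, which is why the validator reports the pattern mismatch separately from the case problem.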

Forced to use prefix on repository with multiple environments

Hi CP.

Recently, I was forced to provide a prefix for ECR to write variables to GitHub environments. An issue occurred that prevented me from optimising my deployment script.

Problem
Even though GitHub environments were defined in the ECR module, the module persistently tried to write variables at the application repository level using the names ECR_REGION and ECR_ROLE_TO_ASSUME for each deployment, regardless of the configured github_environment.

This issue caused the ECR module to fail in concourse builds due to an inability to overwrite repository variables.

Solution
Prevent the ECR module from writing application repository-level variables when github_environment is set.
