Skip to content

Commit

Permalink
Terraform ECR repositories
Browse files Browse the repository at this point in the history
This works *most* of the time, but there's a bug in terraform that causes
the ECR policy to fail sometimes.

hashicorp/terraform-provider-aws#545

co-authored-by: Paul Linville <[email protected]>
  • Loading branch information
rubberduck203 and Paul Linville committed Jul 12, 2018
1 parent ebecba4 commit f9c3037
Show file tree
Hide file tree
Showing 4 changed files with 155 additions and 0 deletions.
20 changes: 20 additions & 0 deletions alm/container_registry.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
module "joomla_restore_repository" {
source = "ecr"

alm_account_id = "${var.alm_account_id}"
repository_name = "joomla-restore"
}

module "joomla_cron_repository" {
source = "ecr"

alm_account_id = "${var.alm_account_id}"
repository_name = "joomla-cron"
}

module "joomla_nginx_repository" {
source = "ecr"

alm_account_id = "${var.alm_account_id}"
repository_name = "joomla-nginx"
}
28 changes: 28 additions & 0 deletions alm/ecr/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
variable "alm_account_id" {
description = "Account Id of the Application Life Cycle Management network"
}

variable "repository_name" {
description = "Name of the repository to create without the prefix"
}

locals {
policy_file = "${var.alm_account_id == "068920858268" ? "repository_policy.sandbox.json" : "repository_policy.json"}"
}

data "template_file" "repository_policy" {
template = "${file("${path.module}/${local.policy_file}")}"

vars {
alm_account_id = "${var.alm_account_id}"
}
}

resource "aws_ecr_repository" "repository" {
name = "scos/${var.repository_name}"
}

resource "aws_ecr_repository_policy" "restore_policy" {
repository = "${aws_ecr_repository.repository.name}"
policy = "${data.template_file.repository_policy.rendered}"
}
73 changes: 73 additions & 0 deletions alm/ecr/repository_policy.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "JenkinsUserRegistryAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${alm_account_id}:user/jenkins_user"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:GetLifecyclePolicy",
"ecr:PutLifecyclePolicy",
"ecr:DeleteLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:StartLifecyclePolicyPreview"
]
},
{
"Sid": "DevPullOnlyRegistryAccess",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::${alm_account_id}:user/jmorris",
"arn:aws:iam::${alm_account_id}:user/jdenen",
"arn:aws:iam::${alm_account_id}:user/ksmith",
"arn:aws:iam::${alm_account_id}:user/mchirita",
"arn:aws:iam::${alm_account_id}:root",
"arn:aws:iam::${alm_account_id}:user/smillard",
"arn:aws:iam::${alm_account_id}:user/bschwanitz",
"arn:aws:iam::${alm_account_id}:user/brogers",
"arn:aws:iam::${alm_account_id}:user/cyeater",
"arn:aws:iam::${alm_account_id}:user/jlutz",
"arn:aws:iam::${alm_account_id}:user/oqi",
"arn:aws:iam::${alm_account_id}:user/abhagat",
"arn:aws:iam::${alm_account_id}:user/emoore",
"arn:aws:iam::${alm_account_id}:user/bbalser",
"arn:aws:iam::${alm_account_id}:user/afreeman",
"arn:aws:iam::${alm_account_id}:user/cmcclellan",
"arn:aws:iam::${alm_account_id}:user/rjones",
"arn:aws:iam::${alm_account_id}:user/aganesh",
"arn:aws:iam::${alm_account_id}:user/bcromer",
"arn:aws:iam::${alm_account_id}:user/rboyapati",
"arn:aws:iam::${alm_account_id}:user/amarkley",
"arn:aws:iam::${alm_account_id}:user/bbrewer",
"arn:aws:iam::${alm_account_id}:user/jolson",
"arn:aws:iam::${alm_account_id}:user/plinville"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:DescribeImages",
"ecr:DescribeRepositories"
]
}
]
}
34 changes: 34 additions & 0 deletions alm/ecr/repository_policy.sandbox.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllTheThings",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${alm_account_id}:role/admin_role"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:GetLifecyclePolicy",
"ecr:PutLifecyclePolicy",
"ecr:DeleteLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:StartLifecyclePolicyPreview"
]
}
]
}

0 comments on commit f9c3037

Please sign in to comment.