From f9c3037d4db14bac05763d75328ccfbefcb5c652 Mon Sep 17 00:00:00 2001
From: "Christopher J. McClellan"
Date: Thu, 12 Jul 2018 09:35:42 -0400
Subject: [PATCH] Terraform ECR repositories This works *most* of the time, but there's a bug in terraform that causes the ECR policy to fail sometimes. https://github.com/terraform-providers/terraform-provider-aws/issues/545 co-authored-by: Paul Linville
---
alm/container_registry.tf | 20 +++++++
alm/ecr/main.tf | 28 ++++++++++
alm/ecr/repository_policy.json | 73 ++++++++++++++++++++++++++
alm/ecr/repository_policy.sandbox.json | 34 ++++++++++++
4 files changed, 155 insertions(+)
create mode 100644 alm/container_registry.tf
create mode 100644 alm/ecr/main.tf
create mode 100644 alm/ecr/repository_policy.json
create mode 100644 alm/ecr/repository_policy.sandbox.json
diff --git a/alm/container_registry.tf b/alm/container_registry.tf
new file mode 100644
index 00000000..ff2b56b2
--- /dev/null
+++ b/alm/container_registry.tf
@@ -0,0 +1,20 @@
+module "joomla_restore_repository" {
+ source = "ecr"
+
+ alm_account_id = "${var.alm_account_id}"
+ repository_name = "joomla-restore"
+}
+
+module "joomla_cron_repository" {
+ source = "ecr"
+
+ alm_account_id = "${var.alm_account_id}"
+ repository_name = "joomla-cron"
+}
+
+module "joomla_nginx_repository" {
+ source = "ecr"
+
+ alm_account_id = "${var.alm_account_id}"
+ repository_name = "joomla-nginx"
+}
diff --git a/alm/ecr/main.tf b/alm/ecr/main.tf
new file mode 100644
index 00000000..b246a762
--- /dev/null
+++ b/alm/ecr/main.tf
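Review bot: `source = "ecr"` in all three module blocks is a bare relative name; Terraform documents local module sources as starting with `./` or `../`, and how a bare name resolves depends on the Terraform version and the working directory it is run from, which fits the "works most of the time" in the commit message. `source = "./ecr"` states the intent unambiguously and costs nothing. The three blocks are otherwise identical apart from `repository_name`, which is fine for a module-per-repository layout.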
@@ -0,0 +1,28 @@
+variable "alm_account_id" {
+ description = "Account Id of the Application Life Cycle Management network"
+}
+
+variable "repository_name" {
+ description = "Name of the repository to create without the prefix"
+}
+
+locals {
+ policy_file = "${var.alm_account_id == "068920858268" ? "repository_policy.sandbox.json" : "repository_policy.json"}"
+}
+
+data "template_file" "repository_policy" {
+ template = "${file("${path.module}/${local.policy_file}")}"
+
+ vars {
+ alm_account_id = "${var.alm_account_id}"
+ }
+}
+
+resource "aws_ecr_repository" "repository" {
+ name = "scos/${var.repository_name}"
+}
+
+resource "aws_ecr_repository_policy" "restore_policy" {
+ repository = "${aws_ecr_repository.repository.name}"
+ policy = "${data.template_file.repository_policy.rendered}"
+}
diff --git a/alm/ecr/repository_policy.json b/alm/ecr/repository_policy.json
new file mode 100644
index 00000000..952805d6
--- /dev/null
+++ b/alm/ecr/repository_policy.json
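Review bot: The policy-file switch in `locals` keys on a hard-coded account id, `068920858268`, so whether a repository gets the sandbox or the user-list policy depends on a magic constant buried inside the module rather than on something the caller states. Any other account, including a mistyped id, falls through to repository_policy.json, whose principals are user ARNs that may not exist in that account. Let the caller decide, e.g. `variable "is_sandbox" { default = false }` and `policy_file = "${var.is_sandbox ? "repository_policy.sandbox.json" : "repository_policy.json"}"`, or at least lift the id into a named variable such as `sandbox_account_id` with a description. Separately, the resource label `restore_policy` on `aws_ecr_repository_policy` is shared by the cron and nginx repositories too; since these resources are new in this commit, renaming it to `repository_policy` now avoids a destroy/recreate later.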
@@ -0,0 +1,73 @@
+{
+ "Version": "2008-10-17",
+ "Statement": [
+ {
+ "Sid": "JenkinsUserRegistryAccess",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::${alm_account_id}:user/jenkins_user"
+ },
+ "Action": [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:PutImage",
+ "ecr:InitiateLayerUpload",
+ "ecr:UploadLayerPart",
+ "ecr:CompleteLayerUpload",
+ "ecr:DescribeRepositories",
+ "ecr:GetRepositoryPolicy",
+ "ecr:ListImages",
+ "ecr:DescribeImages",
+ "ecr:DeleteRepository",
+ "ecr:BatchDeleteImage",
+ "ecr:SetRepositoryPolicy",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:GetLifecyclePolicy",
+ "ecr:PutLifecyclePolicy",
+ "ecr:DeleteLifecyclePolicy",
+ "ecr:GetLifecyclePolicyPreview",
+ "ecr:StartLifecyclePolicyPreview"
+ ]
+ },
+ {
+ "Sid": "DevPullOnlyRegistryAccess",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "arn:aws:iam::${alm_account_id}:user/jmorris",
+ "arn:aws:iam::${alm_account_id}:user/jdenen",
+ "arn:aws:iam::${alm_account_id}:user/ksmith",
+ "arn:aws:iam::${alm_account_id}:user/mchirita",
+ "arn:aws:iam::${alm_account_id}:root",
+ "arn:aws:iam::${alm_account_id}:user/smillard",
+ "arn:aws:iam::${alm_account_id}:user/bschwanitz",
+ "arn:aws:iam::${alm_account_id}:user/brogers",
+ "arn:aws:iam::${alm_account_id}:user/cyeater",
+ "arn:aws:iam::${alm_account_id}:user/jlutz",
+ "arn:aws:iam::${alm_account_id}:user/oqi",
+ "arn:aws:iam::${alm_account_id}:user/abhagat",
+ "arn:aws:iam::${alm_account_id}:user/emoore",
+ "arn:aws:iam::${alm_account_id}:user/bbalser",
+ "arn:aws:iam::${alm_account_id}:user/afreeman",
+ "arn:aws:iam::${alm_account_id}:user/cmcclellan",
+ "arn:aws:iam::${alm_account_id}:user/rjones",
+ "arn:aws:iam::${alm_account_id}:user/aganesh",
+ "arn:aws:iam::${alm_account_id}:user/bcromer",
+ "arn:aws:iam::${alm_account_id}:user/rboyapati",
+ "arn:aws:iam::${alm_account_id}:user/amarkley",
+ "arn:aws:iam::${alm_account_id}:user/bbrewer",
+ "arn:aws:iam::${alm_account_id}:user/jolson",
+ "arn:aws:iam::${alm_account_id}:user/plinville"
+ ]
+ },
+ "Action": [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:DescribeImages",
+ "ecr:DescribeRepositories"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/alm/ecr/repository_policy.sandbox.json b/alm/ecr/repository_policy.sandbox.json
new file mode 100644
index 00000000..f0688180
--- /dev/null
+++ b/alm/ecr/repository_policy.sandbox.json
@@ -0,0 +1,34 @@
+{
+ "Version": "2008-10-17",
+ "Statement": [
+ {
+ "Sid": "AllTheThings",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::${alm_account_id}:role/admin_role"
+ },
+ "Action": [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:PutImage",
+ "ecr:InitiateLayerUpload",
+ "ecr:UploadLayerPart",
+ "ecr:CompleteLayerUpload",
+ "ecr:DescribeRepositories",
+ "ecr:GetRepositoryPolicy",
+ "ecr:ListImages",
+ "ecr:DescribeImages",
+ "ecr:DeleteRepository",
+ "ecr:BatchDeleteImage",
+ "ecr:SetRepositoryPolicy",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:GetLifecyclePolicy",
+ "ecr:PutLifecyclePolicy",
+ "ecr:DeleteLifecyclePolicy",
+ "ecr:GetLifecyclePolicyPreview",
+ "ecr:StartLifecyclePolicyPreview"
+ ]
+ }
+ ]
+}
\ No newline at end of file
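Review bot: `arn:aws:iam::${alm_account_id}:root` sits in the middle of the `DevPullOnlyRegistryAccess` principal list, and a `:root` principal delegates to every IAM identity in that account whose own policy allows the action, so the 23 named users around it no longer constrain anything. Decide which model is intended: remove the `:root` entry so the per-user allow-list is real, or keep `:root` and drop the user list so the file does not suggest a restriction it does not enforce. `JenkinsUserRegistryAccess` also gives the CI user `ecr:SetRepositoryPolicy`, `ecr:DeleteRepositoryPolicy` and `ecr:DeleteRepository`; a principal that can rewrite the resource policy can widen its own access, and since main.tf's `aws_ecr_repository_policy` owns this policy, the push/pull and Describe actions are what a pipeline needs. Maintaining two dozen individual user ARNs here will drift as people join and leave; a developer role in the ALM account that they assume would reduce the principal list to one entry. The `\ No newline at end of file` marker shows the file is missing its trailing newline.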
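Review bot: The twenty `ecr:` actions under `AllTheThings` are a copy of the `JenkinsUserRegistryAccess` action list in repository_policy.json, so the two templates will drift the first time an action is added to one and not the other. Since the only difference between the environments is the principal, one template rendered with a `${principal_arn}` var, selected in main.tf's `locals` in place of the file name, removes the duplicate. `AllTheThings` as a Sid also says nothing about who is granted what; `SandboxAdminRoleFullAccess` would read like the other Sids. This file is also missing its trailing newline.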