Merge pull request #18 from DNXLabs/feature/ecr-lifecycle

lgothelipe · web-flow · commit 2868fe67171f · 2023-03-29T14:24:48.000+11:00
Add scan on push, ecr lifecycle and kms optional
diff --git a/README.md b/README.md
@@ -11,10 +11,7 @@ The following resources will be created:
    - Set the Amazon ECR image scanning on push  = true
       - Amazon ECR image scanning helps in identifying software vulnerabilities in your container images.
  - ECR policies
- - Create a ECR lifecyle
-    - Expire images older than 14 days
-    - Expire images with feature tag
-    - Expire images with the same tag
+ - ECR lifecyle
 
 <!--- BEGIN_TF_DOCS --->
 
@@ -35,8 +32,10 @@ The following resources will be created:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | image\_tag\_mutability | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE. | `string` | `"MUTABLE"` | no |
-| kms\_key\_arn | KMS Key ARN to use a CMK instead of default key | `string` | n/a | yes |
+| kms\_key\_arn | KMS Key ARN to use a CMK instead of default key | `string` | `""` | no |
+| lifecycle\_policy | JSON formatted string ECR repository lifecycle policy. | `string` | `""` | no |
 | name | Name for ECR repository | `any` | n/a | yes |
+| scan\_on\_push | Configuration block that defines image scanning configuration for the repository. | `bool` | `true` | no |
 | tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no |
 | trust\_accounts | Accounts to trust and allow ECR fetch | `list(string)` | n/a | yes |
 
diff --git a/_variables.tf b/_variables.tf
@@ -10,6 +10,7 @@ variable "trust_accounts" {
 variable "kms_key_arn" {
   type        = string
   description = "KMS Key ARN to use a CMK instead of default key"
+  default     = ""
 }
 
 variable "image_tag_mutability" {
@@ -18,6 +19,18 @@ variable "image_tag_mutability" {
   default     = "MUTABLE"
 }
 
+variable "scan_on_push" {
+  description = "Configuration block that defines image scanning configuration for the repository."
+  type        = bool
+  default     = true
+}
+
+variable "lifecycle_policy" {
+  description = "JSON formatted string ECR repository lifecycle policy."
+  type        = string
+  default     = ""
+}
+
 variable "tags" {
   description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment."
   type        = map(string)
diff --git a/ecr-lifecycle.tf b/ecr-lifecycle.tf
@@ -1,59 +1,6 @@
-# resource "aws_ecr_lifecycle_policy" "default" {
-#   repository = "${aws_ecr_repository.default.name}"
+resource "aws_ecr_lifecycle_policy" "default" {
+  count      = var.lifecycle_policy != "" ? 1 : 0
+  repository = aws_ecr_repository.default.name
 
-#   policy = <<EOF
-# {
-#   "rules": [
-#     {
-#       "rulePriority": 1,
-#       "description": "Expire images older than 14 days",
-#       "selection": {
-#         "countUnit": "days",
-#         "countType": "sinceImagePushed",
-#         "countNumber": 14,
-#         "tagStatus": "untagged"
-#       },
-#       "action": {
-#         "type": "expire"
-#       }
-#     },
-#     {
-#       "rulePriority": 2,
-#       "description": "Expire images with feature tag",
-#       "selection": {
-#         "countType": "imageCountMoreThan",
-#         "tagPrefixList": [
-#           "feature",
-#           "prod",
-#           "deploy",
-#           "qa",
-#           "nonprod",
-#           "staging",
-#           "preprod",
-#           "dev",
-#           "test",
-#           "production"
-#         ],
-#         "countNumber": 1,
-#         "tagStatus": "tagged"
-#       },
-#       "action": {
-#         "type": "expire"
-#       }
-#     },
-#     {
-#       "rulePriority": 3,
-#       "description": "Expire images with the same tag",
-#       "selection": {
-#         "countType": "imageCountMoreThan",
-#         "countNumber": 1,
-#         "tagStatus": "any"
-#       },
-#       "action": {
-#         "type": "expire"
-#       }
-#     }
-#   ]
-# }
-# EOF
-# }
+  policy = var.lifecycle_policy
+}
diff --git a/ecr-repositories.tf b/ecr-repositories.tf
@@ -3,14 +3,18 @@ resource "aws_ecr_repository" "default" {
   image_tag_mutability = var.image_tag_mutability
 
   encryption_configuration {
-    encryption_type = "KMS"
-    kms_key         = length(var.kms_key_arn) > 0 ? var.kms_key_arn : ""
+    encryption_type = var.kms_key_arn != "" ? "KMS" : "AES256"
+    kms_key         = var.kms_key_arn
+  }
+
+  image_scanning_configuration {
+    scan_on_push = var.scan_on_push
   }
 
   tags = merge(
     var.tags,
     {
-      "Name" = "${var.name}"
+      "Name" = var.name
     },
   )
 

Original file line number	Diff line number	Diff line change
`@@ -3,14 +3,18 @@ resource "aws_ecr_repository" "default" {`
`3`	`3`	`image_tag_mutability = var.image_tag_mutability`
`4`	`4`
`5`	`5`	`encryption_configuration {`
`6`		`- encryption_type = "KMS"`
`7`		`- kms_key = length(var.kms_key_arn) > 0 ? var.kms_key_arn : ""`
	`6`	`+ encryption_type = var.kms_key_arn != "" ? "KMS" : "AES256"`
	`7`	`+ kms_key = var.kms_key_arn`
	`8`	`+ }`
	`9`	`+`
	`10`	`+ image_scanning_configuration {`
	`11`	`+ scan_on_push = var.scan_on_push`
`8`	`12`	`}`
`9`	`13`
`10`	`14`	`tags = merge(`
`11`	`15`	`var.tags,`
`12`	`16`	`{`
`13`		`- "Name" = "${var.name}"`
	`17`	`+ "Name" = var.name`
`14`	`18`	`},`
`15`	`19`	`)`
`16`	`20`