cloud-platform-terraform-ecr-credentials

This Terraform module creates an Amazon Elastic Container Registry (ECR) private repository for use on the Cloud Platform, together with the OpenID Connect (OIDC) trust needed for a CI system to push to it without long-lived AWS access keys.

If you're using GitHub as your OIDC provider, this module also creates the variables that GitHub Actions needs to authenticate (the IAM role to assume, the registry URL, the region and the repository name) in your GitHub repository. By default these are created as repository-level secrets and variables. Alternatively, set the github_environments input and the module will create the ECR secrets and variables in GitHub Environments you have already defined, instead of at repository level. This pattern is useful if you want separate ECR repositories for different Cloud Platform environments within the same GitHub repository: each Cloud Platform namespace can declare its own module block targeting a different GitHub Environment, and any protection rules on those environments (required reviewers, deployment branch restrictions) then gate which workflow runs can obtain the role ARN.

If you're using CircleCI as your OIDC provider, this module creates a Kubernetes ConfigMap in your namespace containing the authentication variables, for you to set as environment variables in CircleCI.

This module only supports authentication with GitHub Actions and CircleCI; requesting any other value in oidc_providers is not supported.

Usage

module "container_repository" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=version" # use the latest release

  # Repository configuration
  repo_name = var.namespace

  # OpenID Connect configuration
  oidc_providers      = ["github"]
  github_repositories = ["example-repository"]

  # Tags
  business_unit          = var.business_unit
  application            = var.application
  is_production          = var.is_production
  team_name              = var.team_name # also used for naming the container repository
  namespace              = var.namespace # also used for creating a Kubernetes ConfigMap
  environment_name       = var.environment
  infrastructure_support = var.infrastructure_support
}

See the examples/ folder for more information.
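The per-environment pattern described above, as an added example (it is not part of the module's README or its examples/ folder): this block lives in the production namespace's Terraform and publishes its secrets and variables into a GitHub Environment named production. The development namespace holds a sibling block that differs only in its namespace variables and in github_environments = ["development"]. The GitHub Environment names, the repository name and the variable values are assumptions; the module source and input names are the ones documented on this page.

```hcl
# Added example, not the module's own code: ECR repository for the
# production Cloud Platform namespace, with its GitHub Actions secrets and
# variables scoped to the "production" GitHub Environment rather than the
# repository level.
# Assumed: a GitHub Environment called "production" already exists in
# example-repository, and the namespace variables are defined as in the
# Usage section above.
module "container_repository" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=version" # use the latest release

  # Repository configuration
  repo_name = var.namespace

  # OpenID Connect configuration: one GitHub repository, one GitHub Environment.
  # The development namespace has an identical block with
  # github_environments = ["development"], so the two sets of secret and
  # variable keys never collide at repository level.
  oidc_providers      = ["github"]
  github_repositories = ["example-repository"]
  github_environments = ["production"]

  # Tags
  business_unit          = var.business_unit
  application            = var.application
  is_production          = var.is_production
  team_name              = var.team_name # also used for naming the container repository
  namespace              = var.namespace # also used for creating a Kubernetes ConfigMap
  environment_name       = var.environment
  infrastructure_support = var.infrastructure_support
}
```

Because the values land in a GitHub Environment, the workflow job that pushes to this repository must declare that environment (environment: production) to see them; a job without it gets neither the role ARN nor the registry URL. If you instead need two module blocks to write repository-level secrets and variables into the same GitHub repository, use github_actions_prefix to give each set a distinct key prefix.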

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.2.5 |
| aws | >= 4.0.0 |
| github | >= 5.0.0 |
| kubernetes | >= 2.0.0 |
| random | >= 3.0.0 |

Providers

| Name | Version |
|---|---|
| aws | >= 4.0.0 |
| github | >= 5.0.0 |
| kubernetes | >= 2.0.0 |
| random | >= 3.0.0 |

Modules

No modules.

Resources

| Name | Type |
|---|---|
| aws_ecr_lifecycle_policy.canned | resource |
| aws_ecr_lifecycle_policy.lifecycle_policy | resource |
| aws_ecr_repository.repo | resource |
| aws_iam_policy.ecr | resource |
| aws_iam_policy.irsa | resource |
| aws_iam_role.circleci | resource |
| aws_iam_role.github | resource |
| aws_iam_role_policy_attachment.circleci_ecr | resource |
| aws_iam_role_policy_attachment.github_ecr | resource |
| github_actions_environment_secret.ecr_role_to_assume | resource |
| github_actions_environment_variable.ecr_region | resource |
| github_actions_environment_variable.ecr_repository | resource |
| github_actions_secret.ecr_registry_url | resource |
| github_actions_secret.ecr_role_to_assume | resource |
| github_actions_variable.ecr_region | resource |
| github_actions_variable.ecr_repository | resource |
| kubernetes_config_map_v1.circleci_oidc | resource |
| random_id.oidc | resource |
| aws_caller_identity.current | data source |
| aws_iam_openid_connect_provider.circleci | data source |
| aws_iam_openid_connect_provider.github | data source |
| aws_iam_policy_document.base | data source |
| aws_iam_policy_document.circleci | data source |
| aws_iam_policy_document.github | data source |
| aws_iam_policy_document.irsa | data source |
| aws_region.current | data source |
| aws_secretsmanager_secret.circleci | data source |
| aws_secretsmanager_secret_version.circleci | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application | Application name | string | n/a | yes |
| business_unit | Area of the MOJ responsible for the service | string | n/a | yes |
| canned_lifecycle_policy | A canned lifecycle policy to remove tagged or untagged images | map(any) | null | no |
| deletion_protection | (Optional) Whether the ECR repository should have deletion protection enabled while it still contains images. Set this to false if you intend to delete your ECR resource or namespace. NOTE: the PR owner is responsible for ensuring that no other environments share this ECR repository before disabling it. Defaults to true. | bool | true | no |
| environment_name | Environment name | string | n/a | yes |
| github_actions_prefix | String prefix for the GitHub Actions variable and secret keys | string | "" | no |
| github_environments | GitHub Environments in which to create the GitHub Actions secrets and variables | list(string) | [] | no |
| github_repositories | GitHub repositories in which to create the GitHub Actions secrets and variables | list(string) | [] | no |
| infrastructure_support | The team responsible for managing the infrastructure. Should be of the form () | string | n/a | yes |
| is_production | Whether this is used for production or not | string | n/a | yes |
| lifecycle_policy | A lifecycle policy consists of one or more rules that determine which images in a repository should be expired, supplied as an ECR lifecycle policy JSON document. | string | null | no |
| namespace | Namespace name | string | n/a | yes |
| oidc_providers | OIDC providers for this ECR repository; valid values are "github" and "circleci" | list(string) | [] | no |
| repo_name | Name of the repository to be created | string | n/a | yes |
| team_name | Team name | string | n/a | yes |
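A custom lifecycle_policy, as an added example that is not part of the module's README: the policy is the standard ECR lifecycle policy JSON, built with jsonencode() so Terraform validates the structure before it is sent. The rule numbers, the v tag prefix and the retention values are assumptions chosen for illustration; everything else matches the Usage section.

```hcl
# Added example, not the module's own code: the same module block as in the
# Usage section, plus a custom lifecycle policy. The retention values and
# the "v" release-tag prefix are assumptions.
module "container_repository" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=version" # use the latest release

  # Repository configuration
  repo_name = var.namespace

  # OpenID Connect configuration
  oidc_providers      = ["github"]
  github_repositories = ["example-repository"]

  # Custom lifecycle policy (standard ECR lifecycle policy JSON).
  # ECR evaluates rules in ascending rulePriority, and an image is expired
  # by at most one rule, so the untagged rule is given the lowest number.
  lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged images 14 days after they were pushed"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 14
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Keep only the 30 most recent release images (tags beginning with v)"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["v"] # required when tagStatus is "tagged"
          countType     = "imageCountMoreThan"
          countNumber   = 30
        }
        action = { type = "expire" }
      }
    ]
  })

  # Tags
  business_unit          = var.business_unit
  application            = var.application
  is_production          = var.is_production
  team_name              = var.team_name # also used for naming the container repository
  namespace              = var.namespace # also used for creating a Kubernetes ConfigMap
  environment_name       = var.environment
  infrastructure_support = var.infrastructure_support
}
```

Expiry is a deletion: check the countNumber values against how far back you may need to roll a deployment, and remember that an image removed by the policy is gone regardless of the deletion_protection setting, which only guards the repository itself.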

Outputs

| Name | Description |
|---|---|
| irsa_policy_arn | IAM policy ARN granting access to the container repository, for attaching to an IAM Roles for Service Accounts (IRSA) role |
| repo_arn | ECR repository ARN |
| repo_url | ECR repository URL |

Tags

Some of the inputs for this module are tags. All infrastructure resources must be tagged to meet the MOJ Technical Guidance on documenting owners of infrastructure.

You should use your namespace variables to populate these, as shown in the Usage section.

Reading Material