generated from cds-snc/project-template
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create a public ECR for Sbom scans (#499)
* Adding files to create a public ECR Repository accessible only to accounts within our organization * Adding plan action to pass the aws_org_id * Adding changes as recommended by Pat * Deleting old private ECR code
- Loading branch information
1 parent
6e1d173
commit ee110a5
Showing
4 changed files
with
49 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,18 +1,47 @@ | ||
| resource "aws_ecr_repository" "generate_sbom" { | ||
| name = "${var.product_name}/generate_sbom/trivy" | ||
| image_tag_mutability = "MUTABLE" | ||
|
|
||
| image_scanning_configuration { | ||
| scan_on_push = true | ||
| } | ||
|
|
||
| encryption_configuration { | ||
| encryption_type = "KMS" | ||
| } | ||
|
|
||
| resource "aws_ecrpublic_repository" "generate_sbom_public" { | ||
| provider = aws.us-east-1 | ||
| repository_name = "${var.product_name}/generate_sbom/trivy" | ||
| tags = { | ||
| (var.billing_tag_key) = var.billing_tag_value | ||
| Terraform = true | ||
| Product = "${var.product_name}-${var.tool_name}" | ||
| } | ||
| } | ||
| } | ||
| data "aws_iam_policy_document" "sbom_public_policy_document" { | ||
| provider = aws.us-east-1 | ||
| statement { | ||
| sid = "sbom_public_policy" | ||
| effect = "Allow" | ||
|
|
||
|
|
||
| principals { | ||
| type = "AWS" | ||
| identifiers = ["*"] | ||
| } | ||
| actions = [ | ||
| "ecr:BatchCheckLayerAvailability", | ||
| "ecr:BatchDeleteImage", | ||
| "ecr:BatchGetImage", | ||
| "ecr:CompleteLayerUpload", | ||
| "ecr:DescribeImages", | ||
| "ecr:DescribeRepositories", | ||
| "ecr:GetDownloadUrlForLayer", | ||
| "ecr:GetRepositoryPolicy", | ||
| "ecr:InitiateLayerUpload", | ||
| "ecr:ListImages", | ||
| "ecr:PutImage", | ||
| "ecr:SetRepositoryPolicy", | ||
| "ecr:UploadLayerPart" | ||
| ] | ||
| condition { | ||
| test = "StringEquals" | ||
| variable = "aws:PrincipalOrgID" | ||
| values = [var.aws_org_id] | ||
| } | ||
| } | ||
| } | ||
| resource "aws_ecrpublic_repository_policy" "sbom_public_policy" { | ||
| provider = aws.us-east-1 | ||
| repository_name = aws_ecrpublic_repository.generate_sbom_public.repository_name | ||
| policy = sensitive(data.aws_iam_policy_document.sbom_public_policy_document.json) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| variable "aws_org_id" { | ||
| description = "The AWS org account ID. Used to limit which accounts can access the public repository." | ||
| type = string | ||
| sensitive = true | ||
| } |