From ee110a59658725df0387ce23b7922631ecd224c4 Mon Sep 17 00:00:00 2001
From: Sylvia McLaughlin <85905333+sylviamclaughlin@users.noreply.github.com>
Date: Wed, 2 Oct 2024 15:36:30 -0700
Subject: [PATCH] Create a public ECR for Sbom scans (#499)

* Adding files to create a public ECR Repository accessible only to accounts within our organization
* Adding plan action to pass the aws_org_id
* Adding changes as recommended by Pat
* Deleting old private ECR code
---
 .../generate-sbom-terragrunt-apply.yml | 1 +
 .../generate-sbom-terragrunt-plan.yml | 1 +
 terragrunt/aws/generate_sbom/ecr.tf | 55 ++++++++++++++-----
 terragrunt/aws/generate_sbom/inputs.tf | 5 ++
 4 files changed, 49 insertions(+), 13 deletions(-)
 create mode 100644 terragrunt/aws/generate_sbom/inputs.tf

diff --git a/.github/workflows/generate-sbom-terragrunt-apply.yml b/.github/workflows/generate-sbom-terragrunt-apply.yml
index ea87a659..286e428a 100644
--- a/.github/workflows/generate-sbom-terragrunt-apply.yml
+++ b/.github/workflows/generate-sbom-terragrunt-apply.yml
@@ -15,6 +15,7 @@ env:
 CONFTEST_VERSION: 0.27.0
 TERRAFORM_VERSION: 1.1.9
 TERRAGRUNT_VERSION: 0.36.7
+ TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
 TF_INPUT: false
 
 permissions:
diff --git a/.github/workflows/generate-sbom-terragrunt-plan.yml b/.github/workflows/generate-sbom-terragrunt-plan.yml
index 9e4979ff..4be0ca44 100644
--- a/.github/workflows/generate-sbom-terragrunt-plan.yml
+++ b/.github/workflows/generate-sbom-terragrunt-plan.yml
@@ -14,6 +14,7 @@ env:
 CONFTEST_VERSION: 0.27.0
 TERRAFORM_VERSION: 1.1.9
 TERRAGRUNT_VERSION: 0.36.7
+ TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
 TF_INPUT: false
 
 permissions:
diff --git a/terragrunt/aws/generate_sbom/ecr.tf b/terragrunt/aws/generate_sbom/ecr.tf
index 9a1788dd..2eda2a64 100644
--- a/terragrunt/aws/generate_sbom/ecr.tf
+++ b/terragrunt/aws/generate_sbom/ecr.tf
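Review bot: `TF_VAR_aws_org_id` is the only source for `var.aws_org_id` and is taken straight from `secrets.AWS_ORG_ID`, so an unset or misnamed secret silently becomes an empty string, which Terraform accepts for a `type = string` variable and turns into an `aws:PrincipalOrgID` condition that matches no principal; an apply in that state would rewrite the live repository policy. The same line is added in `generate-sbom-terragrunt-plan.yml`. The cheapest guard is in the workflow itself, a step before terragrunt such as `run: test -n "$TF_VAR_aws_org_id"`, so both plan and apply fail before touching state; a `validation` block on the variable in inputs.tf would do the same on the Terraform side. If the plan workflow is also triggered for pull requests from forks, where repository secrets are not exposed, it would hit the same empty value, which is worth confirming against its trigger.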
@@ -1,18 +1,47 @@
-resource "aws_ecr_repository" "generate_sbom" {
- name = "${var.product_name}/generate_sbom/trivy"
- image_tag_mutability = "MUTABLE"
-
- image_scanning_configuration {
- scan_on_push = true
- }
-
- encryption_configuration {
- encryption_type = "KMS"
- }
-
+resource "aws_ecrpublic_repository" "generate_sbom_public" {
+ provider = aws.us-east-1
+ repository_name = "${var.product_name}/generate_sbom/trivy"
 tags = {
 (var.billing_tag_key) = var.billing_tag_value
 Terraform = true
 Product = "${var.product_name}-${var.tool_name}"
 }
-}
\ No newline at end of file
+}
+data "aws_iam_policy_document" "sbom_public_policy_document" {
+ provider = aws.us-east-1
+ statement {
+ sid = "sbom_public_policy"
+ effect = "Allow"
+
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ actions = [
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:BatchDeleteImage",
+ "ecr:BatchGetImage",
+ "ecr:CompleteLayerUpload",
+ "ecr:DescribeImages",
+ "ecr:DescribeRepositories",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetRepositoryPolicy",
+ "ecr:InitiateLayerUpload",
+ "ecr:ListImages",
+ "ecr:PutImage",
+ "ecr:SetRepositoryPolicy",
+ "ecr:UploadLayerPart"
+ ]
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgID"
+ values = [var.aws_org_id]
+ }
+ }
+}
+resource "aws_ecrpublic_repository_policy" "sbom_public_policy" {
+ provider = aws.us-east-1
+ repository_name = aws_ecrpublic_repository.generate_sbom_public.repository_name
+ policy = sensitive(data.aws_iam_policy_document.sbom_public_policy_document.json)
+}
diff --git a/terragrunt/aws/generate_sbom/inputs.tf b/terragrunt/aws/generate_sbom/inputs.tf
new file mode 100644
index 00000000..88235c48
--- /dev/null
+++ b/terragrunt/aws/generate_sbom/inputs.tf
@@ -0,0 +1,5 @@
+variable "aws_org_id" {
+ description = "The AWS org account ID. Used to limit which accounts can access the public repository."
+ type = string
+ sensitive = true
+}
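Review bot: The single statement in `sbom_public_policy_document` grants `ecr:SetRepositoryPolicy`, `ecr:BatchDeleteImage` and every push action to any principal (`identifiers = ["*"]`) that merely satisfies `aws:PrincipalOrgID`, so any role in any member account can delete images or rewrite this policy and drop the organization condition. Split it into a read statement for the organization and a push statement whose principal is the CI role that publishes the trivy image, and leave `SetRepositoryPolicy` out entirely since Terraform owns the policy. Note also that the IAM service prefix for `aws_ecrpublic_repository` is `ecr-public:` (e.g. `ecr-public:PutImage`), not `ecr:`, and that images in an ECR Public repository can be pulled by anyone regardless of repository policy, so the "accessible only to accounts within our organization" wording in the commit message holds for writes only. Finally, wrapping the document in `sensitive()` redacts the entire policy from plan output, which hides exactly the change a reviewer needs to see in the plan workflow; an organization ID is an identifier rather than a credential, so I would use `policy = data.aws_iam_policy_document.sbom_public_policy_document.json`.
```hcl
data "aws_iam_policy_document" "sbom_public_policy_document" {
  provider = aws.us-east-1

  # Metadata reads for any principal in the organization. Image pulls from a
  # public repository are anonymous and are not governed by this policy.
  statement {
    sid    = "SbomPublicRead"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = [
      "ecr-public:BatchCheckLayerAvailability",
      "ecr-public:DescribeImages",
      "ecr-public:DescribeRepositories",
      "ecr-public:GetRepositoryPolicy",
    ]
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [var.aws_org_id]
    }
  }

  # Push and delete only for the role that publishes the trivy image.
  # SetRepositoryPolicy is deliberately absent: Terraform owns this policy.
  statement {
    sid    = "SbomPublicPush"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [var.sbom_push_role_arn] # placeholder: new variable holding the CI role ARN
    }
    actions = [
      "ecr-public:BatchDeleteImage",
      "ecr-public:CompleteLayerUpload",
      "ecr-public:InitiateLayerUpload",
      "ecr-public:PutImage",
      "ecr-public:UploadLayerPart",
    ]
  }
}

# … unchanged: aws_ecrpublic_repository "generate_sbom_public" …
resource "aws_ecrpublic_repository_policy" "sbom_public_policy" {
  provider        = aws.us-east-1
  repository_name = aws_ecrpublic_repository.generate_sbom_public.repository_name
  policy          = data.aws_iam_policy_document.sbom_public_policy_document.json
}
```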
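Review bot: The description on `aws_org_id` calls it an "org account ID", but ecr.tf feeds it to the `aws:PrincipalOrgID` condition, which compares against the AWS Organizations ID (the `o-…` form), not an account ID; suggest `description = "The AWS Organizations ID (o-...) compared against aws:PrincipalOrgID to limit which accounts may use the public repository."`. Because the value arrives through `TF_VAR_aws_org_id` from a repository secret, an empty or wrong value is accepted by `type = string` without complaint, so a `validation` block whose `condition` is `can(regex("^o-[a-z0-9]{10,32}$", var.aws_org_id))` and whose `error_message` names the expected `o-…` form would stop both workflows before any plan is produced. `sensitive = true` also redacts every plan line that references the variable, including the full repository policy, while an organization ID is not a credential; consider dropping it so policy changes stay reviewable.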