From de34314d93ba9d74aef3ed29e168dbe816bd9b6b Mon Sep 17 00:00:00 2001 From: Johnny Che Date: Wed, 26 Feb 2025 14:56:26 +0000 Subject: [PATCH 1/2] CCL-2122: correct example for organisation --- README.md | 5 ++++- example/example_repos.yaml | 6 ++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 950a50b..ac948af 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,10 @@ common_options: # These are common options that can be re-used by all of your EC - "ecr:GetRepositoryPolicy" - "ecr:ListImages" - "ecr:ListTagsForResource" - resources: ["*"] + principals: + wildcard: + type: "*" + identifiers: ["*"] effect: Allow conditions: - orgMatch: diff --git a/example/example_repos.yaml b/example/example_repos.yaml index 8b1deac..e36453f 100644 --- a/example/example_repos.yaml +++ b/example/example_repos.yaml @@ -24,8 +24,10 @@ common_options: # These are common options that can be re-used by all of your EC - "ecr:GetRepositoryPolicy" - "ecr:ListImages" - "ecr:ListTagsForResource" - resources: ["*"] - effect: Allow + principals: + wildcard: + type: "*" + identifiers: ["*"] conditions: - orgMatch: test: "StringLike" From f797790aa466c7d71ef09f04597b6827a377f142 Mon Sep 17 00:00:00 2001 From: Johnny Che Date: Wed, 26 Feb 2025 15:53:54 +0000 Subject: [PATCH 2/2] CCL-2122: Move prefix setting into a mandatory variable to avoid copy-paste issues --- README.md | 6 ++++-- example/example-terraform.tf | 3 ++- example/example-terragrunt.hcl | 3 ++- example/example_repos.yaml | 1 - main.tf | 2 +- variables.tf | 7 ++++++- 6 files changed, 15 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index ac948af..df86be2 100644 --- a/README.md +++ b/README.md 
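Review bot: The example_repos.yaml hunk removes `effect: Allow` together with the old `resources` line and never re-adds it, while the README hunk in the same patch keeps `effect: Allow` as context, so the two examples now describe different statements; unless the module fills in a default effect (not visible here), the example statement is incomplete and should get `effect: Allow` back after the `identifiers: ["*"]` line. With the principal now the wildcard `type: "*"` / `identifiers: ["*"]`, the only thing scoping this statement is the `orgMatch` condition (`test: "StringLike"`) that follows it, so a copy-paste that drops or mistypes the condition turns this into a repository policy granting the listed `ecr:*` actions to any AWS account. A comment next to the principal such as `# Principal "*" is intentional: access is limited solely by the orgMatch condition below — do not remove the condition` would make that dependency explicit. The policy statement this belongs to begins above the hunk.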
@@ -7,9 +7,10 @@ You may set common options and override them on a per-repository basis with an e Lambda ARNS must be declared in a separate list that can only be defined at a per-repository level. This adds additional permissions that allow Lambda to access ECR repositories to use as a runtime container. +ecr_prefix must be provided. This is to provide some logical separation of ECR repositories. This should typically be the name of the tenant or team. + ## Expected YAML config with Explanations ``` -tenant: #This is used as a prefix for your ECR repo. i.e. / common_options: # These are common options that can be re-used by all of your ECR repositories create_lifecycle_policy: true # Defaults to false. If set to true you will need to specify repository_lifecycle_policy - this is done via filepath to a json file repository_lifecycle_policy: ./policies/example_common_repo_lifecycle_policy.json @@ -90,7 +91,8 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [ecr\_config](#input\_ecr\_config) | PAth to YAML file that contains ECR repositories | `any` | n/a | yes | +| [ecr\_config](#input\_ecr\_config) | Path to YAML file that contains ECR repositories | `any` | n/a | yes | +| [ecr\_prefix](#input\_ecr\_prefix) | This is used to provide logical separation of ECR repositories. This will most likely be the name of the tenant or team | `string` | n/a | yes | | [tags](#input\_tags) | n/a | `map(string)` | `{}` | no | ## Outputs diff --git a/example/example-terraform.tf b/example/example-terraform.tf index affe56e..86230c0 100644 --- a/example/example-terraform.tf +++ b/example/example-terraform.tf @@ -1,6 +1,7 @@ module "ecr_repos" { source = "../" - + + ecr_prefix = "example-tenant" ecr_config = yamldecode(file("./example_repos.yaml")) tags = { diff --git a/example/example-terragrunt.hcl b/example/example-terragrunt.hcl index ae50635..f002fec 100644 --- a/example/example-terragrunt.hcl 
+++ b/example/example-terragrunt.hcl @@ -3,7 +3,8 @@ terraform { } inputs = { - association_config = yamldecode(file("./example_repos.yaml")) + ecr_prefix = "example-tenant" + ecr_config = yamldecode(file("./example_repos.yaml")) tags = { cost-centre = "..." diff --git a/example/example_repos.yaml b/example/example_repos.yaml index e36453f..a26cd92 100644 --- a/example/example_repos.yaml +++ b/example/example_repos.yaml @@ -1,4 +1,3 @@ -tenant: #This is used as a prefix for your ECR repo. i.e. / common_options: # These are common options that can be re-used by all of your ECR repositories create_lifecycle_policy: true # Defaults to false. If set to true you will need to specify repository_lifecycle_policy - this is done via filepath to a json file repository_lifecycle_policy: ./policies/example_common_repo_lifecycle_policy.json diff --git a/main.tf b/main.tf index ef693a3..aadfcd7 100644 --- a/main.tf +++ b/main.tf @@ -4,7 +4,7 @@ module "ecr" { for_each = try(var.ecr_config.repo_list, {}) - repository_name = "${var.ecr_config.tenant}/${each.key}" + repository_name = "${var.ecr_prefix}/${each.key}" repository_type = "private" create_lifecycle_policy = try(each.value.create_lifecycle_policy, var.ecr_config.common_options.create_lifecycle_policy, false) diff --git a/variables.tf b/variables.tf index 1d85f04..f0e0b7c 100644 --- a/variables.tf +++ b/variables.tf @@ -1,6 +1,11 @@ +variable "ecr_prefix" { + type = string + description = "This is used to provide logical separation of ECR repositories. This will most likely be the name of the tenant or team" +} + variable "ecr_config" { type = any - description = "PAth to YAML file that contains ECR repositories" + description = "Path to YAML file that contains ECR repositories" } variable "tags" {
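Review bot: The new `ecr_prefix` variable is interpolated straight into `repository_name = "${var.ecr_prefix}/${each.key}"` in main.tf with no validation, so an empty or mixed-case prefix — exactly the copy-paste mistake this commit sets out to prevent — is only rejected by the ECR API at apply time instead of at plan. ECR repository names are restricted to lowercase letters, digits and `. _ - /` separators, so a `validation` block on the variable (below) catches a bad prefix before anything is created. The corrected `ecr_config` description is also still inaccurate: both examples pass `yamldecode(file(...))` and main.tf reads `var.ecr_config.repo_list`, so the variable holds the decoded YAML object rather than a path — `description = "Decoded YAML object (e.g. yamldecode(file(...))) describing the ECR repositories to create"`. The `variable "tags"` block that closes this hunk continues outside it.
```hcl
variable "ecr_prefix" {
  # … unchanged: type and description …

  validation {
    condition     = can(regex("^[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*$", var.ecr_prefix))
    error_message = "ecr_prefix must follow the ECR repository-name grammar: lowercase letters, digits and . _ - / separators only."
  }
}
```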