From f19ddf240878bf20550093d38bd158b18badd505 Mon Sep 17 00:00:00 2001
From: Artem Zhelezov <36639304+zhelezovartem@users.noreply.github.com>
Date: Tue, 12 Mar 2024 21:33:55 +0600
Subject: [PATCH] use beta registry for prod
---
 .github/workflows/sub_deploy_to_prod.yml | 31 ++---------------
 deployment/terraform/data.tf | 1 +
 deployment/terraform/deployment.tf | 4 +--
 deployment/terraform/ecr.tf | 42 ++++++++++++++++++++++++
 4 files changed, 46 insertions(+), 32 deletions(-)
 create mode 100644 deployment/terraform/data.tf
 create mode 100644 deployment/terraform/ecr.tf
diff --git a/.github/workflows/sub_deploy_to_prod.yml b/.github/workflows/sub_deploy_to_prod.yml
index 464d77f..cafbe02 100644
--- a/.github/workflows/sub_deploy_to_prod.yml
+++ b/.github/workflows/sub_deploy_to_prod.yml
@@ -34,39 +34,12 @@ jobs: echo "service_name=${{ env.SERVICE_NAME }}" >> ${GITHUB_OUTPUT} echo "image_tag=${{ inputs.IMAGE_TAG }}" >> ${GITHUB_OUTPUT} echo "aws_account_id=274425519734" >> ${GITHUB_OUTPUT} - echo "ecr_registry=274425519734.dkr.ecr.eu-central-1.amazonaws.com" >> ${GITHUB_OUTPUT} + echo "ecr_registry=244531986313.dkr.ecr.eu-central-1.amazonaws.com" >> ${GITHUB_OUTPUT} echo "aws_region=eu-central-1" >> ${GITHUB_OUTPUT} echo "gh_actions_iam_role_name=gh_actions_services" >> ${GITHUB_OUTPUT} - push-image-to-prod-ecr: - needs: [variables] - runs-on: ubuntu-latest - permissions: - id-token: write - contents: write - steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{ needs.variables.outputs.aws_region }} - role-duration-seconds: 2400 - role-session-name: ${{ github.event.repository.name }} - role-to-assume: arn:aws:iam::${{ needs.variables.outputs.aws_account_id }}:role/${{ needs.variables.outputs.gh_actions_iam_role_name }} - - - name: Login to Amazon ECR (Elastic Container Registry) - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - - - name: Push image to private prod-ECR - run: | - PUBLIC_IMAGE_NAME=cyberdojo/${{ needs.variables.outputs.service_name }}:${{ inputs.IMAGE_TAG }} - PRIVATE_IMAGE_NAME=${{ needs.variables.outputs.ecr_registry }}/${{ needs.variables.outputs.service_name }}:${{ inputs.IMAGE_TAG }} - docker pull ${PUBLIC_IMAGE_NAME} - docker tag ${PUBLIC_IMAGE_NAME} ${PRIVATE_IMAGE_NAME} - docker push ${PRIVATE_IMAGE_NAME} - deploy-to-aws-prod: - needs: [variables, push-image-to-prod-ecr] + needs: [variables] permissions: id-token: write contents: write diff --git a/deployment/terraform/data.tf b/deployment/terraform/data.tf new file mode 100644 index 0000000..c9976a9 --- /dev/null +++ b/deployment/terraform/data.tf @@ -0,0 +1 @@ +data "aws_organizations_organization" "org" {} \ No newline at end of file 
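Review bot: The new `ecr_registry` output points at account 244531986313 while `aws_account_id` two lines above still says 274425519734, so the prod deploy job (whose body continues past this hunk) now deploys an image that is no longer copied into a prod-controlled registry and resolves `inputs.IMAGE_TAG` in that other account at deploy time. The `ecr.tf` added in this same commit grants push on that repository to any principal in the organization, so a tag can be re-pointed between the beta run and the prod deploy; resolving the digest first and deploying `${REGISTRY}/${SERVICE}@${DIGEST}` instead of the tag would close that window (this needs `ecr:DescribeImages` or a pull on that repo, which the new policy does not grant to the prod role as written). At minimum the intent should be stated on the new line: `# prod deploys the image already verified in the beta registry (account 244531986313); the deploy role still lives in 274425519734`.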
diff --git a/deployment/terraform/deployment.tf b/deployment/terraform/deployment.tf
index 0ec7728..f3a80e6 100644
--- a/deployment/terraform/deployment.tf
+++ b/deployment/terraform/deployment.tf
@@ -1,5 +1,5 @@
 module "ecs-service" {
- source = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-9d7e951c290ec5bbe6506e0ddb064808764bc636/terraform-modules.zip//ecs-service/v3"
+ source = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-9d7e951c290ec5bbe6506e0ddb064808764bc636/terraform-modules.zip//ecs-service/v4"
 service_name = var.service_name
 TAGGED_IMAGE = var.TAGGED_IMAGE
 enable_execute_command = "true"
@@ -8,8 +8,6 @@ module "ecs-service" {
 mem_reservation = var.mem_reservation
 mem_limit = var.mem_limit
 app_env_vars = local.app_env_vars
- ecr_replication_targets = var.ecr_replication_targets
- ecr_replication_origin = var.ecr_replication_origin
 ecs_wait_for_steady_state = true
 tags = module.tags.result
 }
diff --git a/deployment/terraform/ecr.tf b/deployment/terraform/ecr.tf
new file mode 100644
index 0000000..0e5f45a
--- /dev/null
+++ b/deployment/terraform/ecr.tf
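Review bot: Removing `ecr_replication_targets`/`ecr_replication_origin` from the module call means the image is no longer replicated into this account, so the ECS task execution role must now pull cross-account from whatever registry `TAGGED_IMAGE` names; nothing in this hunk sets that up, and the `ecs-service/v4` module body is not in the diff, so whether v4 expects that is unverified. A one-line comment above `source` would spare the next reader the archaeology: `# v4: image is pulled straight from the shared (beta) registry; cross-account pull is granted by the repository policy in ecr.tf`. Also confirm the `variable "ecr_replication_targets"` / `"ecr_replication_origin"` declarations (not in this diff) are deleted, otherwise they linger as dead inputs.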
@@ -0,0 +1,42 @@
+module "aws_ecr_repository" {
+ count = var.env == "staging" ? 1 : 0
+ source = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-dacef8339fbd41ce31c346f854a85d0c74f7c4e8/terraform-modules.zip//ecr/v6"
+ ecr_repository_name = var.service_name
+ tags = module.tags.result
+}
+
+# Allow pull dev image for all Kosli org
+data "aws_iam_policy_document" "allow_pull_from_org" {
+ count = var.env == "staging" ? 1 : 0
+ statement {
+ sid = "AllowPullFromOrg"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ actions = [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:PutImage",
+ "ecr:InitiateLayerUpload",
+ "ecr:UploadLayerPart",
+ "ecr:CompleteLayerUpload"
+ ]
+
+ condition {
+ test = "ForAnyValue:StringLike"
+ variable = "aws:PrincipalOrgID"
+ values = [data.aws_organizations_organization.org.id]
+ }
+ }
+}
+
+resource "aws_ecr_repository_policy" "allow_pull" {
+ count = var.env == "staging" ? 1 : 0
+ repository = module.aws_ecr_repository[0].ecr_repository_name
+ policy = data.aws_iam_policy_document.allow_pull_from_org[0].json
+}
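Review bot: The statement named `AllowPullFromOrg` (and the "Allow pull dev image" comment above it) also grants `ecr:PutImage`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart` and `ecr:CompleteLayerUpload` to principal `"*"` scoped only by `aws:PrincipalOrgID`, so every role and user in every account of the organization can overwrite any tag in this repository — and the workflow change in this same commit makes production deploy from it. Split the push actions into a second statement restricted to the CI role that actually builds the image (the workflow names `gh_actions_services`; the exact ARN has to be supplied), and keep the org-wide statement pull-only. `ForAnyValue:StringLike` is the set-operator form and `aws:PrincipalOrgID` is single-valued, so `StringEquals` states the intent more plainly. If the `ecr/v6` module exposes tag immutability, setting it would additionally stop a verified tag from being re-pointed.
```hcl
# Pull-only for every principal in the organisation; push is granted separately below.
data "aws_iam_policy_document" "allow_pull_from_org" {
  count = var.env == "staging" ? 1 : 0
  statement {
    sid    = "AllowPullFromOrg"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
    ]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [data.aws_organizations_organization.org.id]
    }
  }

  statement {
    sid    = "AllowPushFromCi"
    effect = "Allow"

    principals {
      type        = "AWS"
      # TODO: declare this variable; ARN(s) of the CI role that pushes images (gh_actions_services per the workflow)
      identifiers = var.ecr_push_principal_arns
    }

    actions = [
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
    ]
  }
}
# … unchanged: module "aws_ecr_repository" and resource "aws_ecr_repository_policy" …
```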