Real first commit

telia-oss · Jul 25, 2018 · 61b7eb8 · 61b7eb8
1 parent 60c7d3f
commit 61b7eb8
Show file tree

Hide file tree

Showing 5 changed files with 88 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -2,6 +2,8 @@
 
 [![Build Status](https://travis-ci.com/telia-oss/terraform-aws-ecr.svg?branch=master)](https://travis-ci.com/telia-oss/terraform-aws-ecr)
 
-This module creates an Elastic Container Registry and assosicated policies that can be used by a list of accounts
-
+This module creates a repository on ECR (and associated policies) that other accounts can be given push and pull access to.
 
+- Creates a repository on ECR
+- Creates a policy to allow other accounts push and pull access
+- Creates a lifecycle policy that expires oldest images when a specified limit (default 100) is reached
diff --git a/examples/default/example.tf b/examples/default/example.tf
@@ -10,5 +10,13 @@ data "aws_subnet_ids" "main" {
   vpc_id = "${data.aws_vpc.main.id}"
 }
 
-# REST OF THE EXAMPLE
+module "ecr" {
+  source      = "../../"
+  name_prefix = "example-repo"
 
+  trusted_accounts = [
+    "111122223333", # test account A
+    "444455556666", # test account B
+    "777788889999", # test account C
+  ]
+}
diff --git a/main.tf b/main.tf
@@ -2,3 +2,58 @@
 # Resources
 # ------------------------------------------------------------------------------
 
+resource "aws_ecr_repository" "ecr-repo" {
+  name = "${var.name_prefix}"
+}
+
+resource "aws_ecr_repository_policy" "ecr-policy" {
+  repository = "${aws_ecr_repository.ecr-repo.id}"
+  policy     = "${data.aws_iam_policy_document.ecr-policy-doc.json}"
+}
+
+data "aws_iam_policy_document" "ecr-policy-doc" {
+  "statement" {
+    effect = "Allow"
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "${formatlist("arn:aws:iam::%s:root", var.trusted_accounts)}",
+      ]
+    }
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+    ]
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "keep-last-N" {
+  repository = "${aws_ecr_repository.ecr-repo.id}"
+
+  policy = <<EOF
+  {
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Keep last N images",
+            "selection": {
+                "tagStatus": "any",
+                "countType": "imageCountMoreThan",
+                "countNumber": "${var.lifecycle_count_number}"
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+  }
+EOF
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1,4 +1,12 @@
 # ------------------------------------------------------------------------------
 # Output
 # ------------------------------------------------------------------------------
+output "repository_arn" {
+  description = "Full ARN of the repository."
+  value       = "${aws_ecr_repository.ecr-repo.arn}"
+}
 
+output "repository_url" {
+  description = "The URL of the repository (in the form aws_account_id.dkr.ecr.region.amazonaws.com/repositoryName )"
+  value       = "${aws_ecr_repository.ecr-repo.repository_url}"
+}
diff --git a/variables.tf b/variables.tf
@@ -1,12 +1,24 @@
 # ------------------------------------------------------------------------------
 # Variables
 # ------------------------------------------------------------------------------
+
 variable "name_prefix" {
   description = "A prefix used for naming resources."
 }
 
+variable "lifecycle_count_number" {
+  description = "The max number of images to keep in the repository before expiring the oldest"
+  default     = "100"
+}
+
 variable "tags" {
   description = "A map of tags (key-value pairs) passed to resources."
   type        = "map"
   default     = {}
 }
+
+variable "trusted_accounts" {
+  description = "IDs of other accounts that are trusted to pull and push to this repostitory"
+  type        = "list"
+  default     = []
+}