From cbad52b4f88aea4265bfde02e280306bfbfd69d6 Mon Sep 17 00:00:00 2001 From: Dmitry Borisov Date: Sat, 28 Dec 2024 00:52:46 +0300 Subject: [PATCH 1/5] Module updated to use latest resources. Licence updated. --- .gitmodules | 3 - .infra/icmk | 1 - LICENSE | 222 ++++++++++++++++++++++++++++++++++---- Makefile | 8 -- README.md | 35 ++++-- examples/complete/main.tf | 21 ++-- examples/minimal/main.tf | 6 +- main.tf | 15 ++- variables.tf | 36 ++++++- 9 files changed, 287 insertions(+), 60 deletions(-) delete mode 100644 .gitmodules delete mode 160000 .infra/icmk delete mode 100644 Makefile diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index 3225751..0000000 --- a/.gitmodules +++ /dev/null @@ -1,3 +0,0 @@ -[submodule ".infra/icmk"] - path = .infra/icmk - url = https://github.com/hazelops/icmk.git diff --git a/.infra/icmk b/.infra/icmk deleted file mode 160000 index 90c3690..0000000 --- a/.infra/icmk +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 90c369091d19a01e5483ef0acd4a030ea0277d24 diff --git a/LICENSE b/LICENSE index 963d300..59c4a75 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,21 +1,201 @@ -MIT License - -Copyright (c) 2020-present HazelOps OÜ https://hazelops.com - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. 
For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. 
For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. 
If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. 
You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. 
Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright 2024 HazelOps OÜ + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Makefile b/Makefile deleted file mode 100644 index 53eb12b..0000000 --- a/Makefile +++ /dev/null @@ -1,8 +0,0 @@ -NAMESPACE = nutcorp -ICMK_VERSION ?= master -ENV_DIR = $(PWD) - -include .infra/icmk/*.mk - -# Infrastructure -test: terraform.checkov terraform.tflint diff --git a/README.md b/README.md index 96e8bbd..da09cad 100644 --- a/README.md +++ b/README.md @@ -18,12 +18,12 @@ This module provides settings: ## Usage -### Miminal setup & Unrestricted access to ECR +### Minimal setup & Unrestricted access to ECR ```hcl module "ecr" { source = "hazelops/ecr/aws" - version = "~> 1.0" + version = "~> 2.0" name = "test" } ``` @@ -32,17 +32,24 @@ module "ecr" { ```hcl module "ecr" { - source = "hazelops/ecr/aws" - version = "~> 1.0" - name = "test" - enabled = true - pull_arns = ["arn:aws:iam::1234567890:user/johnd"] - push_arns = ["arn:aws:iam::123454321:user/elvis"] - max_any_image_count = 3 + source = "hazelops/ecr/aws" + version = "~> 2.0" + name = "test" + enabled = true + pull_arns = ["arn:aws:iam::1234567890:user/johnd"] + push_arns = ["arn:aws:iam::123454321:user/elvis"] + image_tag_mutability = "IMMUTABLE" + image_scan_on_push = true + encryption_type = "KMS" + max_any_image_count = 5 + tags = { + Name = "test" + Terraform = "true" + } } ``` - + ## Requirements No requirements. 
@@ -70,13 +77,18 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [ecr\_policy](#input\_ecr\_policy) | Optional ECR policy to be applied. | `string` | `""` | no | +| [ecr\_policy](#input\_ecr\_policy) | Optional ECR policy to be applied. | `list(string)` | `[]` | no | | [enabled](#input\_enabled) | If not enabled, no resources will be created. | `bool` | `true` | no | +| [encryption\_type](#input\_encryption\_type) | The encryption type for the repository. Must be one of: `KMS` or `AES256`. Defaults to `AES256.` | `string` | `null` | no | | [force\_delete](#input\_force\_delete) | If true, will delete the repository even if it contains images. | `bool` | `false` | no | +| [image\_scan\_on\_push](#input\_image\_scan\_on\_push) | Indicates whether images are scanned after being pushed to the repository (`true`) or not scanned (`false`). | `bool` | `false` | no | +| [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `MUTABLE`. | `string` | `"MUTABLE"` | no | +| [kms\_key](#input\_kms\_key) | The ARN of the KMS key to use when encryption\_type is `KMS`. If not specified, uses the default AWS managed key for ECR. | `string` | `null` | no | | [max\_any\_image\_count](#input\_max\_any\_image\_count) | Maximum number of images that you want to retain in repository. | `number` | `100` | no | | [name](#input\_name) | Name of the ECR repository. | `any` | n/a | yes | | [pull\_arns](#input\_pull\_arns) | List of IAM ARNs that can pull images. | `list(string)` | `[]` | no | | [push\_arns](#input\_push\_arns) | List of IAM ARNs that can push and pull images and tags. | `list(string)` | `[]` | no | +| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | ## Outputs 
@@ -84,6 +96,7 @@ No modules. |------|-------------| | [repository\_id](#output\_repository\_id) | n/a | | [repository\_url](#output\_repository\_url) | n/a | + ### Terraform Module Registry diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 083a7a3..5362d69 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -1,9 +1,16 @@ module "ecr" { - source = "hazelops/ecr/aws" - version = "~> 1.0" - name = "test" - enabled = true - pull_arns = ["arn:aws:iam::1234567890:user/johnd"] - push_arns = ["arn:aws:iam::123454321:user/elvis"] - max_any_image_count = 3 + source = "hazelops/ecr/aws" + version = "~> 2.0" + name = "test" + enabled = true + pull_arns = ["arn:aws:iam::1234567890:user/johnd"] + push_arns = ["arn:aws:iam::123454321:user/elvis"] + image_tag_mutability = "IMMUTABLE" + image_scan_on_push = true + encryption_type = "KMS" + max_any_image_count = 5 + tags = { + Name = "test" + Terraform = "true" + } } diff --git a/examples/minimal/main.tf b/examples/minimal/main.tf index fa28273..c57273b 100644 --- a/examples/minimal/main.tf +++ b/examples/minimal/main.tf @@ -1,5 +1,5 @@ module "ecr" { - source = "hazelops/ecr/aws" - version = "~> 1.0" - name = "test" + source = "hazelops/ecr/aws" + version = "~> 2.0" + name = "test" } diff --git a/main.tf b/main.tf index 323fee3..9b5b666 100644 --- a/main.tf +++ b/main.tf @@ -1,7 +1,16 @@ resource "aws_ecr_repository" "this" { - count = var.enabled ? 1 : 0 - name = var.name - force_delete = var.force_delete + count = var.enabled ? 1 : 0 + name = var.name + force_delete = var.force_delete + image_tag_mutability = var.image_tag_mutability + encryption_configuration { + encryption_type = var.encryption_type + kms_key = var.kms_key + } + image_scanning_configuration { + scan_on_push = var.image_scan_on_push + } + tags = var.tags } resource "aws_ecr_repository_policy" "this" { diff --git a/variables.tf b/variables.tf index d6cba99..ec73b92 100644 --- a/variables.tf +++ b/variables.tf 
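Review bot: `kms_key = var.kms_key` inside the new `encryption_configuration` block in main.tf is passed unconditionally, so a caller who sets `kms_key` while leaving `encryption_type` at its `null` (AES256) default gets, as far as I recall, a rejection from the ECR API at apply time rather than a plan-time message. Gating the key on the type, `kms_key = var.encryption_type == "KMS" ? var.kms_key : null`, keeps it out of the AES256 path; a `validation` on the variables would be the alternative. The `aws_ecr_repository_policy` resource whose opening line closes the hunk continues outside it.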
@@ -26,12 +26,42 @@ variable "ecr_policy" { } variable "max_any_image_count" { - default = 100 - type = number + default = 100 + type = number description = "Maximum number of images that you want to retain in repository." } variable "force_delete" { - default = false + default = false description = "If true, will delete the repository even if it contains images." } + +variable "image_tag_mutability" { + default = "MUTABLE" + description = "The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `MUTABLE`." +} + +variable "kms_key" { + description = "The ARN of the KMS key to use when encryption_type is `KMS`. If not specified, uses the default AWS managed key for ECR." + type = string + default = null +} + +variable "image_scan_on_push" { + description = "Indicates whether images are scanned after being pushed to the repository (`true`) or not scanned (`false`)." + type = bool + default = false +} + +variable "encryption_type" { + description = "The encryption type for the repository. Must be one of: `KMS` or `AES256`. Defaults to `AES256.`" + type = string + default = null +} + +variable "tags" { + description = "A map of tags to add to all resources." + type = map(string) + default = {} +} + From 0bb6c9d1190336648dc2bda1feac0a100fd2a791 Mon Sep 17 00:00:00 2001 From: Dmitry Borisov Date: Sat, 28 Dec 2024 00:55:10 +0300 Subject: [PATCH 2/5] Linter added --- .github/workflows/linter.yml | 72 ++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 .github/workflows/linter.yml diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml new file mode 100644 index 0000000..a9d2018 --- /dev/null +++ b/.github/workflows/linter.yml 
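Review bot: `image_tag_mutability` and `encryption_type` both state "Must be one of …" in their descriptions, yet neither new variable carries a `validation` block, so a value such as `"Immutable"` is only rejected by the ECR API at apply time; the blocks below reject it at plan time. `image_scan_on_push` defaults to `false`, so repositories created with the module defaults are never scanned — if that is intentional the description should say so, otherwise `default = true` is the safer default for a new major version. The closing backtick of the `encryption_type` description is placed after the full stop; it should close directly after AES256.

```hcl
variable "image_tag_mutability" {
  # … unchanged: default, description …
  validation {
    condition     = contains(["MUTABLE", "IMMUTABLE"], var.image_tag_mutability)
    error_message = "image_tag_mutability must be MUTABLE or IMMUTABLE."
  }
}

variable "encryption_type" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.encryption_type == null ? true : contains(["KMS", "AES256"], var.encryption_type)
    error_message = "encryption_type must be KMS or AES256."
  }
}
```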
@@ -0,0 +1,72 @@ +name: "Terraform Checks" +defaults: + run: + shell: bash +on: + pull_request: + +jobs: + # Performs linting and format checks and suggests fixes on PR + terraform-linter: + name: Terraform Linter + runs-on: ubuntu-latest + timeout-minutes: 5 + strategy: + matrix: + terraform_version: [1.5.6, 1.10.1] # Actual and latest versions used + fail-fast: false + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + submodules: true + + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "${{ matrix.terraform_version }}" + + - name: Terraform init + run: terraform init + + - name: Tflint Report Output + uses: reviewdog/action-tflint@v1.23.2 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + tflint_version: "v0.49.0" # Version set due to this https://github.com/reviewdog/action-tflint/issues/83 + reporter: github-pr-review + fail_on_error: "true" + filter_mode: "added" + flags: "--module" # This option should work until tflint v0.5.1. + + # Performs linting and format checks and suggests fixes on PR + terraform-formatter: + name: Terraform Formatter + runs-on: ubuntu-latest + timeout-minutes: 5 + strategy: + matrix: + terraform_version: [1.5.6, 1.10.1] # Actual and latest versions used + fail-fast: false + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + submodules: true + + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "${{ matrix.terraform_version }}" + + - name: Terraform init + run: terraform init + + # This step applies format suggestions locally which would be used by a suggester + - name: Terraform Format suggestions + run: terraform fmt + + - uses: reviewdog/action-suggester@v1.18.0 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + tool_name: "terraform" + fail_on_error: "true" + filter_mode: "added" From 27dddf2b9f3459c59a897a38f0d4bff73dcbfa46 Mon Sep 17 00:00:00 2001 
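Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` handed to the two reviewdog steps carries the repository's default token permissions instead of the `contents: read` / `pull-requests: write` pair that the `github-pr-review` reporter needs. Every action is also referenced by a mutable tag (`actions/checkout@v4`, `hashicorp/setup-terraform@v3`, `reviewdog/action-tflint@v1.23.2`, `reviewdog/action-suggester@v1.18.0`); pinning each to a full commit SHA with the tag kept in a trailing comment makes the job reproducible and keeps a re-tagged release from changing what runs with that token. `submodules: true` on both checkout steps is left over from the `.infra/icmk` submodule that the first patch removes. The comment on `flags: "--module"` cites tflint v0.5.1, which next to `tflint_version: "v0.49.0"` looks like a typo for a later version — worth confirming.

```yaml
permissions:
  contents: read
  pull-requests: write

# … unchanged: defaults, on, job headers and matrix …
      - name: Checkout Code
        uses: actions/checkout@<full-commit-sha> # v4

      - uses: hashicorp/setup-terraform@<full-commit-sha> # v3
      # … unchanged: terraform init …
      - name: Tflint Report Output
        uses: reviewdog/action-tflint@<full-commit-sha> # v1.23.2
      # … unchanged: formatter job, with the same pinning for actions/checkout, setup-terraform and reviewdog/action-suggester …
```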
From: Dmitry Borisov Date: Sat, 28 Dec 2024 00:57:12 +0300 Subject: [PATCH 3/5] Variable type added --- variables.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/variables.tf b/variables.tf index ec73b92..e859fbd 100644 --- a/variables.tf +++ b/variables.tf @@ -37,6 +37,7 @@ variable "force_delete" { } variable "image_tag_mutability" { + type = string default = "MUTABLE" description = "The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `MUTABLE`." } From 846c7491adf5c18816cece2058e45544bee69d42 Mon Sep 17 00:00:00 2001 From: Dmitry Borisov Date: Sat, 28 Dec 2024 01:05:26 +0300 Subject: [PATCH 4/5] Readme updated --- README.md | 23 +---------------------- examples/minimal/main.tf | 5 ----- 2 files changed, 1 insertion(+), 27 deletions(-) delete mode 100644 examples/minimal/main.tf diff --git a/README.md b/README.md index da09cad..87d3152 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Terraform ECR Module - +[![Terraform Tests](https://github.com/hazelops/terraform-aws-ecr/actions/workflows/linter.yml/badge.svg)](https://github.com/hazelops/terraform-aws-ecr/actions/workflows/linter.yml) Terraform module that creates ECR resources on AWS. @@ -28,27 +28,6 @@ module "ecr" { } ``` -### Full setup & Restricted access to ECR by IAM arns - -```hcl -module "ecr" { - source = "hazelops/ecr/aws" - version = "~> 2.0" - name = "test" - enabled = true - pull_arns = ["arn:aws:iam::1234567890:user/johnd"] - push_arns = ["arn:aws:iam::123454321:user/elvis"] - image_tag_mutability = "IMMUTABLE" - image_scan_on_push = true - encryption_type = "KMS" - max_any_image_count = 5 - tags = { - Name = "test" - Terraform = "true" - } -} -``` - ## Requirements diff --git a/examples/minimal/main.tf b/examples/minimal/main.tf deleted file mode 100644 index c57273b..0000000 --- a/examples/minimal/main.tf +++ /dev/null @@ -1,5 +0,0 @@ -module "ecr" { - source = "hazelops/ecr/aws" - version = "~> 2.0" - name = "test" -} 
From 754ed6a0ef25605a5e309a93a3dc9f5580745cea Mon Sep 17 00:00:00 2001 From: Dmitry Borisov Date: Sat, 28 Dec 2024 01:07:20 +0300 Subject: [PATCH 5/5] Fix & update
--- examples/complete/main.tf | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 5362d69..a588a6b 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -9,8 +9,4 @@ module "ecr" {
 image_scan_on_push = true
 encryption_type = "KMS"
 max_any_image_count = 5
- tags = {
- Name = "test"
- Terraform = "true"
- }
 }
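Review bot: Dropping the `tags` block from examples/complete leaves the `tags` input introduced in patch 1 with no example exercising it, while the README input table still lists it; if the removal fixes a formatting or linter failure, a one-line `tags = { Terraform = "true" }` would keep the complete example complete. The subject "Fix & update" does not say what was fixed, which makes this hard to review — naming the failure in the message would help. The `module "ecr"` block begins outside the hunk.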