Merge pull request #22 from schubergphilis/custom_life_cycle_policy_r…

…ules

enhancement: add an attribute to define your own policy

README.md

@@ -37,6 +37,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_repository_names"></a> [repository\_names](#input\_repository\_names) | list of repository names, names can include namespaces: prefixes ending with a slash (/) | `list(string)` | n/a | yes |
 | <a name="input_additional_ecr_policy_statements"></a> [additional\_ecr\_policy\_statements](#input\_additional\_ecr\_policy\_statements) | Map of additional ecr repository policy statements | <pre>map(object({<br>    effect = string<br>    principal = object({<br>      type        = string<br>      identifiers = list(string)<br>    })<br>    actions = list(string)<br>    condition = optional(list(object({<br>      test     = string<br>      variable = string<br>      values   = list(string)<br>    })), [])<br>  }))</pre> | `null` | no |
+| <a name="input_custom_lifecycle_policy_rules"></a> [custom\_lifecycle\_policy\_rules](#input\_custom\_lifecycle\_policy\_rules) | JSON definition of custom policy Rules, this will disable the default policy | `string` | `null` | no |
 | <a name="input_enable_lifecycle_policy"></a> [enable\_lifecycle\_policy](#input\_enable\_lifecycle\_policy) | Set to false to prevent the module from adding any lifecycle policies to any repositories | `bool` | `true` | no |
 | <a name="input_force_delete"></a> [force\_delete](#input\_force\_delete) | When deleting a repository, force the deletion if it is not empty | `bool` | `false` | no |
 | <a name="input_image_tag_mutability"></a> [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be: `MUTABLE` or `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |

main.tf

@@ -1,19 +1,21 @@
 locals {
   ecr_policies = merge(local.readonly_ecr_policy, var.additional_ecr_policy_statements)
 
-  policy_rule_untagged_image = [{
-    rulePriority = 1
-    description  = "Keep untagged images for 1 day"
-    selection = {
-      tagStatus   = "untagged"
-      countType   = "sinceImagePushed"
-      countUnit   = "days"
-      countNumber = 1
-    }
-    action = {
-      type = "expire"
+  policy_rule_untagged_image = [
+    {
+      rulePriority = 1
+      description  = "Keep untagged images for 1 day"
+      selection = {
+        tagStatus   = "untagged"
+        countType   = "sinceImagePushed"
+        countUnit   = "days"
+        countNumber = 1
+      }
+      action = {
+        type = "expire"
+      }
     }
-  }]
+  ]
 
   readonly_ecr_policy = length(var.principals_readonly_access) > 0 ? {
     "ReadonlyAccess" = {
@@ -56,15 +58,20 @@ resource "aws_ecr_repository" "default" {
   }
 }
 
+locals {
+  ecr_policy_to_apply = var.custom_lifecycle_policy_rules != null && var.custom_lifecycle_policy_rules != "" ? var.custom_lifecycle_policy_rules : jsonencode({
+    rules = local.policy_rule_untagged_image
+  })
+}
+
 resource "aws_ecr_lifecycle_policy" "default" {
   for_each   = toset(var.enable_lifecycle_policy ? var.repository_names : [])
   repository = aws_ecr_repository.default[each.value].name
 
-  policy = jsonencode({
-    rules = local.policy_rule_untagged_image
-  })
+  policy = local.ecr_policy_to_apply
 }
 
+
 data "aws_iam_policy_document" "default" {
   count = local.ecr_policies != null ? 1 : 0
 

variables.tf

@@ -16,6 +16,12 @@ variable "additional_ecr_policy_statements" {
   default     = null
 }
 
+variable "custom_lifecycle_policy_rules" {
+  type        = string
+  description = "JSON definition of custom policy Rules, this will disable the default policy"
+  default     = null
+}
+
 variable "enable_lifecycle_policy" {
   type        = bool
   description = "Set to false to prevent the module from adding any lifecycle policies to any repositories"