From c846565c5f8bd9bf455b2529aa448a31a3409b87 Mon Sep 17 00:00:00 2001
From: Johan Steenhoven <1254233+sbkg0002@users.noreply.github.com>
Date: Fri, 19 Jan 2024 11:39:24 +0100
Subject: [PATCH 1/5] Allow custom lifecycle policy
---
 main.tf | 39 +++++++++++++++++++++++----------------
 variables.tf | 6 ++++++
 2 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/main.tf b/main.tf
index 3154963..67f8252 100644
--- a/main.tf
+++ b/main.tf
@@ -1,23 +1,25 @@
 locals {
 ecr_policies = merge(local.readonly_ecr_policy, var.additional_ecr_policy_statements)
 
- policy_rule_untagged_image = [{
- rulePriority = 1
- description = "Keep untagged images for 1 day"
- selection = {
- tagStatus = "untagged"
- countType = "sinceImagePushed"
- countUnit = "days"
- countNumber = 1
- }
- action = {
- type = "expire"
+ policy_rule_untagged_image = [
+ {
+ rulePriority = 1
+ description = "Keep untagged images for 1 day"
+ selection = {
+ tagStatus = "untagged"
+ countType = "sinceImagePushed"
+ countUnit = "days"
+ countNumber = 1
+ }
+ action = {
+ type = "expire"
+ }
 }
- }]
+ ]
 
 readonly_ecr_policy = length(var.principals_readonly_access) > 0 ? {
 "ReadonlyAccess" = {
- effect = "Allow"
+ effect = "Allow"
 principal = {
 type = "AWS"
 identifiers = [for k in var.principals_readonly_access : "arn:aws:iam::${k}:root"]
@@ -56,15 +58,20 @@ resource "aws_ecr_repository" "default" {
 }
 }
 
+locals {
+ ecr_policy_to_apply = var.custom_lifecycle_policy_rules != null && var.custom_lifecycle_policy_rules != "" ? var.custom_lifecycle_policy_rules : jsonencode({
+ rules = local.policy_rule_untagged_image
+ })
+}
+
 resource "aws_ecr_lifecycle_policy" "default" {
 for_each = toset(var.enable_lifecycle_policy ? var.repository_names : [])
 repository = aws_ecr_repository.default[each.value].name
- policy = jsonencode({
- rules = local.policy_rule_untagged_image
- })
+ policy = local.ecr_policy_to_apply
 }
+
 data "aws_iam_policy_document" "default" {
 count = local.ecr_policies != null ? 1 : 0
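Review bot: In the new `ecr_policy_to_apply` local the custom string is passed to `policy` verbatim, while the default branch wraps `policy_rule_untagged_image` in a `rules` object, so a variable named and described as "policy Rules" must in fact hold the complete lifecycle policy document (`{"rules": [...]}`) — a caller who supplies only the rules array gets a document the API will reject, and nothing in the module states this shape. A comment on the local would make the contract explicit: `# custom_lifecycle_policy_rules is applied as-is and must be a full lifecycle policy document ({"rules": [...]}); it replaces the untagged-image expiry rule entirely`. Because the string is not parsed here, a malformed document only surfaces at apply time from the ECR API rather than at plan time. As a point of style, the value could live in the existing top-level `locals` block instead of a second `locals` placed between resources. The `data "aws_iam_policy_document"` block continues outside the hunk.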
diff --git a/variables.tf b/variables.tf
index d0f786c..8b2a027 100644
--- a/variables.tf
+++ b/variables.tf
@@ -16,6 +16,12 @@ variable "additional_ecr_policy_statements" {
 default = null
 }
 
+variable "custom_lifecycle_policy_rules" {
+ type = string
+ description = "JSON definition of custom policy Rules"
+ default = null
+}
+
 variable "enable_lifecycle_policy" {
 type = bool
 description = "Set to false to prevent the module from adding any lifecycle policies to any repositories"
From e19bb9101cdd10794873e8bb879c38992e65d79b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 23 Jan 2024 15:04:22 +0000
Subject: [PATCH 2/5] docs(readme): update module usage
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index cd2c8d8..5d8198a 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [repository\_names](#input\_repository\_names) | list of repository names, names can include namespaces: prefixes ending with a slash (/) | `list(string)` | n/a | yes |
 | [additional\_ecr\_policy\_statements](#input\_additional\_ecr\_policy\_statements) | Map of additional ecr repository policy statements |
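Review bot: The new `custom_lifecycle_policy_rules` variable accepts any string with no plan-time check, so a typo in the JSON is only caught when the provider calls ECR during apply, after the repositories have already been created. A `validation` block using `can(jsondecode(...))` rejects it at plan time; since main.tf treats the empty string as "not set", the condition should accept `""` as well as `null`. The `optional(...)` type used by the neighbouring variable suggests a Terraform version where `validation` blocks are available, but confirm against the module's required version.
```terraform
variable "custom_lifecycle_policy_rules" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.custom_lifecycle_policy_rules == null || var.custom_lifecycle_policy_rules == "" || can(jsondecode(var.custom_lifecycle_policy_rules))
    error_message = "custom_lifecycle_policy_rules must be null, empty, or a valid JSON lifecycle policy document."
  }
}
```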
map(object({
effect = string
principal = object({
type = string
identifiers = list(string)
})
actions = list(string)
condition = optional(list(object({
test = string
variable = string
values = list(string)
})), [])
}))
| `null` | no |
+| [custom\_lifecycle\_policy\_rules](#input\_custom\_lifecycle\_policy\_rules) | JSON definition of custom policy Rules | `string` | `null` | no |
 | [enable\_lifecycle\_policy](#input\_enable\_lifecycle\_policy) | Set to false to prevent the module from adding any lifecycle policies to any repositories | `bool` | `true` | no |
 | [force\_delete](#input\_force\_delete) | When deleting a repository, force the deletion if it is not empty | `bool` | `false` | no |
 | [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be: `MUTABLE` or `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
From 76904e6b31f033aa75bcd0552b8e9969ec6d8907 Mon Sep 17 00:00:00 2001
From: Sjoerd Tromp
Date: Tue, 23 Jan 2024 16:52:43 +0100
Subject: [PATCH 3/5] clear up the description
---
 variables.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/variables.tf b/variables.tf
index 8b2a027..bed8ad4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -17,8 +17,8 @@ variable "additional_ecr_policy_statements" {
 }
 
 variable "custom_lifecycle_policy_rules" {
- type = string
- description = "JSON definition of custom policy Rules"
+ type = string
+ description = "JSON definition of custom policy Rules, this will disable the default policy"
 default = null
 }
 
From a2b8fc82a70567332231bb17cda0504967d88c73 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Tue, 23 Jan 2024 15:53:04 +0000
Subject: [PATCH 4/5] docs(readme): update module usage
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5d8198a..a1db356 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [repository\_names](#input\_repository\_names) | list of repository names, names can include namespaces: prefixes ending with a slash (/) | `list(string)` | n/a | yes |
 | [additional\_ecr\_policy\_statements](#input\_additional\_ecr\_policy\_statements) | Map of additional ecr repository policy statements |
map(object({
effect = string
principal = object({
type = string
identifiers = list(string)
})
actions = list(string)
condition = optional(list(object({
test = string
variable = string
values = list(string)
})), [])
}))
| `null` | no |
-| [custom\_lifecycle\_policy\_rules](#input\_custom\_lifecycle\_policy\_rules) | JSON definition of custom policy Rules | `string` | `null` | no |
+| [custom\_lifecycle\_policy\_rules](#input\_custom\_lifecycle\_policy\_rules) | JSON definition of custom policy Rules, this will disable the default policy | `string` | `null` | no |
 | [enable\_lifecycle\_policy](#input\_enable\_lifecycle\_policy) | Set to false to prevent the module from adding any lifecycle policies to any repositories | `bool` | `true` | no |
 | [force\_delete](#input\_force\_delete) | When deleting a repository, force the deletion if it is not empty | `bool` | `false` | no |
 | [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be: `MUTABLE` or `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
From 8f9151d776f6a6f93d4406ee4f02bbe802d4672e Mon Sep 17 00:00:00 2001
From: Sjoerd Tromp
Date: Tue, 23 Jan 2024 16:54:43 +0100
Subject: [PATCH 5/5] Fix
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 67f8252..cfae52f 100644
--- a/main.tf
+++ b/main.tf
@@ -5,7 +5,7 @@ locals {
 {
 rulePriority = 1
 description = "Keep untagged images for 1 day"
- selection = {
+ selection = {
 tagStatus = "untagged"
 countType = "sinceImagePushed"
 countUnit = "days"
@@ -19,7 +19,7 @@ locals {
 
 readonly_ecr_policy = length(var.principals_readonly_access) > 0 ? {
 "ReadonlyAccess" = {
- effect = "Allow"
+ effect = "Allow"
 principal = {
 type = "AWS"
 identifiers = [for k in var.principals_readonly_access : "arn:aws:iam::${k}:root"]