This Terraform module will create an Amazon Elastic Container Registry private repository for use on the Cloud Platform.
If you're using GitHub as your OIDC provider, this module will automatically create the variables and secrets required for authentication in your GitHub repository. By default these are created as repository-level secrets and variables. Alternatively, you can configure the module to create the ECR secrets and variables in GitHub Environments you define, using the `github_environments` field. This pattern is useful if you wish to define separate ECR repositories for different Cloud Platform environments within the same GitHub repository.
If you're using CircleCI as your OIDC provider, this module will create a Kubernetes ConfigMap in your namespace with your authentication variables to use as environment variables in CircleCI.
This module only supports authentication with GitHub Actions and CircleCI.
```hcl
module "container_repository" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=version" # use the latest release

  # Repository configuration
  repo_name = var.namespace

  # OpenID Connect configuration
  oidc_providers      = ["github"]
  github_repositories = ["example-repository"]

  # Tags
  business_unit          = var.business_unit
  application            = var.application
  is_production          = var.is_production
  team_name              = var.team_name # also used for naming the container repository
  namespace              = var.namespace # also used for creating a Kubernetes ConfigMap
  environment_name       = var.environment
  infrastructure_support = var.infrastructure_support
}
```
See the examples/ folder for more information.
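As an added example (not code from this README or its examples/ folder), the GitHub Environments pattern described above for a single Cloud Platform namespace, combined with an ECR lifecycle policy that expires untagged images. The GitHub Environment name `development`, the `DEV` prefix and the seven-day retention are assumed values.

```hcl
# Added example, not the module's own code: one Cloud Platform namespace
# (here the development one) with its own ECR repository, whose credentials
# are written to a named GitHub Environment instead of repository-level
# secrets. The production namespace repeats this with its own environment
# name, so each environment's jobs only see credentials for its own repo.
# Assumed values: the environment name, the "DEV" prefix, the 7-day retention.

module "container_repository" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=version" # use the latest release

  # Repository configuration
  repo_name = var.namespace

  # Expire untagged layers after 7 days (standard AWS ECR lifecycle policy JSON)
  lifecycle_policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "Expire untagged images after 7 days"
      selection = {
        tagStatus   = "untagged"
        countType   = "sinceImagePushed"
        countUnit   = "days"
        countNumber = 7
      }
      action = { type = "expire" }
    }]
  })

  # OpenID Connect configuration: secrets land in the "development"
  # GitHub Environment of example-repository; the prefix keeps their names
  # distinct from those created by other namespaces for the same repository
  oidc_providers        = ["github"]
  github_repositories   = ["example-repository"]
  github_environments   = ["development"]
  github_actions_prefix = "DEV"

  # Tags
  business_unit          = var.business_unit
  application            = var.application
  is_production          = var.is_production
  team_name              = var.team_name
  namespace              = var.namespace
  environment_name       = var.environment
  infrastructure_support = var.infrastructure_support
}

# Expose the outputs other namespace resources need, e.g. an IRSA role
output "container_repository_url" { value = module.container_repository.repo_url }
output "container_repository_irsa_policy_arn" { value = module.container_repository.irsa_policy_arn }
```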
Name | Version |
---|---|
terraform | >= 1.2.5 |
aws | >= 4.0.0 |
github | >= 5.0.0 |
kubernetes | >= 2.0.0 |
random | >= 3.0.0 |

Name | Version |
---|---|
aws | >= 4.0.0 |
github | >= 5.0.0 |
kubernetes | >= 2.0.0 |
random | >= 3.0.0 |

No modules.
Name | Description | Type | Default | Required |
---|---|---|---|---|
application | Application name | `string` | n/a | yes |
business_unit | Area of the MOJ responsible for the service | `string` | n/a | yes |
canned_lifecycle_policy | A canned lifecycle policy to remove tagged or untagged images | `map(any)` | `null` | no |
deletion_protection | (Optional) Whether the ECR repository should have deletion protection enabled while it is non-empty. Set this to `false` if you intend to delete your ECR resource or namespace. NOTE: the PR owner is responsible for ensuring that no other environments share this ECR repository. Defaults to `true`. | `bool` | `true` | no |
environment_name | Environment name | `string` | n/a | yes |
github_actions_prefix | String prefix for GitHub Actions variable and secret keys | `string` | `""` | no |
github_environments | GitHub Environments in which to create GitHub Actions secrets | `list(string)` | `[]` | no |
github_repositories | GitHub repositories in which to create GitHub Actions secrets | `list(string)` | `[]` | no |
infrastructure_support | The team responsible for managing the infrastructure. Should be of the form () | `string` | n/a | yes |
is_production | Whether this is used for production or not | `string` | n/a | yes |
lifecycle_policy | A lifecycle policy consists of one or more rules that determine which images in a repository should be expired. | `string` | `null` | no |
namespace | Namespace name | `string` | n/a | yes |
oidc_providers | OIDC providers for this ECR repository; valid values are `"github"` or `"circleci"` | `list(string)` | `[]` | no |
repo_name | Name of the repository to be created | `string` | n/a | yes |
team_name | Team name | `string` | n/a | yes |

Name | Description |
---|---|
irsa_policy_arn | IAM policy ARN for access to the container repository |
repo_arn | ECR repository ARN |
repo_url | ECR repository URL |
Some of the inputs for this module are tags. All infrastructure resources must be tagged to meet the MOJ Technical Guidance on Documenting owners of infrastructure.
You should use your namespace variables to populate these. See the Usage section for more information.