From b731f829341a9a8c80da500db5ce7690ccead151 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 13 Mar 2024 23:23:18 +0000
Subject: [PATCH 01/12] Bump google.golang.org/protobuf from 1.31.0 to 1.33.0 in /test
Bumps google.golang.org/protobuf from 1.31.0 to 1.33.0.
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: indirect
...
Signed-off-by: dependabot[bot]
---
 test/go.mod | 2 +-
 test/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/go.mod b/test/go.mod
index c74e709..be27c01 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -55,6 +55,6 @@ require (
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 google.golang.org/grpc v1.56.3 // indirect
- google.golang.org/protobuf v1.31.0 // indirect
+ google.golang.org/protobuf v1.33.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/test/go.sum b/test/go.sum
index 3567735..957cfb2 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -948,8 +948,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
From 6cc1aa8abdaf67509eb0f8213ff7792b111db7d5 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 1 Apr 2024 08:13:00 +0000
Subject: [PATCH 02/12] Bump actions/setup-go from 2 to 5
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 5.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v2...v5)
---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/unit.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
index d728c27..e77219f 100644
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -11,7 +11,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Setup Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@v5
 with:
 go-version: 1.21.6
 - name: Run Terratest Unit Tests
@@ -28,7 +28,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Setup Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@v5
 with:
 go-version: 1.21.6
 - name: Run Terratest Unit Tests
From 073f0e3a25855f09574d51a69def3d5f80e5c030 Mon Sep 17 00:00:00 2001
From: sj-williams
Date: Tue, 23 Apr 2024 16:44:36 +0100
Subject: [PATCH 03/12] set repo vars resource creation dependency on environments list
---
 main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index 68065aa..5706884 100644
--- a/main.tf
+++ b/main.tf
@@ -294,7 +294,7 @@ resource "aws_iam_role_policy_attachment" "github_ecr" {
 # Actions
 resource "github_actions_secret" "ecr_role_to_assume" {
- for_each = local.enable_github ? local.github_repos : []
+ for_each = (length(var.github_environments) == 0 && local.enable_github) ? local.github_repos : []
 repository = each.value
 secret_name = local.github_variable_names["ECR_ROLE_TO_ASSUME"]
@@ -302,7 +302,7 @@ resource "github_actions_secret" "ecr_role_to_assume" {
 }
 resource "github_actions_variable" "ecr_region" {
- for_each = local.enable_github ? local.github_repos : []
+ for_each = (length(var.github_environments) == 0 && local.enable_github) ? local.github_repos : []
 repository = each.value
 variable_name = local.github_variable_names["ECR_REGION"]
@@ -310,7 +310,7 @@ resource "github_actions_variable" "ecr_region" {
 }
 resource "github_actions_variable" "ecr_repository" {
- for_each = local.enable_github ? local.github_repos : []
+ for_each = (length(var.github_environments) == 0 && local.enable_github) ? local.github_repos : []
 repository = each.value
 variable_name = local.github_variable_names["ECR_REPOSITORY"]
From a60ef245a8e07e6c01d79ce0c94ac724fb1bd6a2 Mon Sep 17 00:00:00 2001
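Review bot: The guard `(length(var.github_environments) == 0 && local.enable_github)` is pasted verbatim into three `for_each` lines across this hunk and the two that follow it, so the next rule change has to be made in three places; one local such as `enable_github_repo_scope = local.enable_github && length(var.github_environments) == 0`, used as `for_each = local.enable_github_repo_scope ? local.github_repos : []`, keeps the three resources in step. Because a `for_each` that evaluates to the empty set destroys the existing instances, an operator who adds `github_environments` to a deployment that already has repository-level secrets will see those secrets and variables removed on the next apply; the `github_environments` variable description (declared outside this hunk) should say so. The environment-scoped resources that are presumably created when the list is non-empty are not in this hunk, so whether their condition is the exact complement of this one cannot be confirmed here.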
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 28 Apr 2024 05:18:17 +0000
Subject: [PATCH 04/12] Bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.4 in /test
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.7.1 to 1.7.4.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.7.1...v1.7.4)
---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: indirect
...
Signed-off-by: dependabot[bot]
---
 test/go.mod | 2 +-
 test/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/go.mod b/test/go.mod
index c74e709..6265677 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -26,7 +26,7 @@ require (
 github.com/googleapis/gax-go/v2 v2.7.1 // indirect
 github.com/hashicorp/errwrap v1.0.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/hashicorp/go-getter v1.7.1 // indirect
+ github.com/hashicorp/go-getter v1.7.4 // indirect
 github.com/hashicorp/go-multierror v1.1.0 // indirect
 github.com/hashicorp/go-safetemp v1.0.0 // indirect
 github.com/hashicorp/go-version v1.6.0 // indirect
diff --git a/test/go.sum b/test/go.sum
index 3567735..8219353 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -344,8 +344,8 @@ github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/U
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-getter v1.7.1 h1:SWiSWN/42qdpR0MdhaOc/bLR48PLuP1ZQtYLRlM69uY=
-github.com/hashicorp/go-getter v1.7.1/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
+github.com/hashicorp/go-getter v1.7.4 h1:3yQjWuxICvSpYwqSayAdKRFcvBl1y/vogCxczWSmix0=
+github.com/hashicorp/go-getter v1.7.4/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
 github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI=
 github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo=
From 79ccaaf50ecd9cfd9e99fc0de82d30ec9d21987c Mon Sep 17 00:00:00 2001
From: sj-williams
Date: Mon, 29 Apr 2024 16:51:29 +0100
Subject: [PATCH 05/12] readme update
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ca48723..d01d841 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,9 @@
 This Terraform module will create an [Amazon Elastic Container Registry](https://aws.amazon.com/ecr/) private repository for use on the Cloud Platform.
-If you're using GitHub as your OIDC provider, this module will automatically create the required variables for authentication in your GitHub repository.
+If you're using GitHub as your OIDC provider, this module will automatically create the required variables for authentication in your GitHub repository. By default these will be created as [repository secrets and variables](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository). Optionally, you can configure the module to create the ECR secrets
+and variables in your own defined [GitHub Environments](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment). This pattern is useful if you
+wish to define separate ECR repositories for different Cloud Platform environments within the same GitHub repository.
 If you're using CircleCI as your OIDC provider, this module will create a Kubernetes ConfigMap in your namespace with your authentication variables to use as environment variables in CircleCI.
From b09aa1ea0ba27837dc74d7e10cca7b090ea81803 Mon Sep 17 00:00:00 2001
From: sj-williams
Date: Tue, 30 Apr 2024 08:52:59 +0100
Subject: [PATCH 06/12] readme update
---
 README.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/README.md b/README.md
index d01d841..daf9906 100644
--- a/README.md
+++ b/README.md
@@ -4,9 +4,7 @@
 This Terraform module will create an [Amazon Elastic Container Registry](https://aws.amazon.com/ecr/) private repository for use on the Cloud Platform.
-If you're using GitHub as your OIDC provider, this module will automatically create the required variables for authentication in your GitHub repository. By default these will be created as [repository secrets and variables](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository). Optionally, you can configure the module to create the ECR secrets
-and variables in your own defined [GitHub Environments](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment). This pattern is useful if you
-wish to define separate ECR repositories for different Cloud Platform environments within the same GitHub repository.
+If you're using GitHub as your OIDC provider, this module will automatically create the required variables for authentication in your GitHub repository. By default these will be created as [repository secrets and variables](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository). Alternatively, you can configure the module to instead create the ECR secrets and variables in your own defined [GitHub Environments](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment) with the `github_environments` field. This pattern is useful if you wish to define separate ECR repositories for different Cloud Platform environments within the same GitHub repository.
 If you're using CircleCI as your OIDC provider, this module will create a Kubernetes ConfigMap in your namespace with your authentication variables to use as environment variables in CircleCI.
From 7ff1d79de44cc7036b1938213b2caeac2e4bff99 Mon Sep 17 00:00:00 2001
From: Mike Bell
Date: Fri, 31 May 2024 15:11:23 +0100
Subject: [PATCH 07/12] feat: add dependabot to cloud platform project workflow
---
 .github/workflows/dependencies-project.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 .github/workflows/dependencies-project.yml
diff --git a/.github/workflows/dependencies-project.yml b/.github/workflows/dependencies-project.yml
new file mode 100644
index 0000000..b3c421c
--- /dev/null
+++ b/.github/workflows/dependencies-project.yml
@@ -0,0 +1,11 @@
+name: Add dependencies to Cloud Platform project
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ add-dependabot-to-project:
+ uses: ministryofjustice/cloud-platform-github-workflows/.github/workflows/dependencies-project.yml@main
+ secrets: inherit
From e6b1912f8c6252ab9bd5dd44c909f51166844f56 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 31 May 2024 14:51:03 +0000
Subject: [PATCH 08/12] Bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /test
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0.
- [Commits](https://github.com/golang/crypto/compare/v0.14.0...v0.17.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...
Signed-off-by: dependabot[bot]
---
 test/go.mod | 6 +++---
 test/go.sum | 16 ++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/test/go.mod b/test/go.mod
index c74e709..962fa27 100644
--- a/test/go.mod
+++ b/test/go.mod
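Review bot: `uses: ministryofjustice/cloud-platform-github-workflows/.github/workflows/dependencies-project.yml@main` pins the reusable workflow to a moving branch, and the next line hands it every secret of this repository via `secrets: inherit`, so any later push to that branch runs in this repository's secret context with no review here. Pinning the call to an immutable ref, `uses: ministryofjustice/cloud-platform-github-workflows/.github/workflows/dependencies-project.yml@<pinned-commit-sha> # <release-tag>`, keeps updates reviewable, and Dependabot already raises action bumps for this repository (patches 02 and 09 in this series) so the pin should stay current. If the called workflow only needs a project token, listing that one secret under `secrets:` instead of `inherit` limits what it can read. The file also sets no top-level `permissions:`, so the job runs with the repository's default `GITHUB_TOKEN` scope rather than an explicit minimum.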
@@ -45,11 +45,11 @@ require (
 github.com/ulikunitz/xz v0.5.10 // indirect
 github.com/zclconf/go-cty v1.9.1 // indirect
 go.opencensus.io v0.24.0 // indirect
- golang.org/x/crypto v0.14.0 // indirect
+ golang.org/x/crypto v0.17.0 // indirect
 golang.org/x/net v0.17.0 // indirect
 golang.org/x/oauth2 v0.8.0 // indirect
- golang.org/x/sys v0.13.0 // indirect
- golang.org/x/text v0.13.0 // indirect
+ golang.org/x/sys v0.15.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 google.golang.org/api v0.114.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
diff --git a/test/go.sum b/test/go.sum
index 3567735..f9f97d1 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -458,8 +458,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -651,13 +651,13 @@ golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -668,8 +668,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
From f046863a91e6355ce5b0b296c18d55e5cbf9465a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 1 Jun 2024 08:16:37 +0000
Subject: [PATCH 09/12] Bump terraform-docs/gh-actions from 1.0.0 to 1.2.0
Bumps [terraform-docs/gh-actions](https://github.com/terraform-docs/gh-actions) from 1.0.0 to 1.2.0.
- [Release notes](https://github.com/terraform-docs/gh-actions/releases)
- [Commits](https://github.com/terraform-docs/gh-actions/compare/v1.0.0...v1.2.0)
---
updated-dependencies:
- dependency-name: terraform-docs/gh-actions
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/documentation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index b31fd16..628039d 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -9,7 +9,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.ref }}
- - uses: terraform-docs/gh-actions@v1.0.0
+ - uses: terraform-docs/gh-actions@v1.2.0
 with:
 working-dir: .
 output-file: README.md
From 38b66098a08ff9f41281fba091ec17808f034894 Mon Sep 17 00:00:00 2001
From: Tim Cheung <152907271+timckt@users.noreply.github.com>
Date: Tue, 2 Jul 2024 10:18:31 +0100
Subject: [PATCH 10/12] chore: bump example version
---
 examples/ecr.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/ecr.tf b/examples/ecr.tf
index beb1951..d56476b 100644
--- a/examples/ecr.tf
+++ b/examples/ecr.tf
@@ -5,7 +5,7 @@
 *
 */
 module "ecr" {
- source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=6.1.1"
+ source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=7.0.0"
 # Repository configuration
 repo_name = var.namespace
From 17f94764433b243e204745403f0603d249d2a2d8 Mon Sep 17 00:00:00 2001
From: Jason Birchall <31217584+jasonBirchall@users.noreply.github.com>
Date: Thu, 3 Oct 2024 17:12:12 +0100
Subject: [PATCH 11/12] :recycle: Store ECR registry URL as a GitHub secret for improved security
- Moved the dynamically gathered ECR registry URL to a GitHub secret.
- Prevents AWS account details from being exposed in the GitHub Actions logs.
- Improves security by masking the ECR registry URL during workflow runtime.
- Simplifies workflow configuration by using secrets for sensitive information.
- Aligns with best practices for handling sensitive data in CI/CD pipelines.
---
 main.tf | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index 5706884..b219668 100644
--- a/main.tf
+++ b/main.tf
@@ -1,4 +1,9 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
 locals {
+ ecr_registry_url = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com"
+
 # GitHub configuration
 github_repositories = toset([
 for repository in var.github_repositories : {
@@ -32,9 +37,6 @@ locals {
 }
 }
-data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
-
 # ECR repository
 resource "aws_ecr_repository" "repo" {
 name = "${var.team_name}/${var.repo_name}"
@@ -309,6 +311,14 @@ resource "github_actions_variable" "ecr_region" {
 value = data.aws_region.current.name
 }
+resource "github_actions_secret" "ecr_registry_url" {
+ for_each = (length(var.github_environments) == 0 && local.enable_github) ? local.github_repos : []
+
+ repository = each.value
+ secret_name = "ECR_REGISTRY_URL"
+ plaintext_value = local.ecr_registry_url
+}
+
 resource "github_actions_variable" "ecr_repository" {
 for_each = (length(var.github_environments) == 0 && local.enable_github) ? local.github_repos : []
From b9c10e2a254753032001b8c7b993b499f3bfe174 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 3 Oct 2024 16:15:52 +0000
Subject: [PATCH 12/12] terraform-docs: automated action
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index daf9906..a8997f8 100644
--- a/README.md
+++ b/README.md
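Review bot: `secret_name = "ECR_REGISTRY_URL"` in the new `github_actions_secret.ecr_registry_url` resource is a bare literal, while the neighbouring resources resolve their names through `local.github_variable_names[...]`; adding the key to that map (defined outside this hunk) and writing `secret_name = local.github_variable_names["ECR_REGISTRY_URL"]` keeps the names in one place. The resource is also gated on `length(var.github_environments) == 0`, and the diffstat shows no `github_actions_environment_secret` counterpart is added, so deployments that use `github_environments` receive no registry URL secret and would still have to assemble it from the region and account id in the workflow, which is the exposure the commit message says it removes. The value is still written to Terraform state by `plaintext_value`, so the state backend has to be treated as holding it; the commit message's "masking" applies only to the Actions log. The `resource "github_actions_variable" "ecr_repository"` block at the end of this hunk continues beyond it.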
@@ -76,6 +76,7 @@ No modules.
 | [github_actions_environment_secret.ecr_role_to_assume](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
 | [github_actions_environment_variable.ecr_region](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_variable) | resource |
 | [github_actions_environment_variable.ecr_repository](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_variable) | resource |
+| [github_actions_secret.ecr_registry_url](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
 | [github_actions_secret.ecr_role_to_assume](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
 | [github_actions_variable.ecr_region](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
 | [github_actions_variable.ecr_repository](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |