
Merge pull request #90 from ministryofjustice/add-tags
Add tags
jakemulley authored Jul 27, 2023
2 parents 190ee3b + 925e5c1 commit 64ad5be
Showing 8 changed files with 143 additions and 55 deletions.
9 changes: 7 additions & 2 deletions README.md
Expand Up @@ -91,16 +91,21 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_application"></a> [application](#input\_application) | Application name | `string` | n/a | yes |
| <a name="input_business_unit"></a> [business\_unit](#input\_business\_unit) | Area of the MOJ responsible for the service | `string` | n/a | yes |
| <a name="input_canned_lifecycle_policy"></a> [canned\_lifecycle\_policy](#input\_canned\_lifecycle\_policy) | A canned lifecycle policy to remove tagged or untagged images | `map(any)` | `null` | no |
| <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | (Optional) Whether the ECR should have deletion protection enabled for non-empty registry. Set this to false if you intend to delete your ECR resource or namespace. NOTE: PR owner has responsibility to ensure that no other environments are sharing this ECR. Defaults to true. | `bool` | `true` | no |
| <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | Environment name | `string` | n/a | yes |
| <a name="input_github_actions_prefix"></a> [github\_actions\_prefix](#input\_github\_actions\_prefix) | String prefix for GitHub Actions variable and secrets key | `string` | `""` | no |
| <a name="input_github_environments"></a> [github\_environments](#input\_github\_environments) | GitHub environment in which to create github actions secrets | `list(string)` | `[]` | no |
| <a name="input_github_repositories"></a> [github\_repositories](#input\_github\_repositories) | GitHub repositories in which to create github actions secrets | `list(string)` | `[]` | no |
| <a name="input_infrastructure_support"></a> [infrastructure\_support](#input\_infrastructure\_support) | The team responsible for managing the infrastructure. Should be of the form <team-name> (<team-email>) | `string` | n/a | yes |
| <a name="input_is_production"></a> [is\_production](#input\_is\_production) | Whether this is used for production or not | `string` | n/a | yes |
| <a name="input_lifecycle_policy"></a> [lifecycle\_policy](#input\_lifecycle\_policy) | A lifecycle policy consists of one or more rules that determine which images in a repository should be expired. | `string` | `null` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace name | `string` | `null` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
| <a name="input_oidc_providers"></a> [oidc\_providers](#input\_oidc\_providers) | OIDC providers for this ECR repository, valid values are "github" or "circleci" | `list(string)` | `[]` | no |
| <a name="input_repo_name"></a> [repo\_name](#input\_repo\_name) | Name of the repository to be created | `string` | n/a | yes |
| <a name="input_team_name"></a> [team\_name](#input\_team\_name) | Name of the team creating the credentials | `string` | n/a | yes |
| <a name="input_team_name"></a> [team\_name](#input\_team\_name) | Team name | `string` | n/a | yes |

## Outputs

11 changes: 9 additions & 2 deletions examples/ecr.tf
Expand Up @@ -8,9 +8,7 @@ module "ecr" {
source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=5.3.0"

# REQUIRED: Repository configuration
team_name = var.team_name
repo_name = var.namespace
namespace = var.namespace

# REQUIRED: OIDC providers to configure, either "github", "circleci", or both
oidc_providers = ["github"]
Expand Down Expand Up @@ -76,4 +74,13 @@ module "ecr" {
# Defaults to true

# deletion_protection = false

# Tags (commented out until release)
# business_unit = var.business_unit
# application = var.application
# is_production = var.is_production
team_name = var.team_name # also used for naming the container repository
namespace = var.namespace # also used for creating a Kubernetes ConfigMap
# environment_name = var.environment
# infrastructure_support = var.infrastructure_support
}
51 changes: 16 additions & 35 deletions examples/variables.tf
@@ -1,56 +1,37 @@
/*
* When using this module through the cloud-platform-environments,
* the next 3 variables are automatically supplied by the pipeline.
*
*/
variable "cluster_name" {}

variable "kubernetes_cluster" {}

variable "application" {
description = "Name of Application you are deploying"
default = "example-app"
variable "business_unit" {
default = "Platforms"
}

variable "namespace" {
default = "example-team"
variable "application" {
default = "cloud-platform-terraform-ecr-credentials example module"
}

variable "business_unit" {
description = "Area of the MOJ responsible for the service."
default = "Example"
variable "is_production" {
default = "false"
}

variable "team_name" {
description = "The name of your development team"
default = "example"
default = "webops"
}

variable "environment_name" {
description = "The type of environment you're deploying to."
default = "development"
}

variable "infrastructure_support" {
description = "The team responsible for managing the infrastructure. Should be of the form team-email."
default = "[email protected]"
variable "namespace" {
default = "cloud-platform-terraform-ecr-credentials-example-module"
}

variable "is_production" {
default = "false"
variable "environment" {
default = "non-production"
}

variable "slack_channel" {
description = "Team slack channel to use if we need to contact your team"
default = "example"
variable "infrastructure_support" {
default = "Cloud Platform"
}

variable "github_owner" {
description = "Required by the github terraform provider"
description = "Required by the GitHub terraform provider"
default = "ministryofjustice"
}

variable "github_token" {
description = "Required by the github terraform provider"
description = "Required by the GitHub terraform provider"
default = ""
}
}
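Review bot: The new variable blocks from `variable "business_unit"` down to `variable "infrastructure_support"` drop the `description` attributes that the replaced blocks carried, so only `github_owner` and `github_token` remain documented; the new test/unit-test/variables.tf has the same gap. For example the `is_production` block could read `description = "Whether this is used for production or not (\"true\" or \"false\")"`, mirroring the module's own variables.tf. The header comment still says "the next 3 variables are automatically supplied by the pipeline" while only `cluster_name` and `kubernetes_cluster` follow it, so if the removed `application` block was the third one the count should now read 2. The closing `}` is printed twice at the end of the hunk; that looks like a rendering artefact rather than a real duplicate, but it is worth confirming the file still parses.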
23 changes: 23 additions & 0 deletions main.tf
@@ -1,4 +1,5 @@
locals {
# GitHub configuration
github_repositories = toset([
for repository in var.github_repositories : {
repository = repository
Expand All @@ -15,6 +16,20 @@ locals {
environment = pair[1].environment
}
]

# Tags
default_tags = {
# Mandatory
business-unit = var.business_unit
application = var.application
is-production = var.is_production
owner = var.team_name
namespace = var.namespace # for billing and identification purposes

# Optional
environment-name = var.environment_name
infrastructure-support = var.infrastructure_support
}
}

data "aws_caller_identity" "current" {}
Expand All @@ -27,6 +42,8 @@ resource "aws_ecr_repository" "repo" {
scan_on_push = true
}
force_delete = var.deletion_protection ? false : true

tags = local.default_tags
}

# ECR lifecycle policy
Expand Down Expand Up @@ -132,6 +149,7 @@ resource "aws_iam_policy" "irsa" {
name = "${local.oidc_identifier}-irsa"
path = "/cloud-platform/ecr/"
policy = data.aws_iam_policy_document.irsa.json
tags = local.default_tags
}

####################
Expand Down Expand Up @@ -217,6 +235,7 @@ resource "aws_iam_policy" "ecr" {

name = local.oidc_identifier
policy = data.aws_iam_policy_document.base.json
tags = local.default_tags
}

# GitHub: OIDC provider
Expand Down Expand Up @@ -258,6 +277,8 @@ resource "aws_iam_role" "github" {

name = "${local.oidc_identifier}-github"
assume_role_policy = data.aws_iam_policy_document.github.json

tags = local.default_tags
}

resource "aws_iam_role_policy_attachment" "github_ecr" {
Expand Down Expand Up @@ -361,6 +382,8 @@ resource "aws_iam_role" "circleci" {

name = "${local.oidc_identifier}-circleci"
assume_role_policy = data.aws_iam_policy_document.circleci.json

tags = local.default_tags
}

resource "aws_iam_role_policy_attachment" "circleci_ecr" {
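Review bot: The `# Optional` heading above `environment-name` and `infrastructure-support` in the new `default_tags` local does not match variables.tf in this same commit, where `environment_name` and `infrastructure_support` are declared with `type = string` and no default, so they are required inputs to the module. Either give those two variables a default and filter null values out of the map, or reword the heading to something like `# Optional under the tagging standard, but required inputs of this module` so the two files agree. Since the same map is applied to the IAM roles and policies in the later hunks, a short comment on the local noting that these values reach IAM resources would also help: if any account-level policies use `aws:ResourceTag` conditions, tags such as `owner` and `namespace` become authorization-relevant and their inputs should be treated as trusted. The resources that consume `local.default_tags` begin and end outside the first hunk.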
14 changes: 11 additions & 3 deletions test/unit-test/main.tf
Expand Up @@ -5,7 +5,15 @@ provider "aws" {
module "ecr" {
source = "../.."

repo_name = "ecr-repo-unit-test"
team_name = "cloud-platform"
namespace = "cloud-platform"
# Configuration
repo_name = var.namespace

# Tags
business_unit = var.business_unit
application = var.application
is_production = var.is_production
team_name = var.team_name # also used for naming the container repository
namespace = var.namespace # also used for creating a Kubernetes ConfigMap
environment_name = var.environment
infrastructure_support = var.infrastructure_support
}
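--- a/test/unit-test/variables.tf
+++ b/test/unit-test/variables.tf
@@ -0,0 +1,37 @@
+variable "business_unit" {
+default = "Platforms"
+}
+
+variable "application" {
+default = "cloud-platform-terraform-ecr-credentials example module"
+}
+
+variable "is_production" {
+default = "false"
+}
+
+variable "team_name" {
+default = "webops"
+}
+
+variable "namespace" {
+default = "cloud-platform-terraform-ecr-credentials-example-module"
+}
+
+variable "environment" {
+default = "non-production"
+}
+
+variable "infrastructure_support" {
+default = "Cloud Platform"
+}
+
+variable "github_owner" {
+description = "Required by the GitHub terraform provider"
+default = "ministryofjustice"
+}
+
+variable "github_token" {
+description = "Required by the GitHub terraform provider"
+default = ""
+}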
4 changes: 2 additions & 2 deletions test/unit-test/versions.tf
@@ -1,9 +1,9 @@
terraform {
required_version = ">= 1.2.5"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0.0"
version = ">= 4.0.0"
}
}
required_version = ">= 1.2.5"
}
49 changes: 38 additions & 11 deletions variables.tf
Expand Up @@ -3,17 +3,6 @@ variable "repo_name" {
type = string
}

variable "team_name" {
description = "Name of the team creating the credentials"
type = string
}

variable "namespace" {
description = "Namespace name"
type = string
default = null
}

variable "github_repositories" {
description = "GitHub repositories in which to create github actions secrets"
default = []
Expand Down Expand Up @@ -59,3 +48,41 @@ variable "deletion_protection" {
type = bool
default = true
}

########
# Tags #
########
variable "business_unit" {
description = "Area of the MOJ responsible for the service"
type = string
}

variable "application" {
description = "Application name"
type = string
}

variable "is_production" {
description = "Whether this is used for production or not"
type = string
}

variable "team_name" {
description = "Team name"
type = string
}

variable "namespace" {
description = "Namespace name"
type = string
}

variable "environment_name" {
description = "Environment name"
type = string
}

variable "infrastructure_support" {
description = "The team responsible for managing the infrastructure. Should be of the form <team-name> (<team-email>)"
type = string
}
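Review bot: The new `variable "is_production"` block is typed `string` with no validation, so any value (a misspelling, "yes", "prod") is accepted and written verbatim into the `is-production` tag that main.tf derives from it; a validation block restricting it to "true"/"false", as below, keeps the tag machine-readable without changing the input type. The same file also removes `default = null` from `namespace` and declares the five new tag variables without defaults, which makes them all required and is a breaking change for existing callers of the module, so it belongs in the release notes and a major version bump. `infrastructure_support`'s description prescribes the form `<team-name> (<team-email>)` but nothing enforces it; a similar validation with a regex would be consistent with the one proposed here.
```hcl
variable "is_production" {
  description = "Whether this is used for production or not"
  type        = string

  validation {
    condition     = contains(["true", "false"], var.is_production)
    error_message = "is_production must be \"true\" or \"false\"."
  }
}
```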
