diff --git a/README.md b/README.md
index 093ad15..7371d3b 100644
--- a/README.md
+++ b/README.md
@@ -62,32 +62,20 @@ No modules.
| [aws_ecr_lifecycle_policy.canned](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
| [aws_ecr_lifecycle_policy.lifecycle_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
| [aws_ecr_repository.repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
-| [aws_iam_access_key.key_2023](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_policy.ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.circleci_ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.github_ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
-| [aws_iam_user_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
-| [github_actions_environment_secret.ecr_access_key](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
-| [github_actions_environment_secret.ecr_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
| [github_actions_environment_secret.ecr_role_to_assume](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
-| [github_actions_environment_secret.ecr_secret_key](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
-| [github_actions_environment_secret.ecr_url](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
| [github_actions_environment_variable.ecr_region](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_variable) | resource |
| [github_actions_environment_variable.ecr_repository](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_variable) | resource |
-| [github_actions_secret.ecr_access_key](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
-| [github_actions_secret.ecr_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
| [github_actions_secret.ecr_role_to_assume](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
-| [github_actions_secret.ecr_secret_key](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
-| [github_actions_secret.ecr_url](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
| [github_actions_variable.ecr_region](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
| [github_actions_variable.ecr_repository](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
| [kubernetes_config_map_v1.circleci_oidc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
| [random_id.oidc](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-| [random_id.user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_openid_connect_provider.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
@@ -95,7 +83,6 @@ No modules.
| [aws_iam_policy_document.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_secretsmanager_secret.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
| [aws_secretsmanager_secret_version.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
@@ -110,10 +97,6 @@ No modules.
| [deletion\_protection](#input\_deletion\_protection) | (Optional) Whether the ECR should have deletion protection enabled for non-empty registry. Set this to false if you intend to delete your ECR resource or namespace. NOTE: PR owner has responsibility to ensure that no other environments are sharing this ECR. Defaults to true. | `bool` | `true` | no |
| [environment\_name](#input\_environment\_name) | Environment name | `string` | n/a | yes |
| [github\_actions\_prefix](#input\_github\_actions\_prefix) | String prefix for GitHub Actions variable and secrets key | `string` | `""` | no |
-| [github\_actions\_secret\_ecr\_access\_key](#input\_github\_actions\_secret\_ecr\_access\_key) | The name of the github actions secret containing the ECR AWS access key | `string` | `"ECR_AWS_ACCESS_KEY_ID"` | no |
-| [github\_actions\_secret\_ecr\_name](#input\_github\_actions\_secret\_ecr\_name) | The name of the github actions secret containing the ECR name | `string` | `"ECR_NAME"` | no |
-| [github\_actions\_secret\_ecr\_secret\_key](#input\_github\_actions\_secret\_ecr\_secret\_key) | The name of the github actions secret containing the ECR AWS secret key | `string` | `"ECR_AWS_SECRET_ACCESS_KEY"` | no |
-| [github\_actions\_secret\_ecr\_url](#input\_github\_actions\_secret\_ecr\_url) | The name of the github actions secret containing the ECR URL | `string` | `"ECR_URL"` | no |
| [github\_environments](#input\_github\_environments) | GitHub environment in which to create github actions secrets | `list(string)` | `[]` | no |
| [github\_repositories](#input\_github\_repositories) | GitHub repositories in which to create github actions secrets | `list(string)` | `[]` | no |
| [infrastructure\_support](#input\_infrastructure\_support) | The team responsible for managing the infrastructure. Should be of the form () | `string` | n/a | yes |
@@ -128,11 +111,9 @@ No modules.
| Name | Description |
|------|-------------|
-| [access\_key\_id](#output\_access\_key\_id) | Access key id for the credentials |
| [irsa\_policy\_arn](#output\_irsa\_policy\_arn) | n/a |
| [repo\_arn](#output\_repo\_arn) | ECR repository ARN |
| [repo\_url](#output\_repo\_url) | ECR repository URL |
-| [secret\_access\_key](#output\_secret\_access\_key) | Secret for the new credentials |
## Tags
diff --git a/main.tf b/main.tf
index 3278977..85d3924 100644
--- a/main.tf
+++ b/main.tf
@@ -98,134 +98,6 @@ resource "aws_ecr_lifecycle_policy" "canned" {
policy = (var.canned_lifecycle_policy != null) ? jsonencode(local.canned_lifecycle_policies[var.canned_lifecycle_policy.type]) : null
}
-# Legacy access (IAM access keys)
-resource "random_id" "user" {
- byte_length = 8
-}
-
-resource "aws_iam_user" "user" {
- name = "ecr-user-${random_id.user.hex}"
- path = "/system/ecr-user/${var.team_name}/"
-}
-
-resource "aws_iam_access_key" "key_2023" {
- user = aws_iam_user.user.name
-}
-
-data "aws_iam_policy_document" "policy" {
- statement {
- actions = [
- "ecr:GetAuthorizationToken",
- "ecr:DescribeRepositories",
- "ecr:BatchCheckLayerAvailability",
- "ecr:GetDownloadUrlForLayer",
- "ecr:ListImages",
- "ecr:DescribeImages",
- "ecr:BatchGetImage",
- "ecr:ListTagsForResource",
- "ecr:DescribeImageScanFindings",
- "inspector2:List*",
- "inspector2:Get*"
- ]
-
- resources = [
- "*",
- ]
- }
-
- statement {
- actions = [
- "ecr:CompleteLayerUpload",
- "ecr:BatchDeleteImage",
- "ecr:UploadLayerPart",
- "ecr:InitiateLayerUpload",
- "ecr:PutImage",
- "ecr:SetRepositoryPolicy",
- "ecr:DeleteRepositoryPolicy"
- ]
-
- resources = [
- "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${var.team_name}/*",
- ]
- }
-}
-
-resource "aws_iam_user_policy" "policy" {
- name = "ecr-read-write"
- policy = data.aws_iam_policy_document.policy.json
- user = aws_iam_user.user.name
-}
-
-# Legacy GitHub integration: create GitHub Actions secrets
-resource "github_actions_secret" "ecr_url" {
- for_each = toset(var.github_repositories)
- repository = each.key
- secret_name = var.github_actions_secret_ecr_url
- plaintext_value = trimspace(aws_ecr_repository.repo.repository_url)
-}
-
-resource "github_actions_secret" "ecr_name" {
- for_each = toset(var.github_repositories)
- repository = each.key
- secret_name = var.github_actions_secret_ecr_name
- plaintext_value = trimspace(aws_ecr_repository.repo.name)
-}
-
-resource "github_actions_secret" "ecr_access_key" {
- for_each = toset(var.github_repositories)
- repository = each.key
- secret_name = var.github_actions_secret_ecr_access_key
- plaintext_value = aws_iam_access_key.key_2023.id
-}
-
-resource "github_actions_secret" "ecr_secret_key" {
- for_each = toset(var.github_repositories)
- repository = each.key
- secret_name = var.github_actions_secret_ecr_secret_key
- plaintext_value = aws_iam_access_key.key_2023.secret
-}
-
-# Legacy GitHub integration: Create environment secrets
-resource "github_actions_environment_secret" "ecr_url" {
- for_each = {
- for i in local.github_repo_environments : "${i.repository}.${i.environment}" => i
- }
- repository = each.value.repository
- environment = each.value.environment
- secret_name = var.github_actions_secret_ecr_url
- plaintext_value = trimspace(aws_ecr_repository.repo.repository_url)
-}
-
-resource "github_actions_environment_secret" "ecr_name" {
- for_each = {
- for i in local.github_repo_environments : "${i.repository}.${i.environment}" => i
- }
- repository = each.value.repository
- environment = each.value.environment
- secret_name = var.github_actions_secret_ecr_name
- plaintext_value = trimspace(aws_ecr_repository.repo.name)
-}
-
-resource "github_actions_environment_secret" "ecr_access_key" {
- for_each = {
- for i in local.github_repo_environments : "${i.repository}.${i.environment}" => i
- }
- repository = each.value.repository
- environment = each.value.environment
- secret_name = var.github_actions_secret_ecr_access_key
- plaintext_value = aws_iam_access_key.key_2023.id
-}
-
-resource "github_actions_environment_secret" "ecr_secret_key" {
- for_each = {
- for i in local.github_repo_environments : "${i.repository}.${i.environment}" => i
- }
- repository = each.value.repository
- environment = each.value.environment
- secret_name = var.github_actions_secret_ecr_secret_key
- plaintext_value = aws_iam_access_key.key_2023.secret
-}
-
####################
# IRSA integration #
####################
diff --git a/outputs.tf b/outputs.tf
index 874475d..927b4e9 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,15 +1,3 @@
-output "access_key_id" {
- description = "Access key id for the credentials"
- value = aws_iam_access_key.key_2023.id
- sensitive = true
-}
-
-output "secret_access_key" {
- description = "Secret for the new credentials"
- value = aws_iam_access_key.key_2023.secret
- sensitive = true
-}
-
output "repo_arn" {
description = "ECR repository ARN"
value = aws_ecr_repository.repo.arn
diff --git a/variables.tf b/variables.tf
index 3b918d9..751f05e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -15,30 +15,6 @@ variable "github_environments" {
default = []
}
-variable "github_actions_secret_ecr_name" {
- description = "The name of the github actions secret containing the ECR name"
- default = "ECR_NAME"
- type = string
-}
-
-variable "github_actions_secret_ecr_url" {
- description = "The name of the github actions secret containing the ECR URL"
- default = "ECR_URL"
- type = string
-}
-
-variable "github_actions_secret_ecr_access_key" {
- description = "The name of the github actions secret containing the ECR AWS access key"
- default = "ECR_AWS_ACCESS_KEY_ID"
- type = string
-}
-
-variable "github_actions_secret_ecr_secret_key" {
- description = "The name of the github actions secret containing the ECR AWS secret key"
- default = "ECR_AWS_SECRET_ACCESS_KEY"
- type = string
-}
-
# Lifecycle policy
variable "lifecycle_policy" {
description = "A lifecycle policy consists of one or more rules that determine which images in a repository should be expired."