cds-snc · maxneuvians · Jan 21, 2024 · Jan 21, 2024 · Jan 21, 2024 · Jan 21, 2024
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -11,6 +11,11 @@
 			"version": "2.2.29"
 		},
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {},
+		"terraform": {
+			"version": "1.3.8",
+			"tflint": "latest",
+			"terragrunt": "0.43.2"
+		},
 	},
 	"extensions": [
 		"redhat.vscode-yaml",

diff --git a/.github/workflows/merge_to_main.yaml b/.github/workflows/merge_to_main.yaml
@@ -40,3 +40,7 @@ jobs:
       - name: Apply aws/acm
         working-directory: terragrunt/acm
         run: terragrunt apply --terragrunt-non-interactive -auto-approve
+
+      - name: Apply aws/ecr
+        working-directory: terragrunt/ecr
+        run: terragrunt apply --terragrunt-non-interactive -auto-approve
diff --git a/.github/workflows/pull_requests_terraform.yml b/.github/workflows/pull_requests_terraform.yml
@@ -49,4 +49,13 @@ jobs:
           comment-title: Plan for aws/acm
           directory: ./terragrunt/acm
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          terragrunt: true
+          terragrunt: true
+
+      - name: Plan aws/ecr
+        uses: cds-snc/terraform-plan@28d2efe5155573489fa5b5816fad20d44d1f274b # v3.0.7
+        with:
+          comment-delete: true
+          comment-title: Plan for aws/ecr
+          directory: ./terragrunt/ecr
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          terragrunt: true
diff --git a/aws/.checkov.yml b/aws/.checkov.yml
@@ -1,15 +1,17 @@
 # Config for checkov Terraform static analysis
 
 skip-check:
-  - CKV_AWS_28  # DynamoDB point-in-time recovery not required (data is ephemeral)
+  - CKV_AWS_28 # DynamoDB point-in-time recovery not required (data is ephemeral)
   - CKV_AWS_115 # Lambda concurrent execution limit not required
   - CKV_AWS_116 # Lambda DLQ not required
   - CKV_AWS_117 # Lambda does not need to be in a VPC
   - CKV_AWS_119 # DynamoDB default service key encryption is acceptable
   - CKV_AWS_120 # API caching is not wanted
-  - CKV_AWS_173 # Lambda environment variable encryption with default KMS key is acceptable  
+  - CKV_AWS_173 # Lambda environment variable encryption with default KMS key is acceptable
   - CKV2_AWS_16 # DynamoDB auto scaling not required
-  - CKV_AWS_50  # TODO: enable Lambda x-ray tracing "PassThrough"
-  - CKV_AWS_76  # TODO: enable API gateway access logging
-  - CKV2_AWS_4  # TODO: set API gateway stage logging level
-  - CKV2_AWS_29 # TODO: add WAF
+  - CKV_AWS_50 # TODO: enable Lambda x-ray tracing "PassThrough"
+  - CKV_AWS_76 # TODO: enable API gateway access logging
+  - CKV2_AWS_4 # TODO: set API gateway stage logging level
+  - CKV2_AWS_29 # TODO: add WAF
+  - CKV_AWS_136 # Public code already
+  - CKV_AWS_51 # Tags should be mutable to get latest
diff --git a/aws/ecr/ecr.tf b/aws/ecr/ecr.tf
@@ -0,0 +1,47 @@
+resource "aws_ecr_repository" "app" {
+  name                 = "${var.product_name}/app"
+  image_tag_mutability = "MUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    CostCentre = var.product_name
+    Terraform  = true
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "encrypted_message_policy" {
+  repository = aws_ecr_repository.app.name
+  policy = jsonencode({
+    "rules" : [
+      {
+        "rulePriority" : 1,
+        "description" : "Expire untagged images older than 14 days",
+        "selection" : {
+          "tagStatus" : "untagged",
+          "countType" : "sinceImagePushed",
+          "countUnit" : "days",
+          "countNumber" : 14
+        },
+        "action" : {
+          "type" : "expire"
+        }
+      },
+      {
+        "rulePriority" : 2,
+        "description" : "Keep last 20 tagged images",
+        "selection" : {
+          "tagStatus" : "tagged",
+          "tagPrefixList" : ["latest"],
+          "countType" : "imageCountMoreThan",
+          "countNumber" : 20
+        },
+        "action" : {
+          "type" : "expire"
+        }
+      }
+    ]
+  })
+}
diff --git a/terragrunt/ecr/terragrunt.hcl b/terragrunt/ecr/terragrunt.hcl
@@ -0,0 +1,28 @@
+# DO NOT CHANGE ANYTHING BELOW HERE UNLESS YOU KNOW WHAT YOU ARE DOING
+
+terraform {
+  source = "../../aws//ecr"
+}
+
+dependencies {
+  paths = ["../acm"]
+}
+
+dependency "acm" {
+  config_path = "../acm"
+
+  # Configure mock outputs for the `validate` command that are returned when there are no outputs available (e.g the
+  # module hasn't been applied yet.
+  mock_outputs_allowed_terraform_commands = ["plan-all", "validate"]
+  mock_outputs = {
+    domain_cert_arn     = ""
+  }
+}
+
+include {
+  path = find_in_parent_folders()
+}
+
+inputs = {
+  domain_cert_arn     = dependency.acm.outputs.domain_cert_arn
+}