Merge pull request #18 from DNXLabs/feature/ecr-lifecycle

Add scan on push, ecr lifecycle and kms optional

README.md

@@ -11,10 +11,7 @@ The following resources will be created:
    - Set the Amazon ECR image scanning on push  = true
       - Amazon ECR image scanning helps in identifying software vulnerabilities in your container images.
  - ECR policies
- - Create a ECR lifecyle
-    - Expire images older than 14 days
-    - Expire images with feature tag
-    - Expire images with the same tag
+ - ECR lifecyle
 
 <!--- BEGIN_TF_DOCS --->
 
@@ -35,8 +32,10 @@ The following resources will be created:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | image\_tag\_mutability | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE. | `string` | `"MUTABLE"` | no |
-| kms\_key\_arn | KMS Key ARN to use a CMK instead of default key | `string` | n/a | yes |
+| kms\_key\_arn | KMS Key ARN to use a CMK instead of default key | `string` | `""` | no |
+| lifecycle\_policy | JSON formatted string ECR repository lifecycle policy. | `string` | `""` | no |
 | name | Name for ECR repository | `any` | n/a | yes |
+| scan\_on\_push | Configuration block that defines image scanning configuration for the repository. | `bool` | `true` | no |
 | tags | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no |
 | trust\_accounts | Accounts to trust and allow ECR fetch | `list(string)` | n/a | yes |
 

_variables.tf

@@ -10,6 +10,7 @@ variable "trust_accounts" {
 variable "kms_key_arn" {
   type        = string
   description = "KMS Key ARN to use a CMK instead of default key"
+  default     = ""
 }
 
 variable "image_tag_mutability" {
@@ -18,6 +19,18 @@ variable "image_tag_mutability" {
   default     = "MUTABLE"
 }
 
+variable "scan_on_push" {
+  description = "Configuration block that defines image scanning configuration for the repository."
+  type        = bool
+  default     = true
+}
+
+variable "lifecycle_policy" {
+  description = "JSON formatted string ECR repository lifecycle policy."
+  type        = string
+  default     = ""
+}
+
 variable "tags" {
   description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment."
   type        = map(string)

ecr-lifecycle.tf

@@ -1,59 +1,6 @@
-# resource "aws_ecr_lifecycle_policy" "default" {
-#   repository = "${aws_ecr_repository.default.name}"
+resource "aws_ecr_lifecycle_policy" "default" {
+  count      = var.lifecycle_policy != "" ? 1 : 0
+  repository = aws_ecr_repository.default.name
 
-#   policy = <<EOF
-# {
-#   "rules": [
-#     {
-#       "rulePriority": 1,
-#       "description": "Expire images older than 14 days",
-#       "selection": {
-#         "countUnit": "days",
-#         "countType": "sinceImagePushed",
-#         "countNumber": 14,
-#         "tagStatus": "untagged"
-#       },
-#       "action": {
-#         "type": "expire"
-#       }
-#     },
-#     {
-#       "rulePriority": 2,
-#       "description": "Expire images with feature tag",
-#       "selection": {
-#         "countType": "imageCountMoreThan",
-#         "tagPrefixList": [
-#           "feature",
-#           "prod",
-#           "deploy",
-#           "qa",
-#           "nonprod",
-#           "staging",
-#           "preprod",
-#           "dev",
-#           "test",
-#           "production"
-#         ],
-#         "countNumber": 1,
-#         "tagStatus": "tagged"
-#       },
-#       "action": {
-#         "type": "expire"
-#       }
-#     },
-#     {
-#       "rulePriority": 3,
-#       "description": "Expire images with the same tag",
-#       "selection": {
-#         "countType": "imageCountMoreThan",
-#         "countNumber": 1,
-#         "tagStatus": "any"
-#       },
-#       "action": {
-#         "type": "expire"
-#       }
-#     }
-#   ]
-# }
-# EOF
-# }
+  policy = var.lifecycle_policy
+}

ecr-repositories.tf

@@ -3,14 +3,18 @@ resource "aws_ecr_repository" "default" {
   image_tag_mutability = var.image_tag_mutability
 
   encryption_configuration {
-    encryption_type = "KMS"
-    kms_key         = length(var.kms_key_arn) > 0 ? var.kms_key_arn : ""
+    encryption_type = var.kms_key_arn != "" ? "KMS" : "AES256"
+    kms_key         = var.kms_key_arn
+  }
+
+  image_scanning_configuration {
+    scan_on_push = var.scan_on_push
   }
 
   tags = merge(
     var.tags,
     {
-      "Name" = "${var.name}"
+      "Name" = var.name
     },
   )