diff --git a/app/tf/backend.tf b/app/tf/backend.tf
new file mode 100644
index 0000000..78cf275
--- /dev/null
+++ b/app/tf/backend.tf
@@ -0,0 +1,8 @@
+terraform {
+ backend "s3" {
+ bucket = "terraform-remote-state-076680484948"
+ encrypt = true
+ key = "tf/add-aws-ecr-ecs-fargate/terraform.tfstate"
+ region = "us-east-2"
+ }
+}
\ No newline at end of file
diff --git a/app/tf/ecr.tf b/app/tf/ecr.tf
new file mode 100644
index 0000000..ed65b22
--- /dev/null
+++ b/app/tf/ecr.tf
@@ -0,0 +1,43 @@
+data "aws_caller_identity" "current" {}
+locals {
+ principal_root_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+ development_account = "743794601996"
+ development_env_root_arn = "arn:aws:iam::${local.development_account}:root"
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
+resource "aws_ecr_repository" "image_repo" {
+ name = var.name
+ image_tag_mutability = "IMMUTABLE"
+ encryption_configuration {
+ encryption_type = "KMS"
+ kms_key = aws_kms_key.ecr_kms_key.arn
+ }
+
+ image_scanning_configuration {
+ scan_on_push = true
+ }
+}
+# ECR Repository policy for cross-account access
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_policy
+resource "aws_ecr_repository_policy" "repository_policy" {
+ repository = aws_ecr_repository.image_repo.name
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "AllowCrossAccountPull"
+ Effect = "Allow"
+ Principal = {
+ AWS = "${local.development_env_root_arn}"
+ }
+ Action = [
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:BatchGetImage",
+ "ecr:DescribeImages",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:ListImages"
+ ]
+ }
+ ]
+ })
+}
\ No newline at end of file
diff --git a/app/tf/kms.tf b/app/tf/kms.tf
new file mode 100644
index 0000000..cf8b3a6
--- /dev/null
+++ b/app/tf/kms.tf
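Review bot: The `backend "s3"` block sets `encrypt = true` but configures no state lock, so two concurrent runs against `tf/add-aws-ecr-ecs-fargate/terraform.tfstate` can race and leave the state file corrupted or partially applied. Terraform's s3 backend takes `dynamodb_table = "<STATE_LOCK_TABLE>"` (placeholder; the table must exist beforehand with a `LockID` hash key) for this, or the omission should be documented in a comment if it is deliberate for a single-operator setup. Note also that `encrypt = true` only asks S3 for server-side encryption of the object; if the state should be protected with a customer-managed key, that is the separate `kms_key_id` argument.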
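Review bot: The doc link above `aws_ecr_repository_policy` points at the `ecr_registry_policy` page, which documents a different, registry-wide resource; it should read `#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy`. `AWS = "${local.development_env_root_arn}"` is the interpolation-only string form that `terraform fmt` normalizes away; `AWS = local.development_env_root_arn` is equivalent, and the same pattern appears twice in kms.tf. The hard-coded `development_account = "743794601996"` would sit better as an input variable next to the ones in variables.tf, so the consuming account is declared with the other environment settings and can be overridden without editing the policy file. Granting to the account's `:root` principal delegates the choice of which roles may pull to the development account's own IAM policies, which is the usual cross-account pattern but is worth stating in the `# ECR Repository policy for cross-account access` comment so a reader does not mistake it for a broader grant.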
@@ -0,0 +1,41 @@
+# Create a KMS key for encryption
+resource "aws_kms_key" "ecr_kms_key" {
+ description = "KMS key to encrypt ECR images in central AWS account."
+ deletion_window_in_days = 7
+ enable_key_rotation = true
+}
+# KMS key policy allowing AccountB to use the key for ECR image encryption/decryption
+resource "aws_kms_alias" "ecr_key_alias" {
+ name = "alias/${var.name}-ecr-repository-key"
+ target_key_id = aws_kms_key.ecr_kms_key.key_id
+}
+
+resource "aws_kms_key_policy" "ecr_key_policy" {
+ key_id = aws_kms_key.ecr_kms_key.key_id
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ # Allow Central AWS account to perform any KMS actions
+ {
+ Sid = "Enable IAM User Permissions"
+ Action = ["kms:*"]
+ Effect = "Allow"
+ Principal = {
+ AWS = "${local.principal_root_arn}"
+ }
+ Resource = "*"
+ },
+ # Allow Dev environment to use the KMS key for decryption
+ {
+ Effect = "Allow"
+ Principal = {
+ AWS = "${local.development_env_root_arn}"
+ }
+ Action = [
+ "kms:Decrypt"
+ ]
+ Resource = "*"
+ }
+ ]
+ })
+}
\ No newline at end of file
diff --git a/app/tf/provider.tf b/app/tf/provider.tf
new file mode 100644
index 0000000..a2b24af
--- /dev/null
+++ b/app/tf/provider.tf
@@ -0,0 +1,19 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.42.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+ access_key = var.access_key
+ secret_key = var.secret_key
+ default_tags {
+ tags = {
+ Source = "https://github.com/kunduso/add-aws-ecr-ecs-fargate"
+ }
+ }
+}
\ No newline at end of file
diff --git a/app/tf/variables.tf b/app/tf/variables.tf
new file mode 100644
index 0000000..31aa377
--- /dev/null
+++ b/app/tf/variables.tf
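Review bot: The comment `# KMS key policy allowing AccountB to use the key for ECR image encryption/decryption` sits above the `aws_kms_alias` resource, which it does not describe; move it above `aws_kms_key_policy`, name the development account from ecr.tf instead of "AccountB", and give the alias its own line such as `# Human-readable alias for the ECR key`. The second statement has no `Sid` while the first does; `Sid = "AllowDevAccountDecrypt"` keeps the two consistent and makes policy diffs easier to read. `deletion_window_in_days = 7` is the minimum AWS allows; once this key is scheduled for deletion and the window lapses, every image in `aws_ecr_repository.image_repo` encrypted under it becomes unreadable, so a longer window is the safer default for a key that guards shared artifacts, and the choice deserves a comment either way.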
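Review bot: `access_key = var.access_key` and `secret_key = var.secret_key` wire long-lived static credentials into the provider block, and because both variables default to `""` in variables.tf a run with neither set presumably falls through to the provider's environment credential lookup, which makes a forgotten value hard to tell apart from an intended one. Prefer dropping both arguments and letting the provider's default credential chain (environment variables, a shared profile, or an assumed role) supply credentials; if static keys must stay supported, remove `default = ""` from both variables so a missing value fails at plan time rather than silently. The exact `version = "5.42.0"` pin is fine for reproducibility, but the `terraform` block carries no `required_version` constraint for Terraform itself, so the backend and provider behaviour relied on here is not pinned to a core version.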
@@ -0,0 +1,25 @@
+#Define AWS Region
+variable "region" {
+ description = "Infrastructure region."
+ type = string
+ default = "us-east-2"
+}
+#Define IAM User Access Key
+variable "access_key" {
+ description = "The access_key that belongs to the IAM user."
+ type = string
+ sensitive = true
+ default = ""
+}
+#Define IAM User Secret Key
+variable "secret_key" {
+ description = "The secret_key that belongs to the IAM user."
+ type = string
+ sensitive = true
+ default = ""
+}
+variable "name" {
+ description = "The name of the application."
+ type = string
+ default = "app-6"
+}
\ No newline at end of file
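Review bot: `variable "name"` feeds both the ECR repository name in ecr.tf and the alias `alias/${var.name}-ecr-repository-key` in kms.tf but has no `validation` block, so a value with characters ECR rejects only fails at apply time, after the KMS key has already been created. Add a `validation` block whose `condition` checks the value with `can(regex(...))` against ECR's repository-name rules (lowercase letters, digits and `._/-`) and whose `error_message` spells those rules out, so the failure surfaces at plan time. The `region` default duplicates the `"us-east-2"` literal hard-coded in backend.tf, which cannot read variables; a comment on this variable noting that the two must be kept in step would save a future reader from changing one and not the other.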