ecr.tf: setup a second ECR for MISRA

We need to establish another ECR to hold docker images using
the proprietary software (eclair) being used to implement
MISRA testing in Jenkins.

This establishes the ECR, a private S3 bucket for holding
files required to build the docker images, and adds role
policies to grant access to them to the ECR_pushpull_role,
LAVA vault user, and IAM accounts for developer access.

Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org>
Change-Id: I0e023c1d92353d2d4678f914fb8056dd5d7dc4b8
diff --git a/ecr.tf b/ecr.tf
index 9e7940a..8b8b700 100644
--- a/ecr.tf
+++ b/ecr.tf
@@ -3,6 +3,11 @@
   image_tag_mutability = "MUTABLE"
 }
 
+resource "aws_ecr_repository" "trustedfirmware_misra" {
+  name                 = "misra"
+  image_tag_mutability = "MUTABLE"
+}
+
 
 resource "aws_iam_role" "ecr_pushpull_role" {
     name = "ecr_pushpull_role"
@@ -16,7 +21,9 @@
       "Principal": {
         "AWS": [
             "987685672616",
-            "arn:aws:iam::487149096843:user/vault"
+            "arn:aws:iam::487149096843:user/vault",
+            "arn:aws:iam::987685672616:user/arm-dev",
+            "arn:aws:iam::987685672616:user/paul.sokolovsky"
         ],
         "Service": "ec2.amazonaws.com"
       },
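Review bot: The two added principals, `user/arm-dev` and `user/paul.sokolovsky`, are individual IAM users placed in what appears to be the trust policy of `ecr_pushpull_role`. The last hunk shows this same role backing `jenkins_instance_profile`. Anyone holding those users' long-lived keys can therefore take on every permission the CI role has, not only access to the misra repository and bucket. The statement continues outside the hunk, so I cannot see whether a `Condition` is present; if there is none, consider a separate developer role scoped to the misra resources, with a trust statement that requires `aws:MultiFactorAuthPresent`. Naming individuals in Terraform also means offboarding requires a code change; a group-managed or federated role would avoid that.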
@@ -56,6 +63,7 @@
 EOF
 }
 
+
 module "trustedfirmware_fvp_storage" {
   source = "./modules/resources/s3"
   bucket = "trustedfirmware-fvp"
@@ -80,6 +88,31 @@
   ]
 }
 
+module "trustedfirmware_misra_storage" {
+  source = "./modules/resources/s3"
+  bucket = "trustedfirmware-misra"
+  acl = "private"
+}
+
+module "s3_misra_policy" {
+  source      = "./modules/resources/role_policy"
+  role_id     = aws_iam_role.ecr_pushpull_role.id
+  policy_file = "templates/role_policy.tmpl"
+  actions = [
+                "s3:AbortMultipartUpload",
+                "s3:ListBucket",
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:DeleteObject",
+                "s3:ListObjectsV2",
+                "s3:PutObjectAcl"
+  ]
+  resources = [
+                "arn:aws:s3:::trustedfirmware-misra/*",
+                "arn:aws:s3:::trustedfirmware-misra"
+  ]
+}
+
 module "packer_policy" {
   source      = "./modules/resources/role_policy"
   role_id     = aws_iam_role.ecr_pushpull_role.id
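Review bot: `s3:PutObjectAcl` in the `actions` list of `s3_misra_policy` lets any holder of `ecr_pushpull_role` set per-object ACLs, which can undo `acl = "private"` on the bucket unless the `./modules/resources/s3` module also enforces a public access block (not visible here). If the image build does not need it, drop that line. `s3:ListObjectsV2` is, as far as I know, not an IAM action: the ListObjectsV2 API is authorized by `s3:ListBucket`, which is already listed, so that entry can go as well. Because the policy is attached to the role behind `jenkins_instance_profile`, put and delete on the proprietary build inputs extend to everything running under that profile; consider whether `s3:GetObject` and `s3:ListBucket` alone would be enough for the CI side.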
@@ -143,5 +176,3 @@
   name      = "jenkins_instance_profile"
   role_name =  aws_iam_role.ecr_pushpull_role.name
 }
-
-