# Container registry that holds the "fvp" images pushed by the CI tooling
# defined in this file.
#
# NOTE(review): with "MUTABLE" tags an already-published tag can be repointed
# to a different image, so anything that pulls by tag (rather than by digest)
# does not get a stable artifact. Consider "IMMUTABLE" once the push workflow
# stops re-using tags, and have consumers pin image digests in the meantime.
# NOTE(review): no image_scanning_configuration is declared here, so pushed
# images are not scanned on push — confirm whether that is intended.
resource "aws_ecr_repository" "trustedfirmware_fvp" {
  name                 = "fvp"
  image_tag_mutability = "MUTABLE"
}

# Single IAM role shared by all the CI tooling in this file: the ECR, S3 and
# EC2 policies below are all attached to it, and jenkins_instance_profile
# hands it to EC2 instances. Whoever can assume it gets the union of those
# rights.
resource "aws_iam_role" "ecr_pushpull_role" {
  name        = "ecr_pushpull_role"
  description = "Read/Write access to ECR"

  # Trust policy. Three kinds of principal may assume this role:
  #  - the bare account id "987685672616": IAM treats a bare account id as that
  #    account's root, i.e. any user or role in that account whose own policy
  #    grants sts:AssumeRole on this role ARN;
  #  - the IAM user "vault" in account 487149096843;
  #  - the EC2 service, which the instance profile below requires.
  # NOTE(review): the cross-account entries carry no Condition (for example
  # sts:ExternalId or an aws:SourceArn restriction), and the description above
  # still says "ECR" although the role has since gained S3 and EC2 rights —
  # worth confirming that account-wide trust in 987685672616 is intended.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "987685672616",
          "arn:aws:iam::487149096843:user/vault"
        ],
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

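# Inline permissions for ecr_pushpull_role: obtain an ECR login token and
# push/pull image layers.
#
# NOTE(review): "Resource": "*" applies these actions to every repository in
# the account. "ecr:GetAuthorizationToken" genuinely requires "*", but the
# remaining actions accept a repository ARN; if this role only ever pushes to
# aws_ecr_repository.trustedfirmware_fvp, split the statement and scope the
# push/pull actions to that repository's arn attribute.
resource "aws_iam_role_policy" "ecr_pushpull_policy" {
  name = "ecr_pushpull_policy"
  role = aws_iam_role.ecr_pushpull_role.id

  # Policy language version brought in line with the role's assume-role
  # policy ("2012-10-17"). The older "2008-10-17" dialect grants nothing this
  # statement needs and cannot use policy variables, so the change only
  # removes an inconsistency; the permitted actions are unchanged.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
EOF
}
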
# S3 bucket "trustedfirmware-fvp", created through the local s3 module with a
# private canned ACL.
# NOTE(review): the module source is not visible here, so whether the bucket
# also gets a public-access block, versioning and default encryption cannot
# be confirmed from this file — check ./modules/resources/s3.
module "trustedfirmware_fvp_storage" {
  source = "./modules/resources/s3"
  bucket = "trustedfirmware-fvp"
  acl    = "private"
}

# Grants ecr_pushpull_role read/write/delete access to the trustedfirmware-fvp
# bucket. Both ARN forms are needed: "s3:ListBucket" is evaluated against the
# bucket ARN, the object actions against the "/*" object ARN.
#
# NOTE(review): "s3:PutObjectAcl" lets the role change ACLs on individual
# objects, including making them publicly readable, unless a bucket-level
# public-access block (not visible in this file) forbids it. If object ACLs
# are not actually needed by the upload tooling, drop this action.
module "s3_fvp_policy" {
  source      = "./modules/resources/role_policy"
  role_id     = aws_iam_role.ecr_pushpull_role.id
  policy_file = "templates/role_policy.tmpl"
  actions = [
    "s3:AbortMultipartUpload",
    "s3:ListBucket",
    "s3:PutObject",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:PutObjectAcl"
  ]
  resources = [
    "arn:aws:s3:::trustedfirmware-fvp/*",
    "arn:aws:s3:::trustedfirmware-fvp"
  ]
}

# EC2 permissions for building machine images (the module name suggests
# Packer; the action list is the usual AMI-builder set: launch an instance,
# snapshot it, register an image, clean up).
#
# NOTE(review): resources = ["*"] means these actions apply to every
# instance, volume, snapshot, security group and image in the account, not
# just the ones the builder creates. In particular "ec2:TerminateInstances",
# "ec2:ModifyInstanceAttribute", "ec2:AuthorizeSecurityGroupIngress" and
# "ec2:GetPasswordData" (retrieves an instance's encrypted Windows
# administrator password) are then usable against unrelated instances.
# If ./modules/resources/role_policy supports conditions, restricting the
# mutating actions to resources tagged by the builder would contain that;
# the module source is not visible here, so this is a suggestion to verify.
# Because this is attached to ecr_pushpull_role, every principal trusted by
# that role inherits these rights as well.
module "packer_policy" {
  source      = "./modules/resources/role_policy"
  role_id     = aws_iam_role.ecr_pushpull_role.id
  policy_file = "templates/role_policy.tmpl"
  actions = [
    "ec2:AttachVolume",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CopyImage",
    "ec2:CreateImage",
    "ec2:CreateKeypair",
    "ec2:CreateSecurityGroup",
    "ec2:CreateSnapshot",
    "ec2:CreateTags",
    "ec2:CreateVolume",
    "ec2:DeleteKeyPair",
    "ec2:DeleteSecurityGroup",
    "ec2:DeleteSnapshot",
    "ec2:DeleteVolume",
    "ec2:DeregisterImage",
    "ec2:DescribeImageAttribute",
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeRegions",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSnapshots",
    "ec2:DescribeSubnets",
    "ec2:DescribeTags",
    "ec2:DescribeVolumes",
    "ec2:DetachVolume",
    "ec2:GetPasswordData",
    "ec2:ModifyImageAttribute",
    "ec2:ModifyInstanceAttribute",
    "ec2:ModifySnapshotAttribute",
    "ec2:RegisterImage",
    "ec2:RunInstances",
    "ec2:StopInstances",
    "ec2:TerminateInstances"
  ]
  resources = [
    "*"
  ]
}

# Instance profile that exposes ecr_pushpull_role to EC2 instances (the name
# indicates the Jenkins host). Any process on such an instance can fetch the
# role's credentials from the instance metadata service and thereby use the
# ECR, S3 and EC2 permissions attached to the role above — including the CI
# jobs the host runs.
# NOTE(review): the instance resource is not in this file; if it does not
# already require IMDSv2 (metadata_options / http_tokens = "required"), that
# is the usual mitigation against credential theft through SSRF-style access
# to the metadata endpoint.
module "jenkins_instance_profile" {
  source    = "./modules/resources/instance_profile"
  name      = "jenkins_instance_profile"
  role_name = aws_iam_role.ecr_pushpull_role.name
}