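# Registry for the FVP CI image. Push/pull rights are granted to
# ecr_pushpull_role further down in this file.
resource "aws_ecr_repository" "trustedfirmware_fvp" {
  name = "fvp"

  # MUTABLE lets CI re-point an existing tag (e.g. a rolling tag) at a new
  # image, which also means a tag is not a stable reference to one digest.
  # Switching to IMMUTABLE would break any workflow that re-pushes a tag, so
  # it is deliberately left unchanged here; consumers that need a fixed
  # artifact should pin by digest.
  image_tag_mutability = "MUTABLE"

  # Scan every pushed image for known vulnerabilities on arrival.
  image_scanning_configuration {
    scan_on_push = true
  }
}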
5
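# Registry for the MISRA checker CI image. Push/pull rights are granted to
# ecr_pushpull_role further down in this file.
resource "aws_ecr_repository" "trustedfirmware_misra" {
  name = "misra"

  # Same trade-off as trustedfirmware_fvp: MUTABLE keeps tag re-pushes
  # working but means a tag cannot be trusted to stay on one digest.
  image_tag_mutability = "MUTABLE"

  # Scan every pushed image for known vulnerabilities on arrival.
  image_scanning_configuration {
    scan_on_push = true
  }
}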
10
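# Shared CI role: pushes/pulls the CI images, reads/writes the artifact
# buckets, drives Packer, and (via jenkins_instance_profile) is the identity
# of the Jenkins EC2 instance itself.
resource "aws_iam_role" "ecr_pushpull_role" {
  name        = "ecr_pushpull_role"
  description = "Read/Write access to ECR"

  # The trust policy is expressed with jsonencode() instead of an unindented
  # heredoc so the provider validates its structure at plan time. The
  # resulting document is equivalent to the previous JSON.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          # NOTE(review): "987685672616" on its own is the account root, i.e.
          # every IAM user/role in that account that is allowed sts:AssumeRole
          # may assume this role. That already covers the two explicit users
          # listed for the same account, so those entries are redundant, and
          # no Condition (MFA, source IP, ExternalId) narrows the human
          # principals. Left as-is because the callers that rely on the
          # account-wide trust are not visible from this file.
          AWS = [
            "987685672616",
            "arn:aws:iam::487149096843:user/vault",
            "arn:aws:iam::987685672616:user/arm-dev",
            "arn:aws:iam::987685672616:user/paul.sokolovsky",
          ]
          # Lets EC2 instances launched with jenkins_instance_profile assume
          # the role.
          Service = "ec2.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      },
    ]
  })
}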
36
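# ECR permissions for ecr_pushpull_role.
resource "aws_iam_role_policy" "ecr_pushpull_policy" {
  name = "ecr_pushpull_policy"
  role = aws_iam_role.ecr_pushpull_role.id

  # "Version" is moved from 2008-10-17 to the current policy language (the
  # same version the trust policy uses). None of the statements below use
  # anything version-specific, so this does not change what is granted.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Registry login is account-level and is only valid on "*".
        Sid      = "AllowEcrLogin"
        Effect   = "Allow"
        Action   = "ecr:GetAuthorizationToken"
        Resource = "*"
      },
      {
        # Layer/image operations are limited to the repositories declared in
        # this file rather than every repository in the account. A repository
        # defined elsewhere that this role must push to has to be added here.
        Sid    = "AllowPushPull"
        Effect = "Allow"
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:CompleteLayerUpload",
          "ecr:GetDownloadUrlForLayer",
          "ecr:InitiateLayerUpload",
          "ecr:ListImages",
          "ecr:PutImage",
          "ecr:UploadLayerPart",
        ]
        Resource = [
          aws_ecr_repository.trustedfirmware_fvp.arn,
          aws_ecr_repository.trustedfirmware_misra.arn,
        ]
      },
    ]
  })
}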
65
# Private bucket for FVP artifacts; s3_fvp_policy below grants
# ecr_pushpull_role read/write/delete on it. The bucket's ownership and
# public-access settings live inside the s3 module, which is not visible
# here - confirm it blocks public access rather than relying on the canned
# ACL alone.
module "trustedfirmware_fvp_storage" {
  source = "./modules/resources/s3"
  bucket = "trustedfirmware-fvp"
  acl    = "private"
}
72
# Object read/write/delete plus bucket listing on trustedfirmware-fvp for
# ecr_pushpull_role. Actions are listed alphabetically; order has no effect on
# the rendered policy.
module "s3_fvp_policy" {
  source      = "./modules/resources/role_policy"
  role_id     = aws_iam_role.ecr_pushpull_role.id
  policy_file = "templates/role_policy.tmpl"

  actions = [
    "s3:AbortMultipartUpload",
    "s3:DeleteObject",
    "s3:GetObject",
    "s3:ListBucket",
    "s3:PutObject",
    # Allows the role to set per-object ACLs. Whether that can expose an
    # object depends on the bucket's public-access settings in the s3 module,
    # which are not visible from this file.
    "s3:PutObjectAcl",
  ]

  # Bucket ARN is needed for s3:ListBucket, the object ARN for the rest.
  resources = [
    "arn:aws:s3:::trustedfirmware-fvp",
    "arn:aws:s3:::trustedfirmware-fvp/*",
  ]
}
90
# Private bucket for MISRA checker artifacts; s3_misra_policy below grants
# ecr_pushpull_role read/write/delete on it. As with the FVP bucket, the
# public-access configuration is inside the s3 module and should be checked
# there.
module "trustedfirmware_misra_storage" {
  source = "./modules/resources/s3"
  bucket = "trustedfirmware-misra"
  acl    = "private"
}
96
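# Object read/write/delete plus bucket listing on trustedfirmware-misra for
# ecr_pushpull_role. Mirrors s3_fvp_policy.
#
# "s3:ListObjectsV2" was dropped from the list: it is the name of an S3 API
# call, not an IAM action, so it granted nothing. The ListObjectsV2 call is
# authorised by s3:ListBucket, which is already present.
module "s3_misra_policy" {
  source      = "./modules/resources/role_policy"
  role_id     = aws_iam_role.ecr_pushpull_role.id
  policy_file = "templates/role_policy.tmpl"

  actions = [
    "s3:AbortMultipartUpload",
    "s3:DeleteObject",
    "s3:GetObject",
    "s3:ListBucket",
    "s3:PutObject",
    # Allows the role to set per-object ACLs; exposure depends on the
    # bucket's public-access settings in the s3 module (not visible here).
    "s3:PutObjectAcl",
  ]

  # Bucket ARN is needed for s3:ListBucket, the object ARN for the rest.
  resources = [
    "arn:aws:s3:::trustedfirmware-misra",
    "arn:aws:s3:::trustedfirmware-misra/*",
  ]
}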
115
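# EC2 permissions for building AMIs with Packer, attached to ecr_pushpull_role
# (and therefore available to the Jenkins instance via its instance profile).
#
# Changes from the previous list: "ec2:RunInstances" appeared twice and once
# more as "ec2:RunInstances*"; the duplicates and the wildcard (which matches
# no additional EC2 action) are removed, a trailing empty element is dropped,
# and the list is alphabetised. The set of granted actions is otherwise
# unchanged.
module "packer_policy" {
  source      = "./modules/resources/role_policy"
  role_id     = aws_iam_role.ecr_pushpull_role.id
  policy_file = "templates/role_policy.tmpl"

  actions = [
    "ec2:AttachVolume",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CancelSpotInstanceRequests",
    "ec2:CopyImage",
    "ec2:CreateImage",
    "ec2:CreateKeypair",
    "ec2:CreateSecurityGroup",
    "ec2:CreateSnapshot",
    "ec2:CreateTags",
    "ec2:CreateVolume",
    "ec2:DeleteKeyPair",
    "ec2:DeleteSecurityGroup",
    "ec2:DeleteSnapshot",
    "ec2:DeleteTags",
    "ec2:DeleteVolume",
    "ec2:DeregisterImage",
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeImageAttribute",
    "ec2:DescribeImages",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeInstanceTypes",
    "ec2:DescribeInstances",
    "ec2:DescribeKeyPairs",
    "ec2:DescribeRegions",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSnapshots",
    "ec2:DescribeSpotInstanceRequests",
    "ec2:DescribeSubnets",
    "ec2:DescribeTags",
    "ec2:DescribeVolumes",
    "ec2:DetachVolume",
    "ec2:GetConsoleOutput",
    "ec2:GetPasswordData",
    "ec2:ModifyImageAttribute",
    "ec2:ModifyInstanceAttribute",
    "ec2:ModifySnapshotAttribute",
    "ec2:RegisterImage",
    "ec2:RequestSpotInstances",
    "ec2:RunInstances",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:TerminateInstances",
    "iam:ListInstanceProfilesForRole",
    # NOTE(review): iam:PassRole combined with ec2:RunInstances on "*" lets
    # this role launch an instance with ANY role in the account attached,
    # i.e. it is effectively as powerful as the most privileged role that
    # trusts EC2. Because this module applies one `resources` list to every
    # action, PassRole cannot be narrowed here; it should move to its own
    # role_policy instance scoped to the role(s) Packer actually attaches,
    # ideally with a Condition on iam:PassedToService = ec2.amazonaws.com if
    # the template supports one.
    "iam:PassRole",
  ]

  # Most of the ec2:* actions above do not support resource-level scoping in
  # a practical way for Packer, hence "*".
  resources = [
    "*",
  ]
}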
# Instance profile for the Jenkins EC2 host. It carries ecr_pushpull_role, so
# the instance inherits everything attached to that role in this file: ECR
# push/pull, read/write on both artifact buckets, and the Packer EC2/IAM
# permissions (including iam:PassRole). Any process on the instance that can
# reach the instance metadata service obtains those credentials.
module "jenkins_instance_profile" {
  source    = "./modules/resources/instance_profile"
  name      = "jenkins_instance_profile"
  role_name = aws_iam_role.ecr_pushpull_role.name
}