

Merge pull request #87 from ministryofjustice/rm-access-keys
Remove access keys
jakemulley authored Jul 27, 2023
2 parents 2f18810 + 3a640e8 commit 190ee3b
Showing 4 changed files with 0 additions and 183 deletions.
19 changes: 0 additions & 19 deletions README.md
Expand Up @@ -62,40 +62,27 @@ No modules.
| [aws_ecr_lifecycle_policy.canned](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
| [aws_ecr_lifecycle_policy.lifecycle_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
| [aws_ecr_repository.repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_iam_access_key.key_2023](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_policy.ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.circleci_ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.github_ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
| [github_actions_environment_secret.ecr_access_key](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
| [github_actions_environment_secret.ecr_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
| [github_actions_environment_secret.ecr_role_to_assume](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
| [github_actions_environment_secret.ecr_secret_key](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
| [github_actions_environment_secret.ecr_url](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
| [github_actions_environment_variable.ecr_region](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_variable) | resource |
| [github_actions_environment_variable.ecr_repository](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_variable) | resource |
| [github_actions_secret.ecr_access_key](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
| [github_actions_secret.ecr_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
| [github_actions_secret.ecr_role_to_assume](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
| [github_actions_secret.ecr_secret_key](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
| [github_actions_secret.ecr_url](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
| [github_actions_variable.ecr_region](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
| [github_actions_variable.ecr_repository](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource |
| [kubernetes_config_map_v1.circleci_oidc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
| [random_id.oidc](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [random_id.user](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_openid_connect_provider.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
| [aws_iam_openid_connect_provider.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source |
| [aws_iam_policy_document.base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_secretsmanager_secret.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |
| [aws_secretsmanager_secret_version.circleci](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |
Expand All @@ -107,10 +94,6 @@ No modules.
| <a name="input_canned_lifecycle_policy"></a> [canned\_lifecycle\_policy](#input\_canned\_lifecycle\_policy) | A canned lifecycle policy to remove tagged or untagged images | `map(any)` | `null` | no |
| <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | (Optional) Whether the ECR should have deletion protection enabled for non-empty registry. Set this to false if you intend to delete your ECR resource or namespace. NOTE: PR owner has responsibility to ensure that no other environments are sharing this ECR. Defaults to true. | `bool` | `true` | no |
| <a name="input_github_actions_prefix"></a> [github\_actions\_prefix](#input\_github\_actions\_prefix) | String prefix for GitHub Actions variable and secrets key | `string` | `""` | no |
| <a name="input_github_actions_secret_ecr_access_key"></a> [github\_actions\_secret\_ecr\_access\_key](#input\_github\_actions\_secret\_ecr\_access\_key) | The name of the github actions secret containing the ECR AWS access key | `string` | `"ECR_AWS_ACCESS_KEY_ID"` | no |
| <a name="input_github_actions_secret_ecr_name"></a> [github\_actions\_secret\_ecr\_name](#input\_github\_actions\_secret\_ecr\_name) | The name of the github actions secret containing the ECR name | `string` | `"ECR_NAME"` | no |
| <a name="input_github_actions_secret_ecr_secret_key"></a> [github\_actions\_secret\_ecr\_secret\_key](#input\_github\_actions\_secret\_ecr\_secret\_key) | The name of the github actions secret containing the ECR AWS secret key | `string` | `"ECR_AWS_SECRET_ACCESS_KEY"` | no |
| <a name="input_github_actions_secret_ecr_url"></a> [github\_actions\_secret\_ecr\_url](#input\_github\_actions\_secret\_ecr\_url) | The name of the github actions secret containing the ECR URL | `string` | `"ECR_URL"` | no |
| <a name="input_github_environments"></a> [github\_environments](#input\_github\_environments) | GitHub environment in which to create github actions secrets | `list(string)` | `[]` | no |
| <a name="input_github_repositories"></a> [github\_repositories](#input\_github\_repositories) | GitHub repositories in which to create github actions secrets | `list(string)` | `[]` | no |
| <a name="input_lifecycle_policy"></a> [lifecycle\_policy](#input\_lifecycle\_policy) | A lifecycle policy consists of one or more rules that determine which images in a repository should be expired. | `string` | `null` | no |
Expand All @@ -123,11 +106,9 @@ No modules.

| Name | Description |
|------|-------------|
| <a name="output_access_key_id"></a> [access\_key\_id](#output\_access\_key\_id) | Access key id for the credentials |
| <a name="output_irsa_policy_arn"></a> [irsa\_policy\_arn](#output\_irsa\_policy\_arn) | n/a |
| <a name="output_repo_arn"></a> [repo\_arn](#output\_repo\_arn) | ECR repository ARN |
| <a name="output_repo_url"></a> [repo\_url](#output\_repo\_url) | ECR repository URL |
| <a name="output_secret_access_key"></a> [secret\_access\_key](#output\_secret\_access\_key) | Secret for the new credentials |
<!-- END_TF_DOCS -->

## Tags
128 changes: 0 additions & 128 deletions main.tf
Expand Up @@ -81,134 +81,6 @@ resource "aws_ecr_lifecycle_policy" "canned" {
policy = (var.canned_lifecycle_policy != null) ? jsonencode(local.canned_lifecycle_policies[var.canned_lifecycle_policy.type]) : null
}

# Legacy access (IAM access keys)
resource "random_id" "user" {
byte_length = 8
}

resource "aws_iam_user" "user" {
name = "ecr-user-${random_id.user.hex}"
path = "/system/ecr-user/${var.team_name}/"
}

resource "aws_iam_access_key" "key_2023" {
user = aws_iam_user.user.name
}

data "aws_iam_policy_document" "policy" {
statement {
actions = [
"ecr:GetAuthorizationToken",
"ecr:DescribeRepositories",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings",
"inspector2:List*",
"inspector2:Get*"
]

resources = [
"*",
]
}

statement {
actions = [
"ecr:CompleteLayerUpload",
"ecr:BatchDeleteImage",
"ecr:UploadLayerPart",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
]

resources = [
"arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${var.team_name}/*",
]
}
}

resource "aws_iam_user_policy" "policy" {
name = "ecr-read-write"
policy = data.aws_iam_policy_document.policy.json
user = aws_iam_user.user.name
}

# Legacy GitHub integration: create GitHub Actions secrets
resource "github_actions_secret" "ecr_url" {
for_each = toset(var.github_repositories)
repository = each.key
secret_name = var.github_actions_secret_ecr_url
plaintext_value = trimspace(aws_ecr_repository.repo.repository_url)
}

resource "github_actions_secret" "ecr_name" {
for_each = toset(var.github_repositories)
repository = each.key
secret_name = var.github_actions_secret_ecr_name
plaintext_value = trimspace(aws_ecr_repository.repo.name)
}

resource "github_actions_secret" "ecr_access_key" {
for_each = toset(var.github_repositories)
repository = each.key
secret_name = var.github_actions_secret_ecr_access_key
plaintext_value = aws_iam_access_key.key_2023.id
}

resource "github_actions_secret" "ecr_secret_key" {
for_each = toset(var.github_repositories)
repository = each.key
secret_name = var.github_actions_secret_ecr_secret_key
plaintext_value = aws_iam_access_key.key_2023.secret
}

# Legacy GitHub integration: Create environment secrets
resource "github_actions_environment_secret" "ecr_url" {
for_each = {
for i in local.github_repo_environments : "${i.repository}.${i.environment}" => i
}
repository = each.value.repository
environment = each.value.environment
secret_name = var.github_actions_secret_ecr_url
plaintext_value = trimspace(aws_ecr_repository.repo.repository_url)
}

resource "github_actions_environment_secret" "ecr_name" {
for_each = {
for i in local.github_repo_environments : "${i.repository}.${i.environment}" => i
}
repository = each.value.repository
environment = each.value.environment
secret_name = var.github_actions_secret_ecr_name
plaintext_value = trimspace(aws_ecr_repository.repo.name)
}

resource "github_actions_environment_secret" "ecr_access_key" {
for_each = {
for i in local.github_repo_environments : "${i.repository}.${i.environment}" => i
}
repository = each.value.repository
environment = each.value.environment
secret_name = var.github_actions_secret_ecr_access_key
plaintext_value = aws_iam_access_key.key_2023.id
}

resource "github_actions_environment_secret" "ecr_secret_key" {
for_each = {
for i in local.github_repo_environments : "${i.repository}.${i.environment}" => i
}
repository = each.value.repository
environment = each.value.environment
secret_name = var.github_actions_secret_ecr_secret_key
plaintext_value = aws_iam_access_key.key_2023.secret
}

####################
# IRSA integration #
####################
12 changes: 0 additions & 12 deletions outputs.tf
@@ -1,15 +1,3 @@
output "access_key_id" {
description = "Access key id for the credentials"
value = aws_iam_access_key.key_2023.id
sensitive = true
}

output "secret_access_key" {
description = "Secret for the new credentials"
value = aws_iam_access_key.key_2023.secret
sensitive = true
}

output "repo_arn" {
description = "ECR repository ARN"
value = aws_ecr_repository.repo.arn
24 changes: 0 additions & 24 deletions variables.tf
Expand Up @@ -26,30 +26,6 @@ variable "github_environments" {
default = []
}

variable "github_actions_secret_ecr_name" {
description = "The name of the github actions secret containing the ECR name"
default = "ECR_NAME"
type = string
}

variable "github_actions_secret_ecr_url" {
description = "The name of the github actions secret containing the ECR URL"
default = "ECR_URL"
type = string
}

variable "github_actions_secret_ecr_access_key" {
description = "The name of the github actions secret containing the ECR AWS access key"
default = "ECR_AWS_ACCESS_KEY_ID"
type = string
}

variable "github_actions_secret_ecr_secret_key" {
description = "The name of the github actions secret containing the ECR AWS secret key"
default = "ECR_AWS_SECRET_ACCESS_KEY"
type = string
}

# Lifecycle policy
variable "lifecycle_policy" {
description = "A lifecycle policy consists of one or more rules that determine which images in a repository should be expired."
