From c151b3453ac1f84ab1887e8f5ccb43a309a0117d Mon Sep 17 00:00:00 2001
From: jakemulley
Date: Wed, 26 Jul 2023 18:31:54 +0100
Subject: [PATCH 1/2] Add tags to resources

---
 README.md | 9 +++++--
 examples/ecr.tf | 11 ++++++--
 examples/variables.tf | 51 ++++++++++++-------------------------
 main.tf | 23 +++++++++++++++++
 test/unit-test/main.tf | 14 +++++++---
 test/unit-test/variables.tf | 37 +++++++++++++++++++++++++++
 test/unit-test/versions.tf | 4 +--
 variables.tf | 49 +++++++++++++++++++++++++++--------
 8 files changed, 143 insertions(+), 55 deletions(-)
 create mode 100644 test/unit-test/variables.tf

diff --git a/README.md b/README.md
index 6c44a02..644134e 100644
--- a/README.md
+++ b/README.md
@@ -85,8 +85,11 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [application](#input\_application) | Application name | `string` | n/a | yes |
+| [business\_unit](#input\_business\_unit) | Area of the MOJ responsible for the service | `string` | n/a | yes |
 | [canned\_lifecycle\_policy](#input\_canned\_lifecycle\_policy) | A canned lifecycle policy to remove tagged or untagged images | `map(any)` | `null` | no |
 | [deletion\_protection](#input\_deletion\_protection) | (Optional) Whether the ECR should have deletion protection enabled for non-empty registry. Set this to false if you intend to delete your ECR resource or namespace. NOTE: PR owner has responsibility to ensure that no other environments are sharing this ECR. Defaults to true. | `bool` | `true` | no |
+| [environment\_name](#input\_environment\_name) | Environment name | `string` | n/a | yes |
 | [github\_actions\_prefix](#input\_github\_actions\_prefix) | String prefix for GitHub Actions variable and secrets key | `string` | `""` | no |
 | [github\_actions\_secret\_ecr\_access\_key](#input\_github\_actions\_secret\_ecr\_access\_key) | The name of the github actions secret containing the ECR AWS access key | `string` | `"ECR_AWS_ACCESS_KEY_ID"` | no |
 | [github\_actions\_secret\_ecr\_name](#input\_github\_actions\_secret\_ecr\_name) | The name of the github actions secret containing the ECR name | `string` | `"ECR_NAME"` | no |
@@ -94,12 +97,14 @@ No modules.
 | [github\_actions\_secret\_ecr\_url](#input\_github\_actions\_secret\_ecr\_url) | The name of the github actions secret containing the ECR URL | `string` | `"ECR_URL"` | no |
 | [github\_environments](#input\_github\_environments) | GitHub environment in which to create github actions secrets | `list(string)` | `[]` | no |
 | [github\_repositories](#input\_github\_repositories) | GitHub repositories in which to create github actions secrets | `list(string)` | `[]` | no |
+| [infrastructure\_support](#input\_infrastructure\_support) | The team responsible for managing the infrastructure. Should be of the form () | `string` | n/a | yes |
+| [is\_production](#input\_is\_production) | Whether this is used for production or not | `string` | n/a | yes |
 | [lifecycle\_policy](#input\_lifecycle\_policy) | A lifecycle policy consists of one or more rules that determine which images in a repository should be expired. | `string` | `null` | no |
-| [namespace](#input\_namespace) | Namespace name | `string` | `null` | no |
+| [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
 | [oidc\_providers](#input\_oidc\_providers) | OIDC providers for this ECR repository, valid values are "github" or "circleci" | `list(string)` | `[]` | no |
 | [repo\_name](#input\_repo\_name) | Name of the repository to be created | `string` | n/a | yes |
 | [scan\_on\_push](#input\_scan\_on\_push) | Whether images are scanned after being pushed to the repository (true) or not (false) | `bool` | `true` | no |
-| [team\_name](#input\_team\_name) | Name of the team creating the credentials | `string` | n/a | yes |
+| [team\_name](#input\_team\_name) | Team name | `string` | n/a | yes |
 
 ## Outputs
 
diff --git a/examples/ecr.tf b/examples/ecr.tf
index 3f0a9af..75bfa32 100644
--- a/examples/ecr.tf
+++ b/examples/ecr.tf
@@ -8,9 +8,7 @@ module "ecr" { source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=5.3.0" # REQUIRED: Repository configuration - team_name = var.team_name repo_name = var.namespace - namespace = var.namespace # REQUIRED: OIDC providers to configure, either "github", "circleci", or both oidc_providers = ["github"] @@ -76,4 +74,13 @@ module "ecr" { # Defaults to true # deletion_protection = false + + # Tags (commented out until release) + # business_unit = var.business_unit + # application = var.application + # is_production = var.is_production + team_name = var.team_name # also used for naming the container repository + namespace = var.namespace # also used for creating a Kubernetes ConfigMap + # environment_name = var.environment + # infrastructure_support = var.infrastructure_support } diff --git a/examples/variables.tf b/examples/variables.tf index 7adc2b5..b491f13 100644 --- a/examples/variables.tf +++ b/examples/variables.tf 
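Review bot: The `# Tags` block in the second hunk leaves `business_unit`, `application`, `is_production`, `environment_name` and `infrastructure_support` commented out, yet variables.tf in this same commit declares every one of them without a default, so as soon as the `ref=5.3.0` pin is bumped to the release that adds them this example fails validation until the lines are uncommented. Make the comment state that the two edits go together, e.g. `# Tags (uncomment when bumping ref to the release that adds them; all are required inputs)`. `environment_name = var.environment` also maps a variable called `environment` onto the input `environment_name`; declaring the example variable as `environment_name` (here and in examples/variables.tf) would keep example, unit test and module in step. The `module "ecr"` block begins before the first hunk.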
@@ -1,56 +1,37 @@
-/*
- * When using this module through the cloud-platform-environments,
- * the next 3 variables are automatically supplied by the pipeline.
- *
-*/
-variable "cluster_name" {}
-
-variable "kubernetes_cluster" {}
-
-variable "application" {
-  description = "Name of Application you are deploying"
-  default = "example-app"
+variable "business_unit" {
+  default = "Platforms"
 }
 
-variable "namespace" {
-  default = "example-team"
+variable "application" {
+  default = "cloud-platform-terraform-ecr-credentials example module"
 }
 
-variable "business_unit" {
-  description = "Area of the MOJ responsible for the service."
-  default = "Example"
+variable "is_production" {
+  default = "false"
 }
 
 variable "team_name" {
-  description = "The name of your development team"
-  default = "example"
+  default = "webops"
 }
 
-variable "environment_name" {
-  description = "The type of environment you're deploying to."
-  default = "development"
-}
-
-variable "infrastructure_support" {
-  description = "The team responsible for managing the infrastructure. Should be of the form team-email."
-  default = "example@digital.justice.gov.uk"
+variable "namespace" {
+  default = "cloud-platform-terraform-ecr-credentials-example-module"
 }
 
-variable "is_production" {
-  default = "false"
+variable "environment" {
+  default = "non-production"
 }
 
-variable "slack_channel" {
-  description = "Team slack channel to use if we need to contact your team"
-  default = "example"
+variable "infrastructure_support" {
+  default = "Cloud Platform"
 }
 
 variable "github_owner" {
-  description = "Required by the github terraform provider"
+  description = "Required by the GitHub terraform provider"
   default = "ministryofjustice"
 }
 
 variable "github_token" {
-  description = "Required by the github terraform provider"
+  description = "Required by the GitHub terraform provider"
   default = ""
-}
\ No newline at end of file
+}
diff --git a/main.tf b/main.tf
index 6af0269..9906024 100644
--- a/main.tf
+++ b/main.tf
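Review bot: The `cluster_name` and `kubernetes_cluster` declarations are removed together with the comment saying the cloud-platform-environments pipeline supplies them automatically; if that pipeline still passes them with `-var`, Terraform rejects a value for an undeclared variable (only tfvars files merely warn), so the example may stop planning where it actually runs — confirm the pipeline no longer sets them before dropping the two empty declarations. The remaining variables also lose their `description` and carry no `type`, and `environment` is the value the example feeds to the module input `environment_name`; declaring it as `variable "environment_name"` keeps the example consistent with the input it sets. This hunk covers the whole file.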
@@ -1,4 +1,5 @@ locals { + # GitHub configuration github_repositories = toset([ for repository in var.github_repositories : { repository = repository @@ -15,6 +16,20 @@ locals { environment = pair[1].environment } ] + + # Tags + default_tags = { + # Mandatory + business-unit = var.business_unit + application = var.application + is-production = var.is_production + owner = var.team_name + namespace = var.namespace # for billing and identification purposes + + # Optional + environment-name = var.environment_name + infrastructure-support = var.infrastructure_support + } } data "aws_caller_identity" "current" {} @@ -27,6 +42,8 @@ resource "aws_ecr_repository" "repo" { scan_on_push = var.scan_on_push } force_delete = var.deletion_protection ? false : true + + tags = local.default_tags } # ECR lifecycle policy @@ -260,6 +277,7 @@ resource "aws_iam_policy" "irsa" { name = "${local.oidc_identifier}-irsa" path = "/cloud-platform/ecr/" policy = data.aws_iam_policy_document.irsa.json + tags = local.default_tags } #################### @@ -345,6 +363,7 @@ resource "aws_iam_policy" "ecr" { name = local.oidc_identifier policy = data.aws_iam_policy_document.base.json + tags = local.default_tags } # GitHub: OIDC provider @@ -386,6 +405,8 @@ resource "aws_iam_role" "github" { name = "${local.oidc_identifier}-github" assume_role_policy = data.aws_iam_policy_document.github.json + + tags = local.default_tags } resource "aws_iam_role_policy_attachment" "github_ecr" { @@ -489,6 +510,8 @@ resource "aws_iam_role" "circleci" { name = "${local.oidc_identifier}-circleci" assume_role_policy = data.aws_iam_policy_document.circleci.json + + tags = local.default_tags } resource "aws_iam_role_policy_attachment" "circleci_ecr" { diff --git a/test/unit-test/main.tf b/test/unit-test/main.tf index da50e6b..48642ce 100644 --- a/test/unit-test/main.tf +++ b/test/unit-test/main.tf 
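Review bot: The `# Optional` label over `environment-name` and `infrastructure-support` in `default_tags` does not match variables.tf in this commit, where `environment_name` and `infrastructure_support` are declared without a default and are therefore required inputs; either drop the label or make them optional for real with `default = null` on the variables and `default_tags = { for k, v in { … } : k => v if v != null }` so a null never reaches the provider's `tags` map. The same `tags = local.default_tags` line is added to the ECR repository, both IAM policies and both IAM roles, but nothing in this diff tags any other taggable resource the module may create — the `# GitHub: OIDC provider` context and the access-key secret names in the README suggest an OIDC provider and an IAM user exist — so confirm those are covered as well, since owner and namespace tags on IAM principals are what cost and incident attribution rely on. The `locals` block and the resources touched by the later hunks all extend outside their hunks.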
@@ -5,7 +5,15 @@ provider "aws" { module "ecr" { source = "../.." - repo_name = "ecr-repo-unit-test" - team_name = "cloud-platform" - namespace = "cloud-platform" + # Configuration + repo_name = var.namespace + + # Tags + business_unit = var.business_unit + application = var.application + is_production = var.is_production + team_name = var.team_name # also used for naming the container repository + namespace = var.namespace # also used for creating a Kubernetes ConfigMap + environment_name = var.environment + infrastructure_support = var.infrastructure_support } diff --git a/test/unit-test/variables.tf b/test/unit-test/variables.tf new file mode 100644 index 0000000..b491f13 --- /dev/null +++ b/test/unit-test/variables.tf @@ -0,0 +1,37 @@ +variable "business_unit" { + default = "Platforms" +} + +variable "application" { + default = "cloud-platform-terraform-ecr-credentials example module" +} + +variable "is_production" { + default = "false" +} + +variable "team_name" { + default = "webops" +} + +variable "namespace" { + default = "cloud-platform-terraform-ecr-credentials-example-module" +} + +variable "environment" { + default = "non-production" +} + +variable "infrastructure_support" { + default = "Cloud Platform" +} + +variable "github_owner" { + description = "Required by the GitHub terraform provider" + default = "ministryofjustice" +} + +variable "github_token" { + description = "Required by the GitHub terraform provider" + default = "" +} diff --git a/test/unit-test/versions.tf b/test/unit-test/versions.tf index 95ecfdb..2675d3a 100644 --- a/test/unit-test/versions.tf +++ b/test/unit-test/versions.tf @@ -1,9 +1,9 @@ terraform { + required_version = ">= 1.2.5" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0.0" + version = ">= 4.0.0" } } - required_version = ">= 1.2.5" } diff --git a/variables.tf b/variables.tf index 2fc4edd..28d779d 100644 --- a/variables.tf +++ b/variables.tf 
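Review bot: `repo_name = var.namespace` makes the unit test's repository name identical to its namespace, whereas before they were distinct (`ecr-repo-unit-test` vs `cloud-platform`); any regression that conflates the two inputs inside the module (naming, the ConfigMap the inline comment mentions, or the new `namespace` tag) would now pass unnoticed, so keep a distinct literal such as `repo_name = "ecr-repo-unit-test"`. `environment_name = var.environment` reads a variable called `environment` from the new test/unit-test/variables.tf, which is byte-identical to examples/variables.tf (both headers show blob `b491f13`), so the `environment` vs `environment_name` naming mismatch is duplicated here and the copied `github_owner`/`github_token` declarations appear to be unused by this module block. The `provider "aws"` block closes just before the hunk.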
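Review bot: In test/unit-test/versions.tf the AWS provider lower bound drops from `>= 5.0.0` to `>= 4.0.0` with no stated reason, while the `required_version` move is cosmetic; a looser bound in the test harness only has effect if the module's own constraint (not in this diff) also admits 4.x, in which case the unit test can resolve a provider major the module was not previously tested against. Either restore `version = ">= 5.0.0"` or add a comment stating that 4.x is an intended support target for the module.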
@@ -3,17 +3,6 @@ variable "repo_name" {
   type = string
 }
 
-variable "team_name" {
-  description = "Name of the team creating the credentials"
-  type = string
-}
-
-variable "namespace" {
-  description = "Namespace name"
-  type = string
-  default = null
-}
-
 variable "scan_on_push" {
   default = true
   description = "Whether images are scanned after being pushed to the repository (true) or not (false)"
@@ -89,3 +78,41 @@ variable "deletion_protection" {
   type = bool
   default = true
 }
+
+########
+# Tags #
+########
+variable "business_unit" {
+  description = "Area of the MOJ responsible for the service"
+  type = string
+}
+
+variable "application" {
+  description = "Application name"
+  type = string
+}
+
+variable "is_production" {
+  description = "Whether this is used for production or not"
+  type = string
+}
+
+variable "team_name" {
+  description = "Team name"
+  type = string
+}
+
+variable "namespace" {
+  description = "Namespace name"
+  type = string
+}
+
+variable "environment_name" {
+  description = "Environment name"
+  type = string
+}
+
+variable "infrastructure_support" {
+  description = "The team responsible for managing the infrastructure. Should be of the form ()"
+  type = string
+}

From 0a7e9b1f0646a4882bd1137f2bee75622bd69137 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 27 Jul 2023 07:37:00 +0000
Subject: [PATCH 2/2] terraform-docs: automated action

---
 README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/README.md b/README.md
index 960cc81..093ad15 100644
--- a/README.md
+++ b/README.md
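Review bot: In the second hunk, `infrastructure_support`'s description ends in an empty placeholder, `Should be of the form ()`, which terraform-docs copies verbatim into the README; the example text this commit deletes said `Should be of the form team-email`, so `description = "The team responsible for managing the infrastructure. Should be of the form team-email"` restores the intent. `is_production` is declared `type = string` although its description makes it a yes/no flag: `type = bool` would still accept the `"false"` string the example and unit test pass (Terraform converts it) and still render as `"false"` in the tag map, while rejecting values such as `"no"` that otherwise land silently on every resource as `is-production = no`. Removing `default = null` from `namespace` in the first hunk turns a previously optional input into a required one, which callers on 5.x need to know about when the release is cut. Note also that the follow-up terraform-docs commit removes the `scan_on_push` row from the README while `variable "scan_on_push"` is still declared (context lines of the first hunk), so the generated README appears out of step with variables.tf.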
@@ -122,7 +122,6 @@ No modules.
 | [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
 | [oidc\_providers](#input\_oidc\_providers) | OIDC providers for this ECR repository, valid values are "github" or "circleci" | `list(string)` | `[]` | no |
 | [repo\_name](#input\_repo\_name) | Name of the repository to be created | `string` | n/a | yes |
-| [scan\_on\_push](#input\_scan\_on\_push) | Whether images are scanned after being pushed to the repository (true) or not (false) | `bool` | `true` | no |
 | [team\_name](#input\_team\_name) | Team name | `string` | n/a | yes |
 
 ## Outputs