use beta registry for prod

cyber-dojo · Mar 13, 2024 · 7c1cbff · 7c1cbff
1 parent a102117
commit 7c1cbff
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 148 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -56,7 +56,7 @@ jobs:
     secrets:
       KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
     with:
-      tagged_image: 274425519734.dkr.ecr.eu-central-1.amazonaws.com/repler:${{ needs.pre-build.outputs.image_tag }}
+      tagged_image: 244531986313.dkr.ecr.eu-central-1.amazonaws.com/repler:${{ needs.pre-build.outputs.image_tag }}
       AWS_ACCOUNT_ID: 274425519734
       AWS_REGION: eu-central-1
       gh_actions_iam_role_name: gh_actions_services

diff --git a/deployment/terraform/data.tf b/deployment/terraform/data.tf
@@ -0,0 +1 @@
+data "aws_organizations_organization" "org" {}
diff --git a/deployment/terraform/deployment.tf b/deployment/terraform/deployment.tf
@@ -1,5 +1,5 @@
 module "ecs-service" {
-  source                    = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-9d7e951c290ec5bbe6506e0ddb064808764bc636/terraform-modules.zip//ecs-service/v3"
+  source                    = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-9d7e951c290ec5bbe6506e0ddb064808764bc636/terraform-modules.zip//ecs-service/v4"
   service_name              = var.service_name
   TAGGED_IMAGE              = var.TAGGED_IMAGE
   enable_execute_command    = "true"
@@ -8,8 +8,6 @@ module "ecs-service" {
   mem_reservation           = var.mem_reservation
   mem_limit                 = var.mem_limit
   app_env_vars              = local.app_env_vars
-  ecr_replication_targets   = var.ecr_replication_targets
-  ecr_replication_origin    = var.ecr_replication_origin
   ecs_wait_for_steady_state = true
   desired_count             = 0
   volumes = [

diff --git a/deployment/terraform/ecr.tf b/deployment/terraform/ecr.tf
@@ -0,0 +1,42 @@
+module "aws_ecr_repository" {
+  count               = var.env == "staging" ? 1 : 0
+  source              = "s3::https://s3-eu-central-1.amazonaws.com/terraform-modules-dacef8339fbd41ce31c346f854a85d0c74f7c4e8/terraform-modules.zip//ecr/v6"
+  ecr_repository_name = var.service_name
+  tags                = module.tags.result
+}
+
+# Allow pull dev image for all Kosli org
+data "aws_iam_policy_document" "allow_pull_from_org" {
+  count = var.env == "staging" ? 1 : 0
+  statement {
+    sid    = "AllowPullFromOrg"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload"
+    ]
+
+    condition {
+      test     = "ForAnyValue:StringLike"
+      variable = "aws:PrincipalOrgID"
+      values   = [data.aws_organizations_organization.org.id]
+    }
+  }
+}
+
+resource "aws_ecr_repository_policy" "allow_pull" {
+  count      = var.env == "staging" ? 1 : 0
+  repository = module.aws_ecr_repository[0].ecr_repository_name
+  policy     = data.aws_iam_policy_document.allow_pull_from_org[0].json
+}
diff --git a/deployment/terraform/tf.sh b/deployment/terraform/tf.sh