Update S3 bucket references and add new image pipeline configuration

CSVD · Mar 18, 2025 · ccbd683 · ccbd683
1 parent 19f05aa
commit ccbd683
Show file tree

Hide file tree

Showing 6 changed files with 125 additions and 3 deletions.
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
@@ -89,4 +89,4 @@ jobs:
         uses: CSVD/s3-cleanup@main
         with:
           cache_key: ${{ steps.terraform_init.outputs.s3_upload_path }}
-          bucket: image-pipeline-assets
+          bucket: csvd-dev-ew-github-actions
diff --git a/.terraform_commits b/.terraform_commits
@@ -0,0 +1,8 @@
+[
+  {
+    "commit_hash": "19f05aa430cb419f892d8485c9755b9b5531ee4b",
+    "commit_message": "working on adding template repo for aws-image-pipeline",
+    "author": "arnol377",
+    "timestamp": "2025-03-18T17:55:41.004668"
+  }
+]
diff --git a/actions-bucket.tf b/actions-bucket.tf
@@ -0,0 +1,103 @@
+locals {
+  bucket_name             = "csvd-dev-ew-github-actions"
+  kms_key_deletion_days   = 30
+  kms_alias_name         = "csvd-dev-ew-github-actions"
+  kms_description        = "KMS key for actions bucket encryption"
+  enable_key_rotation    = true
+
+  # S3 permissions for ECS role
+  ecs_s3_actions = [
+    "s3:GetObject*",
+    "s3:PutObject*",
+    "s3:DeleteObject*",
+    "s3:ListBucket"
+  ]
+}
+
+# Get AWS partition and account ID
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+
+# KMS key for bucket encryption
+resource "aws_kms_key" "actions_bucket" {
+  description             = local.kms_description
+  deletion_window_in_days = local.kms_key_deletion_days
+  enable_key_rotation     = local.enable_key_rotation
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_kms_alias" "actions_bucket" {
+  name          = "alias/${local.kms_alias_name}"
+  target_key_id = aws_kms_key.actions_bucket.key_id
+}
+
+# S3 Bucket
+resource "aws_s3_bucket" "actions" {
+  bucket = local.bucket_name
+}
+
+# Bucket versioning
+resource "aws_s3_bucket_versioning" "actions" {
+  bucket = aws_s3_bucket.actions.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+# Bucket encryption
+resource "aws_s3_bucket_server_side_encryption_configuration" "actions" {
+  bucket = aws_s3_bucket.actions.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.actions_bucket.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+# Block public access
+resource "aws_s3_bucket_public_access_block" "actions" {
+  bucket                  = aws_s3_bucket.actions.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# Bucket policy
+resource "aws_s3_bucket_policy" "actions" {
+  bucket = aws_s3_bucket.actions.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowECSServiceRole"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"
+        }
+        Action   = local.ecs_s3_actions
+        Resource = [
+          aws_s3_bucket.actions.arn,
+          "${aws_s3_bucket.actions.arn}/*"
+        ]
+      }
+    ]
+  })
+}
diff --git a/image-pipeline.tf b/image-pipeline.tf
@@ -35,7 +35,7 @@ module "image_pipeline_repos" {
         lookup(var.image_pipeline_workflows, each.value, local.s3_upload),
         {
           repo_name    = each.value,
-          bucket_name  = "image-pipeline-assets"
+          bucket_name  = "csvd-dev-ew-github-actions",
           runner_group = "229685449397"
         }
       )

diff --git a/varfiles/default.tfvars b/varfiles/default.tfvars
@@ -253,6 +253,17 @@ repolist = [
       "aws-image-pipeline",
       "terraform"
     ]
+  },
+  {
+    description = "Pip Configuration for Image Pipeline"
+    repo_org    = "CSVD"
+    name        = "aws-image-pipeline-pip-config"
+    is_private  = false
+    is_template = true
+    repo_topics = [
+      "aws-image-pipeline",
+      "terraform"
+    ]
   }
 ]
 
diff --git a/workflows/goss-testing.yaml b/workflows/goss-testing.yaml
@@ -43,4 +43,4 @@ jobs:
         run: |
           rm -rf .terraform update update/.terraform
           zip -r image-pipeline-goss-testing.zip *
-          aws s3 cp image-pipeline-goss-testing.zip s3://image-pipeline-assets
+          aws s3 cp image-pipeline-goss-testing.zip s3://csvd-dev-ew-github-actions