diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index 370d37e..d76d788 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -2,25 +2,25 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.63.0" + version = "5.65.0" constraints = ">= 4.20.1" hashes = [ - "h1:mhVxzwfSZVxPJNZsr1fvKZe51+48BdM7pzWChVQ4v68=", - "zh:21f3a6870dd80b8312b6aac28784b29a7c2cf072175f0de943f09bddbf14cad6", - "zh:28feb0621baeaa9b6992a6209fd0d7ad1c665b1dd895123f2fd36d91d69d116f", - "zh:301d51b398c3e3488ea2b63defeb254436854c83046d9fc5ca129b13faaa4319", - "zh:343e89645a2b23363226e2e0571639637ac1ddf7fa8c562bf883b17c8ad30d7d", - "zh:56c89148fc105a1bf32ffcd574ec1e679144377ea26c9ae4211dd491a3def358", - "zh:5e3b88e3eb28b23819126d43b191a2bda28a09d7690aee7e577b3b6235c4824a", - "zh:64c21f3b38a8f0f0ef8b938df71cde76d77e010236bb6a0b46f66daa6cab6f99", - "zh:6869e5fafe6535954ac75ece63e9765d6b12d1752b54cf9639a01585f1a5583e", - "zh:90a6894868c585a5abf00e784723d74ea80aff3d0403b36028c4b08c5c4894d6", - "zh:92e9e4b7c183e518c1decd0fbc780e9f1941d05710c9c20329c78556a7f0adac", + "h1:LTqvpg2APqTRPmQIkOAFwn7Q8rXTXazDXIBaYSfLIm4=", + "zh:036f8557c8c9b58656e1ec08ed5702e44bd338fda17dc4b2add40b234102e29a", + "zh:0ba0708ece98735540070899a916b7a90c5c887be31ffd693ee1359e40245978", + "zh:12d82a82ae0e3bc580f2be961078e89d129e12df7dd82a6ec610a2b945bba1a4", + "zh:1ed0ee17df8807aef64976e2a4276d2a3e1d54efeae2a86f596d12eccb94dc83", + "zh:36b7c61a83d24f612156b4648027ba8bd5727f0ed57183cbad0e6c93b7503aa2", + "zh:496d06a089b1bc8d60995e8dddfe1d87c605a208f377a60b17987e89381dafda", + "zh:4e9aba435994589befe4279927c71a461a52e6cd96b8f0437295c18c50f6baff", + "zh:71134031288a312db1804d4798b10f106a843c36aafd7b8fe8f4859156d7df93", + "zh:748d0dbdfbe8df4b516a09b23b3981c19cef9a255c1ca0187e84ab424e6bd845", + "zh:783541ff77f4e7c74c817e0e2989ebdb45dd6e2c9853a8cccbcf5f1976736a76", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:bbc053d060d4f6e95ef60549a0e92487fbbd88807f8161507cc389edc7dde0f7", - "zh:cfd8e88029a2fdafdfa77688f966705ade9211d173cbb6aa1552839c9993c19a", - 
"zh:d291875c26a6a05b60e02f1481c296269080232fa0ae86cce5caa04a6df82ed6", - "zh:f42f0b81587de0c51859e37cd671c442d8eaf42558d83c6421b1e46549576f89", + "zh:af3f080975d5ed79917b8238cc0ae3150da688bc89e12dcc3ee85134b29857d0", + "zh:ec542372c3ffbfc3df6966f77357f8af7319d4bd956ff8e9fde0bbd124352e34", + "zh:f3dc7b2b5b55173207c2fd35ed6bb8cc66b06af777e221060ca2f0c0afdecbb5", + "zh:f9631ecc21d6e5cf82ef6ef8d14c39e1dfb2a52cc8f0abb684311885ffdb79a1", ] }
diff --git a/docker.tf b/docker.tf
index 951851c..64ca39a 100644
--- a/docker.tf
+++ b/docker.tf
@@ -1,42 +1,36 @@
-resource "aws_ecr_repository" "repo" {
- name = "csvd-census-docker-repo"
- image_tag_mutability = "MUTABLE"
-
- image_scanning_configuration {
- scan_on_push = true
- }
-}
-
 locals {
+ # public.ecr.aws/ubuntu/nginx:1.18-20.04_beta
+ # public.ecr.aws/ubuntu/ubuntu:22.04_edge
+ # public.ecr.aws/ubuntu/ubuntu:24.10
+ ubuntu_images = [
+ "22.04_edge", "23.10", "24.10", "22.04_stable"
+ ]
 image_config = [
- {
+ for image in local.ubuntu_images : {
 enabled = true
 dest_path = null
- name = "ubuntu/ubuntu"
+ name = "ubuntu"
 source_image = "ubuntu/ubuntu"
 source_registry = "public.ecr.aws"
- source_tag = "edge"
- tag = "edge"
- },
+ source_tag = image
+ tag = image
+ }
 ]
 }
-module "images" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/?ref=tf-upgrade"
-
- profile = "docker-image-pipeline"
+module "ecr-clone" {
+ source = "HappyPathway/ecr-clone/aws"
 application_name = "docker-image-pipeline"
- image_config = local.image_config
- tags = {}
-
- enable_lifecycle_policy = true
- lifecycle_policy_all = true
- force_delete = true
+ application_list = [
+ "pipeline-test"
+ ]
+ image_config = local.image_config
+ tags = {}
 }
 module "docker" {
 source = "HappyPathway/image-pipeline/aws"
- project_name = "docker-image-pipeline"
+ project_name = "pipeline-test"
 builder_image = "aws/codebuild/standard:7.0"
 create_new_repo = false
 create_new_role = true
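Review bot: `module "ecr-clone"` pulls `HappyPathway/ecr-clone/aws` from the public registry with no `version` argument, so each `terraform init` resolves the newest published release and a registry-side change lands in the ECR configuration unreviewed; add `version = "<pinned-module-version>"` next to `source` (the pre-existing `module "docker"` source has the same gap). The removed `aws_ecr_repository.repo` carried `scan_on_push = true` and `image_tag_mutability = "MUTABLE"`, and nothing in the hunk shows how the module sets scanning or tag mutability, so confirm the module exposes and enables scan-on-push or the new repositories silently lose it. Every entry of `local.image_config` now gets the same `name = "ubuntu"` with only `tag` varying; presumably the module keys repositories by name, so verify that four same-name entries do not collide. The `# public.ecr.aws/ubuntu/nginx:1.18-20.04_beta` comment lists an image that `ubuntu_images` does not use and reads as stale. `module "docker"` continues past the end of the hunk.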
@@ -53,6 +47,7 @@ module "docker" {
 }
 ]
 packer_source_type = "S3"
+ packer_config = "docker-base.pkr.hcl"
 packer_bucket = {
 name = aws_s3_bucket.assets_bucket.bucket
 key = "docker-image-pipeline.zip"
@@ -62,22 +57,24 @@ module "docker" {
 name = aws_s3_bucket.assets_bucket.bucket
 key = "image-pipeline-ansible-playbooks.zip"
 }
- playbook = "hello-world.yaml"
+ playbook = "ubuntu-base.yaml"
+ goss_profile = "docker-base"
 goss_source_type = "S3"
 goss_bucket = {
 name = aws_s3_bucket.assets_bucket.bucket
 key = "image-pipeline-goss-testing.zip"
 }
- goss_profile = "base-test"
- state = local.state_config
- vpc_config = local.vpc_config
+ docker_test_enabled = true
+ state = local.state_config
+ vpc_config = local.vpc_config
 image = {
- repo = aws_ecr_repository.repo.name
- tag = "latest"
- source_image = "public.ecr.aws/ubuntu/ubuntu:edge"
+ # source image metadata
+ source_image = "ubuntu"
+ source_tag = "24.10"
+ source_docker_repo = "docker-image-pipeline"
+ # destination image metadata
+ dest_image = "pipeline-test"
+ dest_tag = "latest"
+ dest_docker_repo = "docker-image-pipeline"
 }
 }
-
-output docker_repo {
- value = aws_ecr_repository.repo
-}
diff --git a/linux.tf b/linux.tf
index 33cc29c..85ee8a5 100644
--- a/linux.tf
+++ b/linux.tf
@@ -13,6 +13,7 @@ module "amazon_linux" {
 ssh_user = "ec2-user"
 terraform_version = "1.8.5"
 build_permissions_iam_doc = data.aws_iam_policy_document.s3_access
+ build_user_iam_policy = data.aws_iam_policy_document.build_user_policy_document.json
 build_environment_variables = [
 for proxy_var in keys(local.proxy_env_vars) : {
@@ -50,8 +51,8 @@ output "linux_iam_arn" {
 value = module.amazon_linux.iam_arn
 }
-output "linux_parameters" {
- value = keys(module.amazon_linux.parameters)
+output "linux_managed_parameters" {
+ value = keys(module.amazon_linux.managed_parameters)
 sensitive = true
 }
diff --git a/main.tf b/main.tf
index e77926c..3652db5 100644
--- a/main.tf
+++ b/main.tf
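Review bot: `dest_tag = "latest"` is the only tag the pipeline writes in the `image` block, so every build overwrites the same moving reference and consumers cannot pin a particular build; if the module accepts more than one destination tag, emit a build-specific tag (for example the source tag plus a build identifier) and keep `latest` as an alias. `source_tag = "24.10"` repeats a literal that `local.ubuntu_images` already lists, so referencing the local keeps the copied tag and the built tag from drifting apart. The `image` map keys (`source_docker_repo`, `dest_docker_repo`, `dest_image`, ...) are not validated anywhere visible here, so a misspelt key is caught only if the module declares the variable as a typed object; a one-line comment naming the module variable that consumes this map would help the next reader. `module "docker"` starts outside the hunk.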
@@ -20,6 +20,7 @@ data "aws_iam_policy_document" "assets_bucket_policy_document" {
 type = "AWS"
 identifiers = [
 module.amazon_linux.iam_arn,
+ module.rhel.iam_arn,
 module.docker.iam_arn
 ]
 }
@@ -43,6 +44,27 @@ data "aws_iam_policy_document" "assets_bucket_policy_document" {
 }
+data "aws_iam_policy_document" "build_user_policy_document" {
+ statement {
+ actions = [
+ "s3:Get*",
+ "s3:List*",
+ "s3:ReplicateObject",
+ "s3:PutObject",
+ "s3:RestoreObject",
+ "s3:PutObjectVersionTagging",
+ "s3:PutObjectTagging",
+ "s3:PutObjectAcl"
+ ]
+
+ resources = [
+ aws_s3_bucket.assets_bucket.arn,
+ "${aws_s3_bucket.assets_bucket.arn}/*",
+ ]
+ }
+}
+
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "state_bucket_encryption" {
 for_each = tomap({
 state_bucket = aws_s3_bucket.state_bucket.bucket
diff --git a/rhel.tf b/rhel.tf
index 0b2e5bf..86a043b 100644
--- a/rhel.tf
+++ b/rhel.tf
@@ -18,9 +18,21 @@ module "rhel" {
 type = "PLAINTEXT"
 }
 ]
- packer_repo = data.aws_codecommit_repository.linux
- ansible_repo = data.aws_codecommit_repository.ansible
- goss_repo = data.aws_codecommit_repository.goss
+ packer_source_type = "S3"
+ packer_bucket = {
+ name = aws_s3_bucket.assets_bucket.bucket
+ key = "linux-image-pipeline.zip"
+ }
+ ansible_source_type = "S3"
+ ansible_bucket = {
+ name = aws_s3_bucket.assets_bucket.bucket
+ key = "image-pipeline-ansible-playbooks.zip"
+ }
+ goss_source_type = "S3"
+ goss_bucket = {
+ name = aws_s3_bucket.assets_bucket.bucket
+ key = "image-pipeline-goss-testing.zip"
+ }
 goss_profile = "rhel-base-test"
 # goss_profile = "base-test"
 state = local.state_config
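Review bot: The new `build_user_policy_document` statement grants `s3:Get*` and `s3:List*` together with `s3:PutObjectAcl`, `s3:ReplicateObject` and `s3:RestoreObject` across the whole assets bucket, which is wider than downloading the zipped Packer/Ansible/Goss bundles and uploading build output; the wildcards also cover bucket-level reads such as `s3:GetBucketPolicy`, and `s3:PutObjectAcl` lets the build user rewrite object ACLs. If the builds only fetch and store objects, `actions = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket", "s3:PutObject"]` covers that, with `s3:ListBucket` scoped to the bucket ARN and the object actions to `"${aws_s3_bucket.assets_bucket.arn}/*"` in two separate statements. A `sid` on the statement would make it identifiable in the rendered policy, which linux.tf attaches through `build_user_iam_policy`.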
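Review bot: The three new S3 stanzas read fixed, unversioned object keys (`linux-image-pipeline.zip`, `image-pipeline-ansible-playbooks.zip`, `image-pipeline-goss-testing.zip`) from `aws_s3_bucket.assets_bucket`, so whoever can overwrite those objects controls the Packer template, playbooks and Goss tests this pipeline executes, whereas the replaced `data.aws_codecommit_repository` sources carried a commit history. If the module accepts it, pin an object version id or a checksum per bundle; otherwise confirm that versioning is enabled on the assets bucket and that its bucket policy limits who can write. The same bucket/key stanza is repeated verbatim in docker.tf, so a shared local for the bundle keys would keep the pipelines from drifting apart. `module "rhel"` starts and ends outside the hunk.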