Improve ecr-repository module (#52)

tedilabs · May 15, 2024 · 210d65b · 210d65b
1 parent ce2df04
commit 210d65b
Show file tree

Hide file tree

Showing 4 changed files with 117 additions and 60 deletions.
diff --git a/modules/ecr-repository/main.tf b/modules/ecr-repository/main.tf
@@ -14,6 +14,11 @@ locals {
   } : {}
 }
 
+
+###################################################
+# ECR Repository
+###################################################
+
 resource "aws_ecr_repository" "this" {
   name = local.metadata.name
 
@@ -25,8 +30,8 @@ resource "aws_ecr_repository" "this" {
   }
 
   encryption_configuration {
-    encryption_type = var.encryption_type
-    kms_key         = var.encryption_kms_key
+    encryption_type = var.encryption.type
+    kms_key         = var.encryption.kms_key
   }
 
   tags = merge(
@@ -44,10 +49,10 @@ resource "aws_ecr_repository" "this" {
 ###################################################
 
 resource "aws_ecr_repository_policy" "this" {
-  count = length(var.repository_policy) > 0 ? 1 : 0
+  count = length(var.policy) > 0 ? 1 : 0
 
   repository = aws_ecr_repository.this.name
-  policy     = var.repository_policy
+  policy     = var.policy
 }
 
 
@@ -58,30 +63,36 @@ resource "aws_ecr_repository_policy" "this" {
 locals {
   lifecycle_rules = [
     for rule in var.lifecycle_rules : {
-      rulePriority = tonumber(rule.priority)
+      rulePriority = rule.priority
       description  = rule.description
-      selection = merge(
-        {
-          tagStatus = rule.type
-        },
-        try(
-          {
-            tagPrefixList = rule.tag_prefixes
-          },
-          {}
-        ),
-        try(
-          {
-            countType   = "imageCountMoreThan"
-            countNumber = tonumber(rule.expiration_count)
-          },
-          {
-            countType   = "sinceImagePushed"
-            countUnit   = "days"
-            countNumber = tonumber(rule.expiration_days)
-          }
-        )
-      )
+      selection = {
+        for k, v in {
+          tagStatus = rule.target.status
+          tagPatternList = (rule.target.status == "tagged" && length(rule.target.tag_patterns) > 0
+            ? rule.target.tag_patterns
+            : null
+          )
+          tagPrefixList = (rule.target.status == "tagged" && length(rule.target.tag_prefixes) > 0
+            ? rule.target.tag_prefixes
+            : null
+          )
+
+          countType = (rule.expiration.count != null
+            ? "imageCountMoreThan"
+            : "sinceImagePushed"
+          )
+          countUnit = (rule.expiration.count != null
+            ? null
+            : "days"
+          )
+          countNumber = (rule.expiration.count != null
+            ? rule.expiration.count
+            : rule.expiration.days
+          )
+        } :
+        k => v
+        if v != null
+      }
       action = {
         type = "expire"
       }

diff --git a/modules/ecr-repository/outputs.tf b/modules/ecr-repository/outputs.tf
@@ -28,8 +28,13 @@ output "image_scan_on_push_enabled" {
   value       = aws_ecr_repository.this.image_scanning_configuration[0].scan_on_push
 }
 
+output "lifecycle_rules" {
+  description = "The lifecycle rules for the repository."
+  value       = var.lifecycle_rules
+}
+
 output "encryption" {
-  description = "The configuration for the encryption of repository."
+  description = "The encryption configuration of the repository."
   value = {
     type    = aws_ecr_repository.this.encryption_configuration[0].encryption_type
     kms_key = aws_ecr_repository.this.encryption_configuration[0].kms_key

diff --git a/modules/ecr-repository/variables.tf b/modules/ecr-repository/variables.tf
@@ -1,71 +1,109 @@
 variable "name" {
   description = "(Required) Desired name for the repository."
   type        = string
+  nullable    = false
 }
 
-variable "image_tag_immutable_enabled" {
-  description = "(Optional) Enable tag immutability to prevent image tags from being overwritten by subsequent image pushes using the same tag. Disable tag immutability to allow image tags to be overwritten."
+variable "force_delete" {
+  description = "(Optional) If `true`, will delete the repository even if it contains images. Defaults to `true`."
   type        = bool
-  default     = false
+  default     = true
   nullable    = false
 }
 
-variable "image_scan_on_push_enabled" {
-  description = "(Optional, Deprecated) Indicates whether images are scanned after being pushed to the repository or not scanned."
+variable "policy" {
+  description = "(Optional) The policy document for ECR Repository. This is a JSON formatted string."
+  type        = string
+  default     = ""
+  nullable    = false
+}
+
+variable "image_tag_immutable_enabled" {
+  description = "(Optional) Whether to enable the image tag immutability setting for the repository. Enable tag immutability to prevent image tags from being overwritten by subsequent image pushes using the same tag. Disable tag immutability to allow image tags to be overwritten. Defaults to `false`."
   type        = bool
   default     = false
   nullable    = false
 }
 
-variable "force_delete" {
-  description = "(Optional) If `true`, will delete the repository even if it contains images. Defaults to `false`."
+variable "image_scan_on_push_enabled" {
+  description = "(Optional, Deprecated) Indicates whether images are scanned after being pushed to the repository or not scanned. This configuration is deprecated in favor of registry level scan filters. Defaults to `false`."
   type        = bool
   default     = false
   nullable    = false
 }
 
-variable "encryption_type" {
-  description = "(Optional) The encryption type to use for the repository. Valid values are `AES256` or `KMS`."
-  type        = string
-  default     = "AES256"
-  nullable    = false
+variable "encryption" {
+  description = <<EOF
+  (Optional) The encryption configuration of the repository. `encryption` as defined below.
+    (Optional) `type` - The encryption type to use for the repository. Valid values are `AES256` or `KMS`. Defaults to `AES256`.
+    (Optional) `kms_key` - The ARN of the KMS key to use for encryption of the repository when `type` is `KMS`. If not specified, uses the default AWS managed key for ECR.
+  EOF
+  type = object({
+    type    = optional(string, "AES256")
+    kms_key = optional(string)
+  })
+  default  = {}
+  nullable = false
 
   validation {
-    condition     = contains(["AES256", "KMS"], var.encryption_type)
-    error_message = "Valid values are `AES256`, `KMS`."
+    condition     = contains(["AES256", "KMS"], var.encryption.type)
+    error_message = "Valid values for `type` are `AES256`, `KMS`."
   }
 }
 
-variable "encryption_kms_key" {
-  description = "(Optional) The ARN of the KMS key to use when encryption_type is `KMS`. If not specified, uses the default AWS managed key for ECR."
-  type        = string
-  default     = null
-}
+variable "lifecycle_rules" {
+  description = <<EOF
+  (Optional) A list of Lifecycle rules for ECR repository. Each block of `lifecycle_rules` as defined below.
+    (Required) `priority` - The order in which rules are applied, lowest to highest. A lifecycle policy rule with a priority of `1` will be applied first, a rule with priority of `2` will be next, and so on. Must be unique and do not need to be sequential across rules.
+    (Optional) `descriptoin` - The description of the rule to describe the purpose of a rule within a lifecycle policy.
+    (Required) `target` - The configuration of target images for the rule. `target` as defined below.
 
-variable "repository_policy" {
-  description = "(Optional) The policy document for ECR Repository. This is a JSON formatted string."
-  type        = string
-  default     = ""
-  nullable    = false
-}
+      (Required) `status` - Valid values are `tagged`, `untagged`, or `any`. When you specify `tagged` status, either `tag_patterns` or `tag_prefixes` are required, but not both.
+      (Optional) `tag_patterns` - A list of tag patterns to filter target images. If you specify multiple tags, only the images with all specified tags are selected. There is a maximum limit of four wildcards (*) per string.
+      (Optional) `tag_prefixes` - A list of tag prefixes to filter target images. If you specify multiple prefixes, only the images with all specified prefixes are selected.
+    (Required) `expiration` - The configuration of expiration condition for the rule. `expiration` as defined below.
 
-variable "lifecycle_rules" {
-  description = "(Optional) A list of ECR Repository Lifecycle rules. `priority` must be unique and do not need to be sequential across rules. `descriptoin` is optional. `type` is one of `tagged`, `untagged`, or `any`. `tag_prefixes` is required if you specified `tagged` type. Specify one of `expiration_days` or `expiration_count`"
-  type        = any
-  default     = []
-  nullable    = false
+      (Optional) `count` - The maximum number of images to keep.
+      (Optional) `days` - The maximum age of days to keep images.
+  EOF
+  type = list(object({
+    priority    = number
+    description = optional(string, "Managed by Terraform.")
+
+    target = object({
+      status       = string
+      tag_patterns = optional(list(string), [])
+      tag_prefixes = optional(list(string), [])
+    })
+    expiration = object({
+      count = optional(number)
+      days  = optional(number)
+    })
+  }))
+  default  = []
+  nullable = false
+
+  validation {
+    condition = alltrue([
+      for rule in var.lifecycle_rules :
+      contains(["tagged", "untagged", "any"], rule.target.status)
+    ])
+    error_message = "Valid values for `status` are `tagged`, `untagged`, `any`."
+  }
 }
 
 variable "tags" {
   description = "(Optional) A map of tags to add to all resources."
   type        = map(string)
   default     = {}
+  nullable    = false
 }
 
 variable "module_tags_enabled" {
   description = "(Optional) Whether to create AWS Resource Tags for the module informations."
   type        = bool
   default     = true
+  nullable    = false
 }
 
 
@@ -77,16 +115,19 @@ variable "resource_group_enabled" {
   description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
   type        = bool
   default     = true
+  nullable    = false
 }
 
 variable "resource_group_name" {
   description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
   type        = string
   default     = ""
+  nullable    = false
 }
 
 variable "resource_group_description" {
   description = "(Optional) The description of Resource Group."
   type        = string
   default     = "Managed by Terraform."
+  nullable    = false
 }
diff --git a/modules/ecr-repository/versions.tf b/modules/ecr-repository/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.5"
+  required_version = ">= 1.6"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.10"
+      version = ">= 5.44"
     }
   }
 }