Merge pull request #47 from MITLibraries/dev

Dev-to-Stage: Add ECR Repository for SAP Invoices UI

Author: cabutlermit

.github/workflows/tf-shared-workflows.yml

@@ -10,6 +10,8 @@ on:
     paths:
       - '**/*.tf'
 
+permissions: read-all
+
 jobs:
   validate:
     name: Validate Terraform
@@ -19,6 +21,6 @@ jobs:
     name: Checkov Tests
     uses: mitlibraries/.github/.github/workflows/tf-checkov-shared.yml@main
 
-  docs-update:
-    name: Update README
-    uses: mitlibraries/.github/.github/workflows/tf-docs-gen-shared.yml@main
+  docs:
+    name: Terraform Docs
+    uses: mitlibraries/.github/.github/workflows/tf-docs-shared.yml@main

.pre-commit-config.yaml

@@ -0,0 +1,19 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: "v1.92.1"
+    hooks:
+      - id: terraform_fmt
+        args:
+          - --args=-recursive
+      - id: terraform_validate
+  - repo: https://github.com/terraform-docs/terraform-docs
+    rev: "v0.18.0"
+    hooks:
+      - id: terraform-docs-go
+        args: ["markdown", "table", "--config", "./.terraform-docs.yaml", "--recursive", "--output-file", "README.md", "./"]
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: '3.2.219'
+    hooks:
+      - id: checkov
+        language_version: python3.11
+        verbose: false

.terraform-docs.yaml

@@ -0,0 +1,5 @@
+formatter: "" # this is required
+
+settings:
+  anchor: false
+  html: false

.terraform.lock.hcl

@@ -10,6 +10,41 @@ This repo builds the ECR (Elastic Container Registry) repositories for container
 
 The only dependency is the ARN of the OpenID Connect Provider (placed in Parameter Store by the [mitlib-tf-workloads-init](https://github.com/MITLibraries/mitlib-tf-workloads-init) repo).
 
+### Pre-Commit Hooks
+
+For proper linting and checking, this repo uses pre-commit hooks. The following should be installed in the local workstation
+
+* [pre-commit](https://pre-commit.com/)
+* [terraform cli](https://developer.hashicorp.com/terraform/downloads)
+* [terraform-docs](https://terraform-docs.io/)
+* [checkov](https://github.com/bridgecrewio/checkov)
+
+After the first checkout locally, run the following command to initialize the pre-commit hooks.
+
+```bash
+pre-commit install  --hook-type pre-push
+```
+
+It is possible to run the pre-commit hooks manually. To run all the pre-commit hooks for this repo, run
+
+```bash
+pre-commit run --all-files
+```
+
+To run just the checkov checker, run
+
+```bash
+pre-commit run checkov
+```
+
+To run just the `terraform-docs` hook to update the README, run
+
+```bash
+pre-commit run terraform-docs-go
+```
+
+See [.pre-commit-config.yaml](./.pre-commit-config.yaml) for other pre-commit hooks that can be run.
+
 ## Usage
 
 There is a tight relationship between ECR repositories created here and the associated application repositories in GitHub due to the use of OIDC in the GitHub Actions in those application repositories. Make sure to coordinate any new ECR repositories with the developers building the applications that will be published there.
@@ -61,14 +96,14 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 1.2 |
-| aws | ~> 4.0 |
+| terraform | ~> 1.5 |
+| aws | ~> 5.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | 4.37.0 |
+| aws | 5.62.0 |
 
 ## Modules
 
@@ -85,6 +120,7 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | ecr\_patronload | ./modules/ecr | n/a |
 | ecr\_ppod | ./modules/ecr | n/a |
 | ecr\_sapinvoices | ./modules/ecr | n/a |
+| ecr\_sapinvoices\_ui | ./modules/ecr | n/a |
 | ecr\_timdex\_browsertrix | ./modules/ecr | n/a |
 | ecr\_timdex\_geo | ./modules/ecr | n/a |
 | ecr\_timdex\_lambdas | ./modules/ecr | n/a |
@@ -170,6 +206,10 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | sapinvoices\_makefile | Full contents of the Makefile for the alma-sapinvoices repo (allows devs to push to Dev account only) |
 | sapinvoices\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-sapinvoices repo |
 | sapinvoices\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-sapinvoices repo |
+| sapinvoices\_ui\_dev\_build\_workflow | Full contents of the dev-build.yml for the alma-sapinvoices-ui repo |
+| sapinvoices\_ui\_makefile | Full contents of the Makefile for the alma-sapinvoices-ui repo (allows devs to push to Dev account only) |
+| sapinvoices\_ui\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-sapinvoices-ui repo |
+| sapinvoices\_ui\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-sapinvoices-ui repo |
 | tim\_dev\_build\_workflow | Full contents of the dev-build.yml for the timdex-index-manager repo |
 | tim\_makefile | Full contents of the Makefile for the timdex-index-manager repo (allows devs to push to Dev account only) |
 | tim\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the timdex-index-manager repo |

README.md

@@ -187,6 +187,71 @@ output "sapinvoices_prod_promote_workflow" {
 }
 
 
+################################################################################
+## sapinvoices-ui
+locals {
+  ecr_sapinvoices_ui_function_name = "alma-sapinvoices-ui-${var.environment}"
+}
+module "ecr_sapinvoices_ui" {
+  source            = "./modules/ecr"
+  repo_name         = "alma-sapinvoices-ui"
+  login_policy_arn  = aws_iam_policy.login.arn
+  oidc_arn          = data.aws_ssm_parameter.oidc_arn.value
+  environment       = var.environment
+  tfoutput_ssm_path = var.tfoutput_ssm_path
+  tags = {
+    app-repo = "alma-sapinvoices-ui"
+  }
+}
+
+# Outputs in dev
+output "sapinvoices_ui_dev_build_workflow" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_sapinvoices_ui.gha_role
+    ecr      = module.ecr_sapinvoices_ui.repository_name
+    function = local.ecr_sapinvoices_ui_function_name
+    }
+  )
+  description = "Full contents of the dev-build.yml for the alma-sapinvoices-ui repo"
+}
+output "sapinvoices_ui_makefile" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
+    ecr_name = module.ecr_sapinvoices_ui.repository_name
+    ecr_url  = module.ecr_sapinvoices_ui.repository_url
+    function = local.ecr_sapinvoices_ui_function_name
+    }
+  )
+  description = "Full contents of the Makefile for the alma-sapinvoices-ui repo (allows devs to push to Dev account only)"
+}
+
+# Outputs in stage
+output "sapinvoices_ui_stage_build_workflow" {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_sapinvoices_ui.gha_role
+    ecr      = module.ecr_sapinvoices_ui.repository_name
+    function = local.ecr_sapinvoices_ui_function_name
+    }
+  )
+  description = "Full contents of the stage-build.yml for the alma-sapinvoices-ui repo"
+}
+
+# Outputs after promotion to prod
+output "sapinvoices_ui_prod_promote_workflow" {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
+    region     = var.aws_region
+    role_stage = "${module.ecr_sapinvoices_ui.repo_name}-gha-stage"
+    role_prod  = "${module.ecr_sapinvoices_ui.repo_name}-gha-prod"
+    ecr_stage  = "${module.ecr_sapinvoices_ui.repo_name}-stage"
+    ecr_prod   = "${module.ecr_sapinvoices_ui.repo_name}-prod"
+    function   = local.ecr_sapinvoices_ui_function_name
+    }
+  )
+  description = "Full contents of the prod-promote.yml for the alma-sapinvoices-ui repo"
+}
+
+
 ################################################################################
 ## bursar transfer app
 module "ecr_bursar" {

almaintegrations-ecrs.tf

@@ -0,0 +1,55 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 1.5 |
+| aws | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | 5.62.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ecr_lifecycle_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
+| [aws_ecr_repository.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
+| [aws_iam_policy.rw_this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.gha_this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.gha_ecr_login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.gha_ecr_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_ssm_parameter.ecr_repository_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_ssm_parameter.ecr_repository_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_ssm_parameter.gha_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_iam_policy_document.gh_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.rw_this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| environment | The environment (dev, stage, or prod) | `string` | n/a | yes |
+| gh\_organization | The name of the GitHub Organization. | `string` | `"MITLibraries"` | no |
+| login\_policy\_arn | The ARN of the shared ECR login policy | `string` | n/a | yes |
+| oidc\_arn | The ARN of the OIDC profile | `string` | n/a | yes |
+| repo\_name | The name used for part of the ECR repo name - should be same as app repo name | `string` | n/a | yes |
+| tags | The additional app-repo name | `map(any)` | n/a | yes |
+| tfoutput\_ssm\_path | The Parameter Store output path loaded in the root module | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| gha\_role | Github action role used to update the ECR repository |
+| repo\_name | The repo\_name that was passed in to the module for naming purposes |
+| repository\_name | The name of the ECR repository |
+| repository\_url | The URL of the ECR repository |
+<!-- END_TF_DOCS -->

modules/ecr/.terraform.lock.hcl

@@ -3,12 +3,12 @@
 # Providers themselves are set in the `providers.tf` file.
 
 terraform {
-  required_version = "~> 1.2"
+  required_version = "~> 1.5"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = "~> 5.0"
     }
   }
 }

modules/ecr/README.md

@@ -3,12 +3,12 @@
 # Providers themselves are set in the `providers.tf` file.
 
 terraform {
-  required_version = "~> 1.2"
+  required_version = "~> 1.5"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = "~> 5.0"
     }
   }
 }