Merge pull request #37 from MITLibraries/dev

cabutlermit · web-flow · commit 1774d3357306 · 2023-08-31T10:46:34.000-04:00
Dev-to-Stage: ECR for new Bursar Transfer Application
* Create all the appropriate ECR bits for a new containerized Python application
* Add checkov skips for encryption warnings about ssm_outputs
diff --git a/README.md b/README.md
@@ -75,6 +75,7 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | Name | Source | Version |
 |------|--------|---------|
 | ecr\_alma\_webhook\_lambdas | ./modules/ecr | n/a |
+| ecr\_bursar | ./modules/ecr | n/a |
 | ecr\_carbon | ./modules/ecr | n/a |
 | ecr\_creditcardslips | ./modules/ecr | n/a |
 | ecr\_dss | ./modules/ecr | n/a |
@@ -122,6 +123,10 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | alma\_webhook\_lambdas\_makefile | Full contents of the Makefile for the alma-webhook-lambdas repo (allows devs to push to Dev account only) |
 | alma\_webhook\_lambdas\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-webhook-lambdas repo |
 | alma\_webhook\_lambdas\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-webhook-lambdas repo |
+| bursar\_dev\_build\_workflow | Full contents of the dev-build.yml for the alma-bursartransfer repo |
+| bursar\_makefile | Full contents of the Makefile for the alma-bursartransfer repo (allows devs to push to Dev account only) |
+| bursar\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-bursartransfer repo |
+| bursar\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-bursartransfer repo |
 | carbon\_dev\_build\_workflow | Full contents of the dev-build.yml for the carbon repo |
 | carbon\_makefile | Full contents of the Makefile for the carbon repo (allows devs to push to Dev account only) |
 | carbon\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the carbon repo |
diff --git a/almaintegrations-ecrs.tf b/almaintegrations-ecrs.tf
@@ -185,3 +185,65 @@ output "sapinvoices_prod_promote_workflow" {
   )
   description = "Full contents of the prod-promote.yml for the alma-sapinvoices repo"
 }
+
+
+################################################################################
+## bursar transfer app
+module "ecr_bursar" {
+  source            = "./modules/ecr"
+  repo_name         = "alma-bursartransfer"
+  login_policy_arn  = aws_iam_policy.login.arn
+  oidc_arn          = data.aws_ssm_parameter.oidc_arn.value
+  environment       = var.environment
+  tfoutput_ssm_path = var.tfoutput_ssm_path
+  tags = {
+    app-repo = "alma-bursartransfer"
+  }
+}
+
+# Outputs in dev
+output "bursar_dev_build_workflow" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_bursar.gha_role
+    ecr      = module.ecr_bursar.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the dev-build.yml for the alma-bursartransfer repo"
+}
+output "bursar_makefile" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
+    ecr_name = module.ecr_bursar.repository_name
+    ecr_url  = module.ecr_bursar.repository_url
+    function = ""
+    }
+  )
+  description = "Full contents of the Makefile for the alma-bursartransfer repo (allows devs to push to Dev account only)"
+}
+
+# Outputs in stage
+output "bursar_stage_build_workflow" {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_bursar.gha_role
+    ecr      = module.ecr_bursar.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the stage-build.yml for the alma-bursartransfer repo"
+}
+
+# Outputs after promotion to prod
+output "bursar_prod_promote_workflow" {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
+    region     = var.aws_region
+    role_stage = "${module.ecr_bursar.repo_name}-gha-stage"
+    role_prod  = "${module.ecr_bursar.repo_name}-gha-prod"
+    ecr_stage  = "${module.ecr_bursar.repo_name}-stage"
+    ecr_prod   = "${module.ecr_bursar.repo_name}-prod"
+    function   = ""
+    }
+  )
+  description = "Full contents of the prod-promote.yml for the alma-bursartransfer repo"
+}
diff --git a/modules/ecr/ssm_outputs.tf b/modules/ecr/ssm_outputs.tf
@@ -3,6 +3,7 @@
 # ecr repository_name
 # Type:string datatype:text format:string
 resource "aws_ssm_parameter" "ecr_repository_name" {
+  #checkov:skip=CKV_AWS_337:By default we are not encrypting parameters in tfoutput_ssm_path
   #checkov:skip=CKV2_AWS_34:By default we are not encrypting parameters in tfoutput_ssm_path
   type        = "String"
   name        = "${var.tfoutput_ssm_path}/${var.repo_name}/ecr-repository-name"
@@ -16,6 +17,7 @@ resource "aws_ssm_parameter" "ecr_repository_name" {
 # ecr repository_url
 # Type:string datatype:text format:string
 resource "aws_ssm_parameter" "ecr_repository_url" {
+  #checkov:skip=CKV_AWS_337:By default we are not encrypting parameters in tfoutput_ssm_path
   #checkov:skip=CKV2_AWS_34:By default we are not encrypting parameters in tfoutput_ssm_path
   type        = "String"
   name        = "${var.tfoutput_ssm_path}/${var.repo_name}/ecr-repository-url"
@@ -29,6 +31,7 @@ resource "aws_ssm_parameter" "ecr_repository_url" {
 # ecr role so that we can add the updatefunctioncode to it after the lambda itself is created
 # Type:string datatype:text format:string
 resource "aws_ssm_parameter" "gha_role" {
+  #checkov:skip=CKV_AWS_337:By default we are not encrypting parameters in tfoutput_ssm_path
   #checkov:skip=CKV2_AWS_34:By default we are not encrypting parameters in tfoutput_ssm_path
   type        = "String"
   name        = "${var.tfoutput_ssm_path}/${var.repo_name}/gha-role"
