Update Embedded Module for Multi-Region

cabutlermit · cabutlermit · commit 53d4c9c59b94 · 2025-05-07T09:11:49.000-04:00
Why these changes are being introduced: We need to ensure that the embedded module can correctly create resources in multiple regions. Since IAM Roles/Policies are "global" we only want to create those resources in the default `us-east-1` region. The ECR Repository is regional, so we create it each time the module is called based on the submitted provider. How this addresses that need: * Add the `aws_region.current` data object so that we can track the region provided when the module is called * Add conditionals to all the "global" resources so that they only get created when the module is called for the us-east-1 region * Reorganize the resource creation in the embedded module slightly Side effects of this change: None Relevant ticket(s): * https://mitlibraries.atlassian.net/browse/IR-238
diff --git a/modules/ecr/README.md b/modules/ecr/README.md
@@ -1,3 +1,16 @@
+# Embedded ECR Creation Module
+
+Creates the ECR Repository and all the necessary infrastructure glue around it.
+
+## What is created
+
+The following resources are generated when this module is called
+
+* an ECR repository with a lifecycle policy to only store the five (5) most recent containers
+* an IAM Policy providing read/write access to the ECR Repository
+* a trust policy for OIDC connections from GitHub Actions that is tightly coupled to the GitHub repository name
+* an IAM Role for GitHub Actions OIDC connections to AWS
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -29,8 +42,10 @@ No modules.
 | [aws_ssm_parameter.ecr_repository_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.ecr_repository_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.gha_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.gh_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.rw_this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
diff --git a/modules/ecr/ecr.tf b/modules/ecr/ecr.tf
@@ -0,0 +1,127 @@
+##############################################################################
+##############################################################################
+# Create the ECR repository to store the ECS image(s) along with a lifecycle 
+# policy.
+resource "aws_ecr_repository" "this" {
+  #checkov:skip=CKV_AWS_51:We do not currently use releases for this, but may choose to turn this on in the future
+  #checkov:skip=CKV_AWS_136:We do not store any private information in our images, encryption is unnecessary
+  name = "${var.repo_name}-${var.environment}"
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+  tags = var.tags
+}
+
+resource "aws_ecr_lifecycle_policy" "this" {
+  #checkov:skip=CKV_AWS_136:We do not store any private information in our images, encryption is unnecessary 
+  #checkov:skip=CKV_AWS_163:We do not use image scanning by AWS right now
+  #checkov:skip=CKV_AWS_51:We do not currently use releases for this, but may choose to turn this on in the future
+  repository = aws_ecr_repository.this.name
+  policy = jsonencode({
+    rules = [{
+      rulePriority = 1
+      description  = "keep last 5 images"
+      action = {
+        type = "expire"
+      }
+      selection = {
+        tagStatus   = "any"
+        countType   = "imageCountMoreThan"
+        countNumber = 5
+      }
+    }]
+  })
+}
+
+### Read-write permissions ECR repository
+### Since IAM Policies are "global" we ONLY create the policy statement if this
+### module is called with the "default" us-east-1 AWS Provider so that we only
+### have one IAM Policy that is good for all regions.
+data "aws_iam_policy_document" "rw_this" {
+  #checkov:skip=CKV_AWS_111:This policy needs unconstrained CreateRepository privileges
+  #checkov:skip=CKV_AWS_356:This policy should allow "*" as a resource for restrictable actions
+  count = data.aws_region.current.name == "us-east-1" ? 1 : 0
+  statement {
+    actions = [
+      "ecr:CreateRepository",
+      "ecr:GetAuthorizationToken",
+    ]
+    resources = ["*"]
+  }
+  statement {
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchGetImage",
+      "ecr:CompleteLayerUpload",
+      "ecr:DeleteRepository",
+      "ecr:DescribeImages",
+      "ecr:DescribeImageScanFindings",
+      "ecr:DescribeRepositories",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetLifecyclePolicy",
+      "ecr:GetLifecyclePolicyPreview",
+      "ecr:InitiateLayerUpload",
+      "ecr:ListImages",
+      "ecr:ListTagsForResource",
+      "ecr:PutImage",
+      "ecr:TagResource",
+      "ecr:UntagResource",
+      "ecr:UploadLayerPart",
+    ]
+    resources = [
+      "arn:aws:ecr:*:${data.aws_caller_identity.current.account_id}:repository/${aws_ecr_repository.this.name}"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "rw_this" {
+  count       = data.aws_region.current.name == "us-east-1" ? 1 : 0
+  name        = "${var.repo_name}-ecr-rw-${var.environment}"
+  description = "policy to allow read/write into ${var.repo_name} ECR"
+  policy      = data.aws_iam_policy_document.rw_this[0].json
+
+  tags = var.tags
+}
+
+# The trust policy that allows GitHub Actions OIDC-based connections from the 
+# repository. The definition is explicitly linked to the name of the GitHub repo. 
+data "aws_iam_policy_document" "gh_trust" {
+  count = data.aws_region.current.name == "us-east-1" ? 1 : 0
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = [var.oidc_arn]
+    }
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${var.gh_organization}/${var.repo_name}:*"] # "repo:MITLibraries//<repo-name>:ref:refs/branch/${var.environment}" eventually
+    }
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+
+# Role for GitHub Action OIDC connections from the lambdas repository
+resource "aws_iam_role" "gha_this" {
+  count              = data.aws_region.current.name == "us-east-1" ? 1 : 0
+  name               = "${var.repo_name}-gha-${var.environment}"
+  assume_role_policy = data.aws_iam_policy_document.gh_trust[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "gha_ecr_rw" {
+  count      = data.aws_region.current.name == "us-east-1" ? 1 : 0
+  role       = aws_iam_role.gha_this[0].name
+  policy_arn = aws_iam_policy.rw_this[0].arn
+}
+resource "aws_iam_role_policy_attachment" "gha_ecr_login" {
+  count      = data.aws_region.current.name == "us-east-1" ? 1 : 0
+  role       = aws_iam_role.gha_this[0].name
+  policy_arn = var.login_policy_arn
+}
diff --git a/modules/ecr/main.tf b/modules/ecr/main.tf
@@ -1,118 +1,7 @@
-##############################################################################
-##############################################################################
-# Create the ECR repository to store the ECS image(s) along with a lifecycle 
-# policy.
-resource "aws_ecr_repository" "this" {
-  #checkov:skip=CKV_AWS_51:We do not currently use releases for this, but may choose to turn this on in the future
-  #checkov:skip=CKV_AWS_136:We do not store any private information in our images, encryption is unnecessary
-  name = "${var.repo_name}-${var.environment}"
-  image_scanning_configuration {
-    scan_on_push = true
-  }
+# Not much here other than capturing the caller_identity and aws_region
 
-  tags = var.tags
-}
+# Capture the AWS account number and capture the default managed key for SSM in KMS
+data "aws_caller_identity" "current" {}
 
-resource "aws_ecr_lifecycle_policy" "this" {
-  #checkov:skip=CKV_AWS_136:We do not store any private information in our images, encryption is unnecessary 
-  #checkov:skip=CKV_AWS_163:We do not use image scanning by AWS right now
-  #checkov:skip=CKV_AWS_51:We do not currently use releases for this, but may choose to turn this on in the future
-  repository = aws_ecr_repository.this.name
-
-  policy = jsonencode({
-    rules = [{
-      rulePriority = 1
-      description  = "keep last 5 images"
-      action = {
-        type = "expire"
-      }
-      selection = {
-        tagStatus   = "any"
-        countType   = "imageCountMoreThan"
-        countNumber = 5
-      }
-    }]
-  })
-}
-
-### Read-write permissions ECR repository
-data "aws_iam_policy_document" "rw_this" {
-  #checkov:skip=CKV_AWS_111:This policy needs unconstrained CreateRepository privileges
-  #checkov:skip=CKV_AWS_356:This policy should allow "*" as a resource for restrictable actions
-  statement {
-    actions = [
-      "ecr:CreateRepository",
-      "ecr:GetAuthorizationToken",
-    ]
-    resources = ["*"]
-  }
-  statement {
-    actions = [
-      "ecr:BatchCheckLayerAvailability",
-      "ecr:BatchGetImage",
-      "ecr:CompleteLayerUpload",
-      "ecr:DeleteRepository",
-      "ecr:DescribeImages",
-      "ecr:DescribeImageScanFindings",
-      "ecr:DescribeRepositories",
-      "ecr:GetDownloadUrlForLayer",
-      "ecr:GetLifecyclePolicy",
-      "ecr:GetLifecyclePolicyPreview",
-      "ecr:InitiateLayerUpload",
-      "ecr:ListImages",
-      "ecr:ListTagsForResource",
-      "ecr:PutImage",
-      "ecr:TagResource",
-      "ecr:UntagResource",
-      "ecr:UploadLayerPart",
-    ]
-    resources = [aws_ecr_repository.this.arn]
-  }
-}
-
-resource "aws_iam_policy" "rw_this" {
-  name        = "${var.repo_name}-ecr-rw-${var.environment}"
-  description = "policy to allow read/write into ${var.repo_name} ECR"
-  policy      = data.aws_iam_policy_document.rw_this.json
-
-  tags = var.tags
-}
-
-# The trust policy that allows GitHub Actions OIDC-based connections from the 
-# repository. The definition is explicitly linked to the name of the GitHub repo. 
-data "aws_iam_policy_document" "gh_trust" {
-  statement {
-    actions = ["sts:AssumeRoleWithWebIdentity"]
-    principals {
-      type        = "Federated"
-      identifiers = [var.oidc_arn]
-    }
-    condition {
-      test     = "StringLike"
-      variable = "token.actions.githubusercontent.com:sub"
-      values   = ["repo:${var.gh_organization}/${var.repo_name}:*"] # "repo:MITLibraries//<repo-name>:ref:refs/branch/${var.environment}" eventually
-    }
-    condition {
-      test     = "StringLike"
-      variable = "token.actions.githubusercontent.com:aud"
-      values   = ["sts.amazonaws.com"]
-    }
-  }
-}
-
-# Role for GitHub Action OIDC connections from the lambdas repository
-resource "aws_iam_role" "gha_this" {
-  name               = "${var.repo_name}-gha-${var.environment}"
-  assume_role_policy = data.aws_iam_policy_document.gh_trust.json
-
-  tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "gha_ecr_rw" {
-  role       = aws_iam_role.gha_this.name
-  policy_arn = aws_iam_policy.rw_this.arn
-}
-resource "aws_iam_role_policy_attachment" "gha_ecr_login" {
-  role       = aws_iam_role.gha_this.name
-  policy_arn = var.login_policy_arn
-}
+# Capture the AWS Region for the provider that was used to invoke this module call
+data "aws_region" "current" {}
diff --git a/modules/ecr/outputs.tf b/modules/ecr/outputs.tf
@@ -1,25 +1,23 @@
-
 ### Outputs
+
 # ecr repository_name
 output "repository_name" {
   description = "The name of the ECR repository"
   value       = aws_ecr_repository.this.name
   sensitive   = false
 }
 
-
 # ecr repository_url
 output "repository_url" {
   description = "The URL of the ECR repository"
   value       = aws_ecr_repository.this.repository_url
   sensitive   = false
 }
 
-
 # ecr role so that we can add the updatefunctioncode to it after the lambda itself is created
 output "gha_role" {
   description = "Github action role used to update the ECR repository"
-  value       = aws_iam_role.gha_this.name
+  value       = data.aws_region.current.name == "us-east-1" ? aws_iam_role.gha_this[0].name : null
   sensitive   = false
 }
 
diff --git a/modules/ecr/ssm_outputs.tf b/modules/ecr/ssm_outputs.tf
@@ -29,9 +29,10 @@ resource "aws_ssm_parameter" "ecr_repository_url" {
 resource "aws_ssm_parameter" "gha_role" {
   #checkov:skip=CKV_AWS_337:By default we are not encrypting parameters in tfoutput_ssm_path
   #checkov:skip=CKV2_AWS_34:By default we are not encrypting parameters in tfoutput_ssm_path
+  count       = data.aws_region.current.name == "us-east-1" ? 1 : 0
   type        = "String"
   name        = "${var.tfoutput_ssm_path}/${var.repo_name}/gha-role"
-  value       = aws_iam_role.gha_this.name
+  value       = aws_iam_role.gha_this[0].name
   description = "Github action role used to update the ${var.repo_name} ECR repository"
   tags        = var.tags
 }
