add asati app container

Why these changes are being introduced:

This commit creates the ArchivesSpace AirTable Integration (ASATI)
application container infrastructure. The application source code is
located in the https://github.com/MITLibraries/asati repository. ASATI
is an AWS Fargate application.

How this addresses that need:

* Add a standard ECR for an ECS w/ Fargate launch type
* Update terraform.lock.hcl file
* Update the shared workflow for pre-commit configurations
* Supress checkov policy warning

Side effects of this change:

None

Relevant ticket(s):
https://mitlibraries.atlassian.net/browse/IN-1147
Changes to be committed:
      modified:   .pre-commit-config.yaml
      modified:   .terraform.lock.hcl
      modified:   README.md
      new file:   asati_ecr.tf
      modified:   modules/ecr/.terraform.lock.hcl
      modified:   modules/ecr/main.tf

Author: vab

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: "v1.92.1"
+    rev: "v1.97.0"
     hooks:
       - id: terraform_fmt
         args:
@@ -12,7 +12,7 @@ repos:
       - id: terraform-docs-go
         args: ["markdown", "table", "--config", "./.terraform-docs.yaml", "--recursive", "--output-file", "README.md", "./"]
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.219'
+    rev: '3.2.353'
     hooks:
       - id: checkov
         language_version: python3.11

.terraform.lock.hcl

@@ -110,6 +110,7 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | Name | Source | Version |
 |------|--------|---------|
 | ecr\_alma\_webhook\_lambdas | ./modules/ecr | n/a |
+| ecr\_asati | ./modules/ecr | n/a |
 | ecr\_bursar | ./modules/ecr | n/a |
 | ecr\_carbon | ./modules/ecr | n/a |
 | ecr\_creditcardslips | ./modules/ecr | n/a |
@@ -158,6 +159,10 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | alma\_webhook\_lambdas\_makefile | Full contents of the Makefile for the alma-webhook-lambdas repo (allows devs to push to Dev account only) |
 | alma\_webhook\_lambdas\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-webhook-lambdas repo |
 | alma\_webhook\_lambdas\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-webhook-lambdas repo |
+| asati\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the asati repo |
+| asati\_fargate\_makefile | Full contents of the Makefile for the asati repo (allows devs to push to Dev account only) |
+| asati\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the asati repo |
+| asati\_fargate\_stage\_build\_workflow | Full contents of the stage-build.yml for the asati repo |
 | browsertrix\_dev\_build\_workflow | Full contents of the dev-build.yml for the browsertrix-harvester repo |
 | browsertrix\_makefile | Full contents of the Makefile for the browsertrix-harvester repo (allows devs to push to Dev account only) |
 | browsertrix\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the browsertrix-harvester repo |

README.md

@@ -0,0 +1,66 @@
+# ArchiveSpace AirTable Integration (asati) containers
+# This is a standard ECR for an ECS with a Fargate launch type
+locals {
+  ecr_asati = "asati-${var.environment}"
+}
+module "ecr_asati" {
+  source            = "./modules/ecr"
+  repo_name         = "docker-asati"
+  login_policy_arn  = aws_iam_policy.login.arn
+  oidc_arn          = data.aws_ssm_parameter.oidc_arn.value
+  environment       = var.environment
+  tfoutput_ssm_path = var.tfoutput_ssm_path
+  tags = {
+    app-repo = "docker-asati"
+  }
+}
+
+## Outputs to Terraform Cloud for devs ##
+
+## For asati application repo and ECR repository
+# Outputs in dev
+output "asati_fargate_dev_build_workflow" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_asati.gha_role
+    ecr      = module.ecr_asati.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the dev-build.yml for the asati repo"
+}
+output "asati_fargate_makefile" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
+    ecr_name = module.ecr_asati.repository_name
+    ecr_url  = module.ecr_asati.repository_url
+    function = ""
+    }
+  )
+  description = "Full contents of the Makefile for the asati repo (allows devs to push to Dev account only)"
+}
+
+# Outputs in stage
+output "asati_fargate_stage_build_workflow" {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_asati.gha_role
+    ecr      = module.ecr_asati.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the stage-build.yml for the asati repo"
+}
+
+# Outputs after promotion to prod
+output "asati_fargate_prod_promote_workflow" {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
+    region     = var.aws_region
+    role_stage = "${module.ecr_asati.repo_name}-gha-stage"
+    role_prod  = "${module.ecr_asati.repo_name}-gha-prod"
+    ecr_stage  = "${module.ecr_asati.repo_name}-stage"
+    ecr_prod   = "${module.ecr_asati.repo_name}-prod"
+    function   = ""
+    }
+  )
+  description = "Full contents of the prod-promote.yml for the asati repo"
+}

asati_ecr.tf

@@ -38,6 +38,7 @@ resource "aws_ecr_lifecycle_policy" "this" {
 ### Read-write permissions ECR repository
 data "aws_iam_policy_document" "rw_this" {
   #checkov:skip=CKV_AWS_111:This policy needs unconstrained CreateRepository privileges
+  #checkov:skip=CKV_AWS_356:This policy should allow "*" as a resource for restrictable actions
   statement {
     actions = [
       "ecr:CreateRepository",