Merge pull request #63 from MITLibraries/dev

cabutlermit · web-flow · commit 7b073d9c314a · 2025-06-09T10:22:21.000-04:00
Dev-to-Stage: Create ECR for TACOS Detectors
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,18 +1,18 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: "v1.98.0"
+    rev: "v1.99.3"
     hooks:
       - id: terraform_fmt
         args:
           - --args=-recursive
       - id: terraform_validate
   - repo: https://github.com/terraform-docs/terraform-docs
-    rev: "v0.19.0"
+    rev: "v0.20.0"
     hooks:
       - id: terraform-docs-go
         args: ["markdown", "table", "--config", "./.terraform-docs.yaml", "--recursive", "--output-file", "README.md", "./"]
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.395'
+    rev: '3.2.437'
     hooks:
       - id: checkov
         language_version: python3.12
diff --git a/README.md b/README.md
@@ -116,6 +116,8 @@ This is a core infrastructure repository that defines infrastructure related to
   * [Matomo Application Container](https://github.com/MITLibraries/docker-matomo)
 * [PPOD](https://github.com/MITLibraries/mitlib-tf-workloads-ppod)
   * [PPOD Application Container](https://github.com/MITLibraries/ppod)
+* [TACOS](https://github.com/MITLibraries/mitlib-tf-workloads-tacos)
+  * [tacos-detectors-lambdas](https://github.com/MITLibraries/tacos-detectors-lambdas)
 * [TIMDEX](https://github.com/MITLibraries/mitlib-tf-workloads-timdex-infrastructure)
   * [TIMDEX Application Container](https://github.com/MITLibraries/timdex)
   * [TIMDEX Dataset API](https://github.com/MITLibraries/timdex-dataset-api)
@@ -132,7 +134,7 @@ This is a core infrastructure repository that defines infrastructure related to
 
 * Owner: See [CODEOWNERS](./.github/CODEOWNERS)
 * Team: See [CODEOWNERS](./.github/CODEOWNERS)
-* Last Maintenance: 2025-05
+* Last Maintenance: 2025-06
 
 ## TF markdown is automatically inserted at the bottom of this file, nothing should be written beyond this point
 
@@ -172,6 +174,7 @@ This is a core infrastructure repository that defines infrastructure related to
 | ecr\_ppod | ./modules/ecr | n/a |
 | ecr\_sapinvoices | ./modules/ecr | n/a |
 | ecr\_sapinvoices\_ui | ./modules/ecr | n/a |
+| ecr\_tacos\_detectors | ./modules/ecr | n/a |
 | ecr\_timdex\_browsertrix | ./modules/ecr | n/a |
 | ecr\_timdex\_geo | ./modules/ecr | n/a |
 | ecr\_timdex\_lambdas | ./modules/ecr | n/a |
@@ -209,10 +212,10 @@ This is a core infrastructure repository that defines infrastructure related to
 | alma\_webhook\_lambdas\_makefile | Full contents of the Makefile for the alma-webhook-lambdas repo (allows devs to push to Dev account only) |
 | alma\_webhook\_lambdas\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-webhook-lambdas repo |
 | alma\_webhook\_lambdas\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-webhook-lambdas repo |
-| apt\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the archival-packaging-tool repo |
-| apt\_fargate\_makefile | Full contents of the Makefile for the archival-packaging-tool repo (allows devs to push to Dev account only) |
-| apt\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the archival-packaging-tool repo |
-| apt\_fargate\_stage\_build\_workflow | Full contents of the stage-build.yml for the archival-packaging-tool repo |
+| apt\_dev\_build\_workflow | Full contents of the dev-build.yml for the archival-packaging-tool repo |
+| apt\_makefile | Full contents of the Makefile for the archival-packaging-tool repo (allows devs to push to Dev account only) |
+| apt\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the archival-packaging-tool repo |
+| apt\_stage\_build\_workflow | Full contents of the stage-build.yml for the archival-packaging-tool repo |
 | asati\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the asati repo |
 | asati\_fargate\_makefile | Full contents of the Makefile for the asati repo (allows devs to push to Dev account only) |
 | asati\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the asati repo |
@@ -285,6 +288,10 @@ This is a core infrastructure repository that defines infrastructure related to
 | sapinvoices\_ui\_makefile | Full contents of the Makefile for the alma-sapinvoices-ui repo (allows devs to push to Dev account only) |
 | sapinvoices\_ui\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-sapinvoices-ui repo |
 | sapinvoices\_ui\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-sapinvoices-ui repo |
+| tacos\_detectors\_dev\_build\_workflow | Full contents of the dev-build.yml for the tacos-detectors-lambdas repo |
+| tacos\_detectors\_makefile | Full contents of the Makefile for the tacos-detectors-lambdas repo (allows devs to push to Dev account only) |
+| tacos\_detectors\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the tacos-detectors-lambdas repo |
+| tacos\_detectors\_stage\_build\_workflow | Full contents of the stage-build.yml for the tacos-detectors-lambdas repo |
 | tim\_dev\_build\_workflow | Full contents of the dev-build.yml for the timdex-index-manager repo |
 | tim\_makefile | Full contents of the Makefile for the timdex-index-manager repo (allows devs to push to Dev account only) |
 | tim\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the timdex-index-manager repo |
diff --git a/apt_ecr.tf b/apt_ecr.tf
@@ -21,47 +21,47 @@ module "ecr_apt" {
 
 ## For archival-packaging-tool application repo and ECR repository
 # Outputs in dev
-output "apt_fargate_dev_build_workflow" {
+output "apt_dev_build_workflow" {
   value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
     region   = var.aws_region
     role     = module.ecr_apt.gha_role
     ecr      = module.ecr_apt.repository_name
-    function = ""
+    function = local.ecr_apt
     }
   )
   description = "Full contents of the dev-build.yml for the archival-packaging-tool repo"
 }
-output "apt_fargate_makefile" {
+output "apt_makefile" {
   value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
     ecr_name = module.ecr_apt.repository_name
     ecr_url  = module.ecr_apt.repository_url
-    function = ""
+    function = local.ecr_apt
     }
   )
   description = "Full contents of the Makefile for the archival-packaging-tool repo (allows devs to push to Dev account only)"
 }
 
 # Outputs in stage
-output "apt_fargate_stage_build_workflow" {
+output "apt_stage_build_workflow" {
   value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
     region   = var.aws_region
     role     = module.ecr_apt.gha_role
     ecr      = module.ecr_apt.repository_name
-    function = ""
+    function = local.ecr_apt
     }
   )
   description = "Full contents of the stage-build.yml for the archival-packaging-tool repo"
 }
 
 # Outputs after promotion to prod
-output "apt_fargate_prod_promote_workflow" {
+output "apt_prod_promote_workflow" {
   value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
     region     = var.aws_region
     role_stage = "${module.ecr_apt.repo_name}-gha-stage"
     role_prod  = "${module.ecr_apt.repo_name}-gha-prod"
     ecr_stage  = "${module.ecr_apt.repo_name}-stage"
     ecr_prod   = "${module.ecr_apt.repo_name}-prod"
-    function   = ""
+    function   = local.ecr_apt
     }
   )
   description = "Full contents of the prod-promote.yml for the archival-packaging-tool repo"
diff --git a/files/prod-promote-extra-region.tpl b/files/prod-promote-extra-region.tpl
@@ -1,4 +1,4 @@
-### This should be added to jobs section of the dev-build.yml.
+### This should be added to jobs section of the prod-promote.yml.
 ### If this is a Lambda function, uncomment the FUNCTION: line
 
   deploy-${region}:
diff --git a/tacos_ecr.tf b/tacos_ecr.tf
@@ -0,0 +1,68 @@
+# Tacos Detectors (tacos-detectors-lambdas) containers
+# A standard ECR for an ECS Fargate task
+
+locals {
+  ecr_tacos_detectors = "tacos-detectors-lambdas-${var.environment}"
+}
+
+module "ecr_tacos_detectors" {
+  source            = "./modules/ecr"
+  repo_name         = "tacos-detectors-lambdas"
+  login_policy_arn  = aws_iam_policy.login.arn
+  oidc_arn          = data.aws_ssm_parameter.oidc_arn.value
+  environment       = var.environment
+  tfoutput_ssm_path = var.tfoutput_ssm_path
+  tags = {
+    app-repo = "tacos-detectors-lambdas"
+  }
+}
+
+## Outputs to Terraform Cloud for devs ##
+
+## For tacos-detectors-lambdas application repo and ECR repository
+# Outputs in dev
+output "tacos_detectors_dev_build_workflow" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_tacos_detectors.gha_role
+    ecr      = module.ecr_tacos_detectors.repository_name
+    function = local.ecr_tacos_detectors
+    }
+  )
+  description = "Full contents of the dev-build.yml for the tacos-detectors-lambdas repo"
+}
+output "tacos_detectors_makefile" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
+    ecr_name = module.ecr_tacos_detectors.repository_name
+    ecr_url  = module.ecr_tacos_detectors.repository_url
+    function = local.ecr_tacos_detectors
+    }
+  )
+  description = "Full contents of the Makefile for the tacos-detectors-lambdas repo (allows devs to push to Dev account only)"
+}
+
+# Outputs in stage
+output "tacos_detectors_stage_build_workflow" {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_tacos_detectors.gha_role
+    ecr      = module.ecr_tacos_detectors.repository_name
+    function = local.ecr_tacos_detectors
+    }
+  )
+  description = "Full contents of the stage-build.yml for the tacos-detectors-lambdas repo"
+}
+
+# Outputs after promotion to prod
+output "tacos_detectors_prod_promote_workflow" {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
+    region     = var.aws_region
+    role_stage = "${module.ecr_tacos_detectors.repo_name}-gha-stage"
+    role_prod  = "${module.ecr_tacos_detectors.repo_name}-gha-prod"
+    ecr_stage  = "${module.ecr_tacos_detectors.repo_name}-stage"
+    ecr_prod   = "${module.ecr_tacos_detectors.repo_name}-prod"
+    function   = local.ecr_tacos_detectors
+    }
+  )
+  description = "Full contents of the prod-promote.yml for the tacos-detectors-lambdas repo"
+}

Original file line number	Diff line number	Diff line change
`@@ -21,47 +21,47 @@ module "ecr_apt" {`
`21`	`21`
`22`	`22`	`## For archival-packaging-tool application repo and ECR repository`
`23`	`23`	`# Outputs in dev`
`24`		`-output "apt_fargate_dev_build_workflow" {`
	`24`	`+output "apt_dev_build_workflow" {`
`25`	`25`	`value = var.environment == "prod" \|\| var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {`
`26`	`26`	`region = var.aws_region`
`27`	`27`	`role = module.ecr_apt.gha_role`
`28`	`28`	`ecr = module.ecr_apt.repository_name`
`29`		`- function = ""`
	`29`	`+ function = local.ecr_apt`
`30`	`30`	`}`
`31`	`31`	`)`
`32`	`32`	`description = "Full contents of the dev-build.yml for the archival-packaging-tool repo"`
`33`	`33`	`}`
`34`		`-output "apt_fargate_makefile" {`
	`34`	`+output "apt_makefile" {`
`35`	`35`	`value = var.environment == "prod" \|\| var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {`
`36`	`36`	`ecr_name = module.ecr_apt.repository_name`
`37`	`37`	`ecr_url = module.ecr_apt.repository_url`
`38`		`- function = ""`
	`38`	`+ function = local.ecr_apt`
`39`	`39`	`}`
`40`	`40`	`)`
`41`	`41`	`description = "Full contents of the Makefile for the archival-packaging-tool repo (allows devs to push to Dev account only)"`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`# Outputs in stage`
`45`		`-output "apt_fargate_stage_build_workflow" {`
	`45`	`+output "apt_stage_build_workflow" {`
`46`	`46`	`value = var.environment == "prod" \|\| var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {`
`47`	`47`	`region = var.aws_region`
`48`	`48`	`role = module.ecr_apt.gha_role`
`49`	`49`	`ecr = module.ecr_apt.repository_name`
`50`		`- function = ""`
	`50`	`+ function = local.ecr_apt`
`51`	`51`	`}`
`52`	`52`	`)`
`53`	`53`	`description = "Full contents of the stage-build.yml for the archival-packaging-tool repo"`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`# Outputs after promotion to prod`
`57`		`-output "apt_fargate_prod_promote_workflow" {`
	`57`	`+output "apt_prod_promote_workflow" {`
`58`	`58`	`value = var.environment == "stage" \|\| var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {`
`59`	`59`	`region = var.aws_region`
`60`	`60`	`role_stage = "${module.ecr_apt.repo_name}-gha-stage"`
`61`	`61`	`role_prod = "${module.ecr_apt.repo_name}-gha-prod"`
`62`	`62`	`ecr_stage = "${module.ecr_apt.repo_name}-stage"`
`63`	`63`	`ecr_prod = "${module.ecr_apt.repo_name}-prod"`
`64`		`- function = ""`
	`64`	`+ function = local.ecr_apt`
`65`	`65`	`}`
`66`	`66`	`)`
`67`	`67`	`description = "Full contents of the prod-promote.yml for the archival-packaging-tool repo"`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-### This should be added to jobs section of the dev-build.yml.`
	`1`	`+### This should be added to jobs section of the prod-promote.yml.`
`2`	`2`	`### If this is a Lambda function, uncomment the FUNCTION: line`
`3`	`3`
`4`	`4`	`deploy-${region}:`