Merge pull request #21 from MITLibraries/make-public

zotoMIT · web-flow · commit 9535000ffb09 · 2022-09-22T11:54:32.000-04:00
Make public dev
diff --git a/README.md b/README.md
@@ -1,3 +1,5 @@
+# This is a public repo
+
 # Centralized ECR Repository Creation
 
 This repo builds the ECR (Elastic Container Registry) repositories for containers. Most of the heavy lifting is in an embedded module [modules/ecr/main.tf](./modules/ecr/main.tf).
@@ -31,6 +33,24 @@ The [ppod_ecr.tf](./ppod_ecr.tf) is a good example of a single ECR repository fo
 
 A quick note for application developers and the integration of workflows to automate the deployment of their containerized application to either Fargate or Lambda. When this code is deployed in Terraform Cloud, it generates outputs that contain the caller workflows code as well as the `Makefile` code for their application. Those outputs are accessible to the developers via Terraform Cloud -- they can go into TfC, find the correct Terraform Output, and then copy that text into their application repository.
 
+## Making this work in your environment outside of MIT libraries:
+This repository is a part of an ecosystem of components designed to work in our AWS organization.  This component is responsible for a standardized setup of ECR repositories and a build process that goes in github actions and makefiles.  On its own, this repository could be useful to you if you want to emulate how we deploy and promote containers across our AWS accounts, or utilize github OIDC connections for depositing ECR containers to AWS.  Before this will deploy in your environment, you will need an OpenID Connect Provider.  We generate this in our "init" repo, but you could just as easily place it here and reference it directly.  
+
+An example of that infrastructure is:
+```
+resource "aws_iam_openid_connect_provider" "github" {
+  url             = "https://token.actions.githubusercontent.com"
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
+}
+```
+then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openid_connect_provider.github.arn`
+
+## Additional Reference
+
+* https://blog.tedivm.com/guides/2021/10/github-actions-push-to-aws-ecr-without-credentials-oidc/
+* https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims
+
 ## TF markdown is automatically inserted at the bottom of this file, nothing should be written beyond this point
 
 <!-- BEGIN_TF_DOCS -->
diff --git a/docs/adrs/0003-make-repo-public.md b/docs/adrs/0003-make-repo-public.md
@@ -0,0 +1,21 @@
+# 3. Make repository public
+
+Date: 2022-09-20
+
+## Status
+
+Accepted
+
+## Context
+
+Infrastructure repositories are by default private, but can be make public with a security review and approval from the team. 
+
+## Decision
+This repository is made public.  It has no sensitive data, and is an example of things we do well including:
+* it shows off OIDC connections to github for actions
+* shows off modules within repos in terraform
+* shows where and how we come up with actions and makefile commands we end up using our public application repos
+
+## Consequences
+
+This repository is in the public record, care should be taken to ensure no sensitive data is committed here.  
