ECRs for Alma Integrations

cabutlermit · cabutlermit · commit a4d174666dfc · 2023-02-09T13:21:58.000-05:00
Why these changes are being introduced: Three Alma integrations (patron load, credit card slips, and SAP invoices) are going to be containerized workflows in the new AWS Organization. This sets up the ECRs for those containers. How this addresses that need: * Create the ECR, OIDC role, and various permissions for the three Alma-related app repos (alma-patronload, alma-creditcardslips, alma-sapinvoices) * Update README Side effects of this change: None. * https://mitlibraries.atlassian.net/browse/IN-647 * https://mitlibraries.atlassian.net/browse/IN-651 * https://mitlibraries.atlassian.net/browse/IN-656 terraform-docs: automated action
diff --git a/README.md b/README.md
@@ -76,14 +76,17 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 |------|--------|---------|
 | ecr\_alma\_webhook\_lambdas | ./modules/ecr | n/a |
 | ecr\_carbon | ./modules/ecr | n/a |
+| ecr\_creditcardslips | ./modules/ecr | n/a |
 | ecr\_dss | ./modules/ecr | n/a |
 | ecr\_geoserver | ./modules/ecr | n/a |
 | ecr\_geosolr | ./modules/ecr | n/a |
 | ecr\_geoweb | ./modules/ecr | n/a |
 | ecr\_mario | ./modules/ecr | n/a |
 | ecr\_matomo | ./modules/ecr | n/a |
 | ecr\_oaiharvester | ./modules/ecr | n/a |
+| ecr\_patronload | ./modules/ecr | n/a |
 | ecr\_ppod | ./modules/ecr | n/a |
+| ecr\_sapinvoices | ./modules/ecr | n/a |
 | ecr\_slingshot | ./modules/ecr | n/a |
 | ecr\_timdex\_lambdas | ./modules/ecr | n/a |
 | ecr\_timdex\_tim | ./modules/ecr | n/a |
@@ -124,6 +127,10 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | carbon\_makefile | Full contents of the Makefile for the carbon repo (allows devs to push to Dev account only) |
 | carbon\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the carbon repo |
 | carbon\_stage\_build\_workflow | Full contents of the stage-build.yml for the carbon repo |
+| creditcardslips\_dev\_build\_workflow | Full contents of the dev-build.yml for the alma-creditcardslips repo |
+| creditcardslips\_makefile | Full contents of the Makefile for the alma-creditcardslips repo (allows devs to push to Dev account only) |
+| creditcardslips\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-creditcardslips repo |
+| creditcardslips\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-creditcardslips repo |
 | dss\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the dss repo |
 | dss\_fargate\_makefile | Full contents of the Makefile for the dss repo (allows devs to push to Dev account only) |
 | dss\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the dss repo |
@@ -152,10 +159,18 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 | oaiharvester\_makefile | Full contents of the Makefile for the oaiharvester repo (allows devs to push to Dev account only) |
 | oaiharvester\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the oaiharvester repo |
 | oaiharvester\_stage\_build\_workflow | Full contents of the stage-build.yml for the oaiharvester repo |
+| patronload\_dev\_build\_workflow | Full contents of the dev-build.yml for the alma-patronload repo |
+| patronload\_makefile | Full contents of the Makefile for the alma-patronload repo (allows devs to push to Dev account only) |
+| patronload\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-patronload repo |
+| patronload\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-patronload repo |
 | ppod\_dev\_build\_workflow | Full contents of the dev-build.yml for the ppod repo |
 | ppod\_makefile | Full contents of the Makefile for the ppod repo (allows devs to push to Dev account only) |
 | ppod\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the ppod repo |
 | ppod\_stage\_build\_workflow | Full contents of the stage-build.yml for the ppod repo |
+| sapinvoices\_dev\_build\_workflow | Full contents of the dev-build.yml for the alma-sapinvoices repo |
+| sapinvoices\_makefile | Full contents of the Makefile for the alma-sapinvoices repo (allows devs to push to Dev account only) |
+| sapinvoices\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-sapinvoices repo |
+| sapinvoices\_stage\_build\_workflow | Full contents of the stage-build.yml for the alma-sapinvoices repo |
 | slingshot\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the slingshot-deposits repo |
 | slingshot\_fargate\_makefile | Full contents of the Makefile for the slingshot-deposits repo (allows devs to push to Dev account only) |
 | slingshot\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the slingshot-deposits repo |
diff --git a/almaintegrations-ecrs.tf b/almaintegrations-ecrs.tf
@@ -0,0 +1,187 @@
+###
+### ECRs for the various Alma integrations
+###
+
+################################################################################
+## patronload
+module "ecr_patronload" {
+  source            = "./modules/ecr"
+  repo_name         = "alma-patronload"
+  login_policy_arn  = aws_iam_policy.login.arn
+  oidc_arn          = data.aws_ssm_parameter.oidc_arn.value
+  environment       = var.environment
+  tfoutput_ssm_path = var.tfoutput_ssm_path
+  tags = {
+    app-repo = "alma-patronload"
+  }
+}
+
+# Outputs in dev
+output "patronload_dev_build_workflow" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_patronload.gha_role
+    ecr      = module.ecr_patronload.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the dev-build.yml for the alma-patronload repo"
+}
+output "patronload_makefile" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
+    ecr_name = module.ecr_patronload.repository_name
+    ecr_url  = module.ecr_patronload.repository_url
+    function = ""
+    }
+  )
+  description = "Full contents of the Makefile for the alma-patronload repo (allows devs to push to Dev account only)"
+}
+
+# Outputs in stage
+output "patronload_stage_build_workflow" {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_patronload.gha_role
+    ecr      = module.ecr_patronload.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the stage-build.yml for the alma-patronload repo"
+}
+
+# Outputs after promotion to prod
+output "patronload_prod_promote_workflow" {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
+    region     = var.aws_region
+    role_stage = "${module.ecr_patronload.repo_name}-gha-stage"
+    role_prod  = "${module.ecr_patronload.repo_name}-gha-prod"
+    ecr_stage  = "${module.ecr_patronload.repo_name}-stage"
+    ecr_prod   = "${module.ecr_patronload.repo_name}-prod"
+    function   = ""
+    }
+  )
+  description = "Full contents of the prod-promote.yml for the alma-patronload repo"
+}
+
+################################################################################
+## creditcardslips
+module "ecr_creditcardslips" {
+  source            = "./modules/ecr"
+  repo_name         = "alma-creditcardslips"
+  login_policy_arn  = aws_iam_policy.login.arn
+  oidc_arn          = data.aws_ssm_parameter.oidc_arn.value
+  environment       = var.environment
+  tfoutput_ssm_path = var.tfoutput_ssm_path
+  tags = {
+    app-repo = "alma-creditcardslips"
+  }
+}
+
+# Outputs in dev
+output "creditcardslips_dev_build_workflow" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_creditcardslips.gha_role
+    ecr      = module.ecr_creditcardslips.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the dev-build.yml for the alma-creditcardslips repo"
+}
+output "creditcardslips_makefile" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
+    ecr_name = module.ecr_creditcardslips.repository_name
+    ecr_url  = module.ecr_creditcardslips.repository_url
+    function = ""
+    }
+  )
+  description = "Full contents of the Makefile for the alma-creditcardslips repo (allows devs to push to Dev account only)"
+}
+
+# Outputs in stage
+output "creditcardslips_stage_build_workflow" {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_creditcardslips.gha_role
+    ecr      = module.ecr_creditcardslips.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the stage-build.yml for the alma-creditcardslips repo"
+}
+
+# Outputs after promotion to prod
+output "creditcardslips_prod_promote_workflow" {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
+    region     = var.aws_region
+    role_stage = "${module.ecr_creditcardslips.repo_name}-gha-stage"
+    role_prod  = "${module.ecr_creditcardslips.repo_name}-gha-prod"
+    ecr_stage  = "${module.ecr_creditcardslips.repo_name}-stage"
+    ecr_prod   = "${module.ecr_creditcardslips.repo_name}-prod"
+    function   = ""
+    }
+  )
+  description = "Full contents of the prod-promote.yml for the alma-creditcardslips repo"
+}
+
+
+################################################################################
+## sapinvoices
+module "ecr_sapinvoices" {
+  source            = "./modules/ecr"
+  repo_name         = "alma-sapinvoices"
+  login_policy_arn  = aws_iam_policy.login.arn
+  oidc_arn          = data.aws_ssm_parameter.oidc_arn.value
+  environment       = var.environment
+  tfoutput_ssm_path = var.tfoutput_ssm_path
+  tags = {
+    app-repo = "alma-sapinvoices"
+  }
+}
+
+# Outputs in dev
+output "sapinvoices_dev_build_workflow" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_sapinvoices.gha_role
+    ecr      = module.ecr_sapinvoices.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the dev-build.yml for the alma-sapinvoices repo"
+}
+output "sapinvoices_makefile" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
+    ecr_name = module.ecr_sapinvoices.repository_name
+    ecr_url  = module.ecr_sapinvoices.repository_url
+    function = ""
+    }
+  )
+  description = "Full contents of the Makefile for the alma-sapinvoices repo (allows devs to push to Dev account only)"
+}
+
+# Outputs in stage
+output "sapinvoices_stage_build_workflow" {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_sapinvoices.gha_role
+    ecr      = module.ecr_sapinvoices.repository_name
+    function = ""
+    }
+  )
+  description = "Full contents of the stage-build.yml for the alma-sapinvoices repo"
+}
+
+# Outputs after promotion to prod
+output "sapinvoices_prod_promote_workflow" {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
+    region     = var.aws_region
+    role_stage = "${module.ecr_sapinvoices.repo_name}-gha-stage"
+    role_prod  = "${module.ecr_sapinvoices.repo_name}-gha-prod"
+    ecr_stage  = "${module.ecr_sapinvoices.repo_name}-stage"
+    ecr_prod   = "${module.ecr_sapinvoices.repo_name}-prod"
+    function   = ""
+    }
+  )
+  description = "Full contents of the prod-promote.yml for the alma-sapinvoices repo"
+}
