Merge pull request #30 from MITLibraries/update-ecr-outputs

Update Terraform Outputs to use new shared workflows

Author: cabutlermit

.terraform.lock.hcl

@@ -33,23 +33,26 @@ The [ppod_ecr.tf](./ppod_ecr.tf) is a good example of a single ECR repository fo
 
 A quick note for application developers and the integration of workflows to automate the deployment of their containerized application to either Fargate or Lambda. When this code is deployed in Terraform Cloud, it generates outputs that contain the caller workflows code as well as the `Makefile` code for their application. Those outputs are accessible to the developers via Terraform Cloud -- they can go into TfC, find the correct Terraform Output, and then copy that text into their application repository.
 
-## Making this work in your environment outside of MIT libraries:
-This repository is a part of an ecosystem of components designed to work in our AWS organization.  This component is responsible for a standardized setup of ECR repositories and a build process that goes in github actions and makefiles.  On its own, this repository could be useful to you if you want to emulate how we deploy and promote containers across our AWS accounts, or utilize github OIDC connections for depositing ECR containers to AWS.  Before this will deploy in your environment, you will need an OpenID Connect Provider.  We generate this in our "init" repo, but you could just as easily place it here and reference it directly.  
+## Making this work in your environment outside of MIT libraries
+
+This repository is a part of an ecosystem of components designed to work in our AWS organization.  This component is responsible for a standardized setup of ECR repositories and a build process that goes in Github Actions and Makefiles.  On its own, this repository could be useful to you if you want to emulate how we deploy and promote containers across our AWS accounts, or utilize GitHub OIDC connections for depositing ECR containers to AWS.  Before this will deploy in your environment, you will need an OpenID Connect Provider.  We generate this in our "init" repo, but you could just as easily place it here and reference it directly.  
 
 An example of that infrastructure is:
-```
+
+```terraform
 resource "aws_iam_openid_connect_provider" "github" {
   url             = "https://token.actions.githubusercontent.com"
   client_id_list  = ["sts.amazonaws.com"]
   thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
 }
 ```
+
 then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openid_connect_provider.github.arn`
 
 ## Additional Reference
 
-* https://blog.tedivm.com/guides/2021/10/github-actions-push-to-aws-ecr-without-credentials-oidc/
-* https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims
+* [github-actions-push-to-aws-ecr-without-credentials-oidc](https://blog.tedivm.com/guides/2021/10/github-actions-push-to-aws-ecr-without-credentials-oidc/)
+* [about-security-hardening-with-openid-connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims)
 
 ## TF markdown is automatically inserted at the bottom of this file, nothing should be written beyond this point
 
@@ -65,7 +68,7 @@ then replace all the ssm parameter references for `oidc_arn` with `aws_iam_openi
 
 | Name | Version |
 |------|---------|
-| aws | 4.26.0 |
+| aws | 4.37.0 |
 
 ## Modules
 

README.md

@@ -22,7 +22,7 @@ module "ecr_alma_webhook_lambdas" {
 ## For alma-webhook-lambdas application repo and ECR repository
 # Outputs in dev
 output "alma_webhook_lambdas_dev_build_workflow" {
-  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/lambda-dev-build.tpl", {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
     region   = var.aws_region
     role     = module.ecr_alma_webhook_lambdas.gha_role
     ecr      = module.ecr_alma_webhook_lambdas.repository_name
@@ -32,7 +32,7 @@ output "alma_webhook_lambdas_dev_build_workflow" {
   description = "Full contents of the dev-build.yml for the alma-webhook-lambdas repo"
 }
 output "alma_webhook_lambdas_makefile" {
-  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/lambda-makefile.tpl", {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
     ecr_name = module.ecr_alma_webhook_lambdas.repository_name
     ecr_url  = module.ecr_alma_webhook_lambdas.repository_url
     function = local.ecr_alma_webhook_lambdas_function_name
@@ -43,7 +43,7 @@ output "alma_webhook_lambdas_makefile" {
 
 # Outputs in stage
 output "alma_webhook_lambdas_stage_build_workflow" {
-  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/lambda-stage-build.tpl", {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
     region   = var.aws_region
     role     = module.ecr_alma_webhook_lambdas.gha_role
     ecr      = module.ecr_alma_webhook_lambdas.repository_name
@@ -55,7 +55,7 @@ output "alma_webhook_lambdas_stage_build_workflow" {
 
 # Outputs after promotion to prod
 output "alma_webhook_lambdas_prod_promote_workflow" {
-  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/lambda-prod-promote.tpl", {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
     region     = var.aws_region
     role_stage = "${module.ecr_alma_webhook_lambdas.repo_name}-gha-stage"
     role_prod  = "${module.ecr_alma_webhook_lambdas.repo_name}-gha-prod"

almahook_ecr.tf

@@ -21,42 +21,46 @@ module "ecr_dss" {
 ## For dss application repo and ECR repository
 # Outputs in dev
 output "dss_fargate_dev_build_workflow" {
-  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/fargate-dev-build.tpl", {
-    region = var.aws_region
-    role   = module.ecr_dss.gha_role
-    ecr    = module.ecr_dss.repository_name
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_dss.gha_role
+    ecr      = module.ecr_dss.repository_name
+    function = ""
     }
   )
   description = "Full contents of the dev-build.yml for the dss repo"
 }
 output "dss_fargate_makefile" {
-  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/fargate-makefile.tpl", {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
     ecr_name = module.ecr_dss.repository_name
     ecr_url  = module.ecr_dss.repository_url
+    function = ""
     }
   )
   description = "Full contents of the Makefile for the dss repo (allows devs to push to Dev account only)"
 }
 
 # Outputs in stage
 output "dss_fargate_stage_build_workflow" {
-  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/fargate-stage-build.tpl", {
-    region = var.aws_region
-    role   = module.ecr_dss.gha_role
-    ecr    = module.ecr_dss.repository_name
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+    region   = var.aws_region
+    role     = module.ecr_dss.gha_role
+    ecr      = module.ecr_dss.repository_name
+    function = ""
     }
   )
   description = "Full contents of the stage-build.yml for the dss repo"
 }
 
 # Outputs after promotion to prod
 output "dss_fargate_prod_promote_workflow" {
-  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/fargate-prod-promote.tpl", {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
     region     = var.aws_region
     role_stage = "${module.ecr_dss.repo_name}-gha-stage"
     role_prod  = "${module.ecr_dss.repo_name}-gha-prod"
     ecr_stage  = "${module.ecr_dss.repo_name}-stage"
     ecr_prod   = "${module.ecr_dss.repo_name}-prod"
+    function   = ""
     }
   )
   description = "Full contents of the prod-promote.yml for the dss repo"