From 752acae08f8b81f84c682f05499ec8fb8a858562 Mon Sep 17 00:00:00 2001
From: Christopher Butler
Date: Fri, 7 Nov 2025 16:32:27 -0500
Subject: [PATCH] Create ECR Repository for timdex-embeddings
Why these changes are being introduced: The TIMDEX pipeline is getting a new ECS Fargate task using the timdex-embeddings repository.
How this addresses that need:
* Update `pre-commit` 3rd party dependency versions
* Create ECR Repository for timdex-embeddings
* Update README
Side effects of this change: None.
Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/USE-168
---
 .pre-commit-config.yaml | 4 +--
 README.md | 8 ++++-
 timdex_ecrs.tf | 65 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 3 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4c9196e..44dcf72 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: "v1.100.0"
+ rev: "v1.103.0"
 hooks:
 - id: terraform_fmt
 args:
@@ -12,7 +12,7 @@ repos:
 - id: terraform-docs-go
 args: ["markdown", "table", "--config", "./.terraform-docs.yaml", "--recursive", "--output-file", "README.md", "./"]
 - repo: https://github.com/bridgecrewio/checkov.git
- rev: '3.2.471'
+ rev: '3.2.490'
 hooks:
 - id: checkov
 verbose: false
diff --git a/README.md b/README.md
index 45252de..fcb5fe8 100644
--- a/README.md
+++ b/README.md
@@ -130,6 +130,7 @@ This is a core infrastructure repository that defines infrastructure related to
 * [TIMDEX UI](https://github.com/MITLibraries/timdex-ui)
 * [TIMDEX Simulator](https://github.com/MITLibraries/timdex-simulator)
 * [TIMDEX Transmogrifier](https://github.com/MITLibraries/transmogrifier)
+ * [TIMDEX Embeddings](https://github.com/MITLibraries/timdex-embeddings)
 * [WCD2Reshare](https://github.com/MITLibraries/mitlib-tf-workloads-wcd2reshare)
 * [WCD2Reshare Application Container](https://github.com/MITLibraries/wcd2reshare)
 * **DEPRECATED**: [Wiley](https://github.com/MITLibraries/mitlib-tf-workloads-wiley)
@@ -139,7 +140,7 @@ This is a core infrastructure repository that defines infrastructure related to * Owner: See [CODEOWNERS](./.github/CODEOWNERS) * Team: See [CODEOWNERS](./.github/CODEOWNERS) -* Last Maintenance: 2025-09 +* Last Maintenance: 2025-11 ## TF markdown is automatically inserted at the bottom of this file, nothing should be written beyond this point
@@ -182,6 +183,7 @@ This is a core infrastructure repository that defines infrastructure related to
 | ecr\_sapinvoices\_ui | ./modules/ecr | n/a |
 | ecr\_tacos\_detectors | ./modules/ecr | n/a |
 | ecr\_timdex\_browsertrix | ./modules/ecr | n/a |
+| ecr\_timdex\_embeddings | ./modules/ecr | n/a |
 | ecr\_timdex\_geo | ./modules/ecr | n/a |
 | ecr\_timdex\_lambdas | ./modules/ecr | n/a |
 | ecr\_timdex\_tim | ./modules/ecr | n/a |
@@ -307,6 +309,10 @@ This is a core infrastructure repository that defines infrastructure related to
 | tim\_makefile | Full contents of the Makefile for the timdex-index-manager repo (allows devs to push to Dev account only) |
 | tim\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the timdex-index-manager repo |
 | tim\_stage\_build\_workflow | Full contents of the stage-build.yml for the timdex-index-manager repo |
+| timdex\_embeddings\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the timdex-embeddings repo |
+| timdex\_embeddings\_fargate\_makefile | Full contents of the Makefile for the timdex-embeddings repo (allows devs to push to Dev account only) |
+| timdex\_embeddings\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the timdex-embeddings repo |
+| timdex\_embeddings\_fargate\_stage\_build\_workflow | Full contents of the stage-build.yml for the timdex-embeddings repo |
 | timdex\_lambdas\_dev\_build\_workflow | Full contents of the dev-build.yml for the timdex-pipeline-lambdas repo |
 | timdex\_lambdas\_makefile | Full contents of the Makefile for the timdex-pipeline-lambdas repo (allows devs to push to Dev account only) |
 | timdex\_lambdas\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the timdex-pipeline-lambdas repo |
diff --git a/timdex_ecrs.tf b/timdex_ecrs.tf
index be33ee6..8274709 100644
--- a/timdex_ecrs.tf
+++ b/timdex_ecrs.tf
@@ -365,3 +365,68 @@ output "geo_prod_promote_workflow" {
 )
 description = "Full contents of the prod-promote.yml for the geo-harvester repo"
 }
+
+
+# timdex-embeddings containers
+# This is a standard ECR for an ECS with a Fargate launch type
+module "ecr_timdex_embeddings" {
+ source = "./modules/ecr"
+ repo_name = "timdex-embeddings"
+ login_policy_arn = aws_iam_policy.login.arn
+ oidc_arn = data.aws_ssm_parameter.oidc_arn.value
+ environment = var.environment
+ tfoutput_ssm_path = var.tfoutput_ssm_path
+ tags = {
+ app-repo = "timdex-infrastructure-timdex-embeddings"
+ }
+}
+
+## Outputs to Terraform Cloud for devs ##
+
+## For timdex-embeddings application repo and ECR repository
+# Outputs in dev
+output "timdex_embeddings_fargate_dev_build_workflow" {
+ value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch.tpl", {
+ region = var.aws_region
+ role = module.ecr_timdex_embeddings.gha_role
+ ecr = module.ecr_timdex_embeddings.repository_name
+ function = ""
+ }
+ )
+ description = "Full contents of the dev-build.yml for the timdex-embeddings repo"
+}
+output "timdex_embeddings_fargate_makefile" {
+ value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", {
+ ecr_name = module.ecr_timdex_embeddings.repository_name
+ ecr_url = module.ecr_timdex_embeddings.repository_url
+ function = ""
+ }
+ )
+ description = "Full contents of the Makefile for the timdex-embeddings repo (allows devs to push to Dev account only)"
+}
+
+# Outputs in stage
+output "timdex_embeddings_fargate_stage_build_workflow" {
+ value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-cpu-arch.tpl", {
+ region = var.aws_region
+ role = module.ecr_timdex_embeddings.gha_role
+ ecr = module.ecr_timdex_embeddings.repository_name
+ function = ""
+ }
+ )
+ description = "Full contents of the stage-build.yml for the timdex-embeddings repo"
+}
+
+# Outputs after promotion to prod
+output "timdex_embeddings_fargate_prod_promote_workflow" {
+ value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch.tpl", {
+ region = var.aws_region
+ role_stage = "${module.ecr_timdex_embeddings.repo_name}-gha-stage"
+ role_prod = "${module.ecr_timdex_embeddings.repo_name}-gha-prod"
+ ecr_stage = "${module.ecr_timdex_embeddings.repo_name}-stage"
+ ecr_prod = "${module.ecr_timdex_embeddings.repo_name}-prod"
+ function = ""
+ }
+ )
+ description = "Full contents of the prod-promote.yml for the timdex-embeddings repo"
+}
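Review bot: All four new outputs gate on `var.environment` by exclusion, so any value other than the two named in each condition renders the template; for `timdex_embeddings_fargate_prod_promote_workflow` that means every workspace whose environment is not exactly "stage" or "dev" is handed the prod-promote workflow. Unless `var.environment` is constrained by a validation block (not visible in this hunk), a positive match is the safer form, e.g. `value = var.environment == "prod" ? templatefile("${path.module}/files/prod-promote-cpu-arch.tpl", { ... }) : null`, with `== "dev"` and `== "stage"` on the other three outputs. The prod-promote output also rebuilds the role and repository names from `repo_name` plus literal `-gha-stage` / `-gha-prod` / `-stage` / `-prod` suffixes, while the dev and stage outputs read `gha_role` and `repository_name` from the module. A comment above those four arguments such as `# suffixes must stay in sync with the role/repository naming in ./modules/ecr` would keep a later rename in the module from silently pointing the promotion workflow at the wrong role or repository.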