fix(CO-740): Encrypt ECR

geekcell · Jul 2, 2024 · 922201d · 922201d
1 parent dcff901
commit 922201d
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 11 deletions.
diff --git a/examples/basic-example/main.tf b/examples/basic-example/main.tf
@@ -1,5 +1,5 @@
 module "basic_example" {
-  source = "../../"
+  source = "../.."
 
   name = var.name
 }
diff --git a/main.tf b/main.tf
@@ -21,6 +21,11 @@ resource "aws_ecr_repository" "main" {
   image_tag_mutability = var.image_tag_mutability
   force_delete         = var.force_delete
 
+  encryption_configuration {
+    encryption_type = var.encryption_type
+    kms_key         = var.kms_key
+  }
+
   image_scanning_configuration {
     scan_on_push = var.scan_on_push
   }
@@ -46,7 +51,7 @@ resource "aws_ecr_lifecycle_policy" "main" {
 # to remove any null values from the JSON before sending it to AWS.
 data "jq_query" "main" {
   query = "del(..|nulls)"
-  data = jsonencode({
+  data  = jsonencode({
     rules = [
       for index, rule in var.lifecycle_rules : {
         rulePriority = index + 1

diff --git a/variables.tf b/variables.tf
@@ -11,33 +11,33 @@ variable "tags" {
 }
 
 ## REPOSITORY
+variable "encryption_type" {
+  description = "The encryption type to use for the repository."
+  default     = "AES256"
+  type        = string
+}
+
 variable "image_tag_mutability" {
   description = "The tag mutability setting for the repository."
   default     = "MUTABLE"
   type        = string
 }
 
-variable "scan_on_push" {
-  description = "Indicates whether images are scanned after being pushed to the repository."
-  default     = true
-  type        = bool
-}
-
 variable "force_delete" {
   description = "Delete the repository even if it contains images."
   default     = false
   type        = bool
 }
 
-variable "policy" {
-  description = "Repository policy document in JSON format."
+variable "kms_key" {
+  description = "The ARN of the KMS key to use for encryption."
   default     = null
   type        = string
 }
 
 variable "lifecycle_rules" {
   description = "Lifecycle policy rules for expiring images."
-  default = [
+  default     = [
     {
       description     = "Keep the last 30 tagged images"
       tag_status      = "tagged"
@@ -62,3 +62,17 @@ variable "lifecycle_rules" {
     count_number    = number
   }))
 }
+
+variable "policy" {
+  description = "Repository policy document in JSON format."
+  default     = null
+  type        = string
+}
+
+variable "scan_on_push" {
+  description = "Indicates whether images are scanned after being pushed to the repository."
+  default     = true
+  type        = bool
+}
+
+