Adding encryption_type to allow using kms without passing key id and adding ecr:ListImages for argocd-image-updater (#21)

adenot · web-flow · commit 83830eb105d5 · 2024-12-11T20:13:31.000+10:00
* Adding encryption_type to allow using kms without passing key id and adding ecr:ListImages for argocd-image-updater

* terraform-docs: automated update action

---------

Co-authored-by: adenot &lt;adenot@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -31,6 +31,7 @@ The following resources will be created:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| encryption\_type | Encryption type, KMS or AES256. When kms\_key\_arn is passed, encryption\_type is always KMS | `string` | `"KMS"` | no |
 | image\_tag\_mutability | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE. | `string` | `"MUTABLE"` | no |
 | kms\_key\_arn | KMS Key ARN to use a CMK instead of default key | `string` | `""` | no |
 | lifecycle\_policy | JSON formatted string ECR repository lifecycle policy. | `string` | `""` | no |
diff --git a/_variables.tf b/_variables.tf
@@ -7,6 +7,12 @@ variable "trust_accounts" {
   description = "Accounts to trust and allow ECR fetch"
 }
 
+variable "encryption_type" {
+  type        = string
+  description = "Encryption type, KMS or AES256. When kms_key_arn is passed, encryption_type is always KMS"
+  default     = "KMS"
+}
+
 variable "kms_key_arn" {
   type        = string
   description = "KMS Key ARN to use a CMK instead of default key"
@@ -35,4 +41,4 @@ variable "tags" {
   description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment."
   type        = map(string)
   default     = {}
-}
+}
diff --git a/ecr-policies.tf b/ecr-policies.tf
@@ -21,7 +21,8 @@ data "aws_iam_policy_document" "default" {
         "ecr:GetDownloadUrlForLayer",
         "ecr:BatchGetImage",
         "ecr:BatchCheckLayerAvailability",
-        "ecr:DescribeImageScanFindings"
+        "ecr:DescribeImageScanFindings",
+        "ecr:ListImages"
       ]
     }
   }
diff --git a/ecr-repositories.tf b/ecr-repositories.tf
@@ -3,7 +3,7 @@ resource "aws_ecr_repository" "default" {
   image_tag_mutability = var.image_tag_mutability
 
   encryption_configuration {
-    encryption_type = var.kms_key_arn != "" ? "KMS" : "AES256"
+    encryption_type = var.kms_key_arn != "" ? "KMS" : var.encryption_type
     kms_key         = var.kms_key_arn
   }
 

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,8 @@ data "aws_iam_policy_document" "default" {`
`21`	`21`	`"ecr:GetDownloadUrlForLayer",`
`22`	`22`	`"ecr:BatchGetImage",`
`23`	`23`	`"ecr:BatchCheckLayerAvailability",`
`24`		`- "ecr:DescribeImageScanFindings"`
	`24`	`+ "ecr:DescribeImageScanFindings",`
	`25`	`+ "ecr:ListImages"`
`25`	`26`	`]`
`26`	`27`	`}`
`27`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ resource "aws_ecr_repository" "default" {`
`3`	`3`	`image_tag_mutability = var.image_tag_mutability`
`4`	`4`
`5`	`5`	`encryption_configuration {`
`6`		`- encryption_type = var.kms_key_arn != "" ? "KMS" : "AES256"`
	`6`	`+ encryption_type = var.kms_key_arn != "" ? "KMS" : var.encryption_type`
`7`	`7`	`kms_key = var.kms_key_arn`
`8`	`8`	`}`
`9`	`9`