feat: repository encryption parameter (#289)

brivu · fruit · web-flow · commit fb91802997a7 · 2023-07-26T15:09:25.000-07:00
* feat: Adds params to control repo encryption during repo creation (#284) * chore: code cleanup * fix: extra "<" in parameters (#287) * feat: Adds params to control repo encryption during repo creation * fix: extra "<" in parameters --------- Co-authored-by: Brian Vu <64455338+brivu@users.noreply.github.com> * chore: update aws_domain description * chore: update aws_domain description * refactor: add env subst * fix: remove duplicate expansion * fix: address pr issues * chore: rename parameters --------- Co-authored-by: Ilya Sabelnikov <fruit@users.noreply.github.com>
diff --git a/src/commands/build_and_push_image.yml b/src/commands/build_and_push_image.yml
@@ -192,6 +192,19 @@ parameters:
       provide the aws-cli/setup command to authenticate with your preferred method. View examples for more information.
     type: steps
 
+  repo_encryption_type:
+    type: enum
+    description: The encryption type to use.
+    default: "AES256"
+    enum: ["AES256", "KMS"]
+
+  repo_encryption_kms_key:
+    type: string
+    description: >
+      If you use the KMS encryption type, specify the KMS key to use for encryption.
+      The alias, key ID, or full ARN of the KMS key can be specified.
+    default: ""
+
 steps:
   - when:
       condition: <<parameters.checkout>>
@@ -230,6 +243,8 @@ steps:
             repo: <<parameters.repo>>
             repo_scan_on_push: <<parameters.repo_scan_on_push>>
             public_registry: <<parameters.public_registry>>
+            repo_encryption_type: <<parameters.repo_encryption_type>>
+            encryption_kms_key: <<parameters.repo_encryption_kms_key>>
   - when:
       condition: <<parameters.set_repo_policy>>
       steps:
diff --git a/src/commands/create_repo.yml b/src/commands/create_repo.yml
@@ -28,6 +28,19 @@ parameters:
     description: Set to true if building and pushing an image to a Public Registry on ECR.
     default: false
 
+  repo_encryption_type:
+    type: enum
+    description: The encryption type to use.
+    default: "AES256"
+    enum: ["AES256", "KMS"]
+
+  encryption_kms_key:
+    type: string
+    description: >
+      If you use the KMS encryption type, specify the KMS key to use for encryption.
+      The alias, key ID, or full ARN of the KMS key can be specified.
+    default: ""
+
 steps:
   - run:
       name: Create Repository
@@ -37,4 +50,6 @@ steps:
         ORB_STR_REPO: <<parameters.repo>>
         ORB_BOOL_REPO_SCAN_ON_PUSH: <<parameters.repo_scan_on_push>>
         ORB_BOOL_PUBLIC_REGISTRY: <<parameters.public_registry>>
+        ORB_ENUM_ENCRYPTION_TYPE: <<parameters.repo_encryption_type>>
+        ORB_STR_ENCRYPTION_KMS_KEY: <<parameters.encryption_kms_key>>
       command: <<include(scripts/create_repo.sh)>>
diff --git a/src/examples/simple_build_and_push.yml b/src/examples/simple_build_and_push.yml
@@ -83,3 +83,9 @@ usage:
 
             # requires `set_repo_policy: true`, pass in a file with the repo permissions policy
             repo_policy_path: repo-policy.json
+
+            # Switches the default encryption AES256 to KMS
+            repo_encryption_type: KMS
+
+            # Specifies ARN of KMS key
+            repo_encryption_kms_key: arn:aws:kms::123456789012:key/UUID4_OF_KMS_KEY_ID
diff --git a/src/jobs/build_and_push_image.yml b/src/jobs/build_and_push_image.yml
@@ -189,11 +189,26 @@ parameters:
       provide the aws-cli/setup command to authenticate with your preferred method. View examples for more information.
     type: steps
 
+  repo_encryption_type:
+    type: enum
+    description: The encryption type to use.
+    default: "AES256"
+    enum: ["AES256", "KMS"]
+
+  repo_encryption_kms_key:
+    type: string
+    description: >
+      If you use the KMS encryption type, specify the KMS key to use for encryption.
+      The alias, key ID, or full ARN of the KMS key can be specified.
+    default: ""
+
   aws_domain:
     type: string
     default: "amazonaws.com"
     description: >
-      AWS domain, China regions will require override.
+      The AWS domain for your region, e.g in China, the AWS domain is amazonaws.com.cn
+      The default value is amazonaws.com
+
 
 steps:
   - build_and_push_image:
@@ -227,4 +242,6 @@ steps:
       repo_policy_path: <<parameters.repo_policy_path>>
       build_path: <<parameters.build_path>>
       auth: <<parameters.auth>>
+      repo_encryption_type: <<parameters.repo_encryption_type>>
+      repo_encryption_kms_key: <<parameters.repo_encryption_kms_key>>
       aws_domain: <<parameters.aws_domain>>
diff --git a/src/scripts/create_repo.sh b/src/scripts/create_repo.sh
@@ -2,15 +2,31 @@
 ORB_STR_REGION="$(circleci env subst "${ORB_STR_REGION}")"
 ORB_STR_REPO="$(circleci env subst "${ORB_STR_REPO}")"
 ORB_STR_PROFILE_NAME="$(circleci env subst "${ORB_STR_PROFILE_NAME}")"
+ORB_STR_ENCRYPTION_KMS_KEY="$(circleci env subst "${ORB_STR_ENCRYPTION_KMS_KEY}")"
 
 if [ "$ORB_BOOL_PUBLIC_REGISTRY" == "1" ]; then
     aws ecr-public describe-repositories --profile "${ORB_STR_PROFILE_NAME}" --region us-east-1 --repository-names "${ORB_STR_REPO}" >/dev/null 2>&1 ||
         aws ecr-public create-repository --profile "${ORB_STR_PROFILE_NAME}" --region us-east-1 --repository-name "${ORB_STR_REPO}"
 else
-    aws ecr describe-repositories --profile "${ORB_STR_PROFILE_NAME}" --region "${ORB_STR_REGION}" --repository-names "${ORB_STR_REPO}" >/dev/null 2>&1 ||
-        if [ "$ORB_BOOL_REPO_SCAN_ON_PUSH" == "1" ]; then
-            aws ecr create-repository --profile "${ORB_STR_PROFILE_NAME}" --region "${ORB_STR_REGION}" --repository-name "${ORB_STR_REPO}" --image-scanning-configuration scanOnPush=true
-        else
-            aws ecr create-repository --profile "${ORB_STR_PROFILE_NAME}" --region "${ORB_STR_REGION}" --repository-name "${ORB_STR_REPO}" --image-scanning-configuration scanOnPush=false
-        fi
+
+    IMAGE_SCANNING_CONFIGURATION="scanOnPush=true"
+    if [ "$ORB_BOOL_REPO_SCAN_ON_PUSH" -ne "1" ]; then
+      IMAGE_SCANNING_CONFIGURATION="scanOnPush=false"
+    fi
+
+    ENCRYPTION_CONFIGURATION="encryptionType=${ORB_ENUM_ENCRYPTION_TYPE}"
+    if [ "$ORB_ENUM_ENCRYPTION_TYPE" == "KMS"  ]; then
+      ENCRYPTION_CONFIGURATION+=",kmsKey=${ORB_STR_ENCRYPTION_KMS_KEY}"
+    fi
+
+    aws ecr describe-repositories \
+      --profile "${ORB_STR_PROFILE_NAME}" \
+      --region "${ORB_STR_REGION}" \
+      --repository-names "${ORB_STR_REPO}" >/dev/null 2>&1 ||
+        aws ecr create-repository \
+          --profile "${ORB_STR_PROFILE_NAME}" \
+          --region "${ORB_STR_REGION}" \
+          --repository-name "${ORB_STR_REPO}" \
+          --image-scanning-configuration "${IMAGE_SCANNING_CONFIGURATION}" \
+          --encryption-configuration "${ENCRYPTION_CONFIGURATION}"
 fi
