change

marcoacierno · marcoacierno · commit d9a6ddc42594 · 2025-01-05T03:27:17.000+01:00
diff --git a/.github/workflows/build-backend.yml b/.github/workflows/build-backend.yml
@@ -10,19 +10,6 @@ jobs:
     name: Build
     runs-on: ${{ format('arm64-fargate-{0}{1}{2}', github.run_id, github.run_number, github.run_attempt) }}
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.ref }}
-          fetch-depth: 0
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.aws_access_key_id }}
-          aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
-          aws-region: eu-central-1
-      - name: Login to Amazon ECR
-        uses: aws-actions/amazon-ecr-login@v2
-      # - run: tail -f /dev/null
       - name: Run kaniko
         run: |
           /kaniko/executor \
diff --git a/infrastructure/global/.terraform.lock.hcl b/infrastructure/global/.terraform.lock.hcl
diff --git a/infrastructure/global/ecr_repos/main.tf b/infrastructure/global/ecr_repos/main.tf
@@ -1,11 +1,21 @@
 locals {
   services = [
     "pycon-backend",
+    "pycon-backend/cache",
     "pycon-frontend",
-    "pretix"
+    "pycon-frontend/cache",
+    "pretix",
+    "pretix/cache",
   ]
+  infrastructure_tools_account_id = [
+    for account in data.aws_organizations_organization.organization.non_master_accounts :
+    account.id
+    if account.name == "Infrastructure Tools"
+  ][0]
 }
 
+data "aws_organizations_organization" "organization" {}
+
 resource "aws_ecr_repository" "service_repo" {
   for_each             = toset(local.services)
   name                 = "pythonit/${each.key}"
@@ -15,3 +25,35 @@ resource "aws_ecr_repository" "service_repo" {
     scan_on_push = false
   }
 }
+
+data "aws_iam_policy_document" "access_from_infrastructure_account" {
+  statement {
+    sid    = "access from infrastructure account"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [local.infrastructure_tools_account_id]
+    }
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:DescribeRepositories",
+      "ecr:GetRepositoryPolicy",
+      "ecr:ListImages",
+      "ecr:BatchDeleteImage",
+    ]
+  }
+}
+
+resource "aws_ecr_repository_policy" "access_from_infrastructure_account" {
+  for_each             = toset(local.services)
+  repository = aws_ecr_repository.service_repo[each.key].name
+  policy     = data.aws_iam_policy_document.access_from_infrastructure_account.json
+}
diff --git a/infrastructure/global/main.tf b/infrastructure/global/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.64.0"
+      version = "5.82.2"
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ terraform {`
`2`	`2`	`required_providers {`
`3`	`3`	`aws = {`
`4`	`4`	`source = "hashicorp/aws"`
`5`		`- version = "5.64.0"`
	`5`	`+ version = "5.82.2"`
`6`	`6`	`}`
`7`	`7`	`}`
`8`	`8`