fix: DBTP-1789 - Remove required pipelines config

codebase-pipelines/artifactstore.tf

@@ -52,11 +52,16 @@ data "aws_iam_policy_document" "artifact_store_bucket_policy" {
   statement {
     effect = "Allow"
     principals {
-      type = "AWS"
-      identifiers = [
-        for env in local.pipeline_environments :
-        "arn:aws:iam::${env.account}:role/${var.application}-${env.name}-codebase-pipeline-deploy"
+      type        = "AWS"
+      identifiers = [for id in local.deploy_account_ids : "arn:aws:iam::${id}:root"]
+    }
+    condition {
+      test = "ArnLike"
+      values = [
+        for id in local.deploy_account_ids :
+        "arn:aws:iam::${id}:role/${var.application}-*-codebase-pipeline-deploy"
       ]
+      variable = "aws:PrincipalArn"
     }
     actions = [
       "s3:*"

codebase-pipelines/buildspec-deploy.yml

@@ -18,9 +18,10 @@ phases:
       - set -e
 
       # Check if the specified image tag exists
+      - aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
       - |
-        if ! aws ecr describe-images --repository-name "${REPOSITORY_NAME}" --image-ids "imageTag=${IMAGE_TAG}" > /dev/null 2>&1; then
-          echo "Error: image tag ${IMAGE_TAG} not found in repository ${REPOSITORY_NAME}"
+        if ! docker manifest inspect "${REPOSITORY_URL}:${IMAGE_TAG}" > /dev/null 2>&1; then
+          echo "Error: image tag ${IMAGE_TAG} not found in repository ${REPOSITORY_URL}"
           exit 1
         fi
 
@@ -31,9 +32,6 @@ phases:
           exit 1
         fi
 
-      # Extract timestamp from image config and check if it exists
-      - aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
-
       # Construct Slack message env vars
       - SLACK_REF=$(regctl image config "${REPOSITORY_URL}:${IMAGE_TAG}" | jq -r '.config.Labels."uk.gov.trade.digital.build.timestamp"')
       - |

codebase-pipelines/codepipeline.tf

@@ -80,9 +80,7 @@ resource "aws_codepipeline" "codebase_pipeline" {
               { name : "ENVIRONMENT", value : stage.value.name },
               { name : "IMAGE_TAG", value : "#{variables.IMAGE_TAG}" },
               { name : "PIPELINE_EXECUTION_ID", value : "#{codepipeline.PipelineExecutionId}" },
-              { name : "PREFIXED_REPOSITORY_NAME", value : local.prefixed_repository_name },
               { name : "REPOSITORY_URL", value : local.repository_url },
-              { name : "REPOSITORY_NAME", value : local.ecr_name },
               { name : "SERVICE", value : action.value.name },
               { name : "SLACK_CHANNEL_ID", value : var.slack_channel, type : "PARAMETER_STORE" },
             ])
@@ -168,9 +166,7 @@ resource "aws_codepipeline" "manual_release_pipeline" {
             { name : "ENVIRONMENT", value : "#{variables.ENVIRONMENT}" },
             { name : "IMAGE_TAG", value : "#{variables.IMAGE_TAG}" },
             { name : "PIPELINE_EXECUTION_ID", value : "#{codepipeline.PipelineExecutionId}" },
-            { name : "PREFIXED_REPOSITORY_NAME", value : local.prefixed_repository_name },
             { name : "REPOSITORY_URL", value : local.repository_url },
-            { name : "REPOSITORY_NAME", value : local.ecr_name },
             { name : "SERVICE", value : action.value.name },
             { name : "SLACK_CHANNEL_ID", value : var.slack_channel, type : "PARAMETER_STORE" },
           ])

codebase-pipelines/eventbridge.tf

@@ -19,19 +19,21 @@ resource "aws_cloudwatch_event_target" "codepipeline" {
   for_each = local.pipeline_map
   rule     = aws_cloudwatch_event_rule.ecr_image_publish[each.key].name
   arn      = aws_codepipeline.codebase_pipeline[each.key].arn
-  role_arn = aws_iam_role.event_bridge_pipeline_trigger.arn
+  role_arn = aws_iam_role.event_bridge_pipeline_trigger[""].arn
 }
 
 resource "aws_iam_role" "event_bridge_pipeline_trigger" {
+  for_each           = toset(length(local.pipeline_map) > 0 ? [""] : [])
   name               = "${var.application}-${var.codebase}-event-bridge-pipeline-trigger"
   assume_role_policy = data.aws_iam_policy_document.assume_event_bridge_policy.json
   tags               = local.tags
 }
 
 resource "aws_iam_role_policy" "event_bridge_pipeline_trigger" {
-  name   = "event-bridge-access"
-  role   = aws_iam_role.event_bridge_pipeline_trigger.name
-  policy = data.aws_iam_policy_document.event_bridge_pipeline_trigger.json
+  for_each = toset(length(local.pipeline_map) > 0 ? [""] : [])
+  name     = "event-bridge-access"
+  role     = aws_iam_role.event_bridge_pipeline_trigger[""].name
+  policy   = data.aws_iam_policy_document.event_bridge_pipeline_trigger.json
 }
 
 data "aws_iam_policy_document" "assume_event_bridge_policy" {

codebase-pipelines/iam.tf

@@ -73,32 +73,6 @@ data "aws_iam_policy_document" "ecr_access_for_codebuild_images" {
     ]
   }
 
-  statement {
-    effect = "Allow"
-    actions = [
-      "ecr-public:DescribeImageScanFindings",
-      "ecr-public:GetLifecyclePolicyPreview",
-      "ecr-public:GetDownloadUrlForLayer",
-      "ecr-public:BatchGetImage",
-      "ecr-public:DescribeImages",
-      "ecr-public:ListTagsForResource",
-      "ecr-public:BatchCheckLayerAvailability",
-      "ecr-public:GetLifecyclePolicy",
-      "ecr-public:GetRepositoryPolicy",
-      "ecr-public:PutImage",
-      "ecr-public:InitiateLayerUpload",
-      "ecr-public:UploadLayerPart",
-      "ecr-public:CompleteLayerUpload",
-      "ecr-public:BatchDeleteImage",
-      "ecr-public:DescribeRepositories",
-      "ecr-public:ListImages"
-    ]
-    resources = [
-      # We have to wildcard the repository name because we currently expect the repository URL and it's not possible to get the ARN from that
-      "arn:aws:ecr-public::${data.aws_caller_identity.current.account_id}:repository/*"
-    ]
-  }
-
   statement {
     effect = "Allow"
     actions = [
@@ -119,9 +93,40 @@ data "aws_iam_policy_document" "ecr_access_for_codebuild_images" {
       "ecr:DescribeRepositories",
       "ecr:ListImages"
     ]
-    resources = [
-      aws_ecr_repository.this.arn
-    ]
+    resources = compact([
+      "arn:aws:ecr:${local.account_region}:repository/${local.ecr_name}",
+      local.additional_private_repo_arn
+    ])
+  }
+
+  dynamic "statement" {
+    for_each = toset(local.is_additional_repo_public ? [""] : [])
+
+    content {
+      effect = "Allow"
+      actions = [
+        "ecr-public:DescribeImageScanFindings",
+        "ecr-public:GetLifecyclePolicyPreview",
+        "ecr-public:GetDownloadUrlForLayer",
+        "ecr-public:BatchGetImage",
+        "ecr-public:DescribeImages",
+        "ecr-public:ListTagsForResource",
+        "ecr-public:BatchCheckLayerAvailability",
+        "ecr-public:GetLifecyclePolicy",
+        "ecr-public:GetRepositoryPolicy",
+        "ecr-public:PutImage",
+        "ecr-public:InitiateLayerUpload",
+        "ecr-public:UploadLayerPart",
+        "ecr-public:CompleteLayerUpload",
+        "ecr-public:BatchDeleteImage",
+        "ecr-public:DescribeRepositories",
+        "ecr-public:ListImages"
+      ]
+      resources = [
+        # We have to wildcard the repository name because we currently expect the repository URL and it's not possible to get the ARN from that
+        "arn:aws:ecr-public::${data.aws_caller_identity.current.account_id}:repository/*"
+      ]
+    }
   }
 }
 
@@ -184,9 +189,10 @@ data "aws_iam_policy_document" "ecr_access_for_codebase_pipeline" {
       "ecr:BatchGetImage",
       "ecr:GetDownloadUrlForLayer"
     ]
-    resources = [
-      aws_ecr_repository.this.arn
-    ]
+    resources = compact([
+      "arn:aws:ecr:${local.account_region}:repository/${local.ecr_name}",
+      local.additional_private_repo_arn
+    ])
   }
   statement {
     effect = "Allow"

codebase-pipelines/locals.tf

@@ -7,9 +7,12 @@ locals {
 
   account_region = "${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
 
-  ecr_name                 = "${var.application}/${var.codebase}"
-  prefixed_repository_name = "uktrade/${var.application}"
-  repository_url           = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${local.ecr_name}"
+  ecr_name                    = "${var.application}/${var.codebase}"
+  private_repo_url            = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com"
+  is_additional_repo_public   = var.additional_ecr_repository != null ? strcontains(var.additional_ecr_repository, "public.ecr.aws") : false
+  additional_ecr_url          = var.additional_ecr_repository != null ? local.is_additional_repo_public ? var.additional_ecr_repository : "${local.private_repo_url}/${var.additional_ecr_repository}" : null
+  repository_url              = coalesce(local.additional_ecr_url, "${local.private_repo_url}/${local.ecr_name}")
+  additional_private_repo_arn = var.additional_ecr_repository != null && !local.is_additional_repo_public ? "arn:aws:ecr:${local.account_region}:repository/${var.additional_ecr_repository}" : ""
 
   pipeline_branches = distinct([
     for pipeline in var.pipelines : pipeline.branch if lookup(pipeline, "branch", null) != null
@@ -33,10 +36,6 @@ locals {
     })
   }
 
-  pipeline_environments = distinct(flatten([
-    for pipeline in local.pipeline_map : [for env in pipeline.environments : env]
-  ]))
-
   services = sort(flatten([
     for run_group in var.services : [for service in flatten(values(run_group)) : service]
   ]))