move ecr to other modules

briskt · briskt · commit 0fff0d39d90f · 2025-10-22T16:12:13.000+08:00
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
@@ -221,7 +221,7 @@ module "ecsservice" {
   cluster_id         = var.ecs_cluster_id
   service_name       = "${var.idp_name}-${var.app_name}"
   service_env        = var.app_env
-  ecsServiceRole_arn = var.ecsServiceRole_arn
+  ecsServiceRole_arn = var.ecs_service_role_arn
   container_def_json = local.task_def
   desired_count      = var.desired_count
   tg_arn             = aws_alb_target_group.broker.arn
@@ -403,6 +403,16 @@ resource "aws_iam_policy" "cd" {
   })
 }
 
+module "ecr" {
+  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.13.2"
+  repo_name             = "${var.idp_name}/id-broker"
+  ecsInstanceRole_arn   = var.ecs_instance_role_arn
+  ecsServiceRole_arn    = var.ecs_service_role_arn
+  cd_user_arn           = var.cd_principal_arn
+  image_retention_count = 10
+  image_retention_tags  = ["latest"]
+}
+
 /*
  * AWS data
  */
diff --git a/terraform/050-pw-manager/main.tf b/terraform/050-pw-manager/main.tf
@@ -128,7 +128,7 @@ module "ecsservice" {
   tg_arn             = aws_alb_target_group.pwmanager.arn
   lb_container_name  = "web"
   lb_container_port  = "80"
-  ecsServiceRole_arn = var.ecsServiceRole_arn
+  ecsServiceRole_arn = var.ecs_service_role_arn
   task_role_arn      = module.ecs_role.role_arn
 }
 
@@ -222,6 +222,16 @@ resource "aws_iam_policy" "cd" {
   })
 }
 
+module "ecr" {
+  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.13.2"
+  repo_name             = "${var.idp_name}/pw-api"
+  ecsInstanceRole_arn   = var.ecs_instance_role_arn
+  ecsServiceRole_arn    = var.ecs_service_role_arn
+  cd_user_arn           = var.cd_principal_arn
+  image_retention_count = 10
+  image_retention_tags  = ["latest"]
+}
+
 /*
  * AWS data
  */
diff --git a/terraform/050-pw-manager/variables.tf b/terraform/050-pw-manager/variables.tf
@@ -131,6 +131,19 @@ variable "ecs_cluster_id" {
 variable "ecsServiceRole_arn" {
   description = "ARN for ECS Service Role"
   type        = string
+variable "cd_principal_arn" {
+  description = "The ARN of the user or role that will push images to ECR for this service."
+  type        = string
+}
+
+variable "ecs_instance_role_arn" {
+  description = "The ARN of the role that will be passed to ECS and ECR as the instance role."
+  type        = string
+}
+
+variable "ecs_service_role_arn" {
+  description = "The ARN of the role that will be passed to ECR as the service role."
+  type        = string
 }
 
 variable "email_signature" {
diff --git a/terraform/060-simplesamlphp/main.tf b/terraform/060-simplesamlphp/main.tf
@@ -121,7 +121,7 @@ module "ecsservice" {
   tg_arn             = aws_alb_target_group.ssp.arn
   lb_container_name  = "web"
   lb_container_port  = "80"
-  ecsServiceRole_arn = var.ecsServiceRole_arn
+  ecsServiceRole_arn = var.ecs_service_role_arn
   task_role_arn      = module.ecs_role.role_arn
 }
 
@@ -215,6 +215,16 @@ resource "aws_iam_policy" "cd" {
   })
 }
 
+module "ecr_simplesamlphp" {
+  source                = "github.com/silinternational/terraform-modules//aws/ecr?ref=8.13.2"
+  repo_name             = "${var.idp_name}/simplesamlphp"
+  ecsInstanceRole_arn   = var.ecs_instance_role_arn
+  ecsServiceRole_arn    = var.ecs_service_role_arn
+  cd_user_arn           = var.cd_principal_arn
+  image_retention_count = 10
+  image_retention_tags  = ["latest"]
+}
+
 /*
  * AWS data
  */
diff --git a/test/040-id-broker.tf b/test/040-id-broker.tf
@@ -6,6 +6,7 @@ module "broker" {
   abandoned_user_deactivate_instructions_url = ""
   app_env                                    = ""
   app_name                                   = ""
+  cd_principal_arn                           = ""
   cloudflare_domain                          = ""
   cloudwatch_log_group_name                  = ""
   contingent_user_duration                   = ""
@@ -14,7 +15,6 @@ module "broker" {
   db_name                                    = ""
   desired_count                              = 1
   docker_image                               = ""
-  ecsServiceRole_arn                         = ""
   ecs_cluster_id                             = ""
   email_repeat_delay_days                    = 1
   email_signature                            = ""
diff --git a/test/050-pw-manager.tf b/test/050-pw-manager.tf
@@ -13,6 +13,7 @@ module "pw" {
   auth_saml_signRequest               = true
   auth_saml_spCertificate             = ""
   auth_saml_spPrivateKey              = ""
+  cd_principal_arn                    = ""
   cloudflare_domain                   = ""
   cloudwatch_log_group_name           = ""
   code_length                         = 1
@@ -21,8 +22,9 @@ module "pw" {
   db_name                             = ""
   desired_count                       = 1
   docker_image                        = ""
-  ecsServiceRole_arn                  = ""
   ecs_cluster_id                      = ""
+  ecs_instance_role_arn               = ""
+  ecs_service_role_arn                = ""
   email_signature                     = ""
   extra_hosts                         = ""
   help_center_url                     = ""
diff --git a/test/060-simplesamlphp.tf b/test/060-simplesamlphp.tf
@@ -8,15 +8,14 @@ module "ssp" {
   analytics_id                = ""
   app_env                     = ""
   app_name                    = ""
-  cduser_username             = ""
+  cd_principal_arn            = ""
   cloudflare_domain           = ""
   cloudwatch_log_group_name   = ""
   cpu                         = 1
   create_dns_record           = true
   db_name                     = ""
   desired_count               = 1
   docker_image                = ""
-  ecsServiceRole_arn          = ""
   ecs_cluster_id              = ""
   enable_debug                = true
   help_center_url             = ""
