-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding Module code for Azure Container Registry
- Loading branch information
0 parents
commit 3988632
Showing
14 changed files
with
414 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
|
||
name: Static security analysis for Terraform | ||
|
||
permissions: read-all | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
pull_request: | ||
branches: | ||
- main | ||
jobs: | ||
checkov-job: | ||
runs-on: ubuntu-latest | ||
name: checkov-action | ||
steps: | ||
- name: Checkout repo | ||
uses: actions/checkout@v2 | ||
|
||
- name: Run Checkov action | ||
id: checkov | ||
uses: bridgecrewio/checkov-action@master | ||
with: | ||
directory: ./ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
# Local .terraform directories | ||
**/.terraform/* | ||
|
||
# .tfstate files | ||
*.tfstate | ||
*.tfstate.* | ||
.terraform.* | ||
# Crash log files | ||
crash.log | ||
|
||
# Exclude all .tfvars files, which are likely to contain sentitive data, such as | ||
# password, private keys, and other secrets. These should not be part of version | ||
# control as they are data points which are potentially sensitive and subject | ||
# to change depending on the environment. | ||
# | ||
*.tfvars | ||
|
||
# Ignore override files as they are usually used to override resources locally and so | ||
# are not checked in | ||
override.tf | ||
override.tf.json | ||
*_override.tf | ||
*_override.tf.json | ||
|
||
# Include override files you do wish to add to version control using negated pattern | ||
# | ||
# !example_override.tf | ||
|
||
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan | ||
# example: *tfplan* | ||
|
||
# Ignore CLI configuration files | ||
.terraformrc | ||
terraform.rc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
repos: | ||
- repo: https://github.com/antonbabenko/pre-commit-terraform | ||
rev: v1.77.1 | ||
hooks: | ||
- id: terraform_fmt | ||
- id: terraform_validate | ||
- id: terraform_checkov | ||
- id: terraform_docs | ||
args: | ||
- '--args=--lockfile=false' | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
# Terraform module for Azure ACR | ||
|
||
## How to use it as a module | ||
|
||
```hcl | ||
module "acr" { | ||
source = "./" | ||
name = "iba6yu5bgopi" | ||
resource_group_name = "terraform-test" | ||
location = "East US" | ||
sku = "Premium" | ||
admin_enabled = true | ||
} | ||
``` | ||
|
||
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 | | ||
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.0.0 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.0.0 | | ||
|
||
## Modules | ||
|
||
No modules. | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [azurerm_container_registry.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) | resource | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_admin_enabled"></a> [admin\_enabled](#input\_admin\_enabled) | (Optional) Specifies whether the admin user is enabled. Defaults to false. | `bool` | `false` | no | | ||
| <a name="input_anonymous_pull_enabled"></a> [anonymous\_pull\_enabled](#input\_anonymous\_pull\_enabled) | (Optional) Whether allows anonymous (unauthenticated) pull access to this Container Registry? This is only supported on resources with the Standard or Premium SKU. | `bool` | `false` | no | | ||
| <a name="input_create_acr"></a> [create\_acr](#input\_create\_acr) | (Optional) Do you want to create ECR repo | `bool` | `true` | no | | ||
| <a name="input_data_endpoint_enabled"></a> [data\_endpoint\_enabled](#input\_data\_endpoint\_enabled) | (Optional) Whether to enable dedicated data endpoints for this Container Registry? This is only supported on resources with the Premium SKU. | `bool` | `true` | no | | ||
| <a name="input_encryption"></a> [encryption](#input\_encryption) | (Optional) An encryption block | `any` | `[]` | no | | ||
| <a name="input_export_policy_enabled"></a> [export\_policy\_enabled](#input\_export\_policy\_enabled) | (Optional) Boolean value that indicates whether export policy is enabled. Defaults to true. In order to set it to false, make sure the public\_network\_access\_enabled is also set to false. | `bool` | `true` | no | | ||
| <a name="input_georeplications"></a> [georeplications](#input\_georeplications) | A list of Azure locations where the Ccontainer Registry should be geo-replicated. Only activated on Premium SKU.<br> Supported properties are:<br> location = string<br> zone\_redundancy\_enabled = bool<br> regional\_endpoint\_enabled = bool<br> tags = map(string)<br> or this can be a list of `string` (each element is a location) | `any` | `[]` | no | | ||
| <a name="input_identity"></a> [identity](#input\_identity) | (Optional) An identity block | `any` | `[]` | no | | ||
| <a name="input_location"></a> [location](#input\_location) | (Required) Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes | | ||
| <a name="input_name"></a> [name](#input\_name) | (Required) Specifies the name of the Container Registry. Only Alphanumeric characters allowed. Changing this forces a new resource to be created. | `string` | n/a | yes | | ||
| <a name="input_network_rule_bypass_option"></a> [network\_rule\_bypass\_option](#input\_network\_rule\_bypass\_option) | (Optional) Whether to allow trusted Azure services to access a network restricted Container Registry? Possible values are None and AzureServices. Defaults to AzureServices. | `string` | `"AzureServices"` | no | | ||
| <a name="input_network_rule_set"></a> [network\_rule\_set](#input\_network\_rule\_set) | A list of Azure locations where the Ccontainer Registry should be geo-replicated. Only activated on Premium SKU.<br> Supported properties are:<br> default\_action = string<br> ip\_rule = list(map(string))<br> virtual\_network = list(map(string)) | `any` | `[]` | no | | ||
| <a name="input_public_network_access_enabled"></a> [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | (Optional) Whether public network access is allowed for the container registry. Defaults to true. | `bool` | `false` | no | | ||
| <a name="input_quarantine_policy_enabled"></a> [quarantine\_policy\_enabled](#input\_quarantine\_policy\_enabled) | (Optional) Boolean value that indicates whether quarantine policy is enabled. | `bool` | `false` | no | | ||
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Required) The name of the resource group in which to create the Container Registry. Changing this forces a new resource to be created. | `string` | n/a | yes | | ||
| <a name="input_retention_policy"></a> [retention\_policy](#input\_retention\_policy) | (Optional) A retention\_policy block | `any` | <pre>[<br> {<br> "days": 30,<br> "enabled": true<br> }<br>]</pre> | no | | ||
| <a name="input_sku"></a> [sku](#input\_sku) | (Optional) The SKU name of the container registry. Possible values are Basic, Standard and Premium.Defaults to Premium. | `string` | `"Premium"` | no | | ||
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resource. | `map(string)` | `{}` | no | | ||
| <a name="input_trust_policy"></a> [trust\_policy](#input\_trust\_policy) | (Optional) A trust\_policy block | `any` | <pre>[<br> {<br> "enabled": false<br> }<br>]</pre> | no | | ||
| <a name="input_zone_redundancy_enabled"></a> [zone\_redundancy\_enabled](#input\_zone\_redundancy\_enabled) | (Optional) Whether zone redundancy is enabled for this Container Registry? Changing this forces a new resource to be created. Defaults to false. | `bool` | `false` | no | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_admin_password"></a> [admin\_password](#output\_admin\_password) | The Password associated with the Container Registry Admin account - if the admin account is enabled. | | ||
| <a name="output_admin_username"></a> [admin\_username](#output\_admin\_username) | The Username associated with the Container Registry Admin account - if the admin account is enabled. | | ||
| <a name="output_id"></a> [id](#output\_id) | The ID of the Container Registry. | | ||
| <a name="output_login_server"></a> [login\_server](#output\_login\_server) | The URL that can be used to log into the container registry. | | ||
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> |
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
resource "azurerm_container_registry" "this" { | ||
Check failure on line 1 in main.tf GitHub Actions / checkov-action
Check failure on line 1 in main.tf GitHub Actions / checkov-action
|
||
count = var.create_acr ? 1 : 0 | ||
|
||
name = var.name | ||
resource_group_name = var.resource_group_name | ||
location = var.location | ||
sku = var.sku | ||
admin_enabled = var.admin_enabled | ||
|
||
|
||
/* georeplications { | ||
} */ | ||
dynamic "georeplications" { | ||
for_each = length(var.georeplications) != 0 && var.sku == "Premium" ? var.georeplications : [] | ||
|
||
content { | ||
location = try(georeplications.value.location) | ||
regional_endpoint_enabled = try(georeplications.value.regional_endpoint_enabled, false) | ||
zone_redundancy_enabled = try(georeplications.value.zone_redundancy_enabled, false) | ||
tags = try(georeplications.value.tags, {}) | ||
} | ||
} | ||
|
||
dynamic "network_rule_set" { | ||
for_each = length(var.network_rule_set) != 0 && var.sku == "Premium" ? var.network_rule_set : [] | ||
|
||
content { | ||
default_action = try(network_rule_set.value.default_action, Allow) | ||
|
||
dynamic "ip_rule" { | ||
for_each = try(network_rule_set.value.ip_rule, []) | ||
|
||
content { | ||
action = "Allow" | ||
ip_range = try(ip_rule.value.ip_range) | ||
} | ||
} | ||
|
||
dynamic "virtual_network" { | ||
for_each = try(network_rule_set.value.virtual_network, []) | ||
|
||
content { | ||
action = "Allow" | ||
subnet_id = try(virtual_network.value.subnet_id) | ||
} | ||
} | ||
|
||
} | ||
} | ||
|
||
public_network_access_enabled = var.public_network_access_enabled | ||
quarantine_policy_enabled = var.quarantine_policy_enabled | ||
|
||
|
||
dynamic "retention_policy" { | ||
for_each = length(var.retention_policy) != 0 ? var.retention_policy : [] | ||
|
||
content { | ||
days = try(retention_policy.value.days, 7) | ||
enabled = try(retention_policy.value.enabled, true) | ||
} | ||
|
||
} | ||
|
||
dynamic "trust_policy" { | ||
for_each = var.trust_policy | ||
|
||
content { | ||
enabled = try(trust_policy.value.enabled, true) | ||
} | ||
} | ||
|
||
zone_redundancy_enabled = var.zone_redundancy_enabled | ||
export_policy_enabled = var.export_policy_enabled | ||
|
||
dynamic "identity" { | ||
for_each = length(var.identity) != 0 ? var.identity : [] | ||
|
||
content { | ||
type = try(identity.value.type, "UserAssigned") | ||
identity_ids = try(identity.value.identity_ids, []) | ||
} | ||
} | ||
|
||
dynamic "encryption" { | ||
for_each = length(var.encryption) != 0 && length(var.identity) != 0 ? var.encryption : [] | ||
|
||
content { | ||
enabled = try(encryption.value.enabled, true) | ||
key_vault_key_id = try(encryption.value.key_vault_key_id) | ||
identity_client_id = try(encryption.value.identity_client_id) | ||
} | ||
} | ||
|
||
|
||
anonymous_pull_enabled = var.anonymous_pull_enabled | ||
data_endpoint_enabled = var.data_endpoint_enabled | ||
network_rule_bypass_option = var.network_rule_bypass_option | ||
|
||
tags = var.tags | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
output "id" { | ||
description = "The ID of the Container Registry." | ||
value = try(azurerm_container_registry.this[0].id, "") | ||
} | ||
|
||
output "login_server" { | ||
description = "The URL that can be used to log into the container registry." | ||
value = try(azurerm_container_registry.this[0].login_server, "") | ||
} | ||
|
||
output "admin_username" { | ||
description = "The Username associated with the Container Registry Admin account - if the admin account is enabled." | ||
value = try(azurerm_container_registry.this[0].admin_username, "") | ||
} | ||
|
||
output "admin_password" { | ||
description = "The Password associated with the Container Registry Admin account - if the admin account is enabled." | ||
value = try(azurerm_container_registry.this[0].admin_password, "") | ||
} |
Oops, something went wrong.