add ECR repo for finch rootfs image

Add an ECR repo to Finch infrastructure. this repository is where the image used as the basis for the Finch VM rootfs will live. Signed-off-by: Gavin Inglis <giinglis@amazon.com>
runfinch · Jul 21, 2023 · f58533c · f58533c
1 parent ebb2573
commit f58533c
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 2 deletions.
diff --git a/lib/continuous-integration-stack.ts b/lib/continuous-integration-stack.ts
@@ -1,13 +1,18 @@
 import * as cdk from 'aws-cdk-lib';
+import * as ecr from 'aws-cdk-lib/aws-ecr';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { Construct } from 'constructs';
 
 import { CloudfrontCdn } from './cloudfront_cdn';
 
+interface ContinuousIntegrationStackProps extends cdk.StackProps {
+  rootfsEcrRepository: ecr.Repository;
+}
+
 // ContinuousIntegrationStack - AWS stack for supporting Finch's continuous integration process
 export class ContinuousIntegrationStack extends cdk.Stack {
-  constructor(scope: Construct, id: string, stage: string, props?: cdk.StackProps) {
+  constructor(scope: Construct, id: string, stage: string, props: ContinuousIntegrationStackProps) {
     super(scope, id, props);
 
     const githubDomain = 'token.actions.githubusercontent.com';
@@ -43,6 +48,9 @@ export class ContinuousIntegrationStack extends cdk.Stack {
     });
     bucket.grantReadWrite(githubActionsRole);
 
+    const repo = props.rootfsEcrRepository;
+    repo.grantPullPush(githubActionsRole);
+
     new CloudfrontCdn(this, 'DependenciesCloudfrontCdn', {
       bucket
     });

diff --git a/lib/ecr-repo-stack.ts b/lib/ecr-repo-stack.ts
@@ -0,0 +1,24 @@
+import * as cdk from 'aws-cdk-lib';
+import { CfnOutput } from 'aws-cdk-lib';
+import * as ecr from 'aws-cdk-lib/aws-ecr';
+import { Construct } from 'constructs';
+
+export class ECRRepositoryStack extends cdk.Stack {
+  public readonly repositoryOutput: CfnOutput;
+  public readonly repository: ecr.Repository;
+  constructor(scope: Construct, id: string, stage: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+    const repoName = `finch-rootfs-image-${stage.toLowerCase()}`;
+    const ecrRepository = new ecr.Repository(this, 'finch-rootfs', {
+        repositoryName:repoName,
+        imageTagMutability: ecr.TagMutability.IMMUTABLE,
+        // TODO: CFN does not provide APIs for enhanced image scanning.
+        // create a custom stack that uses the AWS sdk to change the account ECR 
+        // scanning settings to enhanced.
+        imageScanOnPush: true,
+    });
+
+    this.repository = ecrRepository
+    this.repositoryOutput = new CfnOutput(this, 'ECR repository', { value: ecrRepository.repositoryName });
+  }
+}
diff --git a/lib/finch-pipeline-app-stage.ts b/lib/finch-pipeline-app-stage.ts
@@ -2,9 +2,11 @@ import * as cdk from 'aws-cdk-lib';
 import { CfnOutput } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import { ArtifactBucketCloudfrontStack } from './artifact-bucket-cloudfront';
+import * as ecr from 'aws-cdk-lib/aws-ecr';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import { ASGRunnerStack } from './asg-runner-stack';
 import { ContinuousIntegrationStack } from './continuous-integration-stack';
+import { ECRRepositoryStack } from './ecr-repo-stack';
 import { PVREReportingStack } from './pvre-reporting-stack';
 import { RunnerProps } from '../config/runner-config';
 
@@ -21,7 +23,9 @@ interface FinchPipelineAppStageProps extends cdk.StageProps {
 
 export class FinchPipelineAppStage extends cdk.Stage {
   artifactBucketCloudfrontUrlOutput: CfnOutput;
+  ecrRepositoryOutput: CfnOutput;
   public readonly cloudfrontBucket: s3.Bucket;
+  public readonly ecrRepository: ecr.Repository;
 
   constructor(scope: Construct, id: string, props: FinchPipelineAppStageProps) {
     super(scope, id, props);
@@ -44,7 +48,21 @@ export class FinchPipelineAppStage extends cdk.Stage {
       this.artifactBucketCloudfrontUrlOutput = artifactBucketCloudfrontStack.urlOutput;
       this.cloudfrontBucket = artifactBucketCloudfrontStack.bucket;
 
-      new ContinuousIntegrationStack(this, 'FinchContinuousIntegrationStack', this.stageName);
+      const ecrRepositoryCloudfrontStack = new ECRRepositoryStack(
+        this,
+        'ECRRepositoryStack',
+        this.stageName
+      );
+
+      this.ecrRepositoryOutput = ecrRepositoryCloudfrontStack.repositoryOutput;
+      this.ecrRepository = ecrRepositoryCloudfrontStack.repository;
+
+      new ContinuousIntegrationStack(
+        this, 
+        'FinchContinuousIntegrationStack', 
+        this.stageName, 
+        {rootfsEcrRepository: this.ecrRepository}
+      );
     }
 
     new PVREReportingStack(this, 'PVREReportingStack');

diff --git a/test/ecr-repo-stack.test.ts b/test/ecr-repo-stack.test.ts
@@ -0,0 +1,25 @@
+import * as cdk from 'aws-cdk-lib';
+import { Template, Match } from 'aws-cdk-lib/assertions';
+import { ECRRepositoryStack } from '../lib/ecr-repo-stack';
+
+describe('ECRRepositoryStack', () => {
+  test('synthesizes the way we expect', () => {
+    const app = new cdk.App();
+    const ecrRepo = new ECRRepositoryStack(app, 'ECRRepositoryStack', 'test');
+
+    // prepare the ECRRepositoryStack template for assertions
+    const template = Template.fromStack(ecrRepo);
+
+    // assert it creates the ecr repo with properties set.
+    template.resourceCountIs('AWS::ECR::Repository', 1);
+    template.hasResource('AWS::ECR::Repository', {
+      Properties: {
+        RepositoryName: Match.anyValue(),
+        ImageTagMutability: "IMMUTABLE",
+        ImageScanningConfiguration: {
+          ScanOnPush: true,
+        },
+      },
+    });
+  });
+})