Adding encryption_type to allow using kms without passing key id and adding ecr:ListImages for argocd-image-updater (#21)

* Adding encryption_type to allow using kms without passing key id and adding ecr:ListImages for argocd-image-updater

* terraform-docs: automated update action

---------

Co-authored-by: adenot <adenot@users.noreply.github.com>
adenot and adenot authored Dec 11, 2024
1 parent 6c06ca0 commit 83830eb
Showing 4 changed files with 11 additions and 3 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -31,6 +31,7 @@ The following resources will be created:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| encryption\_type | Encryption type, KMS or AES256. When kms\_key\_arn is passed, encryption\_type is always KMS | `string` | `"KMS"` | no |
| image\_tag\_mutability | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE. | `string` | `"MUTABLE"` | no |
| kms\_key\_arn | KMS Key ARN to use a CMK instead of default key | `string` | `""` | no |
| lifecycle\_policy | JSON formatted string ECR repository lifecycle policy. | `string` | `""` | no |
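Review bot: the description in the added `encryption\_type` row leaves the main new case undocumented: what happens when `encryption_type` is `"KMS"` and `kms_key_arn` stays at its default `""`. In that case ECR encrypts with the AWS-managed key for ECR rather than a customer-managed key, which is exactly the behaviour this commit enables, so say it explicitly, e.g. `Encryption type, KMS or AES256. KMS without kms_key_arn uses the AWS-managed ECR key; when kms_key_arn is passed, encryption_type is always KMS`.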
8 changes: 7 additions & 1 deletion _variables.tf
Expand Up @@ -7,6 +7,12 @@ variable "trust_accounts" {
description = "Accounts to trust and allow ECR fetch"
}

variable "encryption_type" {
type = string
description = "Encryption type, KMS or AES256. When kms_key_arn is passed, encryption_type is always KMS"
default = "KMS"
}

variable "kms_key_arn" {
type = string
description = "KMS Key ARN to use a CMK instead of default key"
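Review bot: `variable "encryption_type"` accepts any string even though its description restricts it to KMS or AES256, so a value such as `"kms"` or `"aes256"` only fails at apply time with an API error. Add a validation block under the default, e.g. `validation { condition = contains(["KMS", "AES256"], var.encryption_type) error_message = "encryption_type must be KMS or AES256." }`, so the mistake is caught at plan time.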
Expand Down Expand Up @@ -35,4 +41,4 @@ variable "tags" {
description = "Map of tags that will be added to created resources. By default resources will be tagged with name and environment."
type = map(string)
default = {}
}
}
3 changes: 2 additions & 1 deletion ecr-policies.tf
Expand Up @@ -21,7 +21,8 @@ data "aws_iam_policy_document" "default" {
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:DescribeImageScanFindings"
"ecr:DescribeImageScanFindings",
"ecr:ListImages"
]
}
}
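Review bot: `"ecr:ListImages"` is added to the shared `aws_iam_policy_document.default`, so every account in `trust_accounts` gains the ability to enumerate all image tags in the repository, not only the argocd-image-updater principal named in the commit message. That is a modest widening of the cross-account read grant and reasonable for a pull-only policy, but it should be mentioned in the README alongside the new variable, and a short comment on the added line (e.g. `"ecr:ListImages" # tag discovery for argocd-image-updater`) would record why it is there.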
2 changes: 1 addition & 1 deletion ecr-repositories.tf
Expand Up @@ -3,7 +3,7 @@ resource "aws_ecr_repository" "default" {
image_tag_mutability = var.image_tag_mutability

encryption_configuration {
encryption_type = var.kms_key_arn != "" ? "KMS" : "AES256"
encryption_type = var.kms_key_arn != "" ? "KMS" : var.encryption_type
kms_key = var.kms_key_arn
}

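Review bot: the new expression changes the default for callers that never set `kms_key_arn`: they previously got `"AES256"` from the removed line and now get `var.encryption_type`, whose default is `"KMS"`. ECR encryption settings cannot be changed on an existing repository, so for those users the next apply will plan a replacement of `aws_ecr_repository.default` (and the loss of the images in it) unless they explicitly set `encryption_type = "AES256"`. Either keep the previous behaviour as the default so the KMS path is opt-in, or document the migration prominently in the README and commit message.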

0 comments on commit 83830eb