Create policy document even if there is no principal to attach it to (#…

…30)

.gitignore

@@ -5,9 +5,6 @@
 *.tfstate
 *.tfstate.*
 
-# .tfvars files
-*.tfvars
-
 **/.idea
 **/*.iml
 

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2017-2018 Cloud Posse, LLC
+   Copyright 2017-2019 Cloud Posse, LLC
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -3,7 +3,7 @@
 
 [![Cloud Posse][logo]](https://cpco.io/homepage)
 
-# terraform-aws-ecr [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-ecr.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-ecr) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-ecr.svg)](https://github.com/cloudposse/terraform-aws-ecr/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
+# terraform-aws-ecr [![Codefresh Build Status](https://g.codefresh.io/api/badges/pipeline/cloudposse/terraform-modules%2Fterraform-aws-ecr?type=cf-1)](https://g.codefresh.io/public/accounts/cloudposse/pipelines/5d182cb1ac440444a6c0082b) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-ecr.svg)](https://github.com/cloudposse/terraform-aws-ecr/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
 
 
 Terraform module to provision an [`AWS ECR Docker Container registry`](https://aws.amazon.com/ecr/).

README.yaml

@@ -32,9 +32,9 @@ github_repo: cloudposse/terraform-aws-ecr
 
 # Badges to display
 badges:
-  - name: "Build Status"
-    image: "https://travis-ci.org/cloudposse/terraform-aws-ecr.svg?branch=master"
-    url: "https://travis-ci.org/cloudposse/terraform-aws-ecr"
+  - name: "Codefresh Build Status"
+    image: "https://g.codefresh.io/api/badges/pipeline/cloudposse/terraform-modules%2Fterraform-aws-ecr?type=cf-1"
+    url: "https://g.codefresh.io/public/accounts/cloudposse/pipelines/5d182cb1ac440444a6c0082b"
   - name: "Latest Release"
     image: "https://img.shields.io/github/release/cloudposse/terraform-aws-ecr.svg"
     url: "https://github.com/cloudposse/terraform-aws-ecr/releases/latest"

codefresh/test.yml

@@ -0,0 +1,68 @@
+version: '1.0'
+
+stages:
+  - Prepare
+  - Test
+
+steps:
+  wait:
+    title: Wait
+    stage: Prepare
+    image: codefresh/cli:latest
+    commands:
+      - codefresh get builds --pipeline=${{CF_REPO_NAME}} --status running --limit 1000 -o json | jq --arg id ${{CF_BUILD_ID}} -ser 'flatten|.[-1].id==$id'
+    retry:
+      maxAttempts: 10
+      delay: 20
+      exponentialFactor: 1.1
+
+  main_clone:
+    title: "Clone repository"
+    type: git-clone
+    stage: Prepare
+    description: "Initialize"
+    repo: ${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
+    git: CF-default
+    revision: ${{CF_REVISION}}
+
+  clean_init:
+    title: Prepare build-harness and test-harness
+    image: ${{TEST_IMAGE}}
+    stage: Prepare
+    commands:
+      - cf_export PATH="/usr/local/terraform/0.11/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+      - which terraform
+      - terraform version
+      - make init
+      - git -C build-harness checkout master
+      - make -C test/ clean init TEST_HARNESS_BRANCH=master
+      - find . -type d -name '.terraform' | xargs rm -rf
+      - find . -type f -name 'terraform.tfstate*' -exec rm -f {} \;
+
+  test:
+    type: "parallel"
+    title: "Run tests"
+    description: "Run all tests in parallel"
+    stage: Test
+    steps:
+      test_readme_lint:
+        title: "Test README.md updated"
+        stage: "Test"
+        image: ${{TEST_IMAGE}}
+        description: Test "readme/lint"
+        commands:
+          - make readme/lint
+
+      test_module:
+        title: Test module with bats
+        image: ${{TEST_IMAGE}}
+        stage: Test
+        commands:
+          - make -C test/ module
+
+      test_examples_complete:
+        title: Test "examples/complete" with bats
+        image: ${{TEST_IMAGE}}
+        stage: Test
+        commands:
+          - make -C test/ examples/complete

examples/complete/fixtures.us-west-1.tfvars

@@ -0,0 +1,7 @@
+region = "us-west-1"
+
+namespace = "eg"
+
+stage = "test"
+
+name = "ecr-test"

examples/complete/main.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  region = "${var.region}"
+}
+
+module "ecr" {
+  source    = "../../"
+  namespace = "${var.namespace}"
+  stage     = "${var.stage}"
+  name      = "${var.name}"
+}

examples/complete/outputs.tf

@@ -0,0 +1,14 @@
+output "registry_id" {
+  value       = "${module.ecr.registry_id}"
+  description = "Registry ID"
+}
+
+output "registry_url" {
+  value       = "${module.ecr.registry_url}"
+  description = "Registry URL"
+}
+
+output "repository_name" {
+  value       = "${module.ecr.repository_name}"
+  description = "Registry name"
+}

examples/complete/variables.tf

@@ -0,0 +1,15 @@
+variable "region" {
+  type = "string"
+}
+
+variable "namespace" {
+  type = "string"
+}
+
+variable "name" {
+  type = "string"
+}
+
+variable "stage" {
+  type = "string"
+}

main.tf

@@ -1,7 +1,10 @@
 locals {
   principals_readonly_access_non_empty = "${signum(length(var.principals_readonly_access))}"
   principals_full_access_non_empty     = "${signum(length(var.principals_full_access))}"
-  ecr_need_policy                      = "${length(var.principals_full_access) + length(var.principals_readonly_access) > 0 ? "true" : "false"}"
+
+  ## ecr_need_policy was intended to prevent creating a policy if we did not have any principals to attach it to,
+  ## but it does not work because Terraform does not pass the lengths of lists across modules.
+  # ecr_need_policy = "${length(var.principals_full_access) + length(var.principals_readonly_access) > 0 ? "true" : "false"}"
 }
 
 module "label" {
@@ -118,11 +121,14 @@ data "aws_iam_policy_document" "resource_full_access" {
 data "aws_iam_policy_document" "resource" {
   source_json   = "${local.principals_readonly_access_non_empty ? data.aws_iam_policy_document.resource_readonly_access.json : data.aws_iam_policy_document.empty.json}"
   override_json = "${local.principals_full_access_non_empty ? data.aws_iam_policy_document.resource_full_access.json : data.aws_iam_policy_document.empty.json}"
-  "statement"   = []
+  statement     = []
 }
 
 resource "aws_ecr_repository_policy" "default" {
-  count      = "${(local.ecr_need_policy == "true" && var.enabled == "true") ? 1 : 0}"
+  ## Unfortunately, ecr_need_policy does not work due to Terraform limitations, so we just leave it out
+  # count      = "${(local.ecr_need_policy == "true" && var.enabled == "true") ? 1 : 0}"
+  count = "${var.enabled == "true" ? 1 : 0}"
+
   repository = "${aws_ecr_repository.default.name}"
   policy     = "${data.aws_iam_policy_document.resource.json}"
 }

test/.gitignore

@@ -0,0 +1 @@
+.test-harness

test/Makefile

@@ -0,0 +1,43 @@
+TEST_HARNESS ?= https://github.com/cloudposse/test-harness.git
+TEST_HARNESS_BRANCH ?= master
+TEST_HARNESS_PATH = $(realpath .test-harness)
+BATS_ARGS ?= --tap
+BATS_LOG ?= test.log
+
+# Define a macro to run the tests
+define RUN_TESTS
+@echo "Running tests in $(1)"
+@cd $(1) && bats $(BATS_ARGS) $(addsuffix .bats,$(addprefix $(TEST_HARNESS_PATH)/test/terraform/,$(TESTS)))
+endef
+
+default: all
+
+-include Makefile.*
+
+## Provision the test-harnesss
+.test-harness:
+	[ -d $@ ] || git clone --depth=1 -b $(TEST_HARNESS_BRANCH) $(TEST_HARNESS) $@
+
+## Initialize the tests
+init: .test-harness
+
+## Install all dependencies (OS specific)
+deps::
+	@exit 0
+
+## Clean up the test harness
+clean:
+	[ "$(TEST_HARNESS_PATH)" == "/" ] || rm -rf $(TEST_HARNESS_PATH)
+
+## Run all tests
+all: module examples/complete
+
+## Run basic sanity checks against the module itself
+module: export TESTS ?= installed lint get-modules module-pinning get-plugins validate terraform-docs input-descriptions output-descriptions
+module: deps
+	$(call RUN_TESTS, ../)
+
+## Run tests against example
+examples/complete: export TESTS ?= installed lint get-modules get-plugins validate
+examples/complete: deps
+	$(call RUN_TESTS, ../$@)

test/Makefile.alpine

@@ -0,0 +1,5 @@
+ifneq (,$(wildcard /sbin/apk))
+## Install all dependencies for alpine
+deps:: init
+	@apk add --update terraform-docs@cloudposse json2hcl@cloudposse
+endif

versions.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = "~> 0.11.0"
+}