in cdk/lib/environment-agnostic-resources.ts [15:64]
/**
 * Creates the ECR repository for mobile-fastly-cache-purger images, an IAM
 * role that GitHub Actions can assume via OIDC to push to that repository,
 * and CloudFormation exports for the repository ARN and name.
 *
 * @param scope - CDK app that owns this stack; forwarded to the base class.
 * @param id - Construct id of the stack; forwarded to the base class.
 * @param props - Stack properties; forwarded to the base class.
 */
constructor(scope: App, id: string, props: GuStackProps) {
  super(scope, id, props);

  // Tags are immutable, so a pushed tag cannot later be overwritten with a
  // different image, and every image is scanned when it is pushed.
  const imageRepo = new Repository(this, 'mobile-fastly-cache-purger-repo', {
    repositoryName: 'mobile-fastly-cache-purger',
    imageScanOnPush: true,
    imageTagMutability: TagMutability.IMMUTABLE
  });

  // GitHub's OIDC identity provider as registered in the Mobile AWS account.
  const githubOidcProviderArn = `arn:aws:iam::${GuardianAwsAccounts.Mobile}:oidc-provider/token.actions.githubusercontent.com`;

  // Trust conditions on the GitHub-issued token:
  //  - `aud` must be exactly the STS audience;
  //  - `sub` must belong to the guardian/mobile-fastly-cache-purger repository.
  // NOTE(review): the trailing `:*` under StringLike accepts every ref, pull
  // request and environment subject of that repository, so any workflow run
  // there can obtain push credentials. If images are only published from one
  // branch or environment, narrowing the pattern to that subject would reduce
  // the blast radius. Confirm against the workflow before changing.
  const githubTrustConditions = {
    "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" },
    "StringLike": { "token.actions.githubusercontent.com:sub": "repo:guardian/mobile-fastly-cache-purger:*" }
  };

  const githubActionsPrincipal = new FederatedPrincipal(
    githubOidcProviderArn,
    githubTrustConditions,
    "sts:AssumeRoleWithWebIdentity"
  );

  // ecr:GetAuthorizationToken does not support resource-level permissions,
  // which is why this statement (and only this one) uses a wildcard resource.
  const ecrTokenStatement = new PolicyStatement({
    actions: ['ecr:GetAuthorizationToken'],
    resources: ['*']
  });

  // Push-only permissions, scoped to the repository created above. No
  // pull or delete actions are granted here.
  const ecrUploadStatement = new PolicyStatement({
    actions: [
      'ecr:CompleteLayerUpload',
      'ecr:UploadLayerPart',
      'ecr:InitiateLayerUpload',
      'ecr:BatchCheckLayerAvailability',
      'ecr:PutImage'
    ],
    resources: [imageRepo.repositoryArn]
  });

  new Role(this, 'CIRole', {
    assumedBy: githubActionsPrincipal,
    inlinePolicies: {
      ecrToken: new PolicyDocument({ statements: [ecrTokenStatement] }),
      ecrUpload: new PolicyDocument({ statements: [ecrUploadStatement] })
    }
  });

  // Export the repository identifiers so other stacks can import them by name.
  new CfnOutput(this, "mobile-fastly-cache-purger-repository-arn", {
    value: imageRepo.repositoryArn,
    exportName: "mobile-fastly-cache-purger-repository-arn",
  });
  new CfnOutput(this, "mobile-fastly-cache-purger-repository-name", {
    value: imageRepo.repositoryName,
    exportName: "mobile-fastly-cache-purger-repository-name",
  });
}