From 922201d341761a3898aaf7e7869be82a0cb1fb7a Mon Sep 17 00:00:00 2001 From: Christian Kappen Date: Tue, 2 Jul 2024 15:14:07 +0200 Subject: [PATCH] fix(CO-740): Encrypt ECR --- examples/basic-example/main.tf | 2 +- main.tf | 7 ++++++- variables.tf | 32 +++++++++++++++++++++++--------- 3 files changed, 30 insertions(+), 11 deletions(-) diff --git a/examples/basic-example/main.tf b/examples/basic-example/main.tf index 580d95d..c341d0f 100644 --- a/examples/basic-example/main.tf +++ b/examples/basic-example/main.tf @@ -1,5 +1,5 @@ module "basic_example" { - source = "../../" + source = "../.." name = var.name } diff --git a/main.tf b/main.tf index 3fa002a..775a808 100644 --- a/main.tf +++ b/main.tf @@ -21,6 +21,11 @@ resource "aws_ecr_repository" "main" { image_tag_mutability = var.image_tag_mutability force_delete = var.force_delete + encryption_configuration { + encryption_type = var.encryption_type + kms_key = var.kms_key + } + image_scanning_configuration { scan_on_push = var.scan_on_push } @@ -46,7 +51,7 @@ resource "aws_ecr_lifecycle_policy" "main" { # to remove any null values from the JSON before sending it to AWS. data "jq_query" "main" { query = "del(..|nulls)" - data = jsonencode({ + data = jsonencode({ rules = [ for index, rule in var.lifecycle_rules : { rulePriority = index + 1 diff --git a/variables.tf b/variables.tf index 578121c..0b8e354 100644 --- a/variables.tf +++ b/variables.tf 
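Review bot: With the defaults this patch ships (`encryption_type = "AES256"`, `kms_key = null`) the new `encryption_configuration` block in the main.tf hunk does not change what the repository already had, because AES256 is ECR's built-in at-rest encryption; the gain only materialises when a caller opts into `encryption_type = "KMS"`, so "Encrypt ECR" overstates the default. Consider defaulting to `"KMS"` (with `kms_key = null` ECR should then fall back to the AWS-managed `aws/ecr` key, as far as I recall) or at least stating in the variable description that AES256 is the no-op default. As far as I know `encryption_configuration` is fixed at repository creation in the AWS provider, so flipping these variables on an existing module instance forces replacement of the repository, which fails with `force_delete = false` when images exist and silently destroys every image with `force_delete = true`; a comment on the block, `# NOTE: changing encryption settings replaces the repository (and its images)`, would warn callers. The `aws_ecr_repository.main` resource begins and ends outside this hunk.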
@@ -11,33 +11,33 @@ variable "tags" { } ## REPOSITORY +variable "encryption_type" { + description = "The encryption type to use for the repository." + default = "AES256" + type = string +} + variable "image_tag_mutability" { description = "The tag mutability setting for the repository." default = "MUTABLE" type = string } -variable "scan_on_push" { - description = "Indicates whether images are scanned after being pushed to the repository." - default = true - type = bool -} - variable "force_delete" { description = "Delete the repository even if it contains images." default = false type = bool } -variable "policy" { - description = "Repository policy document in JSON format." +variable "kms_key" { + description = "The ARN of the KMS key to use for encryption." default = null type = string } variable "lifecycle_rules" { description = "Lifecycle policy rules for expiring images." - default = [ + default = [ { description = "Keep the last 30 tagged images" tag_status = "tagged" @@ -62,3 +62,17 @@ variable "lifecycle_rules" { count_number = number })) } + +variable "policy" { + description = "Repository policy document in JSON format." + default = null + type = string +} + +variable "scan_on_push" { + description = "Indicates whether images are scanned after being pushed to the repository." + default = true + type = bool +} + +
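Review bot: The new `encryption_type` variable accepts any string, so a typo such as `"kms"` or `"aes256"` is only caught at apply time by the API; a `validation` block restricting it to the two values ECR supports would fail fast at plan time. The `kms_key` description should also say that it is only consulted when `encryption_type = "KMS"` and that `null` means the AWS-managed key (hedged: that is my reading of the service behaviour, not something the hunk shows), since nothing here prevents a caller from setting a key ARN together with AES256.
```hcl
variable "encryption_type" {
  # … unchanged: description, default, type …
  validation {
    condition     = contains(["AES256", "KMS"], var.encryption_type)
    error_message = "encryption_type must be either \"AES256\" or \"KMS\"."
  }
}
```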
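Review bot: The second variables.tf hunk ends with two added blank lines after `variable "scan_on_push"`, which `terraform fmt` will most likely strip again and any `fmt -check` step in CI would flag; drop them so the file ends with a single newline. While `policy` is being moved, it would also be a cheap win to validate it, since a malformed document is otherwise only rejected by the API on apply: `condition = var.policy == null || can(jsondecode(var.policy))` inside a `validation` block with a matching `error_message`.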