diff --git a/README.md b/README.md index 8e14576..4d5c74a 100644 --- a/README.md +++ b/README.md @@ -28,8 +28,9 @@ No requirements. | docker\_images\_defaults | Default values for the docker images variable. |
object({|
image_name = string
repo_prefix = string
include_tags = list(string)
exclude_tags = list(string)
})
{| no | | dockerhub\_credentials\_sm | AWS secretsmanager item name containing dockerhub credentials (keys:username and password). | `string` | `null` | no | | dockerhub\_credentials\_ssm | AWS SSM parameter store items containing dockerhub credentials. |
"exclude_tags": [],
"image_name": null,
"include_tags": [],
"repo_prefix": null
}
object({|
username_item = string
password_item = string
})
{| no | -| lambda\_function\_container | Ecr url of the docker container for the lambda function. | `string` | `null` | no | +| lambda\_function\_container\_uri | Ecr url of the docker container for the lambda function. | `string` | `null` | no | | lambda\_function\_name | Name of the lambda function. | `string` | `"ecr-image-sync"` | no | +| lambda\_function\_zipfile\_folder | Folder containing the zip file for the lambda function. | `string` | `"dist"` | no | | s3\_bucket | S3 bucket name for the storage of the csv file with the list of images to be synced. | `string` | `"ecr-image-sync"` | no | | schedule\_expression | Cloudwatch schedule event for the image synchronization in cron notation (UTC). | `string` | `"cron(0 6 * * ? *)"` | no | | tags | A mapping of tags assigned to the resources. | `map(string)` | `null` | no | diff --git a/dist/dist.txt b/dist/dist.txt new file mode 100644 index 0000000..8558b88 --- /dev/null +++ b/dist/dist.txt @@ -0,0 +1 @@ +folder for the lambda function zip file \ No newline at end of file diff --git a/dist/lambda-ecr-image-sync_0.0.1_Linux_x86_64.zip b/dist/lambda-ecr-image-sync_0.0.1_Linux_x86_64.zip deleted file mode 100644 index 67a8800..0000000 Binary files a/dist/lambda-ecr-image-sync_0.0.1_Linux_x86_64.zip and /dev/null differ diff --git a/dist/lambda-ecr-image-sync_0.0.2_Linux_x86_64.zip b/dist/lambda-ecr-image-sync_0.0.2_Linux_x86_64.zip new file mode 100644 index 0000000..9fe2442 Binary files /dev/null and b/dist/lambda-ecr-image-sync_0.0.2_Linux_x86_64.zip differ diff --git a/example/example.tf b/example/example.tf index 70b19b1..02db0b3 100644 --- a/example/example.tf +++ b/example/example.tf 
@@ -1,9 +1,10 @@ module "ecr-image-sync" { - source = "../" - dockerhub_credentials_sm = "aws_ssm_secret_name" //optional name of the aws secret item with dockerhub credentials , keys username & password - debug = true //optional turn on debug logging - default_repo_prefix = "/default/prefix" //optional default repo prefix for all images , is overridden by the individual setting - lambda_function_container = "aws/ecr/location/ecr-image-sync:latest" // optional if not using a container the function zip file should be in modulepath/dist + source = "../" + dockerhub_credentials_sm = "aws_ssm_secret_name" // optional name of the aws secret item with dockerhub credentials , keys username & password + debug = true // optional turn on debug logging + default_repo_prefix = "/default/prefix" // optional default repo prefix for all images , is overridden by the individual setting + lambda_function_container_uri = "1111111111.dkr.ecr.eu-west-1.amazonaws.com/aws/ecr/location/ecr-image-sync:latest" // optional the function container aws ecr location + lambda_function_zipfile_folder = "dist" // optional folfer containing the function zip file dockerhub_credentials_ssm = { // optional AWS SSM parameter store item names for dockerhub username and password username_item = "/dockerhub/username" diff --git a/main.tf b/main.tf index a7afb5e..5b76337 100644 --- a/main.tf +++ b/main.tf @@ -1,6 +1,6 @@ locals { - bucket_arn = var.create_bucket ? module.lambda_bucket[0].arn : data.aws_s3_bucket.existing[0].arn - bucket_name = var.create_bucket ? module.lambda_bucket[0].name : data.aws_s3_bucket.existing[0].id + bucket_arn = var.create_bucket ? aws_s3_bucket.lambda_bucket[0].arn : data.aws_s3_bucket.existing[0].arn + bucket_name = var.create_bucket ? aws_s3_bucket.lambda_bucket[0].id : data.aws_s3_bucket.existing[0].id images = flatten([ for k, v in var.docker_images : [{ image_name = k 
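Review bot: The example now points `lambda_function_container_uri` at a mutable `:latest` tag, so the function code that actually gets deployed is whatever was last pushed to that repository rather than a reviewed artifact; for a module whose function presumably has push access to ECR, the example should show a digest-pinned reference such as `…/ecr-image-sync@sha256:<digest>` (or at least an immutable version tag) and say why. The placeholder registry host `1111111111.dkr.ecr.eu-west-1.amazonaws.com` has ten digits where an AWS account ID has twelve, which is worth correcting so a copy-paste user gets a meaningful error rather than a puzzling one. The comment on the next line has a typo: `// optional folfer containing the function zip file` should read `// optional folder (relative to the module path) containing the function zip file`. The `module "ecr-image-sync"` block continues past the end of this hunk.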
@@ -10,7 +10,7 @@ locals { } ] ]) - lambda_zip = try("${path.module}/${[for f in fileset(path.module, "dist/*.zip") : f][0]}", "no zip file in dist") + lambda_zip = try("${path.module}/${[for f in fileset(path.module, "${var.lambda_function_zipfile_folder}/*.zip") : f][0]}", "no zip file in dist") } data "aws_caller_identity" "current" {} 
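Review bot: The fallback string in the `try()` still reads `"no zip file in dist"` although the folder now comes from `var.lambda_function_zipfile_folder`, and that placeholder is later passed to `filebase64sha256()` as if it were a path, so a missing archive surfaces as a confusing file-not-found error rather than a clear message. The `[...][0]` selection also silently takes whichever `*.zip` sorts first when several are present, which is exactly how a stale build left beside a new one gets deployed unnoticed. I would write `lambda_zip = one([for f in fileset(path.module, "${var.lambda_function_zipfile_folder}/*.zip") : "${path.module}/${f}"])`, since `one()` yields null for an empty set and fails at plan time on an ambiguous folder, making the `try()` wrapper and the placeholder unnecessary; this needs Terraform 0.15+ and should be checked against the conditionals in `aws_lambda_function` in both package modes. The `locals` block starts outside this hunk.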
@@ -26,25 +26,38 @@ data "aws_s3_bucket" "existing" { bucket = var.s3_bucket } -module "lambda_bucket" { +#tfsec:ignore:AWS002 +resource "aws_s3_bucket" "lambda_bucket" { count = var.create_bucket ? 1 : 0 - source = "github.com/schubergphilis/terraform-aws-mcaf-s3?ref=v0.1.10" - name = "${var.s3_bucket}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}" + acl = "private" + bucket = "${var.s3_bucket}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}" force_destroy = true - kms_key_id = data.aws_kms_alias.s3.target_key_arn - versioning = true tags = var.tags + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = data.aws_kms_alias.s3.target_key_arn + sse_algorithm = "aws:kms" + } + } + } + + versioning { + enabled = true + } + } resource "aws_lambda_function" "lambda_function" { function_name = var.lambda_function_name - filename = var.lambda_function_container == null ? local.lambda_zip : null - image_uri = var.lambda_function_container != null ? "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${var.lambda_function_container}" : null - package_type = var.lambda_function_container != null ? "Image" : "Zip" - handler = var.lambda_function_container == null ? "main" : null + filename = var.lambda_function_container_uri == null ? local.lambda_zip : null + handler = var.lambda_function_container_uri == null ? "main" : null + image_uri = var.lambda_function_container_uri == null ? null : var.lambda_function_container_uri + package_type = var.lambda_function_container_uri == null ? "Zip" : "Image" role = aws_iam_role.lambda_assume_role.arn - runtime = var.lambda_function_container == null ? "go1.x" : null - source_code_hash = var.lambda_function_container == null ? filebase64sha256(local.lambda_zip) : null + runtime = var.lambda_function_container_uri == null ? 
"go1.x" : null + source_code_hash = var.lambda_function_container_uri == null ? filebase64sha256(local.lambda_zip) : null tags = var.tags environment { diff --git a/variables.tf b/variables.tf index 2c8cd16..9d48cb8 100644 --- a/variables.tf +++ b/variables.tf @@ -67,7 +67,7 @@ variable "docker_images" { description = "List of docker images to sync from Docker Hub to ECR." } -variable "lambda_function_container" { +variable "lambda_function_container_uri" { type = string description = "Ecr url of the docker container for the lambda function." default = null @@ -79,6 +79,12 @@ variable "lambda_function_name" { default = "ecr-image-sync" } +variable "lambda_function_zipfile_folder" { + type = string + description = "Folder containing the zip file for the lambda function." + default = "dist" +} + variable "schedule_expression" { type = string description = "Cloudwatch schedule event for the image synchronization in cron notation (UTC)."
"password_item": null,
"username_item": null
}