Merge pull request #6 from martijnvdp/update
update
martijnvdp committed Apr 7, 2021
2 parents 1801249 + 79b5731 commit 871801c
Showing 7 changed files with 87 additions and 76 deletions.
5 changes: 3 additions & 2 deletions README.md
Expand Up @@ -14,14 +14,15 @@ No requirements.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| docker\_images | List of docker images to sync from Docker Hub to ECR. | <pre>list(object({<br> image_name = string<br> repo_prefix = string<br> include_tags = list(string)<br> exclude_tags = list(string)<br> }))</pre> | n/a | yes |
| tags | A mapping of tags assigned to the resources. | `map(string)` | n/a | yes |
| codebuild\_project\_name | Name of the codebuild project. | `string` | `"ecr-image-sync"` | no |
| codepipeline\_name | Name of the codepipeline. | `string` | `"ecr-image-sync"` | no |
| create\_bucket | Whether or not or not to create the s3 bucket. | `bool` | `true` | no |
| docker\_images | List of docker images to sync from Docker Hub to ECR. | `any` | `{}` | no |
| docker\_images\_defaults | Default values for the docker images variable. | <pre>object({<br> image_name = string<br> repo_prefix = string<br> include_tags = list(string)<br> exclude_tags = list(string)<br> })</pre> | <pre>{<br> "exclude_tags": [],<br> "image_name": null,<br> "include_tags": [],<br> "repo_prefix": null<br>}</pre> | no |
| lambda\_function\_name | Name of the lambda function. | `string` | `"ecr-image-sync"` | no |
| s3\_bucket | S3 bucket name for the storage of the csv file with the list of images to be synced. | `string` | `"ecr-image-sync"` | no |
| schedule | Cloudwatch schedule event for the image synchronization in cron notation (UTC). | <pre>object({<br> name = string<br> expression = string<br> description = string<br> })</pre> | <pre>{<br> "description": "Synchronization cloudwatch schedule of the public docker images.",<br> "expression": "cron(0 6 * * ? *)",<br> "name": "ecr-schedule-public-images-sync"<br>}</pre> | no |
| schedule\_expression | Cloudwatch schedule event for the image synchronization in cron notation (UTC). | `string` | `"cron(0 6 * * ? *)"` | no |

## Outputs

Binary file added dist/lambda-ecr-image-sync_0.0.1_Linux_x86_64.zip
Binary file removed dist/main.zip
20 changes: 8 additions & 12 deletions example/example.tf
@@ -1,18 +1,14 @@
// all 4 fields are required for the docker images https://github.com/hashicorp/terraform/issues/19898
module "ecr-image-sync" {
source = "../"
docker_images = [
{
image_name = "hashicorp/tfc-agent" // full image name on docker
repo_prefix = "int/ecr" // ecr repo prefix
include_tags = ["latest"] // list of tags to be included
exclude_tags = [] // list of tags to be excluded
},
{
image_name = "datadog/agent"
docker_images = {
"hashicorp/tfc-agent" = { // full image name on docker
repo_prefix = "int/ecr" // ecr repo prefix
include_tags = ["latest"] // list of tags to be included
exclude_tags = [] // list of tags to be excluded
}
"datadog/agent" = {
repo_prefix = "int/ecr"
include_tags = []
exclude_tags = ["latest", "6.27.0-rc.1"]
}
]
}
}
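Review bot: The first context line of the hunk, `// all 4 fields are required for the docker images https://github.com/hashicorp/terraform/issues/19898`, is stale once this change lands: the image name is now the map key, and `repo_prefix`, `include_tags` and `exclude_tags` fall back to `var.docker_images_defaults` via `try()` in main.tf, so none of the four old fields is required any more. Suggest replacing it with `// keys are the full image name on Docker Hub; repo_prefix/include_tags/exclude_tags fall back to var.docker_images_defaults when omitted`. It is also worth a sentence that, because `docker_images` is now typed `any`, a misspelled attribute such as `include_tag` is silently replaced by the default rather than rejected by `terraform validate`, so the example should show every attribute explicitly (as it does here) and say why.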
38 changes: 20 additions & 18 deletions iam.tf
@@ -1,5 +1,4 @@
data "aws_iam_policy_document" "lambda_assume_role" {

statement {
actions = ["sts:AssumeRole"]
effect = "Allow"
Expand All @@ -12,39 +11,40 @@ data "aws_iam_policy_document" "lambda_assume_role" {
}

data "aws_iam_policy_document" "lambda" {

statement {
effect = "Allow"
effect = "Allow"
resources = ["arn:aws:logs:*:*:*", ]

actions = [
"logs:PutLogEvents",
"logs:CreateLogGroup",
"logs:CreateLogStream",
]
resources = ["arn:aws:logs:*:*:*", ]
}

statement {
effect = "Allow"
effect = "Allow"
resources = ["${local.bucket_arn}/*", ]

actions = [
"s3:GetObject",
"s3:PutObject",
]
resources = ["${local.bucket_arn}/*", ]
}

statement {
effect = "Allow"
effect = "Allow"
resources = ["*", ]

actions = [
"ecr:DescribeRepositories",
"ecr:ListTagsForResource",
"ecr:ListImages"
]
resources = ["*", ]
}
}

data "aws_iam_policy_document" "codebuild_assume_role" {

statement {
actions = ["sts:AssumeRole"]
effect = "Allow"
Expand All @@ -57,38 +57,39 @@ data "aws_iam_policy_document" "codebuild_assume_role" {
}

data "aws_iam_policy_document" "codebuild" {

statement {
effect = "Allow"
effect = "Allow"
resources = ["*", ]

actions = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
resources = ["*", ]
}

statement {
effect = "Allow"

actions = [
"s3:GetObject",
"s3:PutObject"
]

resources = [
local.bucket_arn,
"${local.bucket_arn}/*",
]
}

statement {
effect = "Allow"
actions = ["ecr:*"]
effect = "Allow"
resources = ["*", ]
}
}

data "aws_iam_policy_document" "codepipeline_assume_role" {

statement {
actions = ["sts:AssumeRole"]
effect = "Allow"
Expand All @@ -101,28 +102,30 @@ data "aws_iam_policy_document" "codepipeline_assume_role" {
}

data "aws_iam_policy_document" "codepipeline" {

statement {
effect = "Allow"

actions = [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning",
"s3:PutObject"
]

resources = [
local.bucket_arn,
"${local.bucket_arn}/*"
]
}

statement {
effect = "Allow"
effect = "Allow"
resources = ["*", ]

actions = [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild"
]
resources = ["*", ]
}
}

Expand Down Expand Up @@ -155,4 +158,3 @@ resource "aws_iam_role_policy" "codepipeline_role" {
role = aws_iam_role.codepipeline_assume_role.name
policy = data.aws_iam_policy_document.codepipeline.json
}
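Review bot: In the `codebuild` policy document hunk, the statement `actions = ["ecr:*"]` with `resources = ["*", ]` gives the build role full ECR control (delete repositories, change repository policies, put lifecycle policies) on every repository in the account, while the commit only reorders its `effect` line. A sync job needs `ecr:GetAuthorizationToken` account-wide (it has no resource-level scope) and the pull/push and create actions only on the repositories it writes to; the prefix is known from `local.images[*].repo_prefix` in main.tf, although the exact repository naming the Lambda/CodeBuild job uses is not visible in this diff and should be confirmed before scoping the ARNs. The same wildcard pattern appears in the `lambda` document's `ecr:Describe*`/`List*` statement and in the CodeBuild `logs:*` statement, but those are read-only or log-scoped and are less urgent. A split along these lines would replace the single statement:

```hcl
  statement {
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  statement {
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage",
      "ecr:CreateRepository",
      "ecr:DescribeRepositories",
    ]
    # placeholder ARN pattern — confirm how repositories are named (repo_prefix/image?) before using
    resources = distinct([
      for i in local.images :
      "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${i.repo_prefix}/*"
    ])
  }
```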

68 changes: 38 additions & 30 deletions main.tf
@@ -1,3 +1,18 @@
locals {
bucket_arn = var.create_bucket ? module.lambda_bucket[0].arn : data.aws_s3_bucket.existing[0].arn
bucket_name = var.create_bucket ? module.lambda_bucket[0].name : data.aws_s3_bucket.existing[0].id
images = flatten([
for k, v in var.docker_images : [{
image_name = k
repo_prefix = try(v.repo_prefix, var.docker_images_defaults.repo_prefix)
include_tags = try(v.include_tags, var.docker_images_defaults.include_tags)
exclude_tags = try(v.exclude_tags, var.docker_images_defaults.exclude_tags)
}
]
])
lambda_zip = "${path.module}/${[for f in fileset(path.module, "dist/*.zip") : f][0]}"
}

data "aws_caller_identity" "current" {}

data "aws_region" "current" {}
Expand All @@ -11,60 +26,54 @@ data "aws_s3_bucket" "existing" {
bucket = var.s3_bucket
}

locals {
bucket_name = var.create_bucket ? module.lambda_bucket[0].name : data.aws_s3_bucket.existing[0].id
bucket_arn = var.create_bucket ? module.lambda_bucket[0].arn : data.aws_s3_bucket.existing[0].arn
}

module "lambda_bucket" {
count = var.create_bucket ? 1 : 0
source = "github.com/schubergphilis/terraform-aws-mcaf-s3?ref=v0.1.10"
name = var.s3_bucket
tags = var.tags
versioning = true
name = "${var.s3_bucket}-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"
force_destroy = true
kms_key_id = data.aws_kms_alias.s3.target_key_arn
versioning = true
tags = var.tags
}

resource "aws_lambda_function" "lambda_function" {
function_name = var.lambda_function_name
filename = local.lambda_zip
handler = "main"
runtime = "go1.x"
role = aws_iam_role.lambda_assume_role.arn
filename = "${path.module}/dist/main.zip"
source_code_hash = filebase64sha256("${path.module}/dist/main.zip")
timeout = 820
runtime = "go1.x"
source_code_hash = filebase64sha256(local.lambda_zip)
tags = var.tags

environment {
variables = {
IMAGES = jsonencode(var.docker_images)
REGION = data.aws_region.current.name
BUCKET_NAME = local.bucket_name
AWS_ACCOUNT_ID = data.aws_caller_identity.current.account_id
BUCKET_NAME = local.bucket_name
IMAGES = jsonencode(local.images)
REGION = data.aws_region.current.name
}
}
}

resource "aws_cloudwatch_event_rule" "event_rule" {
name = var.schedule.name
description = var.schedule.description
schedule_expression = var.schedule.expression
name = "ecr-images-sync-schedule"
description = "Synchronization cloudwatch schedule of the public docker images."
schedule_expression = var.schedule_expression
tags = var.tags
}

resource "aws_cloudwatch_event_target" "event_check" {
arn = aws_lambda_function.lambda_function.arn
rule = aws_cloudwatch_event_rule.event_rule.name
target_id = "ecr-image-sync"
arn = aws_lambda_function.lambda_function.arn
}

resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda" {
statement_id = "AllowExecutionFromCloudWatch"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.lambda_function.id
action = "lambda:InvokeFunction"
principal = "events.amazonaws.com"
source_arn = aws_cloudwatch_event_rule.event_rule.arn
statement_id = "AllowExecutionFromCloudWatch"
}

resource "aws_codebuild_project" "ecr_pull_push" {
Expand All @@ -78,15 +87,15 @@ resource "aws_codebuild_project" "ecr_pull_push" {
}

cache {
type = "LOCAL"
modes = ["LOCAL_SOURCE_CACHE"]
type = "LOCAL"
}

environment {
compute_type = "BUILD_GENERAL1_MEDIUM"
image = "aws/codebuild/standard:2.0"
type = "LINUX_CONTAINER"
privileged_mode = true
type = "LINUX_CONTAINER"

environment_variable {
name = "AWS_REGION"
Expand All @@ -100,8 +109,8 @@ resource "aws_codebuild_project" "ecr_pull_push" {
}

source {
type = "CODEPIPELINE"
buildspec = file("${path.module}/buildspec.yml")
type = "CODEPIPELINE"
}
}

Expand All @@ -124,16 +133,16 @@ resource "aws_codepipeline" "pl_ecr_pull_push" {
name = "Source"

action {
name = "Source"
category = "Source"
name = "Source"
output_artifacts = ["source"]
owner = "AWS"
provider = "S3"
version = "1"
output_artifacts = ["source"]

configuration = {
S3Bucket = local.bucket_name
PollForSourceChanges = "true"
S3Bucket = local.bucket_name
S3ObjectKey = "images.zip"
}
}
Expand All @@ -143,11 +152,11 @@ resource "aws_codepipeline" "pl_ecr_pull_push" {
name = "Build"

action {
name = "Build"
category = "Build"
input_artifacts = ["source"]
name = "Build"
owner = "AWS"
provider = "CodeBuild"
input_artifacts = ["source"]
version = "1"

configuration = {
Expand All @@ -156,4 +165,3 @@ resource "aws_codepipeline" "pl_ecr_pull_push" {
}
}
}
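Review bot: In the first hunk (`locals`), `lambda_zip = "${path.module}/${[for f in fileset(path.module, "dist/*.zip") : f][0]}"` deploys whichever zip happens to sort first in `dist/`, so a second artifact left in that directory (the old `dist/main.zip` is removed in this very commit, but a future one could reappear) changes the function code without any plan-visible intent, and an empty `dist/` fails with an index error rather than a readable message. Since the artifact is shipped with the module, pin it: `lambda_zip = "${path.module}/dist/lambda-ecr-image-sync_0.0.1_Linux_x86_64.zip"` (the file added in this commit), or at least comment that exactly one zip is expected in `dist/`. In the `lambda_bucket` hunk, `force_destroy = true` on a versioned bucket means `terraform destroy` wipes every object version of the image list without confirmation; if that is intended, a comment saying so would help, otherwise it should be a variable defaulting to `false`. `data.aws_kms_alias.s3` referenced by `kms_key_id` is not visible in this diff and is presumably declared elsewhere in the module.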

32 changes: 18 additions & 14 deletions variables.tf
Expand Up @@ -16,14 +16,26 @@ variable "create_bucket" {
default = true
}

variable "docker_images" {
type = list(object({
variable "docker_images_defaults" {
type = object({
image_name = string
repo_prefix = string
include_tags = list(string)
exclude_tags = list(string)
}))
})
description = "Default values for the docker images variable."
default = {
image_name = null
repo_prefix = null
include_tags = []
exclude_tags = []
}
}

variable "docker_images" {
type = any
description = "List of docker images to sync from Docker Hub to ECR."
default = {}
}

variable "lambda_function_name" {
Expand All @@ -32,18 +44,10 @@ variable "lambda_function_name" {
default = "ecr-image-sync"
}

variable "schedule" {
type = object({
name = string
expression = string
description = string
})
variable "schedule_expression" {
type = string
description = "Cloudwatch schedule event for the image synchronization in cron notation (UTC)."
default = {
name = "ecr-schedule-public-images-sync"
expression = "cron(0 6 * * ? *)"
description = "Synchronization cloudwatch schedule of the public docker images."
}
default = "cron(0 6 * * ? *)"
}

variable "s3_bucket" {
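Review bot: In the first hunk, the `image_name` attribute of `docker_images_defaults` (typed and defaulted to `null`) is never read: `local.images` in main.tf takes the image name from the map key (`image_name = k`) and only falls back to the defaults for `repo_prefix`, `include_tags` and `exclude_tags`, so the attribute is dead and misleading to callers. Either drop it from the object type and default, or add `# image_name is taken from the docker_images map key and is ignored here`. The `docker_images` description, `"List of docker images to sync from Docker Hub to ECR."`, is also outdated now that the type is `any` with a `{}` default and is consumed as a map; suggest `description = "Map of docker images to sync from Docker Hub to ECR, keyed by full image name; values may set repo_prefix, include_tags and exclude_tags."`. The `variable "s3_bucket"` block starts on the hunk's last line and continues outside it.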
