Merge pull request #15 from martijnvdp/refactor

refactor
martijnvdp · Mar 3, 2023 · c162bdb · c162bdb
2 parents 5dd5361 + 5ce2818
commit c162bdb
Show file tree

Hide file tree

Showing 5 changed files with 195 additions and 244 deletions.
diff --git a/eventbridge.tf b/eventbridge.tf
@@ -1,9 +1,9 @@
 locals {
-  scheduled_event_name = "ECRImageSyncScheduledEvent"
 
   event_rules = {
     ECRImageSyncRepoCreatedRule = {
-      description   = "Capture each ECR repository created event"
+      description   = var.lambda.event_rules.repository_created.description
+      is_enabled    = var.lambda.event_rules.repository_created.is_enabled
       event_pattern = <<-EOF
       {
         "source": ["aws.ecr"],
@@ -15,12 +15,14 @@ locals {
       }
       EOF
     }
-    "${local.scheduled_event_name}" = {
-      description         = "CloudWatch schedule for synchronization of the public Docker images."
-      schedule_expression = var.schedule_expression
+    ECRImageSyncScheduledEvent = {
+      description         = var.lambda.event_rules.scheduled_event.description
+      is_enabled          = var.lambda.event_rules.scheduled_event.is_enabled
+      schedule_expression = var.lambda.event_rules.scheduled_event.schedule_expression
     }
     ECRImageSyncUpdatedInputJson = {
-      description   = "Capture all updated input JSON events: ${local.scheduled_event_name}"
+      description   = var.lambda.event_rules.payload_updated.description
+      is_enabled    = var.lambda.event_rules.payload_updated.is_enabled
       event_pattern = <<-EOF
       {
         "source": ["aws.events"],
@@ -29,14 +31,15 @@ locals {
           "eventName": ["PutTargets"],
           "eventSource": ["events.amazonaws.com"],
           "requestParameters": {
-            "rule": ["${local.scheduled_event_name}"]
+            "rule": ["ECRImageSyncScheduledEvent"]
           }
         }
       }
       EOF
     }
     ECRImageSyncChangedTagOnECRRepo = {
-      description   = "Capture each ECR repository tag changed event"
+      description   = var.lambda.event_rules.repository_tags.description
+      is_enabled    = var.lambda.event_rules.repository_tags.is_enabled
       event_pattern = <<-EOF
       {
         "source": ["aws.tag"],
@@ -61,8 +64,8 @@ locals {
         {
           "check_digest": ${local.settings.check_digest},
           "ecr_repo_prefix": "${local.settings.ecr_repo_prefix}",
-          "event_resource": <resource>,
-          "max_results": ${local.settings.max_results}
+          "max_results": ${local.settings.max_results},
+          "repository_arn": <resource>
         }
         EOF
       }
@@ -73,10 +76,11 @@ locals {
 resource "aws_cloudwatch_event_rule" "trigger" {
   for_each = local.event_rules
 
-  name                = each.key
+  description         = each.value.description
   event_pattern       = try(each.value.event_pattern, null)
+  is_enabled          = try(each.value.is_enabled, true)
+  name                = each.key
   schedule_expression = try(each.value.schedule_expression, null)
-  description         = each.value.description
   tags                = var.tags
 }
 
@@ -86,7 +90,7 @@ resource "aws_cloudwatch_event_target" "trigger" {
   arn       = aws_lambda_function.ecr_image_sync.arn
   input     = try(each.value.input_transformer, {}) == {} ? jsonencode(local.settings) : null
   rule      = aws_cloudwatch_event_rule.trigger[each.key].name
-  target_id = var.lambda_function_name
+  target_id = var.lambda.name
 
   dynamic "input_transformer" {
     for_each = try(each.value.input_transformer, {}) != {} ? [1] : []
@@ -101,8 +105,8 @@ resource "aws_lambda_permission" "trigger" {
   for_each = local.event_rules
 
   action        = "lambda:InvokeFunction"
-  function_name = var.lambda_function_name
+  function_name = var.lambda.name
   principal     = "events.amazonaws.com"
-  statement_id  = "AllowExecutionFromEventBridge${each.key}"
   source_arn    = aws_cloudwatch_event_rule.trigger[each.key].arn
+  statement_id  = "AllowExecutionFromEventBridge${each.key}"
 }
diff --git a/examples/full.tf b/examples/full.tf
@@ -1,33 +1,15 @@
 locals {
 
-  ecr_lambda_repositories = ["images/lambda-ecr-image-sync"]
-  deploy_ecr_sync         = true
-
   # The equality operators are equal (-eq), greater than (-gt), greater than or equal (-ge), less than (-lt), and less than or equal (-le)
-  image_sync_images = {
-    "dev" = {
-      "quay.io/isovalent/cilium"                       = { ecr_sync_constraint = "-ge v1.10.3", ecr_sync_include_rls = "cee", ecr_sync_include_tags = "current" }
-      "docker.io/openpolicyagent/gatekeeper"           = { ecr_sync_constraint = "-ge v3.9.0" }
-      "docker.io/otel/opentelemetry-collector-contrib" = { ecr_sync_constraint = "-ge 0.66.0" }
-      "docker.io/grafana/grafana"                      = { ecr_sync_constraint = "-ge 9.3.1" }
-      "docker.io/redis"                                = { ecr_sync_constraint = "-ge 7.0.4", ecr_sync_include_rls = "alpine", ecr_sync_release_only = "true" }
-    }
-    "test" = {
-      "docker.io/nginx" = { ecr_sync_constraint = "-ge 1.21" }
-    }
+  ecr_repositories = {
+    "images/lambda-ecr-image-sync"             = {}
+    "dev/isovalent/cilium"                     = { source = "quay.io/isovalent/cilium", constraint = "-ge v1.10.3", include_rls = "cee", include_tags = "current" }
+    "dev/openpolicyagent/gatekeeper"           = { source = "docker.io/openpolicyagent/gatekeeper", constraint = "-ge v3.9.0" }
+    "dev/otel/opentelemetry-collector-contrib" = { source = "docker.io/otel/opentelemetry-collector-contrib", constraint = "-ge 0.66.0" }
+    "dev/grafana/grafana"                      = { source = "docker.io/grafana/grafana", constraint = "-ge 9.3.1" }
+    "dev/redis"                                = { source = "docker.io/redis", constraint = "-ge 7.0.4", include_rls = "alpine", release_only = "true" }
+    "test/nginx"                               = { source = "docker.io/nginx", constraint = "-ge 1.21" }
   }
-
-  image_sync_ecr_map = flatten([
-    for repo, v in local.image_sync_images : [
-      for name, options in v : {
-        repository_name = length(split("/", name)) == 3 ? "${repo}/${split("/", name)[1]}/${split("/", name)[2]}" : "${repo}/${split("/", name)[1]}"
-        tags = merge(options, {
-          ecr_sync_opt    = "in"
-          ecr_sync_source = name
-        })
-      }
-    ]
-  ])
 }
 
 data "aws_kms_key" "cmk" {
@@ -41,67 +23,40 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
 module "ecr" {
-  count  = 1
   source = "github.com/martijnvdp/terraform-aws-mcaf-ecr?ref=repository-tags"
 
   image_tag_mutability       = "MUTABLE"
-  principals_readonly_access = [data.aws_caller_identity.current.account_id]
-  repository_names           = [for k, v in local.image_sync_ecr_map : v.repository_name]
   kms_key_arn                = data.aws_kms_key.cmk.arn
-
-  repository_tags = { for _, v in local.image_sync_ecr_map : v.repository_name => try(v.tags, {})
-    if try(v.tags.ecr_sync_opt, "") == "in"
-  }
+  principals_readonly_access = [data.aws_caller_identity.current.account_id]
+  repository_names           = [for k, _ in local.ecr_repositories : k]
+  repository_tags            = { for name, tags in local.ecr_repositories : name => merge({ ecr_sync_opt = "in" }, { for k, v in tags : "ecr_sync_${k}" => v }) if try(tags.source, "") != "" }
 }
 
 // ECR Image Sync Lambda function
 module "ecrImageSync" {
   source = "../"
 
   // docker_hub_credentials        = var.docker_hub_credentials
-  // source container image: docker pull ghcr.io/martijnvdp/ecr-image-sync:latest
-  lambda_function_container_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/images/lambda-ecr-image-sync:v1.0.1"
-  schedule_expression           = "cron(0 7 * * ? *)"
-
-  lambda_function_settings = {
-    check_digest    = true
-    ecr_repo_prefix = ""
-    max_results     = 10
-  }
+  ecr_repository_prefixes = distinct([for repo, tags in local.ecr_repositories : regex("^(\\w+)/.*$", repo)[0] if try(tags.source, "") != ""])
 
-  providers = {
-    aws = aws
-  }
-
-  s3_workflow = {
-    enabled = false
-  }
-}
-
-// ECR for the Lambda function container image
-module "ecrLambda" {
-  count  = length(local.ecr_lambda_repositories) > 0 && local.deploy_ecr_sync ? 1 : 0
-  source = "github.com/schubergphilis/terraform-aws-mcaf-ecr?ref=v1.1.0"
+  // source container image: docker pull ghcr.io/martijnvdp/ecr-image-sync:latest
+  lambda = {
+    container_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/base/infra/ecr-image-sync:v1.0.0"
 
-  image_tag_mutability       = "MUTABLE"
-  kms_key_arn                = data.aws_kms_key.cmk.arn
-  principals_readonly_access = [data.aws_caller_identity.current.account_id]
-  repository_names           = local.ecr_lambda_repositories
+    event_rules = {
+      repository_tags = {
+        is_enabled = false
+      }
 
-  additional_ecr_policy_statements = {
-    LambdaECRImageRetrievalPolicy = {
-      effect = "allow"
-      principal = {
-        type        = "service"
-        identifiers = ["lambda.amazonaws.com"]
+      scheduled_event = {
+        schedule_expression = "cron(0 7 * * ? *)"
       }
-      actions = [
-        "ecr:BatchGetImage",
-        "ecr:DeleteRepositoryPolicy",
-        "ecr:GetDownloadUrlForLayer",
-        "ecr:GetRepositoryPolicy",
-        "ecr:SetRepositoryPolicy"
-      ]
+    }
+
+    settings = {
+      check_digest    = true
+      ecr_repo_prefix = ""
+      max_results     = 5
     }
   }
 }