* 2.2.0 -- 2024-07-03

- add feature for doing ecr lifecycle policy for image_config - variable enable_lifecycle_policy_image_config - variable lifecycle_policy_keep_count
terraform-modules · Jul 9, 2024 · 46e0cad · 46e0cad
1 parent b6addb7
commit 46e0cad
Show file tree

Hide file tree

Showing 8 changed files with 132 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,3 +28,8 @@
   - add feature to create lifecycle policy
     - variable enable_lifecycle_policy
     - variables for specifying policies per specific repo
+
+* 2.2.0 -- 2024-07-03
+  - add feature for doing ecr lifecycle policy for image_config
+    - variable enable_lifecycle_policy_image_config
+    - variable lifecycle_policy_keep_count
diff --git a/README.md b/README.md
@@ -176,6 +176,16 @@ This is an object with several keys:
 
 This will apply a custom policy `data.aws_ecr_lifecycle_policy_document.pushed.json` to the repo `subapp/new1app3`.
 
+## enable\_lifecycle\_policy\_image\_config
+
+If set to true (default), it will enable a lifecycle policy with the count (`lifecycle_policy_keep_count` default of 5) for
+repositories created through the `image_config`.  This does not allow any pattern or prefix tag selcetion.
+
+## lifecycle\_policy\_keep\_count
+
+This will set a default keep count for all lifecycle policies (5) if not explictly set within the pattern, prefix, or default selections
+(see above).
+
 # Examples
 * [Simple](examples/simple)
 * [Lifecycle Policy](examples/lifecycle-policy)
@@ -209,9 +219,11 @@ No modules.
 | [aws_ecr_lifecycle_policy.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_lifecycle_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_lifecycle_policy.explicit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
+| [aws_ecr_lifecycle_policy.images_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_lifecycle_policy.patterns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_lifecycle_policy.prefixes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_repository.apps_repos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
+| [aws_ecr_repository.image_repos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
 | [null_resource.copy_images](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |
@@ -236,10 +248,12 @@ No modules.
 | <a name="input_destination_password"></a> [destination\_password](#input\_destination\_password) | OCI destination repository password | `string` | `null` | no |
 | <a name="input_destination_username"></a> [destination\_username](#input\_destination\_username) | OCI destination repository username | `string` | `null` | no |
 | <a name="input_enable_lifecycle_policy"></a> [enable\_lifecycle\_policy](#input\_enable\_lifecycle\_policy) | Flag to enable/disable ECR lifecycle policy.  If enabled, default is 5 most recent images (count) | `bool` | `false` | no |
+| <a name="input_enable_lifecycle_policy_image_config"></a> [enable\_lifecycle\_policy\_image\_config](#input\_enable\_lifecycle\_policy\_image\_config) | Flag to enable/disable ECR lifecycle policy for images in the image\_config.  If enabled, it will keep lifecycle\_policy\_keep\_count (default: 5) images | `bool` | `true` | no |
 | <a name="input_image_config"></a> [image\_config](#input\_image\_config) | List of image configuration objects to copy from SOURCE to DESTINATION | <pre>list(object({<br>    name            = string,<br>    tag             = string,<br>    dest_path       = string,<br>    source_registry = string,<br>    source_image    = string,<br>    source_tag      = string,<br>    enabled         = bool,<br>  }))</pre> | `[]` | no |
 | <a name="input_lifecycle_policy_all"></a> [lifecycle\_policy\_all](#input\_lifecycle\_policy\_all) | Flag to enable the same default policy (any, count of 5) if true | `bool` | `false` | no |
 | <a name="input_lifecycle_policy_default"></a> [lifecycle\_policy\_default](#input\_lifecycle\_policy\_default) | Object with settings for selecting repositories to apply a policy for 'any'.  Select repo list and number of images to keep (default: 5). | <pre>object({<br>    repos = list(string)<br>    count = optional(number, 5)<br>  })</pre> | <pre>{<br>  "count": 5,<br>  "repos": []<br>}</pre> | no |
 | <a name="input_lifecycle_policy_explicit"></a> [lifecycle\_policy\_explicit](#input\_lifecycle\_policy\_explicit) | Object with settings for selecting repositories to apply a policy for an explicit policy.  Select repo list and number of images to keep (default: 5), and a policy defined using `data.aws_ecr_lifecycle_policy_document.{name}.json'` | <pre>object({<br>    repos  = list(string)<br>    policy = string<br>  })</pre> | <pre>{<br>  "policy": null,<br>  "repos": []<br>}</pre> | no |
+| <a name="input_lifecycle_policy_keep_count"></a> [lifecycle\_policy\_keep\_count](#input\_lifecycle\_policy\_keep\_count) | Number of images to keep when not specified per type of policy (default: 5) | `number` | `5` | no |
 | <a name="input_lifecycle_policy_pattern"></a> [lifecycle\_policy\_pattern](#input\_lifecycle\_policy\_pattern) | Object with settings for selecting repositories to apply a policy for 'pattern'.  Select repo list and number of images to keep (default: 5), and a list of patterns (will create one rule per pattern). | <pre>object({<br>    count  = optional(number, 5)<br>    repos  = list(string)<br>    values = list(string)<br>  })</pre> | <pre>{<br>  "count": 5,<br>  "repos": [],<br>  "values": []<br>}</pre> | no |
 | <a name="input_lifecycle_policy_prefix"></a> [lifecycle\_policy\_prefix](#input\_lifecycle\_policy\_prefix) | Object with settings for selecting repositories to apply a policy for 'prefix'.  Select repo list and number of images to keep (default: 5), and a list of prefixes (will create one rule per prefix). | <pre>object({<br>    count  = optional(number, 5)<br>    repos  = list(string)<br>    values = list(string)<br>  })</pre> | <pre>{<br>  "count": 5,<br>  "repos": [],<br>  "values": []<br>}</pre> | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
@@ -256,6 +270,7 @@ No modules.
 | <a name="output_availability_zone_ids"></a> [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list (3) |
 | <a name="output_availability_zone_names"></a> [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list (3) |
 | <a name="output_availability_zone_suffixes"></a> [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list (3) |
+| <a name="output_image_map"></a> [image\_map](#output\_image\_map) | image\_config map of name => repo to be used for imports |
 | <a name="output_images"></a> [images](#output\_images) | Final full merge of images with extra details |
 | <a name="output_repository_names"></a> [repository\_names](#output\_repository\_names) | ECR Respository Names |
 | <a name="output_repository_urls"></a> [repository\_urls](#output\_repository\_urls) | ECR Respository URLs |

diff --git a/ecr-lifecycle.tf b/ecr-lifecycle.tf
@@ -1,5 +1,5 @@
 locals {
-  default_count = 5
+  default_count = var.lifecycle_policy_keep_count
 
   lifecycle_policy_specific_repos = compact(distinct(concat(
     try(var.lifecycle_policy_default.repos, []),
@@ -97,6 +97,12 @@ resource "aws_ecr_lifecycle_policy" "all" {
   policy     = data.aws_ecr_lifecycle_policy_document.any.json
 }
 
+resource "aws_ecr_lifecycle_policy" "images_all" {
+  for_each   = var.enable_lifecycle_policy_image_config ? aws_ecr_repository.image_repos : {}
+  repository = each.value.name
+  policy     = data.aws_ecr_lifecycle_policy_document.any.json
+}
+
 resource "aws_ecr_lifecycle_policy" "default" {
   for_each   = toset(try(var.lifecycle_policy_default.repos, []))
   repository = aws_ecr_repository.apps_repos[each.key].name

diff --git a/examples/lifecycle-policy-eks-cluster/images.import.tf b/examples/lifecycle-policy-eks-cluster/images.import.tf
@@ -0,0 +1,6 @@
+## import for bringing in image_config
+import {
+  for_each = module.images.image_map
+  to       = module.images.aws_ecr_repository.image_repos[each.key]
+  id       = each.value
+}
diff --git a/examples/lifecycle-policy-eks-cluster/images.tf b/examples/lifecycle-policy-eks-cluster/images.tf
@@ -0,0 +1,35 @@
+locals {
+  image_config = [for k, v in var.image_details : v if v.enabled]
+  image_output = { for k, v in module.images.images : v.name => v }
+
+  charts = { for k, v in var.chart_details : k => v if try(v.enabled, true) }
+  images = { for k, v in var.image_details : k => v if v.enabled }
+}
+
+module "images" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+  profile                              = var.profile
+  application_list                     = []
+  application_name                     = format("eks/%v", var.cluster_name)
+  enable_lifecycle_policy              = true
+  lifecycle_policy_all                 = true
+  enable_lifecycle_policy_image_config = true
+  lifecycle_policy_keep_count          = 5
+  image_config                         = local.image_config
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+
+  ### optional
+  ##  account_alias        = ""
+  ##  account_id           = ""
+  ##  destination_password = ""
+  ##  destination_username = ""
+  ##  override_prefixes    = {}
+  ##  region               = ""
+  ##  source_password      = ""
+  ##  source_username      = ""
+}
diff --git a/main.tf b/main.tf
@@ -175,6 +175,16 @@
 * ```
 * 
 * This will apply a custom policy `data.aws_ecr_lifecycle_policy_document.pushed.json` to the repo `subapp/new1app3`.
+*
+* ## enable_lifecycle_policy_image_config
+* 
+* If set to true (default), it will enable a lifecycle policy with the count (`lifecycle_policy_keep_count` default of 5) for
+* repositories created through the `image_config`.  This does not allow any pattern or prefix tag selcetion.
+* 
+* ## lifecycle_policy_keep_count
+*
+* This will set a default keep count for all lifecycle policies (5) if not explictly set within the pattern, prefix, or default selections
+* (see above).
 * 
 * # Examples
 * * [Simple](examples/simple)
@@ -253,10 +263,36 @@ locals {
       dest_full_path   = format("%v/%v/%v:%v", local.account_ecr_registry, local.repo_parent_name, i.name, i.tag),
       dest_repository  = format("%v/%v", local.repo_parent_name, i.name),
   })) } : {}
-
+  image_map   = { for k in distinct([for v in var.image_config : v.name]) : k => format("%v/%v", local.repo_parent_name, k) }
   image_repos = { for k, v in local.images : k => format("%v/%v", local.account_ecr, v.name) }
 }
 
+#---
+# create repos for image_config
+#---
+resource "aws_ecr_repository" "image_repos" {
+  for_each = local.image_map
+  name     = format("%v/%v", local.repo_parent_name, each.key)
+
+  image_tag_mutability = "IMMUTABLE"
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  encryption_configuration {
+    encryption_type = "KMS"
+  }
+
+  tags = merge(
+    local.base_tags,
+    {
+      "Name"        = format("ecr_%v/%v", var.application_name, each.key)
+      "Environment" = "application"
+    },
+    var.tags,
+  )
+}
+
 resource "null_resource" "copy_images" {
   triggers = {
     region = local.region
@@ -276,4 +312,18 @@ resource "null_resource" "copy_images" {
       DESTINATION_PASSWORD = var.destination_password == null ? data.aws_ecr_authorization_token.token.password : var.destination_password
     }
   }
+  depends_on = [aws_ecr_repository.image_repos]
+}
+
+## import for bringing in image_config
+# only allowed in root
+# import {
+#   for_each = local.image_map
+#   to = aws_ecr_repository.image_repos[each.key]
+#   id = each.value
+# }
+
+output "image_map" {
+  description = "image_config map of name => repo to be used for imports"
+  value       = local.image_map
 }
diff --git a/variables.tf b/variables.tf
@@ -67,12 +67,24 @@ variable "enable_lifecycle_policy" {
   default     = false
 }
 
+variable "enable_lifecycle_policy_image_config" {
+  description = "Flag to enable/disable ECR lifecycle policy for images in the image_config.  If enabled, it will keep lifecycle_policy_keep_count (default: 5) images"
+  type        = bool
+  default     = true
+}
+
 variable "lifecycle_policy_all" {
   description = "Flag to enable the same default policy (any, count of 5) if true"
   type        = bool
   default     = false
 }
 
+variable "lifecycle_policy_keep_count" {
+  description = "Number of images to keep when not specified per type of policy (default: 5)"
+  type        = number
+  default     = 5
+}
+
 variable "lifecycle_policy_default" {
   description = "Object with settings for selecting repositories to apply a policy for 'any'.  Select repo list and number of images to keep (default: 5)."
   type = object({

diff --git a/version.tf b/version.tf
@@ -1,4 +1,4 @@
 locals {
   _module_name    = "aws-ecr-copy-images"
-  _module_version = "2.1.0"
+  _module_version = "2.2.0"
 }