From 46e0cadf1e0a43ed7311ffac6547b5313ee43fd3 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 9 Jul 2024 17:10:29 -0400
Subject: [PATCH] * 2.2.0 -- 2024-07-03
 - add feature for doing ecr lifecycle policy for image_config
 - variable enable_lifecycle_policy_image_config
 - variable lifecycle_policy_keep_count
---
 CHANGELOG.md | 5 ++
 README.md | 15 ++++++
 ecr-lifecycle.tf | 8 ++-
 .../images.import.tf | 6 +++
 .../lifecycle-policy-eks-cluster/images.tf | 35 +++++++++++++
 main.tf | 52 ++++++++++++++++++-
 variables.tf | 12 +++++
 version.tf | 2 +-
 8 files changed, 132 insertions(+), 3 deletions(-)
 create mode 100644 examples/lifecycle-policy-eks-cluster/images.import.tf
 create mode 100644 examples/lifecycle-policy-eks-cluster/images.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index be97082..7631398 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,3 +28,8 @@
 - add feature to create lifecycle policy
 - variable enable_lifecycle_policy
 - variables for specifying policies per specific repo
+
+* 2.2.0 -- 2024-07-03
+ - add feature for doing ecr lifecycle policy for image_config
+ - variable enable_lifecycle_policy_image_config
+ - variable lifecycle_policy_keep_count
diff --git a/README.md b/README.md
index 29f7632..86b2745 100644
--- a/README.md
+++ b/README.md
@@ -176,6 +176,16 @@ This is an object with several keys: This will apply a custom policy `data.aws_ecr_lifecycle_policy_document.pushed.json` to the repo `subapp/new1app3`. +## enable\_lifecycle\_policy\_image\_config + +If set to true (default), it will enable a lifecycle policy with the count (`lifecycle_policy_keep_count` default of 5) for +repositories created through the `image_config`. This does not allow any pattern or prefix tag selcetion. + +## lifecycle\_policy\_keep\_count + +This will set a default keep count for all lifecycle policies (5) if not explictly set within the pattern, prefix, or default selections +(see above). + # Examples * [Simple](examples/simple) * [Lifecycle Policy](examples/lifecycle-policy) 
@@ -209,9 +219,11 @@ No modules.
 | [aws_ecr_lifecycle_policy.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_lifecycle_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_lifecycle_policy.explicit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
+| [aws_ecr_lifecycle_policy.images_all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_lifecycle_policy.patterns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_lifecycle_policy.prefixes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_repository.apps_repos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
+| [aws_ecr_repository.image_repos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
 | [null_resource.copy_images](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |
@@ -236,10 +248,12 @@ No modules. | [destination\_password](#input\_destination\_password) | OCI destination repository password | `string` | `null` | no | | [destination\_username](#input\_destination\_username) | OCI destination repository username | `string` | `null` | no | | [enable\_lifecycle\_policy](#input\_enable\_lifecycle\_policy) | Flag to enable/disable ECR lifecycle policy. If enabled, default is 5 most recent images (count) | `bool` | `false` | no | +| [enable\_lifecycle\_policy\_image\_config](#input\_enable\_lifecycle\_policy\_image\_config) | Flag to enable/disable ECR lifecycle policy for images in the image\_config. If enabled, it will keep lifecycle\_policy\_keep\_count (default: 5) images | `bool` | `true` | no | | [image\_config](#input\_image\_config) | List of image configuration objects to copy from SOURCE to DESTINATION |
list(object({
name = string,
tag = string,
dest_path = string,
source_registry = string,
source_image = string,
source_tag = string,
enabled = bool,
}))
| `[]` | no | | [lifecycle\_policy\_all](#input\_lifecycle\_policy\_all) | Flag to enable the same default policy (any, count of 5) if true | `bool` | `false` | no | | [lifecycle\_policy\_default](#input\_lifecycle\_policy\_default) | Object with settings for selecting repositories to apply a policy for 'any'. Select repo list and number of images to keep (default: 5). |
object({
repos = list(string)
count = optional(number, 5)
})
|
{
"count": 5,
"repos": []
}
| no | | [lifecycle\_policy\_explicit](#input\_lifecycle\_policy\_explicit) | Object with settings for selecting repositories to apply a policy for an explicit policy. Select repo list and number of images to keep (default: 5), and a policy defined using `data.aws_ecr_lifecycle_policy_document.{name}.json'` |
object({
repos = list(string)
policy = string
})
|
{
"policy": null,
"repos": []
}
| no | +| [lifecycle\_policy\_keep\_count](#input\_lifecycle\_policy\_keep\_count) | Number of images to keep when not specified per type of policy (default: 5) | `number` | `5` | no | | [lifecycle\_policy\_pattern](#input\_lifecycle\_policy\_pattern) | Object with settings for selecting repositories to apply a policy for 'pattern'. Select repo list and number of images to keep (default: 5), and a list of patterns (will create one rule per pattern). |
object({
count = optional(number, 5)
repos = list(string)
values = list(string)
})
|
{
"count": 5,
"repos": [],
"values": []
}
| no | | [lifecycle\_policy\_prefix](#input\_lifecycle\_policy\_prefix) | Object with settings for selecting repositories to apply a policy for 'prefix'. Select repo list and number of images to keep (default: 5), and a list of prefixes (will create one rule per prefix). |
object({
count = optional(number, 5)
repos = list(string)
values = list(string)
})
|
{
"count": 5,
"repos": [],
"values": []
}
| no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | @@ -256,6 +270,7 @@ No modules. | [availability\_zone\_ids](#output\_availability\_zone\_ids) | VPC Availability zone id list (3) | | [availability\_zone\_names](#output\_availability\_zone\_names) | VPC Availability zone name list (3) | | [availability\_zone\_suffixes](#output\_availability\_zone\_suffixes) | VPC Availability zone suffix list (3) | +| [image\_map](#output\_image\_map) | image\_config map of name => repo to be used for imports | | [images](#output\_images) | Final full merge of images with extra details | | [repository\_names](#output\_repository\_names) | ECR Respository Names | | [repository\_urls](#output\_repository\_urls) | ECR Respository URLs | diff --git a/ecr-lifecycle.tf b/ecr-lifecycle.tf index 0289402..edd9e6c 100644 --- a/ecr-lifecycle.tf +++ b/ecr-lifecycle.tf @@ -1,5 +1,5 @@ locals { - default_count = 5 + default_count = var.lifecycle_policy_keep_count lifecycle_policy_specific_repos = compact(distinct(concat( try(var.lifecycle_policy_default.repos, []), @@ -97,6 +97,12 @@ resource "aws_ecr_lifecycle_policy" "all" { policy = data.aws_ecr_lifecycle_policy_document.any.json } +resource "aws_ecr_lifecycle_policy" "images_all" { + for_each = var.enable_lifecycle_policy_image_config ? aws_ecr_repository.image_repos : {} + repository = each.value.name + policy = data.aws_ecr_lifecycle_policy_document.any.json +} + resource "aws_ecr_lifecycle_policy" "default" { for_each = toset(try(var.lifecycle_policy_default.repos, [])) repository = aws_ecr_repository.apps_repos[each.key].name diff --git a/examples/lifecycle-policy-eks-cluster/images.import.tf b/examples/lifecycle-policy-eks-cluster/images.import.tf new file mode 100644 index 0000000..f4d2f93 --- /dev/null +++ b/examples/lifecycle-policy-eks-cluster/images.import.tf 
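Review bot: `default_count = var.lifecycle_policy_keep_count` does not reach the per-selection policies the way the new README text claims, because `lifecycle_policy_default`, `lifecycle_policy_pattern` and `lifecycle_policy_prefix` still declare `count = optional(number, 5)` in their object types (visible in the README table above), so a caller who omits `count` there gets a literal 5 regardless of `lifecycle_policy_keep_count`. The lines of ecr-lifecycle.tf that read `local.default_count` are outside the hunk, so this is inferred from the type defaults; if they use `try(... .count, local.default_count)` the object default wins. Changing those fields to `count = optional(number)` and resolving `null` to `local.default_count` where the count is consumed, or narrowing the README sentence, would make the variable behave as documented. Separately, `images_all` is gated only by `enable_lifecycle_policy_image_config` and not by `enable_lifecycle_policy`; if that is intended, a comment on the resource, `# applies even when enable_lifecycle_policy is false; gated only by enable_lifecycle_policy_image_config`, saves the next reader a check.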
@@ -0,0 +1,6 @@
+## import for bringing in image_config
+import {
+ for_each = module.images.image_map
+ to = module.images.aws_ecr_repository.image_repos[each.key]
+ id = each.value
+}
diff --git a/examples/lifecycle-policy-eks-cluster/images.tf b/examples/lifecycle-policy-eks-cluster/images.tf
new file mode 100644
index 0000000..e903db6
--- /dev/null
+++ b/examples/lifecycle-policy-eks-cluster/images.tf
@@ -0,0 +1,35 @@
+locals {
+ image_config = [for k, v in var.image_details : v if v.enabled]
+ image_output = { for k, v in module.images.images : v.name => v }
+
+ charts = { for k, v in var.chart_details : k => v if try(v.enabled, true) }
+ images = { for k, v in var.image_details : k => v if v.enabled }
+}
+
+module "images" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+ profile = var.profile
+ application_list = []
+ application_name = format("eks/%v", var.cluster_name)
+ enable_lifecycle_policy = true
+ lifecycle_policy_all = true
+ enable_lifecycle_policy_image_config = true
+ lifecycle_policy_keep_count = 5
+ image_config = local.image_config
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+
+ ### optional
+ ## account_alias = ""
+ ## account_id = ""
+ ## destination_password = ""
+ ## destination_username = ""
+ ## override_prefixes = {}
+ ## region = ""
+ ## source_password = ""
+ ## source_username = ""
+}
diff --git a/main.tf b/main.tf
index 96b2b96..9d1bf3a 100644
--- a/main.tf
+++ b/main.tf
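Review bot: `source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"` pins the example to a mutable branch, so each `terraform init` may fetch different module code and the example never actually exercises the 2.2.0 release this commit ships. Pin `ref` to the release tag or a full commit SHA, `?ref=<release-tag-or-commit-sha>` (placeholder; use whatever the repository publishes for 2.2.0), so the example is reproducible and a later push to the branch cannot silently change what it provisions. `lifecycle_policy_keep_count = 5` restates the module default; if it is there as illustration, a trailing `# module default` comment says so.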
@@ -175,6 +175,16 @@
 * ```
 *
 * This will apply a custom policy `data.aws_ecr_lifecycle_policy_document.pushed.json` to the repo `subapp/new1app3`.
+*
+* ## enable_lifecycle_policy_image_config
+*
+* If set to true (default), it will enable a lifecycle policy with the count (`lifecycle_policy_keep_count` default of 5) for
+* repositories created through the `image_config`. This does not allow any pattern or prefix tag selcetion.
+*
+* ## lifecycle_policy_keep_count
+*
+* This will set a default keep count for all lifecycle policies (5) if not explictly set within the pattern, prefix, or default selections
+* (see above).
 *
 * # Examples
 * * [Simple](examples/simple)
@@ -253,10 +263,36 @@ locals {
 dest_full_path = format("%v/%v/%v:%v", local.account_ecr_registry, local.repo_parent_name, i.name, i.tag),
 dest_repository = format("%v/%v", local.repo_parent_name, i.name),
 }))
 } : {}
-
+ image_map = { for k in distinct([for v in var.image_config : v.name]) : k => format("%v/%v", local.repo_parent_name, k) }
 image_repos = { for k, v in local.images : k => format("%v/%v", local.account_ecr, v.name) }
 }
+#---
+# create repos for image_config
+#---
+resource "aws_ecr_repository" "image_repos" {
+ for_each = local.image_map
+ name = format("%v/%v", local.repo_parent_name, each.key)
+
+ image_tag_mutability = "IMMUTABLE"
+ image_scanning_configuration {
+ scan_on_push = true
+ }
+
+ encryption_configuration {
+ encryption_type = "KMS"
+ }
+
+ tags = merge(
+ local.base_tags,
+ {
+ "Name" = format("ecr_%v/%v", var.application_name, each.key)
+ "Environment" = "application"
+ },
+ var.tags,
+ )
+}
+
 resource "null_resource" "copy_images" {
 triggers = {
 region = local.region
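Review bot: `name = format("%v/%v", local.repo_parent_name, each.key)` recomputes the value `local.image_map[each.key]` already holds, and that map value is what the example import block uses as the import `id`; if the two formats ever diverge, the import targets a repository with a different name than the resource creates. `name = each.value` keeps the resource name and the import id identical by construction. `image_map` is also built from every entry of `var.image_config` rather than from `local.images`, so if `local.images` drops entries with `enabled = false` (the field exists in the README type; `local.images` itself is defined outside the hunk) a repository is still created for disabled images — worth confirming. `encryption_configuration { encryption_type = "KMS" }` without `kms_key` uses the AWS-managed ECR key; if a customer-managed key is intended, expose `kms_key`, otherwise a comment `# AWS-managed KMS key; set kms_key to use a CMK` records the choice.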
@@ -276,4 +312,18 @@ resource "null_resource" "copy_images" {
 DESTINATION_PASSWORD = var.destination_password == null ? data.aws_ecr_authorization_token.token.password : var.destination_password
 }
 }
+ depends_on = [aws_ecr_repository.image_repos]
+}
+
+## import for bringing in image_config
+# only allowed in root
+# import {
+# for_each = local.image_map
+# to = aws_ecr_repository.image_repos[each.key]
+# id = each.value
+# }
+
+output "image_map" {
+ description = "image_config map of name => repo to be used for imports"
+ value = local.image_map
 }
diff --git a/variables.tf b/variables.tf
index 38aaf41..b64eadb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -67,12 +67,24 @@ variable "enable_lifecycle_policy" {
 default = false
 }
 
+variable "enable_lifecycle_policy_image_config" {
+ description = "Flag to enable/disable ECR lifecycle policy for images in the image_config. If enabled, it will keep lifecycle_policy_keep_count (default: 5) images"
+ type = bool
+ default = true
+}
+
 variable "lifecycle_policy_all" {
 description = "Flag to enable the same default policy (any, count of 5) if true"
 type = bool
 default = false
 }
 
+variable "lifecycle_policy_keep_count" {
+ description = "Number of images to keep when not specified per type of policy (default: 5)"
+ type = number
+ default = 5
+}
+
 variable "lifecycle_policy_default" {
 description = "Object with settings for selecting repositories to apply a policy for 'any'. Select repo list and number of images to keep (default: 5)."
 type = object({
diff --git a/version.tf b/version.tf
index 0c7da82..ac712ee 100644
--- a/version.tf
+++ b/version.tf
@@ -1,4 +1,4 @@
 locals {
 _module_name = "aws-ecr-copy-images"
- _module_version = "2.1.0"
+ _module_version = "2.2.0"
 }
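Review bot: The commented-out `import` block after `null_resource.copy_images` is dead code that duplicates examples/lifecycle-policy-eks-cluster/images.import.tf, and the `# only allowed in root` line already explains why it cannot live in the module. Replacing those seven lines with a single pointer, `# import blocks are only allowed in a root module; see examples/lifecycle-policy-eks-cluster/images.import.tf`, keeps the hint without shipping code that will drift from the example. The new `depends_on = [aws_ecr_repository.image_repos]` is presumably what stops the copy from running before the repositories exist; a short `# repositories must exist before the copy pushes into them` makes that intent explicit for the next reader.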
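Review bot: `lifecycle_policy_keep_count` accepts any `number`, but ECR rejects a lifecycle rule whose `countNumber` is not a positive integer, so `0`, a negative value or `2.5` only fails at apply time inside every policy that falls back to `local.default_count`, with an error that does not name the variable. A `validation` block on the variable turns that into a plan-time error with a clear message; the `count` fields of the existing policy objects deserve the same treatment but sit outside this hunk. The description could also state the constraint, e.g. `Number of images to keep ... (positive whole number, default: 5)`.
```hcl
variable "lifecycle_policy_keep_count" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.lifecycle_policy_keep_count >= 1 && floor(var.lifecycle_policy_keep_count) == var.lifecycle_policy_keep_count
    error_message = "lifecycle_policy_keep_count must be a positive whole number (ECR lifecycle countNumber)."
  }
}
```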