fixes #53, Add support to interact with private docker registry (#54)

* fixes #53, Add support to interact with private Docker registry
ExpediaGroup · Apr 2, 2019 · 91d0168 · 91d0168
1 parent 1d66d0e
commit 91d0168
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) a
 
 ### Added
 - Improved error handling in scripts/endpoint_dns_name.sh - see [#17](https://github.com/ExpediaInc/apiary-federation/issues/17).
+- Support for Docker private registry.
 
 
 ## [1.0.5] - 2019-03-12

diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ For more information please refer to the main [Apiary](https://github.com/Expedi
 | bastion_ssh_key_secret_name | Secret name in AWS Secrets Manager which stores the private key used to log in to bastions. The secret's key should be `private_key` and the value should be stored as a base64 encoded string. Max character limit for a secret's value is 4096. | string | `` | no |
 | cpu | The number of CPU units to reserve for the Waggle Dance container. Valid values can be 256, 512, 1024, 2048 and 4096. Reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html | string | `1024` | no |
 | docker_image | Full path Waggle Dance Docker image. | string | - | yes |
+| docker_registry_auth_secret_name | Docker Registry authentication SecretManager secret name. | string | `` | no |
 | docker_version | Waggle Dance Docker image version. | string | - | yes |
 | domain_extension | Domain name to use for Route 53 entry and service discovery. | string | `lcl` | no |
 | enable_remote_metastore_dns | Option to enable creating DNS records for remote metastores. | string | `` | no |
@@ -24,7 +25,7 @@ For more information please refer to the main [Apiary](https://github.com/Expedi
 | primary_metastore_port | Primary Hive Metastore port | string | `9083` | no |
 | primary_metastore_whitelist | List of Hive databases to whitelist on primary Metastore. | list | `<list>` | no |
 | remote_metastores | List of VPC endpoint services to federate Metastores in other accounts. | list | `<list>` | no |
-| secondary_vpcs | List of VPCs to associate with Service Discovery namespace | list | `<list>` | no |
+| secondary_vpcs | List of VPCs to associate with Service Discovery namespace. | list | `<list>` | no |
 | ssh_metastores | List of federated Metastores to connect to over SSH via bastion. | list | `<list>` | no |
 | subnets | ECS container subnets. | list | - | yes |
 | tags | A map of tags to apply to resources. | map | `<map>` | no |

diff --git a/common.tf b/common.tf
@@ -17,3 +17,8 @@ data "aws_secretsmanager_secret" "bastion_ssh_key" {
   count = "${ var.bastion_ssh_key_secret_name == "" ? 0 : 1}"
   name  = "${var.bastion_ssh_key_secret_name}"
 }
+
+data "aws_secretsmanager_secret" "docker_registry" {
+  count = "${ var.docker_registry_auth_secret_name == "" ? 0 : 1 }"
+  name  = "${ var.docker_registry_auth_secret_name }"
+}
diff --git a/main.tf b/main.tf
@@ -36,6 +36,23 @@ resource "aws_iam_role_policy_attachment" "task_exec_managed" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
+resource "aws_iam_role_policy" "secretsmanager_for_ecs_task_exec" {
+  count = "${var.docker_registry_auth_secret_name == "" ? 0 : 1}"
+  name  = "secretsmanager-exec"
+  role  = "${aws_iam_role.waggledance_task_exec.id}"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Action": "secretsmanager:GetSecretValue",
+        "Resource": [ "${join("\",\"",concat(data.aws_secretsmanager_secret.docker_registry.*.arn))}" ]
+    }
+}
+EOF
+}
+
 resource "aws_iam_role" "waggledance_task" {
   name = "${local.instance_alias}-ecs-task-${var.aws_region}"
 
@@ -148,6 +165,7 @@ data "template_file" "waggledance" {
     server_yaml         = "${base64encode(data.template_file.server_yaml.rendered)}"
     federation_yaml     = "${base64encode(data.template_file.federation_yaml.rendered)}"
     bastion_ssh_key_arn = "${var.bastion_ssh_key_secret_name == "" ? "" : join("",data.aws_secretsmanager_secret.bastion_ssh_key.*.arn)}"
+    docker_auth         = "${ var.docker_registry_auth_secret_name == "" ? "" : format("\"repositoryCredentials\" :{\n \"credentialsParameter\":\"%s\"\n},",join("\",\"",concat(data.aws_secretsmanager_secret.docker_registry.*.arn)))}"
   }
 }
 

diff --git a/templates/waggledance.json b/templates/waggledance.json
@@ -2,6 +2,7 @@
   {
     "name": "waggledance",
     "image": "${docker_image}:${docker_version}",
+    ${docker_auth}
     "essential": true,
     "logConfiguration": {
         "logDriver": "awslogs",

diff --git a/variables.tf b/variables.tf
@@ -160,7 +160,13 @@ variable "domain_extension" {
 }
 
 variable "secondary_vpcs" {
-  description = "List of VPCs to associate with Service Discovery namespace"
+  description = "List of VPCs to associate with Service Discovery namespace."
   type        = "list"
   default     = []
 }
+
+variable "docker_registry_auth_secret_name" {
+  description = "Docker Registry authentication SecretManager secret name."
+  type        = "string"
+  default     = ""
+}
diff --git a/version.tf b/version.tf
@@ -6,8 +6,8 @@
 
 terraform {
   required_version = "~> 0.11.1"
-}
 
-provider "aws" {
-  version = "~> 1.60.0"
+  required_providers = {
+    aws = "~> 1.60.0"
+  }
 }