fix: Updating ecr pull though cache pattern (#1975)

aws-ia · Jul 11, 2024 · 298317b · 298317b
1 parent fef497e
commit 298317b
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 38 deletions.
diff --git a/docs/images/ecr-template.gif b/docs/images/ecr-template.gif
diff --git a/patterns/ecr-pull-through-cache/README.md b/patterns/ecr-pull-through-cache/README.md
@@ -3,18 +3,12 @@
 This pattern demonstrates how to set up ECR cache pull-through for public images. The Terraform code creates four cache pull-through rules for public image repositories: Docker, Kubernetes, Quay, and ECR. It also configures basic scanning on push for all repositories and includes a creation template. Additionally, it configures the EC2 node role with permissions to pull through images. The setup then installs ALB Controller, Metrics Server, Gatekeeper, ArgoCD, and Prometheus Operator, with their respective Helm charts configured in the values files to pull images through the pull-through cache.
 
 ## Deploy
+Follow the instructions [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started/#prerequisites) for the prerequisites and steps to deploy this pattern.
 
-Replace `your-docker-username` and `your-docker-password` with your actual Docker credentials and run the following command to create an aws secretmanager secret:
 ```
-aws --region "us-east-1" secretsmanager create-secret --name ecr-pullthroughcache/docker --description "Docker credentials" --secret-string '{"username":"your-docker-username","accessToken":"your-docker-password"}'
+terraform init
+terraform apply -var='docker_secret={"username":"your-docker-username", "accessToken":"your-docker-password"}'
 ```
-Create an ecr creation template trough the AWS Console. Creation templates is in Preview and there is no aws cli command or api to create the template.
-Navigate to ECR -> Private registry -> Settings -> Creation templates -> Create template ->
-Select "Any prefix in your ECR registry" and keep the defaults.
-Official instructions for creating a repository creation template are [here](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-creation-templates-create.html).
-![ecr-createtemplate](../../docs/images/ecr-template.gif)
-
-Follow the instructions [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started/#prerequisites) for the prerequisites and steps to deploy this pattern.
 
 ## Validate
 Validate the pull trough cache rules connectivity:
@@ -103,6 +97,11 @@ kube-system             metrics-server-5d6489d58d-pbrxv
 ```
 
 ## Destroy
+ECR repositories are automatically created via pull through cache and can be deleted using the following command.
+NOTE: This commands deletes all the ecr repositories in a region.
+```
+for REPO in $(aws ecr describe-repositories --query 'repositories[].repositoryName' --output text); do aws ecr delete-repository --repository-name $REPO --force ; done
+```  
 {%
    include-markdown "../../docs/_partials/destroy.md"
 %}
diff --git a/patterns/ecr-pull-through-cache/ecr.tf b/patterns/ecr-pull-through-cache/ecr.tf
@@ -3,39 +3,51 @@ locals {
   ecr_region      = var.ecr_region != "" ? var.ecr_region : local.region
 }
 
-data "aws_secretsmanager_secret" "docker" {
-  name = "ecr-pullthroughcache/docker"
+module "secrets-manager" {
+  source  = "terraform-aws-modules/secrets-manager/aws"
+  version = "1.1.2"
+
+  name          = "ecr-pullthroughcache/docker"
+  secret_string = jsonencode(var.docker_secret)
 }
 
-resource "aws_ecr_registry_scanning_configuration" "configuration" {
-  scan_type = "BASIC"
+module "ecr" {
+  source  = "terraform-aws-modules/ecr/aws"
+  version = "2.2.1"
+
+  create_repository = false
 
-  rule {
-    scan_frequency = "SCAN_ON_PUSH"
-    repository_filter {
-      filter      = "*"
-      filter_type = "WILDCARD"
+  registry_pull_through_cache_rules = {
+    ecr = {
+      ecr_repository_prefix = "ecr"
+      upstream_registry_url = "public.ecr.aws"
+    }
+    k8s = {
+      ecr_repository_prefix = "k8s"
+      upstream_registry_url = "registry.k8s.io"
+    }
+    quay = {
+      ecr_repository_prefix = "quay"
+      upstream_registry_url = "quay.io"
+    }
+    dockerhub = {
+      ecr_repository_prefix = "docker-hub"
+      upstream_registry_url = "registry-1.docker.io"
+      credential_arn        = module.secrets-manager.secret_arn
     }
   }
-}  
-
-resource "aws_ecr_pull_through_cache_rule" "docker-hub" {
-  ecr_repository_prefix = "docker-hub"
-  upstream_registry_url = "registry-1.docker.io"
-  credential_arn = data.aws_secretsmanager_secret.docker.arn
-}
-
-resource "aws_ecr_pull_through_cache_rule" "ecr" {
-  ecr_repository_prefix = "ecr"
-  upstream_registry_url = "public.ecr.aws"
-}
 
-resource "aws_ecr_pull_through_cache_rule" "k8s" {
-  ecr_repository_prefix = "k8s"
-  upstream_registry_url = "registry.k8s.io"
-}
-
-resource "aws_ecr_pull_through_cache_rule" "quay" {
-  ecr_repository_prefix = "quay"
-  upstream_registry_url = "quay.io"
+  manage_registry_scanning_configuration = true
+  registry_scan_type                     = "BASIC"
+  registry_scan_rules = [
+    {
+      scan_frequency = "SCAN_ON_PUSH"
+      filter = [
+        {
+          filter      = "*"
+          filter_type = "WILDCARD"
+        },
+      ]
+    }
+  ]
 }
diff --git a/patterns/ecr-pull-through-cache/variables.tf b/patterns/ecr-pull-through-cache/variables.tf
@@ -40,3 +40,22 @@ variable "ecr_region" {
   default     = ""
 }
 
+variable "docker_secret" {
+  type = object({
+    username    = string
+    accessToken = string
+  })
+  default = {
+    username    = ""
+    accessToken = ""
+  }
+  sensitive = true
+  validation {
+    condition = !(var.docker_secret.username == "" || var.docker_secret.accessToken == "")
+    error_message = <<EOT
+Both username and accessToken must be provided.
+Use the following command to pass these variables:
+  terraform plan -var='docker_secret={"username":"your_username", "accessToken":"your_access_token"}'
+EOT
+  }
+}