ecr updates

Author: candonov

bootstrap/terraform-fully-private/README.md

@@ -69,19 +69,9 @@ git clone https://github.com/awslabs/crossplane-on-eks.git
 For that reason `upbound_aws_provider.enable` is set to `true` and `aws_provider.enable` is set to `false`. If you use the examples for `aws_provider`, adjust the terraform [main.tf](https://github.com/awslabs/crossplane-on-eks/blob/main/bootstrap/terraform/main.tf) in order install only the necessary CRDs to the Kubernetes cluster.
 
 #### Step 1: ECR settings
-Replace `your-docker-username` and `your-docker-password` with your actual Docker credentials and run the following command to create an aws secretmanager secret:
-```
-aws secretsmanager create-secret --name ecr-pullthroughcache/docker --description "Docker credentials" --secret-string '{"username":"your-docker-username","accessToken":"your-docker-password"}'
-```
-Create an ecr creation template trough the AWS Console. Creation templates is in Preview and there is no aws cli command or api to create the template.
-Navigate to ECR -> Private registry -> Settings -> Creation templates -> Create template ->
-Select "Any prefix in your ECR registry" and keep the defaults.
-
-![ecr-createtemplate](../../docs/images/ecr-template.gif)
-
 Note: You can change the default `us-east-1` region in the following scripts before executing them.
 
-to Create Crossplane private ECR repos, run the following script:
+To Create Crossplane private ECR repos, run the following script:
 
 ```
 ./scripts/create-crossplane-ecr-repos.sh
@@ -105,33 +95,33 @@ terraform init
 ```
 
 #### Step 3: Run Terraform PLAN
-Before running the Terraform plan, ensure you adjust the variables.tf file to include the following required variables:
+If your ECR repo is in different account or region than where the Terraform is pointing to, you can adjust the variables.tf file:
 
 ```
 variable "ecr_account_id" {
   type        = string
-  description = "ECR repository AWS Account ID"
-  default     = ""
+  description = "ECR repository AWS Account ID" 
+  default     = "" #defaults to var.region
 }
 
 variable "ecr_region" {
   type        = string
   description = "ECR repository AWS Region"
-  default     = ""
+  default     = "" #defaults to current account
 }
 ```
-Make sure to replace the default values with your specific AWS Account ID and Region.
 
+Run Terraform plan:
 ```shell script
-export TF_VAR_region=<ENTER YOUR REGION>   # Select your own region
+export TF_VAR_region=<ENTER YOUR REGION>   # if ommited, defaults to var.region
 terraform plan
 ```
 
 #### Step 4: Finally, Terraform APPLY
-to create resources
+To create resources:
 
 ```shell script
-terraform apply --auto-approve
+terraform apply -var='docker_secret={"username":"your-docker-username", "accessToken":"your-docker-password"}' --auto-approve
 ```
 
 ### Configure `kubectl` and test cluster
@@ -142,7 +132,7 @@ This following command used to update the `kubeconfig` in your local machine whe
 
 `~/.kube/config` file gets updated with cluster details and certificate from the below command
 ```shell script
-aws eks --region <enter-your-region> update-kubeconfig --name <cluster-name>
+aws eks --region <enter-your-region> update-kubeconfig --name <cluster-name> --alias <cluster-name>
 ```
 #### Step 6: List all the worker nodes by running the command below
 ```shell script

bootstrap/terraform-fully-private/ecr.tf

@@ -1,36 +1,53 @@
-data "aws_secretsmanager_secret" "docker" {
-  name = "ecr-pullthroughcache/docker"
+locals {
+  ecr_account_id  = var.ecr_account_id != "" ? var.ecr_account_id : data.aws_caller_identity.current.account_id
+  ecr_region      = var.ecr_region != "" ? var.ecr_region : local.region
 }
 
-resource "aws_ecr_registry_scanning_configuration" "configuration" {
-  scan_type = "BASIC"
+module "secrets-manager" {
+  source  = "terraform-aws-modules/secrets-manager/aws"
+  version = "1.1.2"
 
-  rule {
-    scan_frequency = "SCAN_ON_PUSH"
-    repository_filter {
-      filter      = "*"
-      filter_type = "WILDCARD"
-    }
-  }
-}  
-
-resource "aws_ecr_pull_through_cache_rule" "docker-hub" {
-  ecr_repository_prefix = "docker-hub"
-  upstream_registry_url = "registry-1.docker.io"
-  credential_arn = data.aws_secretsmanager_secret.docker.arn
+  name          = "ecr-pullthroughcache/docker"
+  secret_string = jsonencode(var.docker_secret)
 }
 
-resource "aws_ecr_pull_through_cache_rule" "ecr" {
-  ecr_repository_prefix = "ecr"
-  upstream_registry_url = "public.ecr.aws"
-}
+module "ecr" {
+  source  = "terraform-aws-modules/ecr/aws"
+  version = "2.2.1"
 
-resource "aws_ecr_pull_through_cache_rule" "k8s" {
-  ecr_repository_prefix = "k8s"
-  upstream_registry_url = "registry.k8s.io"
-}
+  create_repository = false
 
-resource "aws_ecr_pull_through_cache_rule" "quay" {
-  ecr_repository_prefix = "quay"
-  upstream_registry_url = "quay.io"
-}
+  registry_pull_through_cache_rules = {
+    ecr = {
+      ecr_repository_prefix = "ecr"
+      upstream_registry_url = "public.ecr.aws"
+    }
+    k8s = {
+      ecr_repository_prefix = "k8s"
+      upstream_registry_url = "registry.k8s.io"
+    }
+    quay = {
+      ecr_repository_prefix = "quay"
+      upstream_registry_url = "quay.io"
+    }
+    dockerhub = {
+      ecr_repository_prefix = "docker-hub"
+      upstream_registry_url = "registry-1.docker.io"
+      credential_arn        = module.secrets-manager.secret_arn
+    }
+  }
+
+  manage_registry_scanning_configuration = true
+  registry_scan_type                     = "BASIC"
+  registry_scan_rules = [
+    {
+      scan_frequency = "SCAN_ON_PUSH"
+      filter = [
+        {
+          filter      = "*"
+          filter_type = "WILDCARD"
+        },
+      ]
+    }
+  ]
+}

bootstrap/terraform-fully-private/main.tf

@@ -46,9 +46,6 @@ locals {
   name   = var.name
   region = var.region
 
-  ecr_account_id = var.ecr_account_id != "" ? var.ecr_account_id : data.aws_caller_identity.current.account_id
-  ecr_region     = var.ecr_region != "" ? var.ecr_region : local.region
-
   cluster_version = var.cluster_version
   cluster_name    = local.name
 

bootstrap/terraform-fully-private/variables.tf

@@ -61,3 +61,22 @@ variable "ecr_region" {
   default     = ""
 }
 
+variable "docker_secret" {
+  type = object({
+    username    = string
+    accessToken = string
+  })
+  default = {
+    username    = ""
+    accessToken = ""
+  }
+  sensitive = true
+  validation {
+    condition = !(var.docker_secret.username == "" || var.docker_secret.accessToken == "")
+    error_message = <<EOT
+Both username and accessToken must be provided.
+Use the following command to pass these variables:
+  terraform plan -var='docker_secret={"username":"your_username", "accessToken":"your_access_token"}'
+EOT
+  }
+}