From 8a9d112e2b3097f85a288ec07496acb0f42872c3 Mon Sep 17 00:00:00 2001
From: Ravi Singh
Date: Mon, 29 Jan 2024 23:12:26 +0000
Subject: [PATCH 1/3] exposing ecr lifecycle policy as variable

---
 .../container_registry/locals.tf | 33 +++++++++++++++++++
 .../container_registry/main.tf | 33 +------------------
 .../container_registry/variables.tf | 6 ++++
 3 files changed, 40 insertions(+), 32 deletions(-)

diff --git a/aws/modules/infrastructure_modules/container_registry/locals.tf b/aws/modules/infrastructure_modules/container_registry/locals.tf
index 36c94014..04dc1832 100644
--- a/aws/modules/infrastructure_modules/container_registry/locals.tf
+++ b/aws/modules/infrastructure_modules/container_registry/locals.tf
@@ -1,3 +1,36 @@
 locals {
 pull_through_cache_accounts = length(var.pull_through_cache_accounts) > 0 ? var.pull_through_cache_accounts : ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"]
+
+ repository_lifecycle_default_policy = jsonencode({
+ rules = [
+ {
+ rulePriority = 1
+ description = "Keep the last '${var.max_untagged_image_count}' untagged images"
+
+ selection = {
+ tagStatus = "untagged"
+ countType = "imageCountMoreThan"
+ countNumber = var.max_untagged_image_count
+ }
+
+ action = {
+ type = "expire"
+ }
+ },
+ {
+ rulePriority = 2,
+ description = "Keep the last '${var.max_tagged_image_count}' tagged images"
+
+ selection = {
+ tagStatus = "any"
+ countType = "imageCountMoreThan"
+ countNumber = var.max_tagged_image_count
+ }
+
+ action = {
+ type = "expire"
+ }
+ },
+ ]
+ })
 }
diff --git a/aws/modules/infrastructure_modules/container_registry/main.tf b/aws/modules/infrastructure_modules/container_registry/main.tf
index f2984b0d..f4dd781d 100644
--- a/aws/modules/infrastructure_modules/container_registry/main.tf
+++ b/aws/modules/infrastructure_modules/container_registry/main.tf
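Review bot: Rule 2 of `repository_lifecycle_default_policy` selects `tagStatus = "any"`, yet its description and the `max_tagged_image_count` it interpolates say "tagged images"; `any` counts every image in the repository, so after rule 1 has trimmed the untagged ones this rule bounds the total image count, not the tagged count. If `any` is deliberate — ECR's `tagged` status needs a `tagPrefixList`/`tagPatternList`, so a tag-agnostic cap is the only way to cover every tag — say so next to the selector: `# "any" rather than "tagged": "tagged" needs a tagPrefixList; rule 1 already trims untagged images, so this caps the total per repository`. A one-line warning above the local is also worth having, since expiry is irreversible and nothing here checks whether an expired image is still referenced by a running workload: `# NOTE: expiry is permanent; keep the counts above the number of versions you may need to roll back to`. The trailing comma on `rulePriority = 2,` is inconsistent with rule 1, which has none.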
@@ -15,38 +15,7 @@ module "ecr" {
 # Managed below in `ecr_registry_scanning_rules`
 manage_registry_scanning_configuration = false
 
- repository_lifecycle_policy = jsonencode({
- rules = [
- {
- rulePriority = 1
- description = "Keep the last '${var.max_untagged_image_count}' untagged images"
-
- selection = {
- tagStatus = "untagged"
- countType = "imageCountMoreThan"
- countNumber = var.max_untagged_image_count
- }
-
- action = {
- type = "expire"
- }
- },
- {
- rulePriority = 2,
- description = "Keep the last '${var.max_tagged_image_count}' tagged images"
-
- selection = {
- tagStatus = "any"
- countType = "imageCountMoreThan"
- countNumber = var.max_tagged_image_count
- }
-
- action = {
- type = "expire"
- }
- },
- ]
- })
+ repository_lifecycle_policy = var.repository_lifecycle_policy == "default-policy" ? local.repository_lifecycle_default_policy : var.repository_lifecycle_policy
 }
 
 ## Pull Through Cache
diff --git a/aws/modules/infrastructure_modules/container_registry/variables.tf b/aws/modules/infrastructure_modules/container_registry/variables.tf
index a6b3a71e..f50f91eb 100644
--- a/aws/modules/infrastructure_modules/container_registry/variables.tf
+++ b/aws/modules/infrastructure_modules/container_registry/variables.tf
@@ -64,3 +64,9 @@ variable "pull_through_cache_accounts" {
 description = "A default list of accounts for the Pull Through Cache if not configured in the `pull_through_cache_setup`. Defaults to the calling account root"
 default = []
 }
+
+variable "repository_lifecycle_policy" {
+ type = any
+ description = "ECR repository lifestyle policy rules"
+ default = "default-policy"
+}
From 54ea543368219b6bbc279d25778ae54be3308960 Mon Sep 17 00:00:00 2001
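Review bot: The new `repository_lifecycle_policy` line keys the choice on the magic string `"default-policy"`, and nothing in the module block says that `max_tagged_image_count` / `max_untagged_image_count` are silently ignored once a caller passes anything else. Because the variable is `type = any`, a caller who passes a decoded object instead of a JSON string lands in the else branch (the comparison with a string is simply false) and the raw object is forwarded where the default branch supplies a `jsonencode(...)` string; the upstream `ecr` module is not visible here, but that most likely fails at apply rather than at plan. A comment above the line would make the contract explicit: `# "default-policy" (the variable's default) selects the count-based rules from locals.tf; any other value is passed through verbatim and the max_*_image_count inputs are ignored`. Longer term, `default = null` on a `string` variable plus `coalesce(var.repository_lifecycle_policy, local.repository_lifecycle_default_policy)` removes the sentinel, but that has to change main.tf and variables.tf together. The enclosing `module "ecr"` block starts before this hunk.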
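Review bot: `variable "repository_lifecycle_policy"` is declared `type = any` although the only value the module can forward is a JSON string (the default branch in main.tf is a `jsonencode(...)` result), and the description says "lifestyle" where "lifecycle" is meant. A malformed policy is otherwise first rejected by ECR's PutLifecyclePolicy at apply time, and a lifecycle policy is the one ECR setting that deletes data, so rejecting bad input at plan is worth a few lines: declare it `string`, fix the description, and add a `validation` block that accepts either the sentinel or a document with a top-level `rules` list.
```hcl
variable "repository_lifecycle_policy" {
  type        = string
  description = "ECR repository lifecycle policy as a JSON string. The default \"default-policy\" selects the count-based rules built from max_tagged_image_count / max_untagged_image_count."
  default     = "default-policy"

  validation {
    condition     = var.repository_lifecycle_policy == "default-policy" || can(jsondecode(var.repository_lifecycle_policy).rules)
    error_message = "repository_lifecycle_policy must be \"default-policy\" or a JSON document with a top-level \"rules\" list."
  }
}
```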
From: Ravi Singh
Date: Tue, 30 Jan 2024 08:31:45 +0000
Subject: [PATCH 2/3] updating ReadMe and making max_tagged_image_count optional

---
 .../infrastructure_modules/container_registry/README.md | 5 ++---
 .../infrastructure_modules/container_registry/variables.tf | 2 ++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/aws/modules/infrastructure_modules/container_registry/README.md b/aws/modules/infrastructure_modules/container_registry/README.md
index e929c9ed..741429bc 100644
--- a/aws/modules/infrastructure_modules/container_registry/README.md
+++ b/aws/modules/infrastructure_modules/container_registry/README.md
@@ -57,13 +57,12 @@ data "aws_iam_policy_document" "additional_eks" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [enable\_registry\_scanning](#input\_enable\_registry\_scanning) | Whether to enable continuous registry scanning | `bool` | n/a | yes |
-| [max\_tagged\_image\_count](#input\_max\_tagged\_image\_count) | The maximum number of tagged images to keep for each repository | `number` | n/a | yes |
+| [max\_tagged\_image\_count](#input\_max\_tagged\_image\_count) | The maximum number of tagged images to keep for each repository | `number` | `100` | no |
 | [max\_untagged\_image\_count](#input\_max\_untagged\_image\_count) | The maximum number of untagged images to keep for each repository | `number` | `1` | no |
 | [pull\_accounts](#input\_pull\_accounts) | List of accounts that can pull | `list(string)` | n/a | yes |
 | [pull\_and\_push\_accounts](#input\_pull\_and\_push\_accounts) | List of accounts that can pull and push | `list(string)` | n/a | yes |
 | [pull\_through\_cache\_accounts](#input\_pull\_through\_cache\_accounts) | A default list of accounts for the Pull Through Cache if not configured in the `pull_through_cache_setup`. Defaults to the calling account root | `list(string)` | `[]` | no |
-| [pull\_through\_cache\_setup](#input\_pull\_through\_cache\_setup) | The set-up for the Pull Through Cache, an object like {ecr-public = {images = ["foo"] upstream\_registry\_url = "public.ecr.aws"}} |
map(
object({
upstream_registry_url = string
images - = list(string)
accounts = optional(list(string))
})
)
| n/a | yes |
+| [pull\_through\_cache\_setup](#input\_pull\_through\_cache\_setup) | The set-up for the Pull Through Cache, an object like `{ecr-public = {images = ["foo"] upstream_registry_url = "public.ecr.aws"}}` | `
map(
object({
upstream_registry_url = string
images = list(string)
accounts = optional(list(string))
})
)
` | n/a | yes |
 | [region](#input\_region) | The name of the region to use | `string` | n/a | yes |
 | [repositories](#input\_repositories) | A list of the repositories to create | `list(string)` | n/a | yes |
 | [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | Whether the repositories are MUTABLE or IMMUTABLE. Best choice is IMMUTABLE | `string` | `"IMMUTABLE"` | no |
diff --git a/aws/modules/infrastructure_modules/container_registry/variables.tf b/aws/modules/infrastructure_modules/container_registry/variables.tf
index f50f91eb..6041dab3 100644
--- a/aws/modules/infrastructure_modules/container_registry/variables.tf
+++ b/aws/modules/infrastructure_modules/container_registry/variables.tf
@@ -23,6 +23,8 @@ variable "max_untagged_image_count" {
 variable "max_tagged_image_count" {
 type = number
 description = "The maximum number of tagged images to keep for each repository"
+
+ default = 100
 }
 
 variable "pull_accounts" {
From ec9ae1954d1876ba9508941f2f994af281f52f64 Mon Sep 17 00:00:00 2001
From: Ravi Singh
Date: Tue, 30 Jan 2024 08:42:24 +0000
Subject: [PATCH 3/3] updating readme

---
 .../infrastructure_modules/container_registry/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/aws/modules/infrastructure_modules/container_registry/README.md b/aws/modules/infrastructure_modules/container_registry/README.md
index 741429bc..25c3bad6 100644
--- a/aws/modules/infrastructure_modules/container_registry/README.md
+++ b/aws/modules/infrastructure_modules/container_registry/README.md
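Review bot: `default = 100` for `max_tagged_image_count` goes straight into `countNumber` of the `imageCountMoreThan` rule that locals.tf builds with `tagStatus = "any"`, and making the input optional removes the only nudge callers had to choose a retention bound that matches their rollback needs; the description should state the default and its real effect, e.g. `"The maximum number of images (any tag status) to keep per repository once untagged images are trimmed. Defaults to 100."`. As far as I recall ECR only accepts a positive `countNumber`, and that surfaces at apply, so a `validation { condition = var.max_tagged_image_count >= 1 ... }` on this variable makes a bad value fail at plan instead. The blank line the hunk inserts between `description` and `default` also differs from the other variable blocks in this file.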
@@ -62,7 +62,8 @@ data "aws_iam_policy_document" "additional_eks" {
 | [pull\_accounts](#input\_pull\_accounts) | List of accounts that can pull | `list(string)` | n/a | yes |
 | [pull\_and\_push\_accounts](#input\_pull\_and\_push\_accounts) | List of accounts that can pull and push | `list(string)` | n/a | yes |
 | [pull\_through\_cache\_accounts](#input\_pull\_through\_cache\_accounts) | A default list of accounts for the Pull Through Cache if not configured in the `pull_through_cache_setup`. Defaults to the calling account root | `list(string)` | `[]` | no |
-| [pull\_through\_cache\_setup](#input\_pull\_through\_cache\_setup) | The set-up for the Pull Through Cache, an object like `{ecr-public = {images = ["foo"] upstream_registry_url = "public.ecr.aws"}}` | `
map(
object({
upstream_registry_url = string
images = list(string)
accounts = optional(list(string))
})
)
` | n/a | yes |
+| [pull\_through\_cache\_setup](#input\_pull\_through\_cache\_setup) | The set-up for the Pull Through Cache, an object like {ecr-public = {images = ["foo"] upstream\_registry\_url = "public.ecr.aws"}} |
map(
object({
upstream_registry_url = string
images + = list(string)
accounts = optional(list(string))
})
)
| n/a | yes |
 | [region](#input\_region) | The name of the region to use | `string` | n/a | yes |
 | [repositories](#input\_repositories) | A list of the repositories to create | `list(string)` | n/a | yes |
 | [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | Whether the repositories are MUTABLE or IMMUTABLE. Best choice is IMMUTABLE | `string` | `"IMMUTABLE"` | no |