Add Private ECR registry support - WIP

README.md

@@ -153,6 +153,7 @@ module "iglu_server" {
 | <a name="input_max_size"></a> [max\_size](#input\_max\_size) | The maximum number of servers in this server-group | `number` | `2` | no |
 | <a name="input_min_size"></a> [min\_size](#input\_min\_size) | The minimum number of servers in this server-group | `number` | `1` | no |
 | <a name="input_patches_allowed"></a> [patches\_allowed](#input\_patches\_allowed) | Whether or not patches are allowed for published Iglu Schemas | `bool` | `true` | no |
+| <a name="input_private_ecr_registry"></a> [private\_ecr\_registry](#input\_private\_ecr\_registry) | The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/') | `string` | `""` | no |
 | <a name="input_scale_down_cooldown_sec"></a> [scale\_down\_cooldown\_sec](#input\_scale\_down\_cooldown\_sec) | Time (in seconds) until another scale-down action can occur | `number` | `600` | no |
 | <a name="input_scale_down_cpu_threshold_percentage"></a> [scale\_down\_cpu\_threshold\_percentage](#input\_scale\_down\_cpu\_threshold\_percentage) | The average CPU percentage that we must be below to scale-down | `number` | `20` | no |
 | <a name="input_scale_down_eval_minutes"></a> [scale\_down\_eval\_minutes](#input\_scale\_down\_eval\_minutes) | The number of consecutive minutes that we must be below the threshold to scale-down | `number` | `60` | no |

main.tf

@@ -27,6 +27,20 @@ data "aws_caller_identity" "current" {}
 locals {
   is_aws_global = replace(data.aws_region.current.name, "cn-", "") == data.aws_region.current.name
   iam_partition = local.is_aws_global ? "aws" : "aws-cn"
+
+  is_private_ecr_registry = var.private_ecr_registry != ""
+  private_ecr_registry_statement = [{
+    Action = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer"
+    ]
+    Effect = "Allow"
+    Resource = [
+      "*"
+    ]
+  }]
+  private_ecr_registry_statement_final = local.is_private_ecr_registry ? local.private_ecr_registry_statement : []
 }
 
 module "telemetry" {
@@ -81,24 +95,25 @@ EOF
 resource "aws_iam_policy" "iam_policy" {
   name = var.name
 
-  policy = <<EOF
-{
-  "Version" : "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "logs:PutLogEvents",
-        "logs:CreateLogStream",
-        "logs:DescribeLogStreams"
-      ],
-      "Resource": [
-        "arn:${local.iam_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.cloudwatch_log_group_name}:*"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = concat(
+      local.private_ecr_registry_statement_final,
+      [
+        {
+          Effect = "Allow",
+          Action = [
+            "logs:PutLogEvents",
+            "logs:CreateLogStream",
+            "logs:DescribeLogStreams"
+          ],
+          Resource = [
+            "arn:${local.iam_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.cloudwatch_log_group_name}:*"
+          ]
+        }
       ]
-    }
-  ]
-}
-EOF
+    )
+  })
 }
 
 resource "aws_iam_role_policy_attachment" "policy_attachment" {
@@ -240,6 +255,8 @@ locals {
 
     container_memory = "${module.instance_type_metrics.memory_application_mb}m"
     java_opts        = var.java_opts
+
+    private_ecr_registry = var.private_ecr_registry
   })
 }
 

templates/user-data.sh.tmpl

@@ -18,7 +18,7 @@ sudo docker run \
   --mount type=bind,source=$${CONFIG_DIR},target=/snowplow/config \
   --env JDK_JAVA_OPTIONS='${java_opts}' \
   --env ACCEPT_LIMITED_USE_LICENSE=${accept_limited_use_license} \
-  snowplow/iglu-server:${version} \
+  ${private_ecr_registry}snowplow/iglu-server:${version} \
   setup --config /snowplow/config/iglu-server.hocon
 set -e
 
@@ -41,7 +41,7 @@ sudo docker run \
   --env JDK_JAVA_OPTIONS='${java_opts}' \
   --env ACCEPT_LIMITED_USE_LICENSE=${accept_limited_use_license} \
   -p ${port}:${port} \
-  snowplow/iglu-server:${version} \
+  ${private_ecr_registry}snowplow/iglu-server:${version} \
   --config /snowplow/config/iglu-server.hocon
 
 ${telemetry_script}

variables.tf

@@ -218,3 +218,11 @@ variable "user_provided_id" {
   type        = string
   default     = ""
 }
+
+# --- Image Repositories
+
+variable "private_ecr_registry" {
+  description = "The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/')"
+  type        = string
+  default     = ""
+}