Add support for AWS China regions (closes #34)

README.md

@@ -138,6 +138,7 @@ module "transformer_kinesis" {
 | <a name="input_kcl_read_min_capacity"></a> [kcl\_read\_min\_capacity](#input\_kcl\_read\_min\_capacity) | The minimum READ capacity for the KCL DynamoDB table | `number` | `1` | no |
 | <a name="input_kcl_write_max_capacity"></a> [kcl\_write\_max\_capacity](#input\_kcl\_write\_max\_capacity) | The maximum WRITE capacity for the KCL DynamoDB table | `number` | `10` | no |
 | <a name="input_kcl_write_min_capacity"></a> [kcl\_write\_min\_capacity](#input\_kcl\_write\_min\_capacity) | The minimum WRITE capacity for the KCL DynamoDB table | `number` | `1` | no |
+| <a name="input_private_ecr_registry"></a> [private\_ecr\_registry](#input\_private\_ecr\_registry) | The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/') | `string` | `""` | no |
 | <a name="input_schemas_json"></a> [schemas\_json](#input\_schemas\_json) | List of schemas to get shredded as JSON | `list(string)` | `[]` | no |
 | <a name="input_schemas_skip"></a> [schemas\_skip](#input\_schemas\_skip) | List of schemas to not get shredded (and thus not loaded) | `list(string)` | `[]` | no |
 | <a name="input_schemas_tsv"></a> [schemas\_tsv](#input\_schemas\_tsv) | List of schemas to get shredded as TSV | `list(string)` | `[]` | no |

main.tf

@@ -37,7 +37,7 @@ locals {
         "sqs:ChangeMessageVisibilityBatch"
       ],
       Resource = [
-        "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.sqs_queue_name}"
+        "arn:${local.iam_partition}:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.sqs_queue_name}"
       ]
     }
     ] : [
@@ -58,6 +58,25 @@ locals {
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
+locals {
+  is_aws_global = replace(data.aws_region.current.name, "cn-", "") == data.aws_region.current.name
+  iam_partition = local.is_aws_global ? "aws" : "aws-cn"
+
+  is_private_ecr_registry = var.private_ecr_registry != ""
+  private_ecr_registry_statement = [{
+    Action = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer"
+    ]
+    Effect = "Allow"
+    Resource = [
+      "*"
+    ]
+  }]
+  private_ecr_registry_statement_final = local.is_private_ecr_registry ? local.private_ecr_registry_statement : []
+}
+
 module "telemetry" {
   source  = "snowplow-devops/telemetry/snowplow"
   version = "0.5.0"
@@ -146,6 +165,7 @@ resource "aws_iam_policy" "iam_policy" {
     Version = "2012-10-17",
     Statement = concat(
       local.iam_queue_statement,
+      local.private_ecr_registry_statement_final,
       [
         {
           Effect = "Allow",
@@ -157,7 +177,7 @@ resource "aws_iam_policy" "iam_policy" {
             "kinesis:Get*"
           ],
           Resource = [
-            "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stream/${var.stream_name}"
+            "arn:${local.iam_partition}:kinesis:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stream/${var.stream_name}"
           ]
         },
         {
@@ -167,7 +187,7 @@ resource "aws_iam_policy" "iam_policy" {
             "kinesis:SubscribeToShard"
           ],
           Resource = [
-            "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stream/${var.stream_name}/consumer/*"
+            "arn:${local.iam_partition}:kinesis:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stream/${var.stream_name}/consumer/*"
           ]
         },
         {
@@ -193,7 +213,7 @@ resource "aws_iam_policy" "iam_policy" {
             "logs:DescribeLogStreams"
           ],
           Resource = [
-            "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.cloudwatch_log_group_name}:*"
+            "arn:${local.iam_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.cloudwatch_log_group_name}:*"
           ]
         },
         {
@@ -210,7 +230,7 @@ resource "aws_iam_policy" "iam_policy" {
             "s3:ListBucket"
           ],
           Resource = [
-            "arn:aws:s3:::${var.s3_bucket_name}"
+            "arn:${local.iam_partition}:s3:::${var.s3_bucket_name}"
           ]
         },
         {
@@ -222,8 +242,8 @@ resource "aws_iam_policy" "iam_policy" {
             "s3:Delete*"
           ],
           Resource = [
-            "arn:aws:s3:::${local.s3_path}",
-            "arn:aws:s3:::${local.s3_path}/*"
+            "arn:${local.iam_partition}:s3:::${local.s3_path}",
+            "arn:${local.iam_partition}:s3:::${local.s3_path}/*"
           ]
         }
       ]
@@ -378,6 +398,10 @@ locals {
 
     container_memory = "${module.instance_type_metrics.memory_application_mb}m"
     java_opts        = var.java_opts
+
+    is_private_ecr_registry = local.is_private_ecr_registry
+    private_ecr_registry    = var.private_ecr_registry
+    region                  = data.aws_region.current.name
   })
 }
 

templates/user-data.sh.tmpl

@@ -1,3 +1,7 @@
+%{ if is_private_ecr_registry }
+aws ecr get-login-password --region ${region} | docker login --username AWS --password-stdin ${private_ecr_registry}
+%{ endif ~}
+
 # Launch the loader
 sudo docker run \
   -d \
@@ -16,7 +20,7 @@ sudo docker run \
   --env JDK_JAVA_OPTIONS='${java_opts}' \
   --env ACCEPT_LIMITED_USE_LICENSE=${accept_limited_use_license} \
   --env INSTANCE_ID=$(get_instance_id) \
-  snowplow/transformer-kinesis:${version} \
+  ${private_ecr_registry}snowplow/transformer-kinesis:${version} \
   --config ${config_b64} \
   --iglu-config ${iglu_resolver_b64}
 

variables.tf

@@ -255,3 +255,11 @@ variable "user_provided_id" {
   type        = string
   default     = ""
 }
+
+# --- Image Repositories
+
+variable "private_ecr_registry" {
+  description = "The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/')"
+  type        = string
+  default     = ""
+}