From 75d71f827e5b1ac147392446a419e7baad71d5ef Mon Sep 17 00:00:00 2001
From: jbeemster
Date: Wed, 3 Apr 2024 16:51:29 +0200
Subject: [PATCH] Add support for AWS China regions (closes #34)
---
 README.md | 1 +
 main.tf | 38 ++++++++++++++++++++++++++++++-------
 templates/user-data.sh.tmpl | 6 +++++-
 variables.tf | 8 ++++++++
 4 files changed, 45 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 1450b7a..1991227 100644
--- a/README.md
+++ b/README.md
@@ -138,6 +138,7 @@ module "transformer_kinesis" {
 | [kcl\_read\_min\_capacity](#input\_kcl\_read\_min\_capacity) | The minimum READ capacity for the KCL DynamoDB table | `number` | `1` | no |
 | [kcl\_write\_max\_capacity](#input\_kcl\_write\_max\_capacity) | The maximum WRITE capacity for the KCL DynamoDB table | `number` | `10` | no |
 | [kcl\_write\_min\_capacity](#input\_kcl\_write\_min\_capacity) | The minimum WRITE capacity for the KCL DynamoDB table | `number` | `1` | no |
+| [private\_ecr\_registry](#input\_private\_ecr\_registry) | The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/') | `string` | `""` | no |
 | [schemas\_json](#input\_schemas\_json) | List of schemas to get shredded as JSON | `list(string)` | `[]` | no |
 | [schemas\_skip](#input\_schemas\_skip) | List of schemas to not get shredded (and thus not loaded) | `list(string)` | `[]` | no |
 | [schemas\_tsv](#input\_schemas\_tsv) | List of schemas to get shredded as TSV | `list(string)` | `[]` | no |
diff --git a/main.tf b/main.tf
index 2d090f3..2faf438 100644
--- a/main.tf
+++ b/main.tf
@@ -37,7 +37,7 @@ locals {
 "sqs:ChangeMessageVisibilityBatch"
 ],
 Resource = [
- "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.sqs_queue_name}"
+ "arn:${local.iam_partition}:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.sqs_queue_name}"
 ]
 }
 ] : [
@@ -58,6 +58,25 @@ locals {
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
+locals {
+ is_aws_global = replace(data.aws_region.current.name, "cn-", "") == data.aws_region.current.name
+ iam_partition = local.is_aws_global ? "aws" : "aws-cn"
+
+ is_private_ecr_registry = var.private_ecr_registry != ""
+ private_ecr_registry_statement = [{
+ Action = [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "*"
+ ]
+ }]
+ private_ecr_registry_statement_final = local.is_private_ecr_registry ? local.private_ecr_registry_statement : []
+}
+
 module "telemetry" {
 source = "snowplow-devops/telemetry/snowplow"
 version = "0.5.0"
@@ -146,6 +165,7 @@ resource "aws_iam_policy" "iam_policy" {
 Version = "2012-10-17",
 Statement = concat(
 local.iam_queue_statement,
+ local.private_ecr_registry_statement_final,
 [
 {
 Effect = "Allow",
@@ -157,7 +177,7 @@ resource "aws_iam_policy" "iam_policy" {
 "kinesis:Get*"
 ],
 Resource = [
- "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stream/${var.stream_name}"
+ "arn:${local.iam_partition}:kinesis:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stream/${var.stream_name}"
 ]
 },
 {
@@ -167,7 +187,7 @@ resource "aws_iam_policy" "iam_policy" {
 "kinesis:SubscribeToShard"
 ],
 Resource = [
- "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stream/${var.stream_name}/consumer/*"
+ "arn:${local.iam_partition}:kinesis:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stream/${var.stream_name}/consumer/*"
 ]
 },
 {
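Review bot: The partition is derived in the new `locals` block by string-matching the region name for `cn-`, so any other non-standard partition (`aws-us-gov`, the ISO partitions) is silently mapped to `aws` and every ARN that this policy builds from `local.iam_partition` becomes invalid there; the provider already exposes the right value through `data "aws_partition" "current" {}` and its `.partition` attribute, which removes the region-name parsing entirely. The ECR statement in the same block also grants `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` on `Resource = ["*"]`, so the instance role may pull any image the account can reach; only `ecr:GetAuthorizationToken` needs `*`, and the two pull actions can be pinned to the repository that `templates/user-data.sh.tmpl` actually references (`snowplow/transformer-kinesis`), leaving region and account wildcarded because the README says the registry may belong to another account. As far as this patch shows, `is_aws_global` is read only by `iam_partition`, so it can be dropped with the rewrite below; confirm nothing outside the diff references it.
```hcl
data "aws_partition" "current" {}

locals {
  # Correct for aws, aws-cn, aws-us-gov and the ISO partitions; no region-name parsing.
  iam_partition = data.aws_partition.current.partition

  is_private_ecr_registry = var.private_ecr_registry != ""
  # GetAuthorizationToken only accepts "*"; the pull actions are scoped to the repository
  # that templates/user-data.sh.tmpl references. Region/account stay wildcarded because
  # the registry may live in another account.
  private_ecr_registry_statement = [
    {
      Action   = ["ecr:GetAuthorizationToken"]
      Effect   = "Allow"
      Resource = ["*"]
    },
    {
      Action = [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
      Effect   = "Allow"
      Resource = ["arn:${local.iam_partition}:ecr:*:*:repository/snowplow/transformer-kinesis"]
    }
  ]
  # … unchanged: private_ecr_registry_statement_final …
}
```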
@@ -193,7 +213,7 @@ resource "aws_iam_policy" "iam_policy" { "logs:DescribeLogStreams" ], Resource = [ - "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.cloudwatch_log_group_name}:*" + "arn:${local.iam_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.cloudwatch_log_group_name}:*" ] }, { @@ -210,7 +230,7 @@ resource "aws_iam_policy" "iam_policy" { "s3:ListBucket" ], Resource = [ - "arn:aws:s3:::${var.s3_bucket_name}" + "arn:${local.iam_partition}:s3:::${var.s3_bucket_name}" ] }, { @@ -222,8 +242,8 @@ resource "aws_iam_policy" "iam_policy" { "s3:Delete*" ], Resource = [ - "arn:aws:s3:::${local.s3_path}", - "arn:aws:s3:::${local.s3_path}/*" + "arn:${local.iam_partition}:s3:::${local.s3_path}", + "arn:${local.iam_partition}:s3:::${local.s3_path}/*" ] } ] @@ -378,6 +398,10 @@ locals { container_memory = "${module.instance_type_metrics.memory_application_mb}m" java_opts = var.java_opts + + is_private_ecr_registry = local.is_private_ecr_registry + private_ecr_registry = var.private_ecr_registry + region = data.aws_region.current.name }) } diff --git a/templates/user-data.sh.tmpl b/templates/user-data.sh.tmpl index 277e8ae..36d3160 100644 --- a/templates/user-data.sh.tmpl +++ b/templates/user-data.sh.tmpl @@ -1,3 +1,7 @@ +%{ if is_private_ecr_registry } +aws ecr get-login-password --region ${region} | docker login --username AWS --password-stdin ${private_ecr_registry} +%{ endif ~} + # Launch the loader sudo docker run \ -d \ @@ -16,7 +20,7 @@ sudo docker run \ --env JDK_JAVA_OPTIONS='${java_opts}' \ --env ACCEPT_LIMITED_USE_LICENSE=${accept_limited_use_license} \ --env INSTANCE_ID=$(get_instance_id) \ - snowplow/transformer-kinesis:${version} \ + ${private_ecr_registry}snowplow/transformer-kinesis:${version} \ --config ${config_b64} \ --iglu-config ${iglu_resolver_b64} diff --git a/variables.tf b/variables.tf index 111781d..2da5392 100644 
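Review bot: The added `aws ecr get-login-password … | docker login …` line in `templates/user-data.sh.tmpl` has no error handling, so if the token fetch or the login fails (no `aws` CLI on the AMI, no route to the ECR endpoint, instance-role credentials not yet available) the script simply continues to `sudo docker run`, which then fails with an unhelpful "pull access denied"/not-found error instead of the real cause; no `set -e` or `set -o pipefail` is visible in this hunk, so the pipeline status is only docker's. Make the login fatal and log it: `aws ecr get-login-password --region ${region} | docker login --username AWS --password-stdin ${private_ecr_registry} || { echo "ECR login to ${private_ecr_registry} failed" >&2; exit 1; }`. The login also runs without `sudo` while the later pull is `sudo docker run`; under cloud-init both are root and share the same Docker config, but if the script is ever run as a non-root user the credential would land in the wrong `~/.docker/config.json`, so prefixing both consistently removes the ambiguity. `get_instance_id` and any shell options are defined outside this hunk (presumably in a prelude the module prepends), so the absence of `set -e`/`pipefail` is inferred, not confirmed.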
--- a/variables.tf
+++ b/variables.tf
@@ -255,3 +255,11 @@ variable "user_provided_id" {
 type = string
 default = ""
 }
+
+# --- Image Repositories
+
+variable "private_ecr_registry" {
+ description = "The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/')"
+ type = string
+ default = ""
+}
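Review bot: `private_ecr_registry` is interpolated unquoted into the user-data shell script, both as the `docker login` target and as the image-name prefix in `${private_ecr_registry}snowplow/transformer-kinesis:${version}`, with no validation, so a value without the trailing `/` that the description shows produces a broken image reference, and because the value is spliced into a root-executed script any stray shell metacharacters would be executed as well. A `validation` block restricting it to the empty string or an ECR registry hostname ending in `/` closes both and gives a plan-time error instead of a failed boot. Variable validation needs Terraform ≥ 0.13 and the pattern below is tight to standard `dkr.ecr` hostnames (loosen it if FIPS endpoints must be accepted); the module's `required_version` is not in this diff, so confirm that constraint.
```hcl
variable "private_ecr_registry" {
  description = "The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/')"
  type        = string
  default     = ""

  validation {
    condition     = var.private_ecr_registry == "" || can(regex("^[0-9]{12}\\.dkr\\.ecr\\.[a-z0-9-]+\\.amazonaws\\.com(\\.cn)?/$", var.private_ecr_registry))
    error_message = "private_ecr_registry must be empty or an ECR registry URL of the form '<account>.dkr.ecr.<region>.amazonaws.com[.cn]/' (trailing slash required)."
  }
}
```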