From 207007b1d73123e5c23bb3e13a76d60c0da0ffcc Mon Sep 17 00:00:00 2001 From: AJ Sanon Date: Mon, 21 Nov 2022 14:10:10 -0500 Subject: [PATCH 01/14] Lambda Reg UX changes to simplify for users --- examples/lambda/README.md | 49 ++------------------- examples/lambda/registrator.tf | 2 +- examples/lambda/variables.tf | 5 ++- modules/lambda-registrator/main.tf | 58 ++++++++++++++++++++++++- modules/lambda-registrator/variables.tf | 39 ++++++++++++----- 5 files changed, 93 insertions(+), 60 deletions(-) diff --git a/examples/lambda/README.md b/examples/lambda/README.md index d85b4f8..17c95f5 100644 --- a/examples/lambda/README.md +++ b/examples/lambda/README.md 
@@ -51,57 +51,16 @@ cd terraform-aws-consul-lambda/examples/lambda git checkout v${VERSION} ``` -## Set your AWS account ID and region +## Set your AWS region -Subsequent steps require knowledge of your AWS account ID and the AWS region that you want to deploy the example resources to. +Subsequent steps require knowledge of the AWS region that you want to deploy the example resources to. Export these values to environment variables using the commands below. -Replace `` and `` with your AWS account ID and region, respectively. +Replace `` with your AWS region. ```shell -export AWS_ACCOUNT_ID= export AWS_REGION= ``` -## Publish `consul-lambda-registrator` - -In this section you will pull the `consul-lambda-registrator` image from the AWS Public ECR Gallery and publish it to a private ECR repository using `docker`. This is required because AWS Lambda functions must use images from a private ECR repository. They are not able to use images from the Public ECR Gallery. - -### Pull `consul-lambda-registrator` - -Use the following command to pull the `consul-lambda-registrator` from the AWS Public ECR to your local machine. - -```shell -docker pull public.ecr.aws/hashicorp/consul-lambda-registrator:${VERSION} -``` - -### Log in to AWS ECR - -```shell -aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com -``` - -### Create a private ECR repository - -Use the following command to create a private ECR repository for `consul-lambda-registrator`. - -```shell -aws ecr create-repository \ - --repository-name consul-lambda-registrator \ - --image-scanning-configuration scanOnPush=true \ - --region ${AWS_REGION} -``` - -### Push `consul-lambda-registrator` - -Use the following commands to push the `consul-lambda-registrator` image to the private ECR repository you created in the previous step. 
- -```shell -docker tag \ - public.ecr.aws/hashicorp/consul-lambda-registrator:${VERSION} \ - ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/consul-lambda-registrator:${VERSION} - -docker push ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/consul-lambda-registrator:${VERSION} -``` ## Download the `consul-lambda-extension` @@ -139,7 +98,6 @@ terraform init terraform apply \ -var "name=${USER}" \ -var "region=${AWS_REGION}" \ - -var "ecr_image_uri=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/consul-lambda-registrator:${VERSION}" \ -var "ingress_cidrs=[\"${MY_IP}\"]" ``` @@ -261,7 +219,6 @@ Use the following command to clean up the resources managed by Terraform. terraform destroy \ -var "name=${USER}" \ -var "region=${AWS_REGION}" \ - -var "ecr_image_uri=${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/consul-lambda-registrator:${VERSION}" \ -var "ingress_cidrs=[\"${MY_IP}\"]" ``` diff --git a/examples/lambda/registrator.tf b/examples/lambda/registrator.tf index 274195e..8eb8408 100644 --- a/examples/lambda/registrator.tf +++ b/examples/lambda/registrator.tf @@ -4,10 +4,10 @@ module "consul_lambda_registrator" { source = "../../modules/lambda-registrator" name = "${var.name}-lambda-registrator" - ecr_image_uri = var.ecr_image_uri consul_http_addr = "http://${module.dev_consul_server.server_dns}:8500" consul_extension_data_prefix = "/${var.name}" subnet_ids = module.vpc.private_subnets security_group_ids = [module.vpc.default_security_group_id] sync_frequency_in_minutes = 1 + pull_through = false } diff --git a/examples/lambda/variables.tf b/examples/lambda/variables.tf index 0084d75..4290485 100644 --- a/examples/lambda/variables.tf +++ b/examples/lambda/variables.tf 
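Review bot: The example root now declares `lambda_registrator_image` (the examples/lambda/variables.tf hunk in this same patch), but nothing passes it to the module: this hunk drops `ecr_image_uri = var.ecr_image_uri` and adds only `pull_through = false`, so the module falls back to its own `consul_lambda_registrator_image` default and the example variable is dead. Wire it through next to the new line: `consul_lambda_registrator_image = var.lambda_registrator_image`. As it stands, changing the example's default (as the later tag bump in this series does) changes nothing that is actually deployed.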
@@ -6,9 +6,10 @@ variable "name" { type = string } -variable "ecr_image_uri" { - description = "The private ECR image URI for consul-lambda-registrator." +variable "lambda_registrator_image" { + description = "The Consul Lambda Registrator image for consul-lambda-registrator." type = string + default = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta2" } variable "region" { diff --git a/modules/lambda-registrator/main.tf b/modules/lambda-registrator/main.tf index 0a5b868..fd2c5fa 100644 --- a/modules/lambda-registrator/main.tf +++ b/modules/lambda-registrator/main.tf @@ -9,7 +9,12 @@ locals { }] : [] cron_key = "${var.name}-cron" lambda_events_key = "${var.name}-lambda_events" + image_tag = split(":", var.consul_lambda_registrator_image)[1] + ecr_image_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.private_repo_name}:${local.image_tag}" + //See comment in line 157 for explanation +// ecr_image_uri_pull-through = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ecr-public/hashicorp/${var.private_repo_name}:${local.image_tag}" } +data "aws_caller_identity" "current" {} resource "aws_iam_role" "registration" { name = var.name @@ -127,8 +132,54 @@ resource "aws_iam_role_policy_attachment" "lambda_logs" { policy_arn = aws_iam_policy.policy.arn } +resource "aws_ecr_repository" "lambda-registrator" { + name = var.private_repo_name + force_delete = true +} + +resource "null_resource" "pull_and_republish_ecr_image" { + count = var.pull_through ? 0 : 1 + triggers = { + always_run = timestamp() + } + + provisioner "local-exec" { + command = < Date: Tue, 29 Aug 2023 23:08:17 +0530 Subject: [PATCH 02/14] - added pull through cache - removed all provisioners and used providers --- modules/lambda-registrator/main.tf | 101 +++++++++++++++--------- modules/lambda-registrator/variables.tf | 7 +- 2 files changed, 64 insertions(+), 44 deletions(-) 
diff --git a/modules/lambda-registrator/main.tf b/modules/lambda-registrator/main.tf index fd2c5fa..71e782e 100644 --- a/modules/lambda-registrator/main.tf +++ b/modules/lambda-registrator/main.tf @@ -1,6 +1,19 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 +terraform { + required_providers { + docker = { + source = "kreuzwerker/docker" + version = "3.0.2" + } + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } +} + locals { on_vpc = length(var.subnet_ids) > 0 && length(var.security_group_ids) > 0 vpc_config = local.on_vpc ? [{ @@ -11,11 +24,14 @@ locals { lambda_events_key = "${var.name}-lambda_events" image_tag = split(":", var.consul_lambda_registrator_image)[1] ecr_image_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.private_repo_name}:${local.image_tag}" - //See comment in line 157 for explanation -// ecr_image_uri_pull-through = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ecr-public/hashicorp/${var.private_repo_name}:${local.image_tag}" + ecr_image_uri_pull-through = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ecr-public/hashicorp/${var.private_repo_name}:${local.image_tag}" } + data "aws_caller_identity" "current" {} +provider "aws" { + region = var.region +} resource "aws_iam_role" "registration" { name = var.name 
@@ -133,53 +149,62 @@ resource "aws_iam_role_policy_attachment" "lambda_logs" { } resource "aws_ecr_repository" "lambda-registrator" { + count = var.pull_through ? 0 : 1 name = var.private_repo_name force_delete = true } -resource "null_resource" "pull_and_republish_ecr_image" { - count = var.pull_through ? 0 : 1 - triggers = { - always_run = timestamp() +# Equivalent of aws ecr get-login +data "aws_ecr_authorization_token" "ecr_auth" {} + +provider "docker" { + host = "unix:///var/run/docker.sock" # Use the appropriate Docker socket for your system + registry_auth { + username = data.aws_ecr_authorization_token.ecr_auth.user_name + password = data.aws_ecr_authorization_token.ecr_auth.password + address = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" } +} + + +resource "aws_ecr_pull_through_cache_rule" "pull_through_cache_rule" { + count = var.pull_through ? 1 : 0 + ecr_repository_prefix = "ecr-public" + upstream_registry_url = "public.ecr.aws" +} + +resource "docker_image" "lambda_registrator" { + name = var.pull_through ? local.ecr_image_uri_pull-through : var.consul_lambda_registrator_image + depends_on = [ + aws_ecr_pull_through_cache_rule.pull_through_cache_rule + ] +} + +resource "docker_tag" "lambda_registrator_tag" { + count = var.pull_through ? 0 : 1 + source_image = docker_image.lambda_registrator.name + target_image = local.ecr_image_uri +} + +resource "null_resource" "push_image" { + count = var.pull_through ? 0 : 1 provisioner "local-exec" { - command = < Date: Tue, 29 Aug 2023 23:46:25 +0530 Subject: [PATCH 03/14] bumped lambda_registrator_image tag --- examples/lambda/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/lambda/variables.tf b/examples/lambda/variables.tf index 4290485..a971edb 100644 --- a/examples/lambda/variables.tf +++ b/examples/lambda/variables.tf 
@@ -9,7 +9,7 @@ variable "name" {
 variable "lambda_registrator_image" {
 description = "The Consul Lambda Registrator image for consul-lambda-registrator."
 type = string
- default = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta2"
+ default = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4"
 }
 variable "region" {
From 88af71fbfa6771b2c7f3c8eb0ea31fadaf0d26a5 Mon Sep 17 00:00:00 2001
From: aahel
Date: Tue, 29 Aug 2023 23:50:27 +0530
Subject: [PATCH 04/14] fixed terraform fmt
---
 examples/lambda/variables.tf | 2 +-
 modules/lambda-registrator/main.tf | 26 ++++++++++++-------------
 modules/lambda-registrator/variables.tf | 16 +++++++--------
 3 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/examples/lambda/variables.tf b/examples/lambda/variables.tf
index a971edb..dd369da 100644
--- a/examples/lambda/variables.tf
+++ b/examples/lambda/variables.tf
@@ -9,7 +9,7 @@ variable "name" {
 variable "lambda_registrator_image" {
 description = "The Consul Lambda Registrator image for consul-lambda-registrator."
 type = string
- default = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4"
+ default = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4"
 }
 variable "region" {
diff --git a/modules/lambda-registrator/main.tf b/modules/lambda-registrator/main.tf
index 71e782e..80d0226 100644
--- a/modules/lambda-registrator/main.tf
+++ b/modules/lambda-registrator/main.tf
@@ -20,10 +20,10 @@ locals { subnet_ids = var.subnet_ids security_group_ids = var.security_group_ids }] : [] - cron_key = "${var.name}-cron" - lambda_events_key = "${var.name}-lambda_events" - image_tag = split(":", var.consul_lambda_registrator_image)[1] - ecr_image_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.private_repo_name}:${local.image_tag}" + cron_key = "${var.name}-cron" + lambda_events_key = "${var.name}-lambda_events" + image_tag = split(":", var.consul_lambda_registrator_image)[1] + ecr_image_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.private_repo_name}:${local.image_tag}" ecr_image_uri_pull-through = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ecr-public/hashicorp/${var.private_repo_name}:${local.image_tag}" } @@ -149,8 +149,8 @@ resource "aws_iam_role_policy_attachment" "lambda_logs" { } resource "aws_ecr_repository" "lambda-registrator" { - count = var.pull_through ? 0 : 1 - name = var.private_repo_name + count = var.pull_through ? 0 : 1 + name = var.private_repo_name force_delete = true } 
@@ -158,30 +158,30 @@ resource "aws_ecr_repository" "lambda-registrator" { data "aws_ecr_authorization_token" "ecr_auth" {} provider "docker" { - host = "unix:///var/run/docker.sock" # Use the appropriate Docker socket for your system + host = "unix:///var/run/docker.sock" # Use the appropriate Docker socket for your system registry_auth { username = data.aws_ecr_authorization_token.ecr_auth.user_name password = data.aws_ecr_authorization_token.ecr_auth.password - address = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" + address = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" } } resource "aws_ecr_pull_through_cache_rule" "pull_through_cache_rule" { - count = var.pull_through ? 1 : 0 + count = var.pull_through ? 1 : 0 ecr_repository_prefix = "ecr-public" upstream_registry_url = "public.ecr.aws" } resource "docker_image" "lambda_registrator" { - name = var.pull_through ? local.ecr_image_uri_pull-through : var.consul_lambda_registrator_image + name = var.pull_through ? local.ecr_image_uri_pull-through : var.consul_lambda_registrator_image depends_on = [ aws_ecr_pull_through_cache_rule.pull_through_cache_rule ] } resource "docker_tag" "lambda_registrator_tag" { - count = var.pull_through ? 0 : 1 + count = var.pull_through ? 0 : 1 source_image = docker_image.lambda_registrator.name target_image = local.ecr_image_uri } @@ -198,7 +198,7 @@ resource "null_resource" "push_image" { ] } resource "time_sleep" "wait_30_seconds" { - count = var.pull_through ? 1 : 0 + count = var.pull_through ? 1 : 0 depends_on = [docker_image.lambda_registrator] create_duration = "30s" @@ -248,7 +248,7 @@ resource "aws_lambda_function" "registration" { null_resource.push_image, time_sleep.wait_30_seconds, ] - + } module "eventbridge" { diff --git a/modules/lambda-registrator/variables.tf b/modules/lambda-registrator/variables.tf index f7ca129..cfbd69c 100644 --- a/modules/lambda-registrator/variables.tf 
+++ b/modules/lambda-registrator/variables.tf @@ -100,26 +100,26 @@ variable "tags" { default = {} } variable "region" { - type = string + type = string description = "AWS region for private repository" default = "us-east-2" } variable "private_repo_name" { description = "The name of the repository to republish the ECR image if one exists. If no name is passed, it is assumed that no repository exists and one needs to be created." - type = string - default = "consul-lambda-registrator" + type = string + default = "consul-lambda-registrator" } variable "pull_through" { description = "Flag to determine if a pull-through cache method will be used to obtain the appropriate ECR image" - type = bool - default = false + type = bool + default = false } -variable "consul_lambda_registrator_image"{ +variable "consul_lambda_registrator_image" { description = "The Lambda registrator image to be used, either the latest L.R. image or a user specified prior version" - type = string - default = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4" + type = string + default = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4" } From 9b2b9a501665c17b903da86a2722831dc65f5761 Mon Sep 17 00:00:00 2001 From: aahel Date: Wed, 30 Aug 2023 16:35:58 +0530 Subject: [PATCH 05/14] moved providers to examples/lambda providers.tf --- examples/lambda/providers.tf | 17 +++++++++++++++++ modules/lambda-registrator/main.tf | 29 ----------------------------- 2 files changed, 17 insertions(+), 29 deletions(-) diff --git a/examples/lambda/providers.tf b/examples/lambda/providers.tf index 5721691..274639b 100644 --- a/examples/lambda/providers.tf +++ b/examples/lambda/providers.tf 
@@ -15,9 +15,26 @@ terraform { source = "hashicorp/tls" version = "4.0.3" } + + docker = { + source = "kreuzwerker/docker" + version = "3.0.2" + } } } provider "aws" { region = var.region } + +# Equivalent of aws ecr get-login +data "aws_ecr_authorization_token" "ecr_auth" {} + +provider "docker" { + host = "unix:///var/run/docker.sock" # Use the appropriate Docker socket for your system + registry_auth { + username = data.aws_ecr_authorization_token.ecr_auth.user_name + password = data.aws_ecr_authorization_token.ecr_auth.password + address = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" + } +} diff --git a/modules/lambda-registrator/main.tf b/modules/lambda-registrator/main.tf index 80d0226..3e16f07 100644 --- a/modules/lambda-registrator/main.tf +++ b/modules/lambda-registrator/main.tf @@ -1,19 +1,5 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 - -terraform { - required_providers { - docker = { - source = "kreuzwerker/docker" - version = "3.0.2" - } - aws = { - source = "hashicorp/aws" - version = "~> 5.0" - } - } -} - locals { on_vpc = length(var.subnet_ids) > 0 && length(var.security_group_ids) > 0 vpc_config = local.on_vpc ? [{ @@ -29,9 +15,6 @@ locals { data "aws_caller_identity" "current" {} -provider "aws" { - region = var.region -} resource "aws_iam_role" "registration" { name = var.name 
@@ -154,18 +137,6 @@ resource "aws_ecr_repository" "lambda-registrator" { force_delete = true } -# Equivalent of aws ecr get-login -data "aws_ecr_authorization_token" "ecr_auth" {} - -provider "docker" { - host = "unix:///var/run/docker.sock" # Use the appropriate Docker socket for your system - registry_auth { - username = data.aws_ecr_authorization_token.ecr_auth.user_name - password = data.aws_ecr_authorization_token.ecr_auth.password - address = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" - } -} - resource "aws_ecr_pull_through_cache_rule" "pull_through_cache_rule" { count = var.pull_through ? 1 : 0 From cbe084d0e95f1fbf0e23caa9907f7881c4d4df67 Mon Sep 17 00:00:00 2001 From: aahel Date: Wed, 30 Aug 2023 19:46:19 +0530 Subject: [PATCH 06/14] fixed provider and other minor fixes --- examples/lambda/README.md | 2 +- examples/lambda/lambda/variables.tf | 2 +- examples/lambda/providers.tf | 15 --------------- modules/lambda-registrator/main.tf | 21 +++++++++++++++++++++ 4 files changed, 23 insertions(+), 17 deletions(-) diff --git a/examples/lambda/README.md b/examples/lambda/README.md index 17c95f5..f8dee15 100644 --- a/examples/lambda/README.md +++ b/examples/lambda/README.md @@ -69,7 +69,7 @@ This example Terraform workspace will use the zip package to deploy the `consul- add it to the `lambda-app-2` function so that it can call services within the Consul service mesh. ```shell -curl -o consul-lambda-extension.zip https://releases.hashicorp.com/consul-lambda-extension/${VERSION}/consul-lambda-extension_${VERSION}_linux_amd64.zip +curl -o consul-lambda-extension.zip "https://releases.hashicorp.com/consul-lambda-extension/${VERSION}-beta4/consul-lambda-extension_${VERSION}-beta4_linux_amd64.zip" ``` ## Build the example Lambda function diff --git a/examples/lambda/lambda/variables.tf b/examples/lambda/lambda/variables.tf index 1285fb7..fcc823b 100644 --- a/examples/lambda/lambda/variables.tf 
+++ b/examples/lambda/lambda/variables.tf @@ -94,7 +94,7 @@ variable "invocation_mode" { default = "SYNCHRONOUS" validation { condition = contains(["SYNCHRONOUS", "ASYNCHRONOUS"], var.invocation_mode) - error_message = "invocation_mode must be one of SYNCHRONOUS or ASYNCHRONOUS" + error_message = "Invocation_mode must be one of SYNCHRONOUS or ASYNCHRONOUS." } } diff --git a/examples/lambda/providers.tf b/examples/lambda/providers.tf index 274639b..07cac4a 100644 --- a/examples/lambda/providers.tf +++ b/examples/lambda/providers.tf @@ -16,10 +16,6 @@ terraform { version = "4.0.3" } - docker = { - source = "kreuzwerker/docker" - version = "3.0.2" - } } } @@ -27,14 +23,3 @@ provider "aws" { region = var.region } -# Equivalent of aws ecr get-login -data "aws_ecr_authorization_token" "ecr_auth" {} - -provider "docker" { - host = "unix:///var/run/docker.sock" # Use the appropriate Docker socket for your system - registry_auth { - username = data.aws_ecr_authorization_token.ecr_auth.user_name - password = data.aws_ecr_authorization_token.ecr_auth.password - address = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" - } -} diff --git a/modules/lambda-registrator/main.tf b/modules/lambda-registrator/main.tf index 3e16f07..3cd23d2 100644 --- a/modules/lambda-registrator/main.tf +++ b/modules/lambda-registrator/main.tf @@ -1,5 +1,14 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 + +terraform { + required_providers { + docker = { + source = "kreuzwerker/docker" + version = "3.0.2" + } + } +} locals { on_vpc = length(var.subnet_ids) > 0 && length(var.security_group_ids) > 0 vpc_config = local.on_vpc ? [{ 
@@ -13,6 +22,18 @@ locals { ecr_image_uri_pull-through = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ecr-public/hashicorp/${var.private_repo_name}:${local.image_tag}" } +# Equivalent of aws ecr get-login +data "aws_ecr_authorization_token" "ecr_auth" {} + +provider "docker" { + host = "unix:///var/run/docker.sock" # Use the appropriate Docker socket for your system + registry_auth { + username = data.aws_ecr_authorization_token.ecr_auth.user_name + password = data.aws_ecr_authorization_token.ecr_auth.password + address = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com" + } +} + data "aws_caller_identity" "current" {} resource "aws_iam_role" "registration" { From baa6a034bb14049c4b3acfb845007ef33f36a7e1 Mon Sep 17 00:00:00 2001 From: aahel Date: Wed, 30 Aug 2023 20:26:59 +0530 Subject: [PATCH 07/14] added pull_through var in examples --- examples/lambda/registrator.tf | 2 +- examples/lambda/variables.tf | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/examples/lambda/registrator.tf b/examples/lambda/registrator.tf index 8eb8408..a2f28ba 100644 --- a/examples/lambda/registrator.tf +++ b/examples/lambda/registrator.tf @@ -9,5 +9,5 @@ module "consul_lambda_registrator" { subnet_ids = module.vpc.private_subnets security_group_ids = [module.vpc.default_security_group_id] sync_frequency_in_minutes = 1 - pull_through = false + pull_through = var.pull_through } diff --git a/examples/lambda/variables.tf b/examples/lambda/variables.tf index dd369da..d9e8bad 100644 --- a/examples/lambda/variables.tf +++ b/examples/lambda/variables.tf @@ -39,3 +39,9 @@ variable "consul_lambda_extension_arn" { type = string default = "" } + +variable "pull_through" { + description = "Flag to determine if a pull-through cache method will be used to obtain the appropriate ECR image" + type = bool + default = false +} \ No newline at end of file 
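Review bot: `data.aws_ecr_authorization_token.ecr_auth.password` is wired into `registry_auth` here, and a data source's result is written to Terraform state, so every plan/apply persists a live ECR registry password (these tokens stay valid for 12 hours) in whatever backend holds the state. The module should say so next to the data block, e.g. `# NOTE: the token's user_name/password are stored in Terraform state and plan files; treat the state backend as secret-bearing.` Separately, a `provider "docker"` block inside a reusable module means callers cannot use `count`, `for_each` or `depends_on` on `module.consul_lambda_registrator`, and removing the module later leaves Terraform without a provider configuration to destroy its resources; keeping the provider in the root (the shape patch 05 attempted), declaring `aws_ecr_authorization_token` and `aws_caller_identity` there too, and passing it in via `providers` avoids both problems.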
From 1df29260dea2eb0fa2ffc5323385ff226a0a5be9 Mon Sep 17 00:00:00 2001
From: aahel
Date: Wed, 30 Aug 2023 20:28:39 +0530
Subject: [PATCH 08/14] fixed terraform lint
---
 modules/lambda-registrator/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/lambda-registrator/main.tf b/modules/lambda-registrator/main.tf
index 3cd23d2..9c3e0b1 100644
--- a/modules/lambda-registrator/main.tf
+++ b/modules/lambda-registrator/main.tf
@@ -3,7 +3,7 @@
 terraform {
 required_providers {
- docker = {
+ docker = {
 source = "kreuzwerker/docker"
 version = "3.0.2"
 }
From 1074f078245df3c54d39ba7b60c1838b5be8abef Mon Sep 17 00:00:00 2001
From: aahel
Date: Wed, 30 Aug 2023 20:32:30 +0530
Subject: [PATCH 09/14] fix minor fmt issues
---
 examples/lambda/providers.tf | 2 --
 examples/lambda/variables.tf | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/examples/lambda/providers.tf b/examples/lambda/providers.tf
index 07cac4a..5721691 100644
--- a/examples/lambda/providers.tf
+++ b/examples/lambda/providers.tf
@@ -15,11 +15,9 @@ terraform {
 source = "hashicorp/tls"
 version = "4.0.3"
 }
-
 }
 }
 provider "aws" {
 region = var.region
 }
-
diff --git a/examples/lambda/variables.tf b/examples/lambda/variables.tf
index d9e8bad..88cb3e4 100644
--- a/examples/lambda/variables.tf
+++ b/examples/lambda/variables.tf
@@ -44,4 +44,4 @@ variable "pull_through" {
 description = "Flag to determine if a pull-through cache method will be used to obtain the appropriate ECR image"
 type = bool
 default = false
-}
\ No newline at end of file
+}
From c0b1e34191b971f238fa7c6a54b2a52da01f46a5 Mon Sep 17 00:00:00 2001
From: aahel
Date: Thu, 31 Aug 2023 16:11:50 +0530
Subject: [PATCH 10/14] review fixes
---
 examples/lambda/README.md | 2 +-
 examples/lambda/lambda/variables.tf | 2 +-
 modules/lambda-registrator/main.tf | 28 ++++++++++++----------
 modules/lambda-registrator/variables.tf | 32 +++++++++++++++++++++----
 4 files changed, 45 insertions(+), 19 deletions(-)
diff --git a/examples/lambda/README.md b/examples/lambda/README.md index f8dee15..6d06248 100644 --- a/examples/lambda/README.md +++ b/examples/lambda/README.md @@ -69,7 +69,7 @@ This example Terraform workspace will use the zip package to deploy the `consul- add it to the `lambda-app-2` function so that it can call services within the Consul service mesh. ```shell -curl -o consul-lambda-extension.zip "https://releases.hashicorp.com/consul-lambda-extension/${VERSION}-beta4/consul-lambda-extension_${VERSION}-beta4_linux_amd64.zip" +curl -o consul-lambda-extension.zip "https://releases.hashicorp.com/consul-lambda-extension/${VERSION}/consul-lambda-extension_${VERSION}-beta4_linux_amd64.zip" ``` ## Build the example Lambda function diff --git a/examples/lambda/lambda/variables.tf b/examples/lambda/lambda/variables.tf index fcc823b..aa76627 100644 --- a/examples/lambda/lambda/variables.tf +++ b/examples/lambda/lambda/variables.tf @@ -94,7 +94,7 @@ variable "invocation_mode" { default = "SYNCHRONOUS" validation { condition = contains(["SYNCHRONOUS", "ASYNCHRONOUS"], var.invocation_mode) - error_message = "Invocation_mode must be one of SYNCHRONOUS or ASYNCHRONOUS." + error_message = "Variable invocation_mode must be one of SYNCHRONOUS or ASYNCHRONOUS." } } diff --git a/modules/lambda-registrator/main.tf b/modules/lambda-registrator/main.tf index 9c3e0b1..dd1c196 100644 --- a/modules/lambda-registrator/main.tf +++ b/modules/lambda-registrator/main.tf 
@@ -17,16 +17,20 @@ locals {
 }] : []
 cron_key = "${var.name}-cron"
 lambda_events_key = "${var.name}-lambda_events"
- image_tag = split(":", var.consul_lambda_registrator_image)[1]
+ image_parts = split(":", var.consul_lambda_registrator_image)
+ image_tag = local.image_parts[1]
+ image_path_parts = split("/",local.image_parts[0])
+ image_username = local.image_path_parts[1]
+ image_name = local.image_path_parts[2]
 ecr_image_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.private_repo_name}:${local.image_tag}"
- ecr_image_uri_pull-through = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/ecr-public/hashicorp/${var.private_repo_name}:${local.image_tag}"
+ ecr_image_uri_pull_through = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.ecr_repository_prefix}/${local.image_username}/${local.image_name}:${local.image_tag}"
 }
 # Equivalent of aws ecr get-login
 data "aws_ecr_authorization_token" "ecr_auth" {}
 provider "docker" {
- host = "unix:///var/run/docker.sock" # Use the appropriate Docker socket for your system
+ host = var.docker_host
 registry_auth {
 username = data.aws_ecr_authorization_token.ecr_auth.user_name
 password = data.aws_ecr_authorization_token.ecr_auth.password
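Review bot: `image_username` and `image_name` index `local.image_path_parts[1]` and `[2]` unconditionally, which only works for a three-segment reference of the form `registry/namespace/name:tag`; that shape is enforced by the `validation` block added to `consul_lambda_registrator_image` in variables.tf, but nothing in this file records that dependency, and `image_username` is really the namespace under the upstream registry. A comment above `image_parts` would keep a later edit to either side from silently breaking the other: `# Expects registry/namespace/name:tag (enforced by the validation on var.consul_lambda_registrator_image); [1] is the namespace, [2] the repository name.` Both URIs are also built from a mutable tag, so what gets cached or republished is whatever the upstream tag points at on the apply that first pulls it; recording the resolved digest, or documenting that this is tag-pinned only, would help anyone auditing the deployed image.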
@@ -153,33 +157,33 @@ resource "aws_iam_role_policy_attachment" "lambda_logs" {
 }
 resource "aws_ecr_repository" "lambda-registrator" {
- count = var.pull_through ? 0 : 1
+ count = var.enable_pull_through_cache ? 0 : 1
 name = var.private_repo_name
 force_delete = true
 }
 resource "aws_ecr_pull_through_cache_rule" "pull_through_cache_rule" {
- count = var.pull_through ? 1 : 0
- ecr_repository_prefix = "ecr-public"
- upstream_registry_url = "public.ecr.aws"
+ count = var.enable_pull_through_cache ? 1 : 0
+ ecr_repository_prefix = var.ecr_repository_prefix
+ upstream_registry_url = var.upstream_registry_url
 }
 resource "docker_image" "lambda_registrator" {
- name = var.pull_through ? local.ecr_image_uri_pull-through : var.consul_lambda_registrator_image
+ name = var.enable_pull_through_cache ? local.ecr_image_uri_pull_through : var.consul_lambda_registrator_image
 depends_on = [
 aws_ecr_pull_through_cache_rule.pull_through_cache_rule
 ]
 }
 resource "docker_tag" "lambda_registrator_tag" {
- count = var.pull_through ? 0 : 1
+ count = var.enable_pull_through_cache ? 0 : 1
 source_image = docker_image.lambda_registrator.name
 target_image = local.ecr_image_uri
 }
 resource "null_resource" "push_image" {
- count = var.pull_through ? 0 : 1
+ count = var.enable_pull_through_cache ? 0 : 1
 provisioner "local-exec" {
 command = "docker push ${local.ecr_image_uri}"
@@ -190,13 +194,13 @@ resource "null_resource" "push_image" {
 ]
 }
 resource "time_sleep" "wait_30_seconds" {
- count = var.pull_through ? 1 : 0
+ count = var.enable_pull_through_cache ? 1 : 0
 depends_on = [docker_image.lambda_registrator]
 create_duration = "30s"
 }
 resource "aws_lambda_function" "registration" {
- image_uri = var.pull_through ? local.ecr_image_uri_pull-through : local.ecr_image_uri
+ image_uri = var.enable_pull_through_cache ? local.ecr_image_uri_pull_through : local.ecr_image_uri
 package_type = "Image"
 function_name = var.name
 role = aws_iam_role.registration.arn
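Review bot: In the republish path the image is still pushed by the host's docker CLI (`command = "docker push ${local.ecr_image_uri}"` in `null_resource.push_image`), but the provider's `registry_auth` only authenticates the provider's own resources, not the CLI, and the README step that ran `aws ecr get-login-password | docker login` was removed in patch 01 — so on a fresh machine the push presumably fails unless the user logs in by hand. A `docker_registry_image` resource pushes through the provider's credentials and makes the `local-exec` (and the `null_resource.push_image` entry in `aws_lambda_function.registration`'s `depends_on`) unnecessary. While `aws_ecr_repository.lambda-registrator` is being touched: it is created with `force_delete = true`, which deletes every image in the repository on `terraform destroy`, and without `image_scanning_configuration`, whereas the manual `aws ecr create-repository` step this module replaces enabled `scanOnPush=true`.
```hcl
resource "aws_ecr_repository" "lambda-registrator" {
  count        = var.enable_pull_through_cache ? 0 : 1
  name         = var.private_repo_name
  force_delete = true
  image_scanning_configuration {
    scan_on_push = true
  }
}
# … unchanged: pull-through cache rule, docker_image, docker_tag …
resource "docker_registry_image" "lambda_registrator" {
  count = var.enable_pull_through_cache ? 0 : 1
  name  = docker_tag.lambda_registrator_tag[0].target_image
}
```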
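Review bot: `time_sleep.wait_30_seconds` encodes an assumption — that 30 seconds after `docker_image.lambda_registrator` pulls through the cache rule, the private repository is populated enough for Lambda to resolve `image_uri` — that is neither stated nor checked, so a slow first pull would surface as an image-not-found error from `aws_lambda_function.registration` and a manual re-apply. At minimum document it on the resource: `# Assumes the first pull through the cache rule populates the private ECR repository within 30s — TODO confirm; raise create_duration if the Lambda create fails with image-not-found.` The body of `aws_lambda_function.registration` continues outside the hunk.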
diff --git a/modules/lambda-registrator/variables.tf b/modules/lambda-registrator/variables.tf
index cfbd69c..f1512c6 100644
--- a/modules/lambda-registrator/variables.tf
+++ b/modules/lambda-registrator/variables.tf
@@ -101,17 +101,16 @@ variable "tags" {
 }
 variable "region" {
 type = string
- description = "AWS region for private repository"
- default = "us-east-2"
+ description = "AWS region to deploy Lambda registrator."
 }
 variable "private_repo_name" {
- description = "The name of the repository to republish the ECR image if one exists. If no name is passed, it is assumed that no repository exists and one needs to be created."
+ description = "The name of the repository to republish the ECR image if one exists. If no name is passed, it is assumed that no repository exists and one needs to be created. Note :- If 'pull_through' is true this variable is ignored."
 type = string
 default = "consul-lambda-registrator"
 }
-variable "pull_through" {
+variable "enable_pull_through_cache" {
 description = "Flag to determine if a pull-through cache method will be used to obtain the appropriate ECR image"
 type = bool
 default = false
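Review bot: The new `private_repo_name` description says `If 'pull_through' is true this variable is ignored` while the same hunk renames that flag to `enable_pull_through_cache`, so the documentation now points at a variable that no longer exists. Change the trailing note to `Note: if 'enable_pull_through_cache' is true this variable is ignored.` Dropping the `default` from `region` is also a breaking change for existing callers of the module and deserves a line in the module README or changelog.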
@@ -119,7 +118,30 @@ variable "pull_through" {
 variable "consul_lambda_registrator_image" {
- description = "The Lambda registrator image to be used, either the latest L.R. image or a user specified prior version"
+ description = "The Lambda registrator image to use. Must be provided as "
 type = string
 default = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4"
+
+ validation {
+ condition = can(regex("^[a-zA-Z0-9_.-]+/[a-z0-9_.-]+/[a-z0-9_.-]+:[a-zA-Z0-9_.-]+$", var.consul_lambda_registrator_image))
+ error_message = "Image format of 'consul_lambda_registrator_image' is invalid. It should be in the format 'registry/repository:tag'."
+ }
 }
+
+variable "docker_host" {
+ description = "The docker socket for your system"
+ type = string
+ default = "unix:///var/run/docker.sock"
+}
+
+variable ecr_repository_prefix {
+ description = "The repository namespace to use when caching images from the source registry"
+ type = string
+ default = "ecr-public"
+}
+
+variable upstream_registry_url {
+ description = "The public registry url"
+ type = string
+ default = "public.ecr.aws"
+}
\ No newline at end of file
From 24a0457fe516a488c76df34b6e6d1da92d73aa6e Mon Sep 17 00:00:00 2001
From: aahel
Date: Thu, 31 Aug 2023 16:16:03 +0530
Subject: [PATCH 11/14] minor name change
---
 modules/lambda-registrator/main.tf | 4 ++--
 modules/lambda-registrator/variables.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/lambda-registrator/main.tf b/modules/lambda-registrator/main.tf
index dd1c196..8cdeb7a 100644
--- a/modules/lambda-registrator/main.tf
+++ b/modules/lambda-registrator/main.tf
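Review bot: The `validation` regex requires three slash-separated path segments plus a tag, but the `error_message` tells the user the format is `'registry/repository:tag'`, which that regex rejects; align it: `error_message = "Image format of 'consul_lambda_registrator_image' is invalid. It should be in the format 'registry/namespace/repository:tag'."`. The new `description` ends with `Must be provided as ` and nothing after it — the format text appears to be missing (possibly lost if it was written in angle brackets), so spell it out in plain words, e.g. `registry/namespace/repository:tag, for example public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4`. The two new `variable ecr_repository_prefix` and `variable upstream_registry_url` blocks also omit the quoted label form that every other variable in this file uses.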
@@ -22,7 +22,7 @@ locals { image_path_parts = split("/",local.image_parts[0]) image_username = local.image_path_parts[1] image_name = local.image_path_parts[2] - ecr_image_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.private_repo_name}:${local.image_tag}" + ecr_image_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.private_ecr_repo_name}:${local.image_tag}" ecr_image_uri_pull_through = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.ecr_repository_prefix}/${local.image_username}/${local.image_name}:${local.image_tag}" } @@ -158,7 +158,7 @@ resource "aws_iam_role_policy_attachment" "lambda_logs" { resource "aws_ecr_repository" "lambda-registrator" { count = var.enable_pull_through_cache ? 0 : 1 - name = var.private_repo_name + name = var.private_ecr_repo_name force_delete = true } diff --git a/modules/lambda-registrator/variables.tf b/modules/lambda-registrator/variables.tf index f1512c6..216b8c0 100644 --- a/modules/lambda-registrator/variables.tf +++ b/modules/lambda-registrator/variables.tf @@ -104,7 +104,7 @@ variable "region" { description = "AWS region to deploy Lambda registrator." } -variable "private_repo_name" { +variable "private_ecr_repo_name" { description = "The name of the repository to republish the ECR image if one exists. If no name is passed, it is assumed that no repository exists and one needs to be created. Note :- If 'pull_through' is true this variable is ignored." type = string default = "consul-lambda-registrator" From 76e6c918fd3cd0b18fb713e3979c2aec2ca08593 Mon Sep 17 00:00:00 2001 From: aahel Date: Thu, 31 Aug 2023 19:26:09 +0530 Subject: [PATCH 12/14] fix tf lint --- modules/lambda-registrator/main.tf | 2 +- modules/lambda-registrator/variables.tf | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/modules/lambda-registrator/main.tf b/modules/lambda-registrator/main.tf index 8cdeb7a..37dc6fb 100644 --- a/modules/lambda-registrator/main.tf +++ b/modules/lambda-registrator/main.tf @@ -19,7 +19,7 @@ locals { lambda_events_key = "${var.name}-lambda_events" image_parts = split(":", var.consul_lambda_registrator_image) image_tag = local.image_parts[1] - image_path_parts = split("/",local.image_parts[0]) + image_path_parts = split("/", local.image_parts[0]) image_username = local.image_path_parts[1] image_name = local.image_path_parts[2] ecr_image_uri = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.private_ecr_repo_name}:${local.image_tag}" diff --git a/modules/lambda-registrator/variables.tf b/modules/lambda-registrator/variables.tf index 216b8c0..f9be7d5 100644 --- a/modules/lambda-registrator/variables.tf +++ b/modules/lambda-registrator/variables.tf @@ -122,7 +122,7 @@ variable "consul_lambda_registrator_image" { type = string default = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4" - validation { + validation { condition = can(regex("^[a-zA-Z0-9_.-]+/[a-z0-9_.-]+/[a-z0-9_.-]+:[a-zA-Z0-9_.-]+$", var.consul_lambda_registrator_image)) error_message = "Image format of 'consul_lambda_registrator_image' is invalid. It should be in the format 'registry/repository:tag'." } 
@@ -131,17 +131,17 @@ variable "consul_lambda_registrator_image" { variable "docker_host" { description = "The docker socket for your system" type = string - default = "unix:///var/run/docker.sock" + default = "unix:///var/run/docker.sock" } -variable ecr_repository_prefix { +variable "ecr_repository_prefix" { description = "The repository namespace to use when caching images from the source registry" type = string - default = "ecr-public" + default = "ecr-public" } -variable upstream_registry_url { +variable "upstream_registry_url" { description = "The public registry url" type = string - default = "public.ecr.aws" + default = "public.ecr.aws" } \ No newline at end of file From 4cda76b3cbf35d46c9ed8be598dc6a43dc079122 Mon Sep 17 00:00:00 2001 From: aahel Date: Thu, 31 Aug 2023 19:39:19 +0530 Subject: [PATCH 13/14] variable name changes --- examples/lambda/registrator.tf | 3 ++- examples/lambda/variables.tf | 2 +- modules/lambda-registrator/variables.tf | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/examples/lambda/registrator.tf b/examples/lambda/registrator.tf index a2f28ba..1c9fb94 100644 --- a/examples/lambda/registrator.tf +++ b/examples/lambda/registrator.tf @@ -9,5 +9,6 @@ module "consul_lambda_registrator" { subnet_ids = module.vpc.private_subnets security_group_ids = [module.vpc.default_security_group_id] sync_frequency_in_minutes = 1 - pull_through = var.pull_through + enable_pull_through_cache = var.enable_pull_through_cache + region = var.region } diff --git a/examples/lambda/variables.tf b/examples/lambda/variables.tf index 88cb3e4..04ae5d3 100644 --- a/examples/lambda/variables.tf +++ b/examples/lambda/variables.tf @@ -40,7 +40,7 @@ variable "consul_lambda_extension_arn" { default = "" } -variable "pull_through" { +variable "enable_pull_through_cache" { description = "Flag to determine if a pull-through cache method will be used to obtain the appropriate ECR image" type = bool default = false 
diff --git a/modules/lambda-registrator/variables.tf b/modules/lambda-registrator/variables.tf index f9be7d5..fd69f23 100644 --- a/modules/lambda-registrator/variables.tf +++ b/modules/lambda-registrator/variables.tf @@ -105,7 +105,7 @@ variable "region" { } variable "private_ecr_repo_name" { - description = "The name of the repository to republish the ECR image if one exists. If no name is passed, it is assumed that no repository exists and one needs to be created. Note :- If 'pull_through' is true this variable is ignored." + description = "The name of the repository to republish the ECR image if one exists. If no name is passed, it is assumed that no repository exists and one needs to be created. Note :- If 'enable_pull_through_cache' is true this variable is ignored." type = string default = "consul-lambda-registrator" } From b4fd515f30746cd428e6551e6d4ea0a5fb13d507 Mon Sep 17 00:00:00 2001 From: aahel Date: Fri, 1 Sep 2023 10:35:37 +0530 Subject: [PATCH 14/14] added changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 37dfb09..263c498 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,9 @@ FEATURES * Add support for storing parameter values greater than 4 KB. The `lambda-registrator` module and source code have been updated to accept a configurable value for the [SSM parameter tier](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html). This allows users to choose if they want to use the `Advanced` tier feature. Charges apply for the `Advanved` tier so if the tier is not expressly set to `Advanced`, then the `Standard` tier will be used. Using the `Advanced` tier allows for parameter values up to 8 KB. The Lambda-registrator Terraform module can be configured using the new `consul_extension_data_tier` variable. [[GH-78]](https://github.com/hashicorp/terraform-aws-consul-lambda/pull/78) +* Add support for pushing `consul-lambda-registrator` public image to private ecr repo through terraform. + [[GH-80]](https://github.com/hashicorp/terraform-aws-consul-lambda/pull/80) + ## 0.1.0-beta4 (Apr 28, 2023) IMPROVEMENTS