[INFRANG-6860] Only push ECR images to us-west-2 (#186)

* ci now only pushes to us-west-2 for ecr. images are replicated to all other regions.

* fix syntax error

* only use OIDC auth for docker image push

Author: andruwm

circleci/docker-publish

@@ -5,7 +5,7 @@
 #
 # Usage:
 #
-#   docker-publish 
+#   docker-publish
 #   optional flag "-r private-repos" enables Docker Build Kit to allow ssh socket mounting to pull private modules/repos
 
 
@@ -42,17 +42,11 @@ image_exists() {
 }
 
 check_ecr_vars() {
-  # ECR required env vars. If OIDC_ECR_UPLOAD_ROLE is defined via context, then use it to login to aws. 
-  if [[ -z $OIDC_ECR_UPLOAD_ROLE ]]; then
-    if [[ -z $ECR_ACCOUNT_ID ]]; then echo "Missing var for ECR: ECR_ACCOUNT_ID" && exit 1; fi
-    if [[ -z $ECR_PUSH_SECRET ]]; then echo "Missing var for ECR: ECR_PUSH_SECRET" && exit 1; fi
-  else
-    if [ -z "${CIRCLE_OIDC_TOKEN_V2}" ]; then
-      echo "OIDC Token cannot be found. A CircleCI context must be specified."
-      exit 1
-    fi
-    echo "Using AWS role defined in \$OIDC_ECR_UPLOAD_ROLE to login to aws ecr"
+  if [ -z "${CIRCLE_OIDC_TOKEN_V2}" ]; then
+    echo "OIDC Token cannot be found. A CircleCI context must be specified."
+    exit 1
   fi
+  echo "Using AWS role defined in \$OIDC_ECR_UPLOAD_ROLE to login to aws ecr"
 }
 
 ecr_login(){
@@ -86,9 +80,9 @@ SHORT_SHA=${CIRCLE_SHA1:0:7}
 
 ORG=clever
 
-ECR_REGION_US_WEST_1=us-west-1
+# Only push to us-west-2, images are replicated to other regions
 ECR_REGION_US_WEST_2=us-west-2
-ECR_REGION_US_EAST_1=us-east-1
+ECR_REGION_US_WEST_1=us-west-1
 AWS_ECR_PROFILE=oidc-ecr-profile
 
 echo "Docker version..."
@@ -99,47 +93,32 @@ check_ecr_vars
 
 install_awscli
 
-# Some Dockerfiles for private repos depend on public images (and vice versa) in us-west-1
-echo "If necessary, add the ECR_BUILD_ID and ECR_BUILD_SECRET env vars to circle manually."
-echo "They can be found in init-service as CI_ECR_XXX_KEY and CI_ECR_XXX_SECRET."
+# Some Dockerfiles for private repos depend on public images (and vice
+# versa) in us-west-1. This login allows us to pull the images for the
+# final image build.
+echo "If necessary, add the ECR_BUILD_ID env var to circle manually."
 if [[ -n $ECR_BUILD_ID ]]; then
-  if [[ -z $OIDC_ECR_UPLOAD_ROLE ]]; then
-    echo "Logging into ECR in us-west-1 using static credentials..."
-    ecr_login us-west-1 $ECR_BUILD_ID $ECR_BUILD_SECRET
-  else
-    echo "Logging into ECR using role credentials..."
-    assume_role_with_web_identity $OIDC_ECR_UPLOAD_ROLE $AWS_ECR_PROFILE 
-    ecr_login_with_profile $ECR_REGION_US_WEST_1
-  fi
+  echo "Logging into ECR using role credentials..."
+  assume_role_with_web_identity $OIDC_ECR_UPLOAD_ROLE $AWS_ECR_PROFILE
+  ecr_login_with_profile $ECR_REGION_US_WEST_1
 fi
 
-if [ -z "$(docker images -q $ORG/$REPO:$SHORT_SHA)" ]; then 
-  echo "Building docker image..." 
+if [ -z "$(docker images -q $ORG/$REPO:$SHORT_SHA)" ]; then
+  echo "Building docker image..."
   if [ $readopt == "private-repos" ]; then
     echo "With Private Repos..."
-    DOCKER_BUILDKIT=1 docker build --ssh default -t $ORG/$REPO:$SHORT_SHA . 
+    DOCKER_BUILDKIT=1 docker build --ssh default -t $ORG/$REPO:$SHORT_SHA .
   else
     docker build -t $ORG/$REPO:$SHORT_SHA .
   fi
 else
   echo "Image already exists... skipping build"
 fi
 
-# ECR login.
-if [[ -z $OIDC_ECR_UPLOAD_ROLE ]]; then
-  echo "Logging into ECR using static credentials..."
-  ecr_login $ECR_REGION_US_WEST_1 $ECR_PUSH_ID $ECR_PUSH_SECRET
-  ecr_login $ECR_REGION_US_WEST_2 $ECR_PUSH_ID $ECR_PUSH_SECRET
-  ecr_login $ECR_REGION_US_EAST_1 $ECR_PUSH_ID $ECR_PUSH_SECRET
-else
-  echo "Logging into ECR using role credentials..."
-  assume_role_with_web_identity $OIDC_ECR_UPLOAD_ROLE $AWS_ECR_PROFILE 
-  ecr_login_with_profile $ECR_REGION_US_WEST_1
-  ecr_login_with_profile $ECR_REGION_US_WEST_2
-  ecr_login_with_profile $ECR_REGION_US_EAST_1
-fi
+# ECR login. Only push to us-west-2, images are replicated to other regions.
+echo "Logging into ECR using role credentials..."
+assume_role_with_web_identity $OIDC_ECR_UPLOAD_ROLE $AWS_ECR_PROFILE
+ecr_login_with_profile $ECR_REGION_US_WEST_2
 
-echo "Pushing to ECR..."
-push_ecr_image $ECR_REGION_US_WEST_1
+echo "Pushing to ECR (us-west-2 only, images replicated to other regions)..."
 push_ecr_image $ECR_REGION_US_WEST_2
-push_ecr_image $ECR_REGION_US_EAST_1

internal/docker/docker.go

@@ -24,6 +24,8 @@ import (
 	"github.com/Clever/ci-scripts/internal/environment"
 )
 
+const ecrRootRegion = "us-west-2"
+
 // Dockers documentation doesn't provide any examples for using their
 // daemon client. This blog post is very helpful for reference:
 // https://www.loginradius.com/blog/engineering/build-push-docker-images-golang/
@@ -32,12 +34,12 @@ import (
 // complexity in a simple API.
 type Docker struct {
 	cli      *client.Client
-	ecrCreds map[string]types.AuthConfig
+	ecrCreds types.AuthConfig
 	awsCfg   aws.Config
 }
 
 // New initializes a new docker daemon client and caches ecr credentials
-// for all 4 regions.
+// for us-west-2 (images are replicated to other regions).
 func New(ctx context.Context, ecrUploadRole string) (*Docker, error) {
 	cl, err := client.NewClientWithOpts(client.WithAPIVersionNegotiation())
 	if err != nil {
@@ -48,14 +50,8 @@ func New(ctx context.Context, ecrUploadRole string) (*Docker, error) {
 		awsCfg: environment.AWSCfg(ctx, ecrUploadRole),
 	}
 
-	grp, ctx := errgroup.WithContext(ctx)
-	d.ecrCreds = map[string]types.AuthConfig{}
-	for _, r := range environment.Regions {
-		r := r
-		grp.Go(func() error { return d.ecrCredentials(ctx, r) })
-	}
-
-	if err := grp.Wait(); err != nil {
+	// Only fetch credentials for us-west-2, images are replicated to other regions
+	if err := d.ecrCredentials(ctx, ecrRootRegion); err != nil {
 		return nil, err
 	}
 
@@ -104,14 +100,12 @@ func (d *Docker) Push(ctx context.Context, tags []string) error {
 	for _, tag := range tags {
 		tag := tag
 		fmt.Println("pushing", tag)
-		parts := strings.Split(tag, ".")
-		region := parts[3]
 
 		grp.Go(func() error {
 			// TODO: check if the repository exists, if it doesn't this just
 			// nondescriptly endlessly retries.
 			res, err := d.cli.ImagePush(grpCtx, tag, types.ImagePushOptions{
-				RegistryAuth: encodeCreds(d.ecrCreds[region]),
+				RegistryAuth: encodeCreds(d.ecrCreds),
 			})
 			if err != nil {
 				return fmt.Errorf("unable to push image: %v", err)
@@ -154,7 +148,7 @@ func (d *Docker) ecrCredentials(ctx context.Context, region string) error {
 		return fmt.Errorf("invalid token: expected two parts, got %d", len(parts))
 	}
 
-	d.ecrCreds[region] = types.AuthConfig{
+	d.ecrCreds = types.AuthConfig{
 		Username:      parts[0],
 		Password:      parts[1],
 		ServerAddress: *auth.ProxyEndpoint,

internal/docker/targets.go

@@ -56,13 +56,12 @@ func BuildTargets(apps map[string]*models.LaunchConfig) (map[string]DockerTarget
 		done[artifact] = struct{}{}
 
 		tags := []string{}
-		for _, region := range environment.Regions {
-			tag := fmt.Sprintf(
-				"%s.dkr.ecr.%s.amazonaws.com/%s:%s",
-				environment.ECRAccountID(), region, artifact, environment.ShortSHA1(),
-			)
-			tags = append(tags, tag)
-		}
+		// Only push to ecrRootRegion, images are replicated to other regions
+		tag := fmt.Sprintf(
+			"%s.dkr.ecr.%s.amazonaws.com/%s:%s",
+			environment.ECRAccountID(), ecrRootRegion, artifact, environment.ShortSHA1(),
+		)
+		tags = append(tags, tag)
 
 		targets[repo.Dockerfile(launch)] = DockerTarget{
 			Tags:    tags,

internal/environment/environment.go

@@ -56,9 +56,9 @@ var (
 	// upload role.
 	oidcEcrUploadRole = ""
 
-	// Regions is the set of regions this app should perform
-	// operations in.
-	Regions = []string{"us-west-1", "us-west-2", "us-east-1"}
+	// LambdaRegions is the set of regions to upload Lambda artifacts to.
+	// Lambda artifacts are not replicated and must be uploaded to each region.
+	LambdaRegions = []string{"us-west-1", "us-west-2", "us-east-1"}
 
 	// Local is a boolean which should be set to true when running
 	// locally on a developers machine.

internal/lambda/lambda.go

@@ -27,11 +27,11 @@ func New(ctx context.Context, bucketPrefix string) *Lambda {
 }
 
 // Publish an already built lambda artifact archive to s3 using the
-// artifact name as the key. The archive is pushed to each of the 4 aws
+// artifact name as the key. The archive is pushed to each of the aws
 // regions. Each region is pushed in it's own goroutine.
 func (l *Lambda) Publish(ctx context.Context, binaryPath, artifactName string) error {
 	grp, grpCtx := errgroup.WithContext(ctx)
-	for _, region := range environment.Regions {
+	for _, region := range environment.LambdaRegions {
 		region := region
 		bucket := fmt.Sprintf("%s-%s", l.artifactBucketPrefix, region)
 		key := s3Key(artifactName)

internal/lambda/targets.go

@@ -66,7 +66,7 @@ func s3Key(artifactName string) string {
 
 func s3Buckets() string {
 	out := []string{}
-	for _, r := range environment.Regions {
+	for _, r := range environment.LambdaRegions {
 		out = append(out, fmt.Sprintf("S3Buckets={%[1]s=\"%[2]s-%[1]s", r, environment.LambdaArtifactBucketPrefix()))
 	}
 	return strings.Join(out, ",")