feat: Pull Through Cache for ECR (#15)

milldr · web-flow · commit 0a87adf49b75 · 2025-01-13T15:01:26.000-05:00
* pull through cache for ECR

* Add pull through cache configuration for Docker Hub
diff --git a/.gitignore b/.gitignore
@@ -36,6 +36,9 @@ aws-assumed-role/
 **/.module/
 **/.helmfile/
 
+# We pull account-map from a remote repository in Github Actions
+# However, we want to locally to validate tflint
+account-map/
 
 # Draft or auto-saved version
 # Note that the leading "**/" appears necessary for Docker even if not for Git
diff --git a/src/README.md b/src/README.md
diff --git a/src/main.tf b/src/main.tf
@@ -1,3 +1,7 @@
+locals {
+  enabled = module.this.enabled
+}
+
 module "full_access" {
   source = "../account-map/modules/roles-to-principals"
 
@@ -15,7 +19,7 @@ module "readonly_access" {
 }
 
 locals {
-  ecr_user_arn = join("", aws_iam_user.ecr.*.arn)
+  ecr_user_arn = join("", aws_iam_user.ecr[*].arn)
 }
 
 module "ecr" {
@@ -35,3 +39,21 @@ module "ecr" {
 
   context = module.this.context
 }
+
+data "aws_secretsmanager_secret" "cache_credentials" {
+  for_each = local.enabled ? {
+    for key, rule in var.pull_through_cache_rules :
+    key => rule.secret
+    if length(rule.secret) > 0
+  } : {}
+
+  name = each.value
+}
+
+resource "aws_ecr_pull_through_cache_rule" "this" {
+  for_each = local.enabled ? var.pull_through_cache_rules : {}
+
+  ecr_repository_prefix = each.key
+  upstream_registry_url = each.value.registry
+  credential_arn        = length(each.value.secret) > 0 ? data.aws_secretsmanager_secret.cache_credentials[each.key].arn : null
+}
diff --git a/src/outputs.tf b/src/outputs.tf
@@ -14,16 +14,16 @@ output "ecr_repo_url_map" {
 }
 
 output "ecr_user_name" {
-  value       = join("", aws_iam_user.ecr.*.name)
+  value       = join("", aws_iam_user.ecr[*].name)
   description = "ECR user name"
 }
 
 output "ecr_user_arn" {
-  value       = join("", aws_iam_user.ecr.*.arn)
+  value       = join("", aws_iam_user.ecr[*].arn)
   description = "ECR user ARN"
 }
 
 output "ecr_user_unique_id" {
-  value       = join("", aws_iam_user.ecr.*.unique_id)
+  value       = join("", aws_iam_user.ecr[*].unique_id)
   description = "ECR user unique ID assigned by AWS"
 }
diff --git a/src/variables.tf b/src/variables.tf
@@ -58,3 +58,12 @@ variable "principals_lambda" {
   description = "Principal account IDs of Lambdas allowed to consume ECR"
   default     = []
 }
+
+variable "pull_through_cache_rules" {
+  type = map(object({
+    registry = string
+    secret   = optional(string, "")
+  }))
+  description = "Map of pull through cache rules to configure"
+  default     = {}
+}

Original file line number	Diff line number	Diff line change
`@@ -14,16 +14,16 @@ output "ecr_repo_url_map" {`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`output "ecr_user_name" {`
`17`		`- value = join("", aws_iam_user.ecr.*.name)`
	`17`	`+ value = join("", aws_iam_user.ecr[*].name)`
`18`	`18`	`description = "ECR user name"`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`output "ecr_user_arn" {`
`22`		`- value = join("", aws_iam_user.ecr.*.arn)`
	`22`	`+ value = join("", aws_iam_user.ecr[*].arn)`
`23`	`23`	`description = "ECR user ARN"`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`output "ecr_user_unique_id" {`
`27`		`- value = join("", aws_iam_user.ecr.*.unique_id)`
	`27`	`+ value = join("", aws_iam_user.ecr[*].unique_id)`
`28`	`28`	`description = "ECR user unique ID assigned by AWS"`
`29`	`29`	`}`