feat: Add credentials_arn to support ECR pull through cache (#30)

Author: JoseAlvarezSonos

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.2
+    rev: v1.88.3
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

README.md

@@ -111,6 +111,19 @@ module "ecr_registry" {
         Resource = [
           "arn:aws:ecr:us-east-1:012345678901:repository/*"
         ]
+      }, {
+        Sid    = "dockerhub",
+        Effect = "Allow",
+        Principal = {
+          "AWS" : "arn:aws:iam::012345678901:root"
+        },
+        Action = [
+          "ecr:CreateRepository",
+          "ecr:BatchImportUpstreamImage"
+        ],
+        Resource = [
+          "arn:aws:ecr:us-east-1:012345678901:repository/dockerhub/*"
+        ]
       }
     ]
   })
@@ -121,6 +134,11 @@ module "ecr_registry" {
       ecr_repository_prefix = "ecr-public"
       upstream_registry_url = "public.ecr.aws"
     }
+    dockerhub = {
+      ecr_repository_prefix = "dockerhub"
+      upstream_registry_url = "registry-1.docker.io"
+      credential_arn        = "arn:aws:secretsmanager:us-east-1:123456789:secret:ecr-pullthroughcache/dockerhub"
+    }
   }
 
   # Registry Scanning Configuration
@@ -193,13 +211,13 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.37 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.37 |
 
 ## Modules
 

examples/complete/README.md

@@ -28,13 +28,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.37 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.37 |
 
 ## Modules
 
@@ -44,14 +44,14 @@ Note that this example may create resources which will incur monetary charges on
 | <a name="module_ecr_disabled"></a> [ecr\_disabled](#module\_ecr\_disabled) | ../.. | n/a |
 | <a name="module_ecr_registry"></a> [ecr\_registry](#module\_ecr\_registry) | ../.. | n/a |
 | <a name="module_public_ecr"></a> [public\_ecr](#module\_public\_ecr) | ../.. | n/a |
+| <a name="module_secrets_manager_dockerhub_credentials"></a> [secrets\_manager\_dockerhub\_credentials](#module\_secrets\_manager\_dockerhub\_credentials) | terraform-aws-modules/secrets-manager/aws | ~> 1.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ## Inputs
 

examples/complete/main.tf

@@ -6,6 +6,8 @@ locals {
   region = "us-east-1"
   name   = "ecr-ex-${replace(basename(path.cwd), "_", "-")}"
 
+  account_id = data.aws_caller_identity.current.account_id
+
   tags = {
     Name       = local.name
     Example    = local.name
@@ -14,7 +16,6 @@ locals {
 }
 
 data "aws_caller_identity" "current" {}
-data "aws_partition" "current" {}
 
 ################################################################################
 # ECR Repository
@@ -101,16 +102,25 @@ data "aws_iam_policy_document" "registry" {
   statement {
     principals {
       type        = "AWS"
-      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
+      identifiers = ["arn:aws:iam::${local.account_id}:root"]
     }
 
-    actions = [
-      "ecr:ReplicateImage",
-    ]
+    actions   = ["ecr:ReplicateImage"]
+    resources = [module.ecr.repository_arn]
+  }
+
+  statement {
+    sid = "dockerhub"
 
-    resources = [
-      module.ecr.repository_arn,
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.account_id}:root"]
+    }
+    actions = [
+      "ecr:CreateRepository",
+      "ecr:BatchImportUpstreamImage"
     ]
+    resources = ["arn:aws:ecr-public::${local.account_id}:repository/dockerhub/*"]
   }
 }
 
@@ -129,6 +139,11 @@ module "ecr_registry" {
       ecr_repository_prefix = "ecr-public"
       upstream_registry_url = "public.ecr.aws"
     }
+    dockerhub = {
+      ecr_repository_prefix = "dockerhub"
+      upstream_registry_url = "registry-1.docker.io"
+      credential_arn        = module.secrets_manager_dockerhub_credentials.secret_arn
+    }
   }
 
   # Registry Scanning Configuration
@@ -159,22 +174,53 @@ module "ecr_registry" {
 
   # Registry Replication Configuration
   create_registry_replication_configuration = true
-  registry_replication_rules = [
-    {
-      destinations = [{
-        region      = "us-west-2"
-        registry_id = data.aws_caller_identity.current.account_id
-        }, {
-        region      = "eu-west-1"
-        registry_id = data.aws_caller_identity.current.account_id
-      }]
+  registry_replication_rules = [{
+    destinations = [{
+      region      = "us-west-2"
+      registry_id = local.account_id
+      }, {
+      region      = "eu-west-1"
+      registry_id = local.account_id
+    }]
+
+    repository_filters = [{
+      filter      = "prod-microservice"
+      filter_type = "PREFIX_MATCH"
+    }]
+  }]
+
+  tags = local.tags
+}
 
-      repository_filters = [{
-        filter      = "prod-microservice"
-        filter_type = "PREFIX_MATCH"
+module "secrets_manager_dockerhub_credentials" {
+  source  = "terraform-aws-modules/secrets-manager/aws"
+  version = "~> 1.0"
+
+  # Secret names must contain 1-512 Unicode characters and be prefixed with ecr-pullthroughcache/
+  name_prefix = "ecr-pullthroughcache/dockerhub-credentials"
+  description = "Dockerhub credentials"
+
+  # For example only
+  recovery_window_in_days = 0
+  secret_string = jsonencode({
+    username    = "example"
+    accessToken = "YouShouldNotStoreThisInPlainText"
+  })
+
+  # Policy
+  create_policy       = true
+  block_public_policy = true
+  policy_statements = {
+    read = {
+      sid = "AllowAccountRead"
+      principals = [{
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${local.account_id}:root"]
       }]
+      actions   = ["secretsmanager:GetSecretValue"]
+      resources = ["*"]
     }
-  ]
+  }
 
   tags = local.tags
 }

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.37"
     }
   }
 }

main.tf

@@ -270,6 +270,7 @@ resource "aws_ecr_pull_through_cache_rule" "this" {
 
   ecr_repository_prefix = each.value.ecr_repository_prefix
   upstream_registry_url = each.value.upstream_registry_url
+  credential_arn        = try(each.value.credentials_arn, null)
 }
 
 ################################################################################

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 5.37"
     }
   }
 }