Add support for pushing consul-lambda-registrator public image to p… (#82)

* Add support for pushing `consul-lambda-registrator` public image to private ecr repo through terraform

* fmt tf

* minor readme fix

* addressed review comments

* added fixes and fixed acceptance test

* updated aws provider version

* updated aws provider version

* added force_delete to aws_ecr_repository in test

* fmt tf

* Update modules/lambda-registrator/main.tf

Co-authored-by: Chris Thain <[email protected]>

* Update modules/lambda-registrator/main.tf

Co-authored-by: Chris Thain <[email protected]>

* Update modules/lambda-registrator/variables.tf

Co-authored-by: Chris Thain <[email protected]>

* grouped data sources together

* added review changes

* add some fixes

* test fixes

* minor test fix

* added default "" to test ecr_image_uri

* fmt tf

* Update modules/lambda-registrator/main.tf

Co-authored-by: Chris Thain <[email protected]>

* added validation test

* fixed tf fmt and made validation test parallel

* removed validation test from basic test

* added test case to validate when privateEcrReponame is set

* updated enable_auto_publish_ecr_image var description

* fixed tf fmt

* Update modules/lambda-registrator/variables.tf

Co-authored-by: Chris Thain <[email protected]>

* changed consul_image version in basic_test

---------

Co-authored-by: Chris Thain <[email protected]>

Author: aahel

CHANGELOG.md

@@ -4,6 +4,9 @@ FEATURES
 * Add support for storing parameter values greater than 4 KB. The `lambda-registrator` module and source code have been updated to accept a configurable value for the [SSM parameter tier](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html). This allows users to choose if they want to use the `Advanced` tier feature. Charges apply for the `Advanved` tier so if the tier is not expressly set to `Advanced`, then the `Standard` tier will be used. Using the `Advanced` tier allows for parameter values up to 8 KB. The Lambda-registrator Terraform module can be configured using the new `consul_extension_data_tier` variable.
   [[GH-78]](https://github.com/hashicorp/terraform-aws-consul-lambda/pull/78)
 
+* Add support for pushing `consul-lambda-registrator` public image to private ecr repo through terraform.
+  [[GH-82]](https://github.com/hashicorp/terraform-aws-consul-lambda/pull/82)
+
 ## 0.1.0-beta4 (Apr 28, 2023)
 
 IMPROVEMENTS

examples/lambda/README.md

@@ -110,7 +110,7 @@ This example Terraform workspace will use the zip package to deploy the `consul-
 add it to the `lambda-app-2` function so that it can call services within the Consul service mesh.
 
 ```shell
-curl -o consul-lambda-extension.zip https://releases.hashicorp.com/consul-lambda-extension/${VERSION}/consul-lambda-extension_${VERSION}_linux_amd64.zip
+curl -o consul-lambda-extension.zip "https://releases.hashicorp.com/consul-lambda-extension/${VERSION}/consul-lambda-extension_${VERSION}_linux_amd64.zip"
 ```
 
 ## Build the example Lambda function

examples/lambda/lambda/variables.tf

@@ -94,7 +94,7 @@ variable "invocation_mode" {
   default     = "SYNCHRONOUS"
   validation {
     condition     = contains(["SYNCHRONOUS", "ASYNCHRONOUS"], var.invocation_mode)
-    error_message = "invocation_mode must be one of SYNCHRONOUS or ASYNCHRONOUS"
+    error_message = "Variable invocation_mode must be one of SYNCHRONOUS or ASYNCHRONOUS."
   }
 }
 

examples/lambda/providers.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "4.25.0"
+      version = "4.67.0"
     }
     random = {
       source  = "hashicorp/random"

examples/lambda/variables.tf

@@ -38,3 +38,14 @@ variable "consul_lambda_extension_arn" {
   type        = string
   default     = ""
 }
+
+variable "consul_lambda_registrator_image" {
+  description = "The Lambda registrator image to use. Must be provided as <registry/repository:tag>"
+  type        = string
+  default     = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4"
+
+  validation {
+    condition     = can(regex("^[a-zA-Z0-9_.-]+/[a-z0-9_.-]+/[a-z0-9_.-]+:[a-zA-Z0-9_.-]+$", var.consul_lambda_registrator_image))
+    error_message = "Image format of 'consul_lambda_registrator_image' is invalid. It should be in the format 'registry/repository:tag'."
+  }
+}

modules/lambda-registrator/main.tf

@@ -1,6 +1,16 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+terraform {
+  required_providers {
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "3.0.2"
+    }
+
+  }
+}
+
 locals {
   on_vpc = length(var.subnet_ids) > 0 && length(var.security_group_ids) > 0
   vpc_config = local.on_vpc ? [{
@@ -9,6 +19,25 @@ locals {
   }] : []
   cron_key          = "${var.name}-cron"
   lambda_events_key = "${var.name}-lambda_events"
+  image_parts       = split(":", var.consul_lambda_registrator_image)
+  image_tag         = local.image_parts[1]
+  ecr_repo_name     = var.private_ecr_repo_name == "" ? "consul-lambda-registrator-${random_id.repo_id.hex}" : var.private_ecr_repo_name
+  # generated_ecr_image_uri is used when we want to automatically push the public image to a private ecr repo using docker.
+  generated_ecr_image_uri = "${data.aws_caller_identity.current_identity.account_id}.dkr.ecr.${data.aws_region.current_region.name}.amazonaws.com/${local.ecr_repo_name}:${local.image_tag}"
+}
+
+# Equivalent of aws ecr get-login
+data "aws_ecr_authorization_token" "ecr_auth" {}
+data "aws_region" "current_region" {}
+data "aws_caller_identity" "current_identity" {}
+
+provider "docker" {
+  host = var.docker_host
+  registry_auth {
+    username = data.aws_ecr_authorization_token.ecr_auth.user_name
+    password = data.aws_ecr_authorization_token.ecr_auth.password
+    address  = "${data.aws_caller_identity.current_identity.account_id}.dkr.ecr.${data.aws_region.current_region.name}.amazonaws.com"
+  }
 }
 
 resource "aws_iam_role" "registration" {
@@ -126,9 +155,35 @@ resource "aws_iam_role_policy_attachment" "lambda_logs" {
   role       = aws_iam_role.registration.name
   policy_arn = aws_iam_policy.policy.arn
 }
+resource "random_id" "repo_id" {
+  byte_length = 4
+}
+
+resource "aws_ecr_repository" "lambda-registrator" {
+  count        = var.enable_auto_publish_ecr_image ? 1 : 0
+  name         = local.ecr_repo_name
+  force_delete = true
+}
+
+resource "docker_image" "lambda_registrator" {
+  count = var.enable_auto_publish_ecr_image ? 1 : 0
+  name  = var.consul_lambda_registrator_image
+}
+
+resource "docker_tag" "lambda_registrator_tag" {
+  count        = var.enable_auto_publish_ecr_image ? 1 : 0
+  source_image = docker_image.lambda_registrator[count.index].name
+  target_image = local.generated_ecr_image_uri
+}
+
+resource "docker_registry_image" "push_image" {
+  count         = var.enable_auto_publish_ecr_image ? 1 : 0
+  name          = docker_tag.lambda_registrator_tag[count.index].target_image
+  keep_remotely = true
+}
 
 resource "aws_lambda_function" "registration" {
-  image_uri                      = var.ecr_image_uri
+  image_uri                      = var.enable_auto_publish_ecr_image ? local.generated_ecr_image_uri : var.ecr_image_uri
   package_type                   = "Image"
   function_name                  = var.name
   role                           = aws_iam_role.registration.arn
@@ -168,6 +223,9 @@ resource "aws_lambda_function" "registration" {
       security_group_ids = vpc_config.value["security_group_ids"]
     }
   }
+  depends_on = [
+    docker_registry_image.push_image
+  ]
 }
 
 module "eventbridge" {

modules/lambda-registrator/validations.tf

@@ -0,0 +1,3 @@
+locals {
+  require_ecr_image_uri_or_enable_auto_publish_ecr_image_set = var.ecr_image_uri == "" && var.enable_auto_publish_ecr_image == false ? file("ERROR: either ecr_image_uri or enable_auto_publish_ecr_image must be set") : null
+}

modules/lambda-registrator/variables.tf

@@ -84,6 +84,7 @@ variable "ecr_image_uri" {
   repository or configuring pull through cache rules (https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html).
   EOT
   type        = string
+  default     = ""
 }
 
 variable "sync_frequency_in_minutes" {
@@ -109,3 +110,39 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "private_ecr_repo_name" {
+  description = "The name of the repository to republish the ECR image if one exists. If no name is passed, it is assumed that no repository exists and one needs to be created."
+  type        = string
+  default     = ""
+}
+
+variable "consul_lambda_registrator_image" {
+  description = "The Lambda registrator image to use. Must be provided as <registry/repository:tag>"
+  type        = string
+  default     = "public.ecr.aws/hashicorp/consul-lambda-registrator:0.1.0-beta4"
+
+  validation {
+    condition     = can(regex("^[a-zA-Z0-9_.-]+/[a-z0-9_.-]+/[a-z0-9_.-]+:[a-zA-Z0-9_.-]+$", var.consul_lambda_registrator_image))
+    error_message = "Image format of 'consul_lambda_registrator_image' is invalid. It must be in the format 'registry/repository:tag'."
+  }
+}
+
+variable "docker_host" {
+  description = "The docker socket for your system"
+  type        = string
+  default     = "unix:///var/run/docker.sock"
+}
+
+variable "enable_auto_publish_ecr_image" {
+  description = <<-EOT
+    Enables automatic publishing of a public Lambda Registrator image to a private ECR repository via Docker.
+    When enable_auto_publish_ecr_image is set to true, the image defined by consul_lambda_registrator_image will be pulled and published to a private ECR repository. If private_ecr_repo_name is set, that name will be used to create the private ECR repository, otherwise the default name, consul-lambda-registrator-<random-suffix>, will be used
+    
+    You must set at least one of ecr_image_uri or enable_auto_publish_ecr_image. If enable_auto_publish_ecr_image is set to true then ecr_image_uri is ignored.
+    
+    Using this method to automatically pull the public image and push it to a private ECR repository requires access to the docker command in the local environment.
+    EOT
+  type        = bool
+  default     = false
+}

test/acceptance/setup-terraform/ecr.tf

@@ -8,7 +8,8 @@ locals {
 }
 
 resource "aws_ecr_repository" "lambda-registrator" {
-  name = local.ecr_repository_name
+  name         = local.ecr_repository_name
+  force_delete = true
 }
 
 resource "null_resource" "push-lambda-registrator-to-ecr" {

test/acceptance/setup-terraform/main.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "4.14.0"
+      version = "4.67.0"
     }
   }
 }