refactor: replace docker pull push with skopeo (#178)

aneoconsulting · Nov 13, 2024 · 147539d · 147539d
2 parents 2f61098 + b173395
commit 147539d
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 37 deletions.
diff --git a/container-registry/aws/ecr/README.md b/container-registry/aws/ecr/README.md
@@ -23,14 +23,16 @@ This module must be used with these constraints:
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.4.0 |
-| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
+| <a name="requirement_generic"></a> [generic](#requirement\_generic) | >= 0.1.1 |
+| <a name="requirement_skopeo2"></a> [skopeo2](#requirement\_skopeo2) | >= 1.1.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.4.0 |
-| <a name="provider_null"></a> [null](#provider\_null) | >= 3.2.1 |
+| <a name="provider_generic"></a> [generic](#provider\_generic) | >= 0.1.1 |
+| <a name="provider_skopeo2"></a> [skopeo2](#provider\_skopeo2) | >= 1.1.1 |
 
 ## Modules
 
@@ -43,8 +45,10 @@ No modules.
 | [aws_ecr_lifecycle_policy.ecr_lifecycle_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
 | [aws_ecr_repository.ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
 | [aws_ecr_repository_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource |
-| [null_resource.copy_images](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| generic_local_cmd.logout_public_ecr_login_private | resource |
+| [skopeo2_copy.copy_images](https://registry.terraform.io/providers/bsquare-corp/skopeo2/latest/docs/resources/copy) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ecr_authorization_token.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
 | [aws_iam_policy_document.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.only_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

diff --git a/container-registry/aws/ecr/main.tf b/container-registry/aws/ecr/main.tf
@@ -1,7 +1,8 @@
 # Current account
 data "aws_caller_identity" "current" {}
 
-# Current AWS region
+data "aws_ecr_authorization_token" "current" {}
+
 data "aws_region" "current" {}
 
 locals {
@@ -119,35 +120,44 @@ resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" {
 }
 
 # Push images
-resource "null_resource" "copy_images" {
-  for_each = aws_ecr_repository.ecr
-  triggers = {
-    state = join("-", [
-      each.key, var.repositories[each.key].image, var.repositories[each.key].tag
-    ])
+resource "skopeo2_copy" "copy_images" {
+  for_each          = aws_ecr_repository.ecr
+  source_image      = "docker://${var.repositories[each.key].image}:${var.repositories[each.key].tag}"
+  destination_image = "docker://${each.value.repository_url}:${var.repositories[each.key].tag}"
+
+  copy_all_images = true
+  retries         = 10
+  retry_delay     = 10
+
+  depends_on = [generic_local_cmd.logout_public_ecr_login_private]
+}
+
+# This is to fix the auth token expired issue describe here: https://docs.aws.amazon.com/AmazonECR/latest/public/public-registries.html
+resource "generic_local_cmd" "logout_public_ecr_login_private" {
+  inputs = {
+    profile         = var.aws_profile
+    region          = local.region
+    current_account = local.current_account
   }
-  provisioner "local-exec" {
-    command = <<-EOT
-aws ecr get-login-password --profile ${var.aws_profile} --region ${local.region}  | docker login --username AWS --password-stdin ${local.current_account}.dkr.ecr.${local.region}.amazonaws.com
-aws ecr-public get-login-password --profile ${var.aws_profile} --region us-east-1  | docker login --username AWS --password-stdin public.ecr.aws
-if [ -z "$(docker images -q '${var.repositories[each.key].image}:${var.repositories[each.key].tag}')" ]
-then
-  if ! docker pull ${var.repositories[each.key].image}:${var.repositories[each.key].tag}
-  then
-    echo "cannot download image ${var.repositories[each.key].image}:${var.repositories[each.key].tag}"
-    exit 1
-  fi
-fi
-if ! docker tag ${var.repositories[each.key].image}:${var.repositories[each.key].tag} ${local.current_account}.dkr.ecr.${local.region}.amazonaws.com/${each.key}:${var.repositories[each.key].tag}
-then
-  echo "cannot tag image ${var.repositories[each.key].image}:${var.repositories[each.key].tag} to ${local.current_account}.dkr.ecr.${local.region}.amazonaws.com/${each.key}:${var.repositories[each.key].tag}"
-  exit 1
-fi
-if ! docker push ${local.current_account}.dkr.ecr.${local.region}.amazonaws.com/${each.key}:${var.repositories[each.key].tag}
-then
-  echo "cannot push image ${local.current_account}.dkr.ecr.${local.region}.amazonaws.com/${each.key}:${var.repositories[each.key].tag}"
-  exit 1
-fi
-EOT
+
+  create {
+    cmd = <<EOT
+      docker logout public.ecr.aws
+      aws ecr get-login-password --profile "$INPUT_profile" --region "$INPUT_region"  | docker login --username AWS --password-stdin "$INPUT_current_account".dkr.ecr."$INPUT_region".amazonaws.com    
+      EOT
+  }
+
+  destroy {
+    cmd = <<EOT
+      docker logout "$INPUT_current_account".dkr.ecr."$INPUT_region".amazonaws.com    
+      EOT
+  }
+
+  update {
+    triggers = []
+    cmd      = <<EOT
+      docker logout public.ecr.aws
+      aws ecr get-login-password --profile "$INPUT_profile" --region "$INPUT_region"  | docker login --username AWS --password-stdin "$INPUT_current_account".dkr.ecr."$INPUT_region".amazonaws.com    
+      EOT
   }
 }
diff --git a/container-registry/aws/ecr/variables.tf b/container-registry/aws/ecr/variables.tf
@@ -3,7 +3,6 @@ variable "aws_profile" {
   description = "AWS Profile used to login and push container images on ECR"
   type        = string
 }
-
 # Tags
 variable "tags" {
   description = "Tags for resource"

diff --git a/container-registry/aws/ecr/versions.tf b/container-registry/aws/ecr/versions.tf
@@ -1,13 +1,24 @@
+provider "skopeo2" {
+  destination {
+    login_username = data.aws_ecr_authorization_token.current.user_name
+    login_password = data.aws_ecr_authorization_token.current.password
+  }
+}
+
 terraform {
   required_version = ">= 1.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
       version = ">= 5.4.0"
     }
-    null = {
-      source  = "hashicorp/null"
-      version = ">= 3.2.1"
+    skopeo2 = {
+      source  = "bsquare-corp/skopeo2"
+      version = ">= 1.1.1"
+    }
+    generic = {
+      source  = "aneoconsulting.github.io/aneoconsulting/generic"
+      version = ">= 0.1.1"
     }
   }
 }