Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rgl/terramate-aws-ecr-example

an example private container image repository hosted in the AWS Elastic Container Registry (ECR) of your AWS Account using terramate with terraform
https://github.com/rgl/terramate-aws-ecr-example

aws container-registry ecr terraform terramate

Last synced: 13 days ago
JSON representation

an example private container image repository hosted in the AWS Elastic Container Registry (ECR) of your AWS Account using terramate with terraform

Host: GitHub
URL: https://github.com/rgl/terramate-aws-ecr-example
Owner: rgl
Created: 2024-03-02T16:17:46.000Z (8 months ago)
Default Branch: main
Last Pushed: 2024-03-31T12:28:44.000Z (7 months ago)
Last Synced: 2024-03-31T13:32:13.749Z (7 months ago)
Topics: aws, container-registry, ecr, terraform, terramate
Language: Shell
Homepage:
Size: 43.9 KB
Stars: 5
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # About

[![Lint](https://github.com/rgl/terramate-aws-ecr-example/actions/workflows/lint.yml/badge.svg)](https://github.com/rgl/terramate-aws-ecr-example/actions/workflows/lint.yml)

This creates private container image repositories hosted in the [AWS Elastic Container Registry (ECR)](https://aws.amazon.com/ecr/) of your AWS Account using a Terramate project.

For equivalent examples see:

* [terraform](https://github.com/rgl/terraform-aws-ecr-example)

* [pulumi (aws classic provider)](https://github.com/rgl/pulumi-typescript-aws-classic-ecr-example)

* [pulumi (aws native provider)](https://github.com/rgl/pulumi-typescript-aws-native-ecr-example)

# Usage (on a Ubuntu Desktop)

Install the dependencies:

* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

* [Terraform](https://www.terraform.io/downloads.html).

* [Terramate](https://terramate.io/docs/cli/installation).

* [Crane](https://github.com/google/go-containerregistry/releases).

* [Docker](https://docs.docker.com/engine/install/).

Set the AWS Account credentials using SSO, e.g.:

```bash

# set the account credentials.

# NB the aws cli stores these at ~/.aws/config.

# NB this is equivalent to manually configuring SSO using aws configure sso.

# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-manual

# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso

cat >secrets-example.sh <<'EOF'

# set the environment variables to use a specific profile.

# NB use aws configure sso to configure these manually.

# e.g. use the pattern --

export aws_sso_session='example'

export aws_sso_start_url='https://example.awsapps.com/start'

export aws_sso_region='eu-west-1'

export aws_sso_account_id='123456'

export aws_sso_role_name='AdministratorAccess'

export AWS_PROFILE="$aws_sso_session-$aws_sso_account_id-$aws_sso_role_name"

unset AWS_ACCESS_KEY_ID

unset AWS_SECRET_ACCESS_KEY

unset AWS_DEFAULT_REGION

# configure the ~/.aws/config file.

# NB unfortunately, I did not find a way to create the [sso-session] section

#    inside the ~/.aws/config file using the aws cli. so, instead, manage that

#    file using python.

python3 <<'PY_EOF'

import configparser

import os

aws_sso_session = os.getenv('aws_sso_session')

aws_sso_start_url = os.getenv('aws_sso_start_url')

aws_sso_region = os.getenv('aws_sso_region')

aws_sso_account_id = os.getenv('aws_sso_account_id')

aws_sso_role_name = os.getenv('aws_sso_role_name')

aws_profile = os.getenv('AWS_PROFILE')

config = configparser.ConfigParser()

aws_config_directory_path = os.path.expanduser('~/.aws')

aws_config_path = os.path.join(aws_config_directory_path, 'config')

if os.path.exists(aws_config_path):

  config.read(aws_config_path)

config[f'sso-session {aws_sso_session}'] = {

  'sso_start_url': aws_sso_start_url,

  'sso_region': aws_sso_region,

  'sso_registration_scopes': 'sso:account:access',

}

config[f'profile {aws_profile}'] = {

  'sso_session': aws_sso_session,

  'sso_account_id': aws_sso_account_id,

  'sso_role_name': aws_sso_role_name,

  'region': aws_sso_region,

}

os.makedirs(aws_config_directory_path, mode=0o700, exist_ok=True)

with open(aws_config_path, 'w') as f:

  config.write(f)

PY_EOF

unset aws_sso_start_url

unset aws_sso_region

unset aws_sso_session

unset aws_sso_account_id

unset aws_sso_role_name

# show the user, user amazon resource name (arn), and the account id, of the

# profile set in the AWS_PROFILE environment variable.

if ! aws sts get-caller-identity >/dev/null 2>&1; then

  aws sso login

fi

aws sts get-caller-identity

EOF

```

Or, set the AWS Account credentials using an Access Key, e.g.:

```bash

# set the account credentials.

# NB get these from your aws account iam console.

#    see Managing access keys (console) at

#        https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey

cat >secrets-example.sh <<'EOF'

export AWS_ACCESS_KEY_ID='TODO'

export AWS_SECRET_ACCESS_KEY='TODO'

unset AWS_PROFILE

# set the default region.

export AWS_DEFAULT_REGION='eu-west-1'

# show the user, user amazon resource name (arn), and the account id.

aws sts get-caller-identity

EOF

```

Load the secrets:

```bash

source secrets-example.sh

```

Review the files:

* [`config.tm.hcl`](config.tm.hcl)

* [`stacks/ecr/main.tf`](stacks/ecr/main.tf)

Initialize the project:

```bash

terramate run terraform init -lockfile=readonly

```

Launch the example:

```bash

terramate run terraform apply

```

Show the terraform state:

```bash

terramate run terraform state list

terramate run terraform show

```

Log in the container registry:

**NB** You are logging in at the registry level. You are not logging in at the

repository level.

```bash

aws ecr get-login-password \

  --region "$(terramate run -C stacks/ecr terraform output -raw registry_region)" \

  | docker login \

      --username AWS \

      --password-stdin \

      "$(terramate run -C stacks/ecr terraform output -raw registry_domain)"

```

**NB** This saves the credentials in the `~/.docker/config.json` local file.

Inspect the created example container image:

```bash

image="$(terramate run -C stacks/ecr terraform output -json images | jq -r .example)"

crane manifest "$image" | jq .

```

Download the created example container image from the created container image

repository, and execute it locally:

```bash

docker run --rm "$image"

```

Delete the local copy of the created container image:

```bash

docker rmi "$image"

```

Log out the container registry:

```bash

docker logout \

  "$(terramate run -C stacks/ecr terraform output -raw registry_domain)"

```

Delete the example image resource:

```bash

terramate run -C stacks/ecr \

  terraform destroy -target='terraform_data.ecr_image["example"]'

```

At the ECR AWS Management Console, verify that the example image no longer

exists (actually, it's the image index/tag that no longer exists).

Do an `terraform apply` to verify that it recreates the example image:

```bash

terramate run terraform apply

```

Destroy the example:

```bash

terramate run --reverse terraform destroy

```

List this repository dependencies (and which have newer versions):

```bash

GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh

```

# Notes

* Its not possible to create multiple container image registries.

  * A single registry is automatically created when the AWS Account is created.

  * You have to create a separate repository for each of your container images.

    * A repository name can include several path segments (e.g. `hello/world`).

* Terramate does not support flowing Terraform outputs into other Terraform

  program input variables. Instead, Terraform programs should use Terraform

  data sources to find the resources that are already created. Those resources

  can normally be found by the resource tag (e.g. `stack`) defined in a

  Terramate global.

  * See https://github.com/terramate-io/terramate/discussions/525

  * See https://github.com/terramate-io/terramate/discussions/571#discussioncomment-3542867

  * See https://github.com/terramate-io/terramate/discussions/1090#discussioncomment-6659130

# References

* [Environment variables to configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html)

* [Token provider configuration with automatic authentication refresh for AWS IAM Identity Center](https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html) (SSO)

* [Managing access keys (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey)

* [AWS General Reference](https://docs.aws.amazon.com/general/latest/gr/Welcome.html)

  * [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)

* [Amazon ECR private registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html)

  * [Private registry authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)

* [terramate-quickstart-aws](https://github.com/terramate-io/terramate-quickstart-aws)