feat: Add support for repository creation template (#46)

* feat: Add support for repository creation template

* chore: Fix example after another round of validation

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.89.0
+    rev: v1.94.1
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

README.md

@@ -1,6 +1,6 @@
-# AWS ECR Terraform module
+# Amazon ECR Terraform module
 
-Terraform module which creates AWS ECR resources.
+Terraform module which creates Amazon ECR resources.
 
 ## Usage
 
@@ -187,20 +187,21 @@ Users of Terragrunt can achieve similar results by using modules provided in the
 Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
 
 - [Complete](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/examples/complete)
+- [Repository Template](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/examples/repository-template)
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.37 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.61 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.37 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.61 |
 
 ## Modules
 
@@ -264,7 +265,7 @@ No modules.
 | <a name="output_repository_name"></a> [repository\_name](#output\_repository\_name) | Name of the repository |
 | <a name="output_repository_registry_id"></a> [repository\_registry\_id](#output\_repository\_registry\_id) | The registry ID where the repository was created |
 | <a name="output_repository_url"></a> [repository\_url](#output\_repository\_url) | The URL of the repository |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 ## License
 

examples/README.md

@@ -1,3 +1,4 @@
-# Terraform AWS ECR Examples
+# Terraform Amazon ECR Examples
 
 - [Complete](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/examples/complete)
+- [Repository Template](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/examples/repository-template)

examples/complete/README.md

@@ -1,4 +1,4 @@
-# Complete AWS ECR Example
+# Amazon ECR Complete Example
 
 Configuration in this directory creates:
 
@@ -22,19 +22,19 @@ $ terraform apply
 
 Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources.
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.37 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.61 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.37 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.61 |
 
 ## Modules
 
@@ -69,6 +69,6 @@ No inputs.
 | <a name="output_repository_name"></a> [repository\_name](#output\_repository\_name) | Name of the repository |
 | <a name="output_repository_registry_id"></a> [repository\_registry\_id](#output\_repository\_registry\_id) | The registry ID where the repository was created |
 | <a name="output_repository_url"></a> [repository\_url](#output\_repository\_url) | The URL of the repository (in the form `aws_account_id.dkr.ecr.region.amazonaws.com/repositoryName`) |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-ecr/blob/master/LICENSE).

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.37"
+      version = ">= 5.61"
     }
   }
 }

examples/repository-template/README.md

@@ -0,0 +1,62 @@
+# Amazon ECR Repository Template Example
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+You can validate this example by running the commands generated in the `example_docker_pull_commands` output value.
+
+Note that this example may create resources which will incur monetary charges on your AWS bill. Run `terraform destroy` when you no longer need these resources.
+
+If you validate the example by using the pull-through cache, you will need to manually clean up these repositories within ECR since they are not manage by Terraform.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.61 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.61 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/repository-template | n/a |
+| <a name="module_dockerhub_pull_through_cache_repository_template"></a> [dockerhub\_pull\_through\_cache\_repository\_template](#module\_dockerhub\_pull\_through\_cache\_repository\_template) | ../../modules/repository-template | n/a |
+| <a name="module_public_ecr_pull_through_cache_repository_template"></a> [public\_ecr\_pull\_through\_cache\_repository\_template](#module\_public\_ecr\_pull\_through\_cache\_repository\_template) | ../../modules/repository-template | n/a |
+| <a name="module_secrets_manager_dockerhub_credentials"></a> [secrets\_manager\_dockerhub\_credentials](#module\_secrets\_manager\_dockerhub\_credentials) | terraform-aws-modules/secrets-manager/aws | ~> 1.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_example_docker_pull_commands"></a> [example\_docker\_pull\_commands](#output\_example\_docker\_pull\_commands) | Example docker pull commands to test and validate the example |
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | IAM role ARN |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | IAM role name |
+| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+<!-- END_TF_DOCS -->
+
+Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-ecr/blob/master/LICENSE).

examples/repository-template/main.tf

@@ -0,0 +1,113 @@
+provider "aws" {
+  region = local.region
+}
+
+locals {
+  region = "us-east-1"
+  name   = "ecr-ex-${basename(path.cwd)}"
+
+  account_id = data.aws_caller_identity.current.account_id
+
+  tags = {
+    Name       = local.name
+    Example    = local.name
+    Repository = "https://github.com/terraform-aws-modules/terraform-aws-ecr"
+  }
+}
+
+data "aws_caller_identity" "current" {}
+
+################################################################################
+# ECR Repository Template
+################################################################################
+
+module "public_ecr_pull_through_cache_repository_template" {
+  source = "../../modules/repository-template"
+
+  # Template
+  description   = "Pull through cache repository template for Public ECR artifacts"
+  prefix        = "ecr-public"
+  resource_tags = local.tags
+  lifecycle_policy = jsonencode({
+    rules = [
+      {
+        rulePriority = 1,
+        description  = "Keep last 30 images",
+        selection = {
+          tagStatus     = "tagged",
+          tagPrefixList = ["v"],
+          countType     = "imageCountMoreThan",
+          countNumber   = 30
+        },
+        action = {
+          type = "expire"
+        }
+      }
+    ]
+  })
+
+  # Pull through cache rule
+  create_pull_through_cache_rule = true
+  upstream_registry_url          = "public.ecr.aws"
+
+  tags = local.tags
+}
+
+module "dockerhub_pull_through_cache_repository_template" {
+  source = "../../modules/repository-template"
+
+  # Template
+  description   = "Pull through cache repository template for Dockerhub artifacts"
+  prefix        = "docker-hub"
+  resource_tags = local.tags
+
+  # Pull through cache rule
+  create_pull_through_cache_rule = true
+  upstream_registry_url          = "registry-1.docker.io"
+  credential_arn                 = module.secrets_manager_dockerhub_credentials.secret_arn
+
+  tags = local.tags
+}
+
+module "disabled" {
+  source = "../../modules/repository-template"
+
+  create = false
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "secrets_manager_dockerhub_credentials" {
+  source  = "terraform-aws-modules/secrets-manager/aws"
+  version = "~> 1.0"
+
+  # Secret names must contain 1-512 Unicode characters and be prefixed with ecr-pullthroughcache/
+  name_prefix = "ecr-pullthroughcache/dockerhub-credentials"
+  description = "Dockerhub credentials"
+
+  # For example only
+  recovery_window_in_days = 0
+  secret_string = jsonencode({
+    username    = "example"
+    accessToken = "YouShouldNotStoreThisInPlainText"
+  })
+
+  # Policy
+  create_policy       = true
+  block_public_policy = true
+  policy_statements = {
+    read = {
+      sid = "AllowAccountRead"
+      principals = [{
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${local.account_id}:root"]
+      }]
+      actions   = ["secretsmanager:GetSecretValue"]
+      resources = ["*"]
+    }
+  }
+
+  tags = local.tags
+}

examples/repository-template/outputs.tf

@@ -0,0 +1,28 @@
+output "iam_role_name" {
+  description = "IAM role name"
+  value       = module.dockerhub_pull_through_cache_repository_template.iam_role_name
+}
+
+output "iam_role_arn" {
+  description = "IAM role ARN"
+  value       = module.dockerhub_pull_through_cache_repository_template.iam_role_arn
+}
+
+output "iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = module.public_ecr_pull_through_cache_repository_template.iam_role_unique_id
+}
+
+output "example_docker_pull_commands" {
+  description = "Example docker pull commands to test and validate the example"
+  value       = <<-EOT
+    # Ensure your local CLI is authenticated with ECR
+    aws ecr get-login-password --region ${local.region} | docker login --username AWS --password-stdin ${local.account_id}.dkr.ecr.${local.region}.amazonaws.com
+
+    # Dockerhub pull through cache and repo creation
+    docker pull ${local.account_id}.dkr.ecr.${local.region}.amazonaws.com/docker-hub/library/nginx:latest
+
+    # Public ECR pull through cache and repo creation
+    docker pull ${local.account_id}.dkr.ecr.${local.region}.amazonaws.com/ecr-public/docker/library/nginx:latest
+  EOT
+}

examples/repository-template/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.61"
+    }
+  }
+}

main.tf

@@ -84,7 +84,6 @@ data "aws_iam_policy_document" "repository" {
 
         values = var.repository_lambda_read_access_arns
       }
-
     }
   }