feat: Add EC2 Container Registry support

aws-ia · Dec 2, 2022 · dc7ad44 · dc7ad44
1 parent 950645c
commit dc7ad44
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ module "eks_ack_addons" {
   enable_s3            = true
   enable_rds           = true
   enable_amp           = true
+  enable_ecr           = true
 
   tags = {
     Environment = "dev"
@@ -51,6 +52,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | <a name="module_amp"></a> [amp](#module\_amp) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 | <a name="module_api_gatewayv2"></a> [api\_gatewayv2](#module\_api\_gatewayv2) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 | <a name="module_dynamodb"></a> [dynamodb](#module\_dynamodb) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
+| <a name="module_ecr"></a> [ecr](#module\_ecr) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 | <a name="module_rds"></a> [rds](#module\_rds) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 | <a name="module_s3"></a> [s3](#module\_s3) | github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon | v4.12.2 |
 
@@ -65,6 +67,7 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [aws_iam_policy.api_gatewayv2_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.api_gatewayv2_invoke](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy.ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -79,9 +82,11 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes |
 | <a name="input_data_plane_wait_arn"></a> [data\_plane\_wait\_arn](#input\_data\_plane\_wait\_arn) | Addon deployment will not proceed until this value is known. Set to node group/Fargate profile ARN to wait for data plane to be ready before provisioning addons | `string` | `""` | no |
 | <a name="input_dynamodb_helm_config"></a> [dynamodb\_helm\_config](#input\_dynamodb\_helm\_config) | ACK dynamodb Helm Chart config | `any` | `{}` | no |
+| <a name="input_ecr_helm_config"></a> [ecr\_helm\_config](#input\_ecr\_helm\_config) | ACK ecr Helm Chart config | `any` | `{}` | no |
 | <a name="input_enable_amp"></a> [enable\_amp](#input\_enable\_amp) | Enable ACK amp add-on | `bool` | `false` | no |
 | <a name="input_enable_api_gatewayv2"></a> [enable\_api\_gatewayv2](#input\_enable\_api\_gatewayv2) | Enable ACK API gateway v2 add-on | `bool` | `false` | no |
 | <a name="input_enable_dynamodb"></a> [enable\_dynamodb](#input\_enable\_dynamodb) | Enable ACK dynamodb add-on | `bool` | `false` | no |
+| <a name="input_enable_ecr"></a> [enable\_ecr](#input\_enable\_ecr) | Enable ACK ecr add-on | `bool` | `false` | no |
 | <a name="input_enable_rds"></a> [enable\_rds](#input\_enable\_rds) | Enable ACK rds add-on | `bool` | `false` | no |
 | <a name="input_enable_s3"></a> [enable\_s3](#input\_enable\_s3) | Enable ACK s3 add-on | `bool` | `false` | no |
 | <a name="input_irsa_iam_permissions_boundary"></a> [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `""` | no |

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -101,6 +101,7 @@ module "eks_ack_addons" {
   enable_s3            = true
   enable_rds           = true
   enable_amp           = true
+  enable_ecr           = true
 
   tags = local.tags
 }

diff --git a/main.tf b/main.tf
@@ -372,3 +372,69 @@ data "aws_iam_policy" "amp" {
 
   name = "AmazonPrometheusFullAccess"
 }
+
+################################################################################
+# EC2 Container Registry
+################################################################################
+
+locals {
+  ecr_name = "ack-ecr"
+}
+
+module "ecr" {
+  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons/helm-addon?ref=v4.12.2"
+
+  count = var.enable_ecr ? 1 : 0
+
+  helm_config = merge(
+    {
+      name             = local.ecr_name
+      chart            = "ecr-chart"
+      repository       = "oci://public.ecr.aws/aws-controllers-k8s"
+      version          = "v0.1.7"
+      namespace        = local.ecr_name
+      create_namespace = true
+      description      = "ACK ecr Controller v2 Helm chart deployment configuration"
+      values = [
+        # shortens pod name from `ack-ecr-ecr-chart-xxxxxxxxxxxxx` to `ack-ecr-xxxxxxxxxxxxx`
+        <<-EOT
+          nameOverride: ack-ecr
+        EOT
+      ]
+    },
+    var.ecr_helm_config
+  )
+
+  set_values = [
+    {
+      name  = "serviceAccount.name"
+      value = local.ecr_name
+    },
+    {
+      name  = "serviceAccount.create"
+      value = false
+    },
+    {
+      name  = "aws.region"
+      value = local.region
+    }
+  ]
+
+  irsa_config = {
+    create_kubernetes_namespace = true
+    kubernetes_namespace        = try(var.ecr_helm_config.namespace, local.ecr_name)
+
+    create_kubernetes_service_account = true
+    kubernetes_service_account        = local.ecr_name
+
+    irsa_iam_policies = [data.aws_iam_policy.ecr[0].arn]
+  }
+
+  addon_context = local.addon_context
+}
+
+data "aws_iam_policy" "ecr" {
+  count = var.enable_ecr ? 1 : 0
+
+  name = "AmazonEC2ContainerRegistryFullAccess"
+}
diff --git a/variables.tf b/variables.tf
@@ -106,3 +106,19 @@ variable "amp_helm_config" {
   type        = any
   default     = {}
 }
+
+################################################################################
+# ECR
+################################################################################
+
+variable "enable_ecr" {
+  description = "Enable ACK ecr add-on"
+  type        = bool
+  default     = false
+}
+
+variable "ecr_helm_config" {
+  description = "ACK ecr Helm Chart config"
+  type        = any
+  default     = {}
+}