From 93b2aa3dbaca742e6ed627256f747c9b3326d43d Mon Sep 17 00:00:00 2001 From: Gu Date: Mon, 19 Dec 2022 15:35:19 -0600 Subject: [PATCH 1/6] add ecr user and token as variables --- README.md | 2 ++ examples/complete/main.tf | 17 +++++++++++++++++ main.tf | 30 +++++++++++++++--------------- variables.tf | 10 ++++++++++ 4 files changed, 44 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 11a2b2f..cb9a5df 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,8 @@ module "eks_ack_addons" { source = "aws-ia/eks-ack-addons/aws" cluster_id = "example-ack" + ecrpublic_username = local.ecrpublic_username + ecrpublic_token = local.ecrpublic_token enable_api_gatewayv2 = true enable_dynamodb = true diff --git a/examples/complete/main.tf b/examples/complete/main.tf index db12d8d..9a4d106 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -2,6 +2,17 @@ provider "aws" { region = var.aws_region } +# This provider is required for ECR to autheticate with public repos. Please note ECR authetication requires us-east-1 as region hence its hardcoded below. +# If your region is same as us-east-1 then you can just use one aws provider +provider "aws" { + alias = ecr + region = "us-east-1" +} + +data "aws_ecrpublic_authorization_token" "token" { + provider = aws.ecr +} + provider "kubernetes" { host = module.eks_blueprints.eks_cluster_endpoint cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data) @@ -26,6 +37,9 @@ data "aws_partition" "current" {} locals { name = "ack-eks-${basename(path.cwd)}" + ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name + ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password + vpc_cidr = "10.0.0.0/16" azs = slice(data.aws_availability_zones.available.names, 0, 3) 
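Review bot: The comment introducing the aliased provider misspells "authenticate" and "authentication" and could state the constraint more precisely; suggested wording: `# ECR Public issues authorization tokens only from us-east-1, so this aliased provider pins that region; if your default region is already us-east-1 a single provider is enough.` The value read from `data.aws_ecrpublic_authorization_token.token` is a registry password that is fetched anew on every plan and then persisted in this example's Terraform state, so the state file must be treated as a secret; a one-line comment on the data source saying so would help readers who copy the example. AWS issues these tokens with a limited validity period (check the current ECR Public documentation), so the value cannot be pinned or reused across long-lived runs. Whether re-reading the token on each run produces a perpetual diff on the consuming `helm_release` resources depends on provider behaviour and is worth confirming before merging.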
@@ -92,6 +106,9 @@ module "eks_ack_addons" { source = "../../" cluster_id = module.eks_blueprints.eks_cluster_id + ecrpublic_username = local.ecrpublic_username + ecrpublic_token = local.ecrpublic_token + # Wait for data plane to be ready data_plane_wait_arn = module.eks_blueprints.managed_node_group_arn[0] diff --git a/main.tf b/main.tf index 3c6299c..b6be4d0 100644 --- a/main.tf +++ b/main.tf @@ -6,15 +6,15 @@ data "aws_eks_cluster" "this" { name = local.cluster_id } -# Equivalent of aws ecr get-login -data "aws_ecrpublic_authorization_token" "token" {} - locals { # this makes downstream resources wait for data plane to be ready cluster_id = time_sleep.dataplane.triggers["cluster_id"] region = data.aws_region.current.name eks_oidc_issuer_url = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "") + + ecrpublic_username = var.ecrpublic_username + ecrpublic_token = var.ecrpublic_token addon_context = { aws_caller_identity_account_id = data.aws_caller_identity.current.account_id @@ -60,8 +60,8 @@ module "api_gatewayv2" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0.1.4" namespace = local.api_gatewayv2_name - repository_username = data.aws_ecrpublic_authorization_token.token.user_name - repository_password = data.aws_ecrpublic_authorization_token.token.password + repository_username = local.ecrpublic_username + repository_password = local.ecrpublic_token description = "ACK API Gateway Controller v2 Helm chart deployment configuration" values = [ # shortens pod name from `ack-api-gatewayv2-apigatewayv2-chart-xxxxxxxxxxxxx` to `ack-api-gatewayv2-xxxxxxxxxxxxx` 
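Review bot: Dropping the in-module `aws_ecrpublic_authorization_token` data source and replacing it with two inputs that have no default (the README table in this series marks both as required) is a breaking interface change for every existing caller of the module, and nothing in the commit message or README explains the migration. A short note in the README "Inputs" section, e.g. `# ECR Public tokens can only be issued from us-east-1, so the caller must obtain them via a provider the module cannot assume and pass them in as ecrpublic_username / ecrpublic_token`, would make the reason and the required change obvious to upgraders. The `locals` block this hunk edits starts and ends outside the hunk.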
@@ -136,8 +136,8 @@ module "dynamodb" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0-stable" namespace = local.dynamodb_name - repository_username = data.aws_ecrpublic_authorization_token.token.user_name - repository_password = data.aws_ecrpublic_authorization_token.token.password + repository_username = local.ecrpublic_username + repository_password = local.ecrpublic_token description = "ACK DynamoDB Controller v2 Helm chart deployment configuration" values = [ # shortens pod name from `ack-dynamodb-dynamodb-chart-xxxxxxxxxxxxx` to `ack-dynamodb-xxxxxxxxxxxxx` @@ -203,8 +203,8 @@ module "s3" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0.1.5" namespace = local.s3_name - repository_username = data.aws_ecrpublic_authorization_token.token.user_name - repository_password = data.aws_ecrpublic_authorization_token.token.password + repository_username = local.ecrpublic_username + repository_password = local.ecrpublic_token description = "ACK S3 Controller v2 Helm chart deployment configuration" values = [ # shortens pod name from `ack-s3-s3-chart-xxxxxxxxxxxxx` to `ack-s3-xxxxxxxxxxxxx` @@ -270,8 +270,8 @@ module "rds" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0.1.1" namespace = local.rds_name - repository_username = data.aws_ecrpublic_authorization_token.token.user_name - repository_password = data.aws_ecrpublic_authorization_token.token.password + repository_username = local.ecrpublic_username + repository_password = local.ecrpublic_token create_namespace = true description = "ACK RDS Controller v2 Helm chart deployment configuration" values = [ 
@@ -338,8 +338,8 @@ module "amp" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0.1.1" namespace = local.amp_name - repository_username = data.aws_ecrpublic_authorization_token.token.user_name - repository_password = data.aws_ecrpublic_authorization_token.token.password + repository_username = local.ecrpublic_username + repository_password = local.ecrpublic_token create_namespace = true description = "ACK amp Controller v2 Helm chart deployment configuration" values = [ @@ -406,8 +406,8 @@ module "emrcontainers" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0-stable" namespace = local.emr_name - repository_username = data.aws_ecrpublic_authorization_token.token.user_name - repository_password = data.aws_ecrpublic_authorization_token.token.password + repository_username = local.ecrpublic_username + repository_password = local.ecrpublic_token description = "Helm Charts for the emrcontainers controller for AWS Controllers for Kubernetes (ACK)" values = [ # shortens pod name from `ack-emrcontainers-emrcontainers-chart-xxxxxxxxxxxxx` to `ack-emrcontainers-xxxxxxxxxxxxx` diff --git a/variables.tf b/variables.tf index 9559be6..6bd8f94 100644 --- a/variables.tf +++ b/variables.tf @@ -3,6 +3,16 @@ variable "cluster_id" { type = string } +variable "ecrpublic_username" { + description = "EKS Cluster Id" + type = string +} + +variable "ecrpublic_token" { + description = "EKS Cluster Id" + type = string +} + variable "data_plane_wait_arn" { description = "Addon deployment will not proceed until this value is known. Set to node group/Fargate profile ARN to wait for data plane to be ready before provisioning addons" type = string From a0695b43c1b8b894301673ad501fa184e4b7424a Mon Sep 17 00:00:00 2001 From: Gu Date: Mon, 19 Dec 2022 15:41:41 -0600 Subject: [PATCH 2/6] add ecr user and token as variables --- examples/complete/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 9a4d106..be860e5 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -5,7 +5,7 @@ provider "aws" { # This provider is required for ECR to autheticate with public repos. Please note ECR authetication requires us-east-1 as region hence its hardcoded below. # If your region is same as us-east-1 then you can just use one aws provider provider "aws" { - alias = ecr + alias = "ecr" region = "us-east-1" } From 50cceba199b7b9c318505d7ef2a0aa30bd002af3 Mon Sep 17 00:00:00 2001 From: EC2 Default User Date: Mon, 19 Dec 2022 21:45:46 +0000 Subject: [PATCH 3/6] precommit fix --- examples/complete/main.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index be860e5..814de8f 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -9,7 +9,7 @@ provider "aws" { region = "us-east-1" } -data "aws_ecrpublic_authorization_token" "token" { +data "aws_ecrpublic_authorization_token" "token" { provider = aws.ecr } @@ -36,9 +36,9 @@ data "aws_caller_identity" "current" {} data "aws_partition" "current" {} locals { - name = "ack-eks-${basename(path.cwd)}" + name = "ack-eks-${basename(path.cwd)}" ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name - ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password + ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password vpc_cidr = "10.0.0.0/16" @@ -105,9 +105,9 @@ module "eks_blueprints_kubernetes_addons" { module "eks_ack_addons" { source = "../../" - cluster_id = module.eks_blueprints.eks_cluster_id + cluster_id = module.eks_blueprints.eks_cluster_id ecrpublic_username = local.ecrpublic_username - ecrpublic_token = local.ecrpublic_token + ecrpublic_token = local.ecrpublic_token # Wait for data plane to be ready From b1c23539fc0cc3fe1adf3ca3ed77ec98885bab94 Mon Sep 17 00:00:00 2001 
From: EC2 Default User Date: Mon, 19 Dec 2022 21:47:29 +0000 Subject: [PATCH 4/6] precommit fix --- README.md | 3 ++- main.tf | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cb9a5df..8a7320e 100644 --- a/README.md +++ b/README.md @@ -65,7 +65,6 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [aws_iam_policy.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [time_sleep.dataplane](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_ecrpublic_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecrpublic_authorization_token) | data source | | [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_iam_policy.amp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_iam_policy.api_gatewayv2_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | 
@@ -86,6 +85,8 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [cluster\_id](#input\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes | | [data\_plane\_wait\_arn](#input\_data\_plane\_wait\_arn) | Addon deployment will not proceed until this value is known. Set to node group/Fargate profile ARN to wait for data plane to be ready before provisioning addons | `string` | `""` | no | | [dynamodb\_helm\_config](#input\_dynamodb\_helm\_config) | ACK dynamodb Helm Chart config | `any` | `{}` | no | +| [ecrpublic\_token](#input\_ecrpublic\_token) | EKS Cluster Id | `string` | n/a | yes | +| [ecrpublic\_username](#input\_ecrpublic\_username) | EKS Cluster Id | `string` | n/a | yes | | [emrcontainers\_helm\_config](#input\_emrcontainers\_helm\_config) | ACK EMR container Helm Chart config | `any` | `{}` | no | | [enable\_amp](#input\_enable\_amp) | Enable ACK amp add-on | `bool` | `false` | no | | [enable\_api\_gatewayv2](#input\_enable\_api\_gatewayv2) | Enable ACK API gateway v2 add-on | `bool` | `false` | no | diff --git a/main.tf b/main.tf index b6be4d0..0940a4a 100644 --- a/main.tf +++ b/main.tf @@ -12,7 +12,7 @@ locals { region = data.aws_region.current.name eks_oidc_issuer_url = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "") - + ecrpublic_username = var.ecrpublic_username ecrpublic_token = var.ecrpublic_token From eaaf065313fea78f237d3ea6f56e2b929aee991b Mon Sep 17 00:00:00 2001 From: Gu Date: Mon, 19 Dec 2022 16:09:28 -0600 Subject: [PATCH 5/6] use var instead of local --- examples/complete/main.tf | 7 ++----- main.tf | 27 ++++++++++++--------------- variables.tf | 4 ++-- 3 files changed, 16 insertions(+), 22 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 814de8f..1432faf 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf 
@@ -37,9 +37,6 @@ data "aws_partition" "current" {} locals { name = "ack-eks-${basename(path.cwd)}" - ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name - ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password - vpc_cidr = "10.0.0.0/16" azs = slice(data.aws_availability_zones.available.names, 0, 3) @@ -106,8 +103,8 @@ module "eks_ack_addons" { source = "../../" cluster_id = module.eks_blueprints.eks_cluster_id - ecrpublic_username = local.ecrpublic_username - ecrpublic_token = local.ecrpublic_token + ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name + ecrpublic_token = data.aws_ecrpublic_authorization_token.token.password # Wait for data plane to be ready diff --git a/main.tf b/main.tf index 0940a4a..82d3c20 100644 --- a/main.tf +++ b/main.tf @@ -13,9 +13,6 @@ locals { eks_oidc_issuer_url = replace(data.aws_eks_cluster.this.identity[0].oidc[0].issuer, "https://", "") - ecrpublic_username = var.ecrpublic_username - ecrpublic_token = var.ecrpublic_token - addon_context = { aws_caller_identity_account_id = data.aws_caller_identity.current.account_id aws_caller_identity_arn = data.aws_caller_identity.current.arn @@ -60,8 +57,8 @@ module "api_gatewayv2" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0.1.4" namespace = local.api_gatewayv2_name - repository_username = local.ecrpublic_username - repository_password = local.ecrpublic_token + repository_username = var.ecrpublic_username + repository_password = var.ecrpublic_token description = "ACK API Gateway Controller v2 Helm chart deployment configuration" values = [ # shortens pod name from `ack-api-gatewayv2-apigatewayv2-chart-xxxxxxxxxxxxx` to `ack-api-gatewayv2-xxxxxxxxxxxxx` 
@@ -136,8 +133,8 @@ module "dynamodb" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0-stable" namespace = local.dynamodb_name - repository_username = local.ecrpublic_username - repository_password = local.ecrpublic_token + repository_username = var.ecrpublic_username + repository_password = var.ecrpublic_token description = "ACK DynamoDB Controller v2 Helm chart deployment configuration" values = [ # shortens pod name from `ack-dynamodb-dynamodb-chart-xxxxxxxxxxxxx` to `ack-dynamodb-xxxxxxxxxxxxx` @@ -203,8 +200,8 @@ module "s3" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0.1.5" namespace = local.s3_name - repository_username = local.ecrpublic_username - repository_password = local.ecrpublic_token + repository_username = var.ecrpublic_username + repository_password = var.ecrpublic_token description = "ACK S3 Controller v2 Helm chart deployment configuration" values = [ # shortens pod name from `ack-s3-s3-chart-xxxxxxxxxxxxx` to `ack-s3-xxxxxxxxxxxxx` @@ -270,8 +267,8 @@ module "rds" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0.1.1" namespace = local.rds_name - repository_username = local.ecrpublic_username - repository_password = local.ecrpublic_token + repository_username = var.ecrpublic_username + repository_password = var.ecrpublic_token create_namespace = true description = "ACK RDS Controller v2 Helm chart deployment configuration" values = [ @@ -338,8 +335,8 @@ module "amp" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0.1.1" namespace = local.amp_name - repository_username = local.ecrpublic_username - repository_password = local.ecrpublic_token + repository_username = var.ecrpublic_username + repository_password = var.ecrpublic_token create_namespace = true description = "ACK amp Controller v2 Helm chart deployment configuration" values = [ 
@@ -406,8 +403,8 @@ module "emrcontainers" { repository = "oci://public.ecr.aws/aws-controllers-k8s" version = "v0-stable" namespace = local.emr_name - repository_username = local.ecrpublic_username - repository_password = local.ecrpublic_token + repository_username = var.ecrpublic_username + repository_password = var.ecrpublic_token description = "Helm Charts for the emrcontainers controller for AWS Controllers for Kubernetes (ACK)" values = [ # shortens pod name from `ack-emrcontainers-emrcontainers-chart-xxxxxxxxxxxxx` to `ack-emrcontainers-xxxxxxxxxxxxx` diff --git a/variables.tf b/variables.tf index 6bd8f94..3c92bcf 100644 --- a/variables.tf +++ b/variables.tf @@ -4,12 +4,12 @@ variable "cluster_id" { } variable "ecrpublic_username" { - description = "EKS Cluster Id" + description = "User name decoded from the authorization token for accessing public ECR" type = string } variable "ecrpublic_token" { - description = "EKS Cluster Id" + description = "Password decoded from the authorization token for accessing public ECR" type = string } From 93d69aada56408d928b54751c64e10e637b356af Mon Sep 17 00:00:00 2001 From: EC2 Default User Date: Mon, 19 Dec 2022 22:10:18 +0000 Subject: [PATCH 6/6] precommit fix --- README.md | 4 ++-- examples/complete/main.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8a7320e..500cb51 100644 --- a/README.md +++ b/README.md 
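Review bot: `ecrpublic_token` is a registry password, yet the variable is still declared without `sensitive = true`, so any plan diff, output or log that carries the value is shown in clear unless every consuming attribute happens to be provider-marked sensitive; add `sensitive = true` to the `ecrpublic_token` block (the `helm_release` modules that consume it are outside this hunk). Marking it sensitive only redacts CLI output — the value is still written to Terraform state in clear text, which is worth saying in the description, e.g. `description = "Password decoded from the ECR Public authorization token; treated as a secret but still stored in Terraform state"`. AWS issues these tokens with a limited validity period (see the ECR Public documentation), so callers should pass a freshly read value rather than a stored one. The user name is not secret and can stay as declared.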
@@ -85,8 +85,8 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws | [cluster\_id](#input\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes | | [data\_plane\_wait\_arn](#input\_data\_plane\_wait\_arn) | Addon deployment will not proceed until this value is known. Set to node group/Fargate profile ARN to wait for data plane to be ready before provisioning addons | `string` | `""` | no | | [dynamodb\_helm\_config](#input\_dynamodb\_helm\_config) | ACK dynamodb Helm Chart config | `any` | `{}` | no | -| [ecrpublic\_token](#input\_ecrpublic\_token) | EKS Cluster Id | `string` | n/a | yes | -| [ecrpublic\_username](#input\_ecrpublic\_username) | EKS Cluster Id | `string` | n/a | yes | +| [ecrpublic\_token](#input\_ecrpublic\_token) | Password decoded from the authorization token for accessing public ECR | `string` | n/a | yes | +| [ecrpublic\_username](#input\_ecrpublic\_username) | User name decoded from the authorization token for accessing public ECR | `string` | n/a | yes | | [emrcontainers\_helm\_config](#input\_emrcontainers\_helm\_config) | ACK EMR container Helm Chart config | `any` | `{}` | no | | [enable\_amp](#input\_enable\_amp) | Enable ACK amp add-on | `bool` | `false` | no | | [enable\_api\_gatewayv2](#input\_enable\_api\_gatewayv2) | Enable ACK API gateway v2 add-on | `bool` | `false` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 1432faf..9cbd5a1 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -36,7 +36,7 @@ data "aws_caller_identity" "current" {} data "aws_partition" "current" {} locals { - name = "ack-eks-${basename(path.cwd)}" + name = "ack-eks-${basename(path.cwd)}" vpc_cidr = "10.0.0.0/16" azs = slice(data.aws_availability_zones.available.names, 0, 3)