feat: add ecr_proxy support, documentation improvements

kvendingoldo · May 24, 2024 · 69e50f0 · 69e50f0
1 parent 41aa6ab
commit 69e50f0
Show file tree

Hide file tree

Showing 11 changed files with 163 additions and 7 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,30 @@
+# EditorConfig is awesome: http://EditorConfig.org
+# Uses editorconfig to maintain consistent coding styles
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+max_line_length = 80
+trim_trailing_whitespace = true
+
+[*.{tf,tfvars}]
+indent_size = 2
+indent_style = space
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+
+[Makefile]
+tab_width = 2
+indent_style = tab
+
+[COMMIT_EDITMSG]
+max_line_length = 0
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
-# aws-letsencrypt-lambda
+<!-- BADGES -->
+[![Github release](https://img.shields.io/github/v/release/kvendingoldo/aws-letsencrypt-lambda?style=for-the-badge)](https://github.com/kvendingoldo/aws-letsencrypt-lambda/releases) [![Contributors](https://img.shields.io/github/contributors/kvendingoldo/aws-letsencrypt-lambda?style=for-the-badge)](https://github.com/kvendingoldo/aws-letsencrypt-lambda/graphs/contributors) ![maintenance status](https://img.shields.io/maintenance/yes/2024.svg?style=for-the-badge) [![Go report](https://img.shields.io/badge/go%20report-A+-brightgreen.svg?style=for-the-badge)](https://goreportcard.com/report/github.com/kvendingoldo/aws-letsencrypt-lambda/) [![OpenTofu support](https://img.shields.io/badge/opentofu-supported-blue.svg?logo=opentofu&style=for-the-badge)](https://opentofu.org/) [![OpenTofu support](https://img.shields.io/badge/terraform-supported-blue.svg?logo=terraform&style=for-the-badge)](https://www.terraform.io/)
 
-[![Github release](https://img.shields.io/github/v/release/kvendingoldo/aws-letsencrypt-lambda?style=for-the-badge)](https://github.com/kvendingoldo/aws-letsencrypt-lambda/releases) [![Contributors](https://img.shields.io/github/contributors/kvendingoldo/aws-letsencrypt-lambda?style=for-the-badge)](https://github.com/kvendingoldo/aws-letsencrypt-lambda/graphs/contributors) ![maintenance status](https://img.shields.io/maintenance/yes/2024.svg?style=for-the-badge)
-[![support opentofu](https://img.shields.io/badge/supports-opentofu-green?style=for-the-badge)](https://opentofu.org/)
+# aws-letsencrypt-lambda
 
 ## Overview
 It's common for people to desire having valid TLS certificates without wanting to pay for them.
@@ -14,4 +14,4 @@ You can review the following documents on the Lambda to learn more:
 * [How to use the Lambda inside of AWS](docs/how_to_use_aws.md)
 * [How to use the Lambda locally](docs/how_to_use_locally.md)
 * [How to use Terraform automation](docs/how_to_use_terraform.md)
-* [Lambda's environment variables](docs/environment_variables.md)
+* [Labmda's environment variables](docs/environment_variables.md)
diff --git a/files/terraform/module/README.md b/files/terraform/module/README.md
@@ -34,7 +34,10 @@ No modules.
 | [aws_cloudwatch_event_rule.schedule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.event_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+<<<<<<< HEAD
 | [aws_ecr_pull_through_cache_rule.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_pull_through_cache_rule) | resource |
+=======
+>>>>>>> 0a93985 (feat: add ecr_proxy support, documentation improvements)
 | [aws_iam_policy.acm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.route53](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |

diff --git a/files/terraform/module/ecr_proxy.tf b/files/terraform/module/ecr_proxy.tf
@@ -0,0 +1,16 @@
+resource "aws_ecr_repository" "lambda_proxy" {
+  count                = var.enable_ecr_proxy  ? 0 : 1
+  name                 = var.ecr_repository_prefix
+  image_tag_mutability = "MUTABLE"
+  force_delete         = true
+  image_scanning_configuration {
+    scan_on_push = false
+  }
+}
+
+resource "aws_ecr_pull_through_cache_rule" "docker_hub" {
+  count                 = var.enable_ecr_proxy  ? 0 : 1
+  ecr_repository_prefix = var.ecr_repository_prefix
+  upstream_registry_url = "registry-1.docker.io"
+  credential_arn        = var.dockerhub_proxy_secret_arn
+}
diff --git a/files/terraform/module/examples/full/main.tf b/files/terraform/module/examples/full/main.tf
@@ -0,0 +1,13 @@
+module "letsencrypt_lambda" {
+  source = "[email protected]:kvendingoldo/aws-letsencrypt-lambda.git//files/terraform/module?ref=rc/0.9.0"
+
+  blank_name = "test-letsencrypt-lambda"
+  tags       = var.tags
+
+  cron_schedule = var.letsencrypt_lambda_cron_schedule
+  image_uri     = var.letsencrypt_lambda_image_uri
+  events        = var.letsencrypt_lambda_events
+
+  enable_ecr_proxy = false
+  ecr_image_uri    = "<YOUR_ACCOUNT_ID>.dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:<VERSION>"
+}
diff --git a/files/terraform/module/examples/full/variables.tf b/files/terraform/module/examples/full/variables.tf
@@ -0,0 +1,31 @@
+variable "tags" {
+  default = {
+    testTagKey : "testTagValue"
+  }
+}
+variable "letsencrypt_lambda_cron_schedule" {
+  default = "rate(168 hours)"
+}
+variable "letsencrypt_lambda_image_uri" {
+  default = "<YOUR_ACCOUNT_ID>.dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:<VERSION>"
+}
+variable "letsencrypt_lambda_events" {
+  default = [
+    {
+      "domainName" : "<TEST_DOMAIN_1>",
+      "acmeUrl" : "stage",
+      "acmeEmail" : "<EMAIL_1>",
+      "reImportThreshold" : 10,
+      "issueType" : "force"
+    },
+    {
+      "acmRegion" : "us-east-2",
+      "route53Region" : "us-east-1",
+      "domainName" : "<TEST_DOMAIN_2>",
+      "acmeUrl" : "prod",
+      "acmeEmail" : "<EMAIL_2>",
+      "reImportThreshold" : 30,
+      "issueType" : "default"
+    }
+  ]
+}
diff --git a/files/terraform/module/examples/simple/main.tf b/files/terraform/module/examples/simple/main.tf
@@ -0,0 +1,10 @@
+module "letsencrypt_lambda" {
+  source = "[email protected]:kvendingoldo/aws-letsencrypt-lambda.git//files/terraform/module?ref=rc/0.9.0"
+
+  blank_name = "test-letsencrypt-lambda"
+  tags       = var.tags
+
+  cron_schedule = var.letsencrypt_lambda_cron_schedule
+  image_uri     = var.letsencrypt_lambda_image_uri
+  events        = var.letsencrypt_lambda_events
+}
diff --git a/files/terraform/module/examples/simple/variables.tf b/files/terraform/module/examples/simple/variables.tf
@@ -0,0 +1,24 @@
+variable "tags" {
+  default = {
+    testTagKey : "testTagValue"
+  }
+}
+variable "letsencrypt_lambda_cron_schedule" {
+  default = "rate(168 hours)"
+}
+variable "letsencrypt_lambda_image_uri" {
+  default = "<YOUR_ACCOUNT_ID>.dkr.ecr.us-east-2.amazonaws.com/aws_letsencrypt_lambda:<VERSION>"
+}
+variable "letsencrypt_lambda_events" {
+  default = [
+    {
+      "acmRegion" : "us-east-2",
+      "route53Region" : "us-east-1",
+      "domainName" : "<TEST_DOMAIN_2>",
+      "acmeUrl" : "prod",
+      "acmeEmail" : "<EMAIL_2>",
+      "reImportThreshold" : 30,
+      "issueType" : "default"
+    }
+  ]
+}
diff --git a/files/terraform/module/locals.tf b/files/terraform/module/locals.tf
@@ -1,4 +1,7 @@
 locals {
-  events = { for event in var.events : event["domainName"] => event if var.cron_enabled }
-  image  = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${var.ecr_proxy_repository_prefix}/${var.image}"
+  events = {for event in var.events : event["domainName"] => event if var.cron_enabled}
+
+  ecr_domain   = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com"
+  image_prefix = var.enable_ecr_proxy ? "${local.ecr_domain}/${var.ecr_repository_prefix}/" : ""
+  lambda_image = var.enable_ecr_proxy ? "${local.image_prefix}${var.dockerhub_image}" : var.ecr_image_uri
 }
diff --git a/files/terraform/module/main.tf b/files/terraform/module/main.tf
@@ -7,7 +7,7 @@ resource "aws_lambda_function" "main" {
   tags          = var.tags
 
   role         = var.create_iam_role ? aws_iam_role.main[0].arn : var.iam_role_arn
-  image_uri    = local.image
+  image_uri    = local.lambda_image
   package_type = "Image"
   timeout      = var.timeout
   memory_size  = var.memory_size

diff --git a/files/terraform/module/variables.tf b/files/terraform/module/variables.tf
@@ -127,3 +127,29 @@ variable "retention" {
   description = "Number of days to retain log events in the specified log group"
   default     = 7
 }
+
+#
+# Lambda image
+#
+variable "dockerhub_image" {
+  default = "kvendingoldo/aws-letsencrypt-lambda:latest"
+}
+variable "ecr_image_uri" {
+  type        = string
+  description = "ECR image URI containing the function's deployment package. Required only if enable_ecr_proxy is false"
+  default     = null
+}
+
+#
+# ECR proxy for DockerHub
+#
+variable "enable_ecr_proxy" {
+  default = true
+}
+variable "ecr_repository_prefix" {
+  default = "dockerhub-public"
+}
+variable "dockerhub_proxy_secret_arn" {
+  description = "If left empty, image is pulled directly from Docker Hub, which might be throttled."
+  default     = ""
+}