fix: Make ecr user and token as variables (#37)

Co-authored-by: Gu <victorgw@amazon.com> Co-authored-by: EC2 Default User <ec2-user@ip-10-1-1-8.us-west-2.compute.internal>
aws-ia · Dec 19, 2022 · 215648e · 215648e
1 parent b9e31e3
commit 215648e
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -9,6 +9,8 @@ module "eks_ack_addons" {
   source = "aws-ia/eks-ack-addons/aws"
 
   cluster_id = "example-ack"
+  ecrpublic_username = local.ecrpublic_username
+  ecrpublic_token = local.ecrpublic_token
 
   enable_api_gatewayv2 = true
   enable_dynamodb      = true
@@ -63,7 +65,6 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | [aws_iam_policy.emrcontainers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [time_sleep.dataplane](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_ecrpublic_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecrpublic_authorization_token) | data source |
 | [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
 | [aws_iam_policy.amp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy.api_gatewayv2_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
@@ -84,6 +85,8 @@ Examples codified under the [`examples`](https://github.com/aws-ia/terraform-aws
 | <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | EKS Cluster Id | `string` | n/a | yes |
 | <a name="input_data_plane_wait_arn"></a> [data\_plane\_wait\_arn](#input\_data\_plane\_wait\_arn) | Addon deployment will not proceed until this value is known. Set to node group/Fargate profile ARN to wait for data plane to be ready before provisioning addons | `string` | `""` | no |
 | <a name="input_dynamodb_helm_config"></a> [dynamodb\_helm\_config](#input\_dynamodb\_helm\_config) | ACK dynamodb Helm Chart config | `any` | `{}` | no |
+| <a name="input_ecrpublic_token"></a> [ecrpublic\_token](#input\_ecrpublic\_token) | Password decoded from the authorization token for accessing public ECR | `string` | n/a | yes |
+| <a name="input_ecrpublic_username"></a> [ecrpublic\_username](#input\_ecrpublic\_username) | User name decoded from the authorization token for accessing public ECR | `string` | n/a | yes |
 | <a name="input_emrcontainers_helm_config"></a> [emrcontainers\_helm\_config](#input\_emrcontainers\_helm\_config) | ACK EMR container Helm Chart config | `any` | `{}` | no |
 | <a name="input_enable_amp"></a> [enable\_amp](#input\_enable\_amp) | Enable ACK amp add-on | `bool` | `false` | no |
 | <a name="input_enable_api_gatewayv2"></a> [enable\_api\_gatewayv2](#input\_enable\_api\_gatewayv2) | Enable ACK API gateway v2 add-on | `bool` | `false` | no |

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -2,6 +2,17 @@ provider "aws" {
   region = var.aws_region
 }
 
+# This provider is required for ECR to autheticate with public repos. Please note ECR authetication requires us-east-1 as region hence its hardcoded below.
+# If your region is same as us-east-1 then you can just use one aws provider
+provider "aws" {
+  alias  = "ecr"
+  region = "us-east-1"
+}
+
+data "aws_ecrpublic_authorization_token" "token" {
+  provider = aws.ecr
+}
+
 provider "kubernetes" {
   host                   = module.eks_blueprints.eks_cluster_endpoint
   cluster_ca_certificate = base64decode(module.eks_blueprints.eks_cluster_certificate_authority_data)
@@ -91,7 +102,10 @@ module "eks_blueprints_kubernetes_addons" {
 module "eks_ack_addons" {
   source = "../../"
 
-  cluster_id = module.eks_blueprints.eks_cluster_id
+  cluster_id         = module.eks_blueprints.eks_cluster_id
+  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
+  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password
+
 
   # Wait for data plane to be ready
   data_plane_wait_arn = module.eks_blueprints.managed_node_group_arn[0]

diff --git a/main.tf b/main.tf
@@ -6,9 +6,6 @@ data "aws_eks_cluster" "this" {
   name = local.cluster_id
 }
 
-# Equivalent of aws ecr get-login
-data "aws_ecrpublic_authorization_token" "token" {}
-
 locals {
   # this makes downstream resources wait for data plane to be ready
   cluster_id = time_sleep.dataplane.triggers["cluster_id"]
@@ -60,8 +57,8 @@ module "api_gatewayv2" {
       repository          = "oci://public.ecr.aws/aws-controllers-k8s"
       version             = "v0.1.4"
       namespace           = local.api_gatewayv2_name
-      repository_username = data.aws_ecrpublic_authorization_token.token.user_name
-      repository_password = data.aws_ecrpublic_authorization_token.token.password
+      repository_username = var.ecrpublic_username
+      repository_password = var.ecrpublic_token
       description         = "ACK API Gateway Controller v2 Helm chart deployment configuration"
       values = [
         # shortens pod name from `ack-api-gatewayv2-apigatewayv2-chart-xxxxxxxxxxxxx` to `ack-api-gatewayv2-xxxxxxxxxxxxx`
@@ -136,8 +133,8 @@ module "dynamodb" {
       repository          = "oci://public.ecr.aws/aws-controllers-k8s"
       version             = "v0-stable"
       namespace           = local.dynamodb_name
-      repository_username = data.aws_ecrpublic_authorization_token.token.user_name
-      repository_password = data.aws_ecrpublic_authorization_token.token.password
+      repository_username = var.ecrpublic_username
+      repository_password = var.ecrpublic_token
       description         = "ACK DynamoDB Controller v2 Helm chart deployment configuration"
       values = [
         # shortens pod name from `ack-dynamodb-dynamodb-chart-xxxxxxxxxxxxx` to `ack-dynamodb-xxxxxxxxxxxxx`
@@ -203,8 +200,8 @@ module "s3" {
       repository          = "oci://public.ecr.aws/aws-controllers-k8s"
       version             = "v0.1.5"
       namespace           = local.s3_name
-      repository_username = data.aws_ecrpublic_authorization_token.token.user_name
-      repository_password = data.aws_ecrpublic_authorization_token.token.password
+      repository_username = var.ecrpublic_username
+      repository_password = var.ecrpublic_token
       description         = "ACK S3 Controller v2 Helm chart deployment configuration"
       values = [
         # shortens pod name from `ack-s3-s3-chart-xxxxxxxxxxxxx` to `ack-s3-xxxxxxxxxxxxx`
@@ -270,8 +267,8 @@ module "rds" {
       repository          = "oci://public.ecr.aws/aws-controllers-k8s"
       version             = "v0.1.1"
       namespace           = local.rds_name
-      repository_username = data.aws_ecrpublic_authorization_token.token.user_name
-      repository_password = data.aws_ecrpublic_authorization_token.token.password
+      repository_username = var.ecrpublic_username
+      repository_password = var.ecrpublic_token
       create_namespace    = true
       description         = "ACK RDS Controller v2 Helm chart deployment configuration"
       values = [
@@ -338,8 +335,8 @@ module "amp" {
       repository          = "oci://public.ecr.aws/aws-controllers-k8s"
       version             = "v0.1.1"
       namespace           = local.amp_name
-      repository_username = data.aws_ecrpublic_authorization_token.token.user_name
-      repository_password = data.aws_ecrpublic_authorization_token.token.password
+      repository_username = var.ecrpublic_username
+      repository_password = var.ecrpublic_token
       create_namespace    = true
       description         = "ACK amp Controller v2 Helm chart deployment configuration"
       values = [
@@ -406,8 +403,8 @@ module "emrcontainers" {
       repository          = "oci://public.ecr.aws/aws-controllers-k8s"
       version             = "v0-stable"
       namespace           = local.emr_name
-      repository_username = data.aws_ecrpublic_authorization_token.token.user_name
-      repository_password = data.aws_ecrpublic_authorization_token.token.password
+      repository_username = var.ecrpublic_username
+      repository_password = var.ecrpublic_token
       description         = "Helm Charts for the emrcontainers controller for AWS Controllers for Kubernetes (ACK)"
       values = [
         # shortens pod name from `ack-emrcontainers-emrcontainers-chart-xxxxxxxxxxxxx` to `ack-emrcontainers-xxxxxxxxxxxxx`

diff --git a/variables.tf b/variables.tf
@@ -3,6 +3,16 @@ variable "cluster_id" {
   type        = string
 }
 
+variable "ecrpublic_username" {
+  description = "User name decoded from the authorization token for accessing public ECR"
+  type        = string
+}
+
+variable "ecrpublic_token" {
+  description = "Password decoded from the authorization token for accessing public ECR"
+  type        = string
+}
+
 variable "data_plane_wait_arn" {
   description = "Addon deployment will not proceed until this value is known. Set to node group/Fargate profile ARN to wait for data plane to be ready before provisioning addons"
   type        = string