
Allow pulling images from private Docker registry (#71)

* Allow pulling images from private Docker registry

As per the documentation for Fargate using private docker registries[1]
this commit introduces a new variable
`repository_credentials_secret_arn` used to pass in the AWS Secrets
Manager path to your credentials secret. Note that this also requires
the ECS task execution role to have access to this secret.

[1] https://aws.amazon.com/blogs/compute/introducing-private-registry-authentication-support-for-aws-fargate/

* Output the ECS task execution role name

We need the role name rather than the ARN of the role to attach policies
to it later. Yes we could infer the name from the ARN using split etc
but meh, just output it.

* Add `initProcessEnabled` to container def

Enable running container definitions with the —init flag to ensure a
proper supervisor runs our command.
joshmyers authored and maartenvanderhoef committed Aug 2, 2019
1 parent 215c2f2 commit ba219431fd8292dd0595f7cf59e53720700edd90
Showing with 56 additions and 7 deletions.
  1. +4 −0 main.tf
  2. +21 −7 modules/ecs_container_definition/main.tf
  3. +11 −0 modules/ecs_container_definition/variables.tf
  4. +5 −0 modules/iam/output.tf
  5. +4 −0 outputs.tf
  6. +11 −0 variables.tf
@@ -181,6 +181,8 @@ module "container_definition" {
container_memory = "${var.container_memory}"
container_memory_reservation = "${var.container_memory_reservation}"

container_init_process_enabled = "${var.container_init_process_enabled}"

container_port = "${var.container_port}"
host_port = "${var.awsvpc_enabled ? var.container_port : var.host_port }"

@@ -189,6 +191,8 @@ module "container_definition" {
container_envvars = "${var.container_envvars}"
container_secrets = "${var.container_secrets}"

repository_credentials_secret_arn = "${var.repository_credentials_secret_arn}"

container_docker_labels = "${var.container_docker_labels}"

mountpoints = ["${var.mountpoints}"]
@@ -39,7 +39,16 @@ locals {
without_port = []
}

use_port = "${var.container_port == "" ? "without_port" : "with_port" }"
repository_credentials = {
with_credentials = {
credentialsParameter = "${var.repository_credentials_secret_arn}"
}

without_credentials = {}
}

use_port = "${var.container_port == "" ? "without_port" : "with_port" }"
use_credentials = "${var.repository_credentials_secret_arn == "" ? "without_credentials" : "with_credentials" }"

container_definitions = [{
name = "${var.container_name}"
@@ -56,12 +65,17 @@ locals {

privileged = "${var.privileged}"

hostname = "${var.hostname}"
environment = ["${null_resource.envvars_as_list_of_maps.*.triggers}"]
secrets = ["${null_resource.secrets_as_list_of_maps.*.triggers}"]
mountPoints = ["${var.mountpoints}"]
portMappings = "${local.port_mappings[local.use_port]}"
healthCheck = "${var.healthcheck}"
hostname = "${var.hostname}"
environment = ["${null_resource.envvars_as_list_of_maps.*.triggers}"]
secrets = ["${null_resource.secrets_as_list_of_maps.*.triggers}"]
mountPoints = ["${var.mountpoints}"]
portMappings = "${local.port_mappings[local.use_port]}"
healthCheck = "${var.healthcheck}"
repositoryCredentials = "${local.repository_credentials[local.use_credentials]}"

linuxParameters = {
initProcessEnabled = "${var.container_init_process_enabled ? true : false }"
}

logConfiguration = {
logDriver = "${var.log_driver}"
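Review bot: `repositoryCredentials = "${local.repository_credentials[local.use_credentials]}"` is emitted unconditionally, so with the empty default for `repository_credentials_secret_arn` the container definition carries `repositoryCredentials = {}` (assuming these locals are rendered with `jsonencode`, as the `portMappings`/`without_port = []` pattern suggests). Unlike an empty `portMappings` list, an empty `repositoryCredentials` object is not obviously a no-op: the ECS API treats `credentialsParameter` as required once that block is present, so the default path may fail at task-definition registration rather than being ignored. Worth confirming with an apply that leaves the variable empty, and recording the outcome next to the local: `# without_credentials renders as {}; ECS requires credentialsParameter when this block is present -- verified the empty form is accepted`. The enclosing `locals` block begins and ends outside this hunk.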
@@ -26,6 +26,11 @@ variable "container_port" {
default = 80
}

variable "container_init_process_enabled" {
description = "Should the container be run with initProcessEnabled (--init)"
default = false
}

variable "host_port" {
description = "The port number on the container instance (host) to reserve for the container_port. If using containers in a task with the awsvpc or host network mode, the hostPort can either be left blank or set to the same value as the containerPort."
}
@@ -163,3 +168,9 @@ variable "tags" {
type = "map"
default = {}
}

variable "repository_credentials_secret_arn" {
description = "ARN of Docker private registry credentials stored in secrets manager"
type = "string"
default = ""
}
@@ -3,6 +3,11 @@ output "ecs_task_execution_role_arn" {
value = "${element(concat(aws_iam_role.ecs_task_execution_role.*.arn, list("")), 0)}"
}

# ecs_task_execution_role_arn outputs the Role-name for the ECS Task Execution role.
output "ecs_task_execution_role_name" {
value = "${element(concat(aws_iam_role.ecs_task_execution_role.*.name, list("")), 0)}"
}

# ecs_taskrole_arn outputs the Role-Arn of the ECS Task
output "ecs_taskrole_arn" {
value = "${element(concat(aws_iam_role.ecs_tasks_role.*.arn, list("")), 0)}"
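Review bot: The comment introduced above the new output still names the ARN output: `# ecs_task_execution_role_arn outputs the Role-name for the ECS Task Execution role.` was copied from the block above and should read `# ecs_task_execution_role_name outputs the Role-name for the ECS Task Execution role.` Since the commit message says this name exists so callers can attach a policy granting the execution role access to the registry secret, it would also help to say so in the comment, e.g. `# Exposed so callers can attach a policy scoped to the registry credentials secret (secretsmanager:GetSecretValue on that one ARN).`, which nudges consumers toward a single-secret grant rather than a wildcard.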
@@ -14,6 +14,10 @@ output "task_execution_role_arn" {
value = "${module.iam.ecs_task_execution_role_arn}"
}

output "task_execution_role_name" {
value = "${module.iam.ecs_task_execution_role_name}"
}

output "aws_ecs_task_definition_arn" {
value = "${module.ecs_task_definition_selector.selected_task_definition_for_deployment}"
}
@@ -24,6 +24,11 @@ variable "container_secrets_enabled" {
default = false
}

variable "container_init_process_enabled" {
description = "Should the container be run with initProcessEnabled (--init)"
default = false
}

variable "awsvpc_enabled" {
default = false
description = "With awsvpc_enabled the network_mode for the ECS task definition will be awsvpc, defaults to bridge"
@@ -506,3 +511,9 @@ variable "health_check_grace_period_seconds" {
description = "The amount of seconds to wait before the first health check. Only relevant for load balanced apps. Default 5 minutes"
default = 300
}

variable "repository_credentials_secret_arn" {
description = "ARN of Docker private registry credentials stored in secrets manager"
type = "string"
default = ""
}
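Review bot: The description of `repository_credentials_secret_arn` does not tell a module user what the commit message tells a reviewer: that the ECS task execution role must be able to read the secret, or what the secret must contain. Because this is the root variable users actually see, I would expand the description to something like `"ARN of the Secrets Manager secret holding the private registry credentials (per the AWS Fargate private-registry docs, a JSON object with username and password keys). The ECS task execution role must be granted secretsmanager:GetSecretValue on this ARN (plus kms:Decrypt if the secret uses a customer-managed key); leave empty to pull without credentials."`. The secret-shape detail is taken from the linked AWS post rather than from this diff, so verify the wording against it before committing.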
