###################################################
# Pull Through Cache Policy
###################################################
data "aws_iam_policy_document" "pull_through_cache" {
  # Render one document only when at least one policy is configured; min()
  # collapses any positive count to a single instance.
  count = min(length(var.pull_through_cache_policies), 1)

  # One Allow statement per entry of var.pull_through_cache_policies. The
  # principal identifiers are passed through verbatim, so callers should keep
  # them scoped to specific IAM ARNs: a wildcard principal would expose the
  # listed repositories to every AWS account once this document is attached
  # (presumably as the ECR registry policy elsewhere in the module — confirm).
  dynamic "statement" {
    for_each = var.pull_through_cache_policies
    iterator = entry

    content {
      sid    = format("PullThroughCacheAccess-%s", entry.key)
      effect = "Allow"

      principals {
        type        = "AWS"
        identifiers = entry.value.iam_entities
      }

      # ecr:BatchImportUpstreamImage is always granted (it is the permission a
      # pull through the cache relies on); ecr:CreateRepository is added only
      # when the entry opts in, so a first pull may create the cached repository.
      actions = concat(
        entry.value.allow_create_repository ? ["ecr:CreateRepository"] : [],
        ["ecr:BatchImportUpstreamImage"]
      )

      # Scope the grant to the configured repository names/patterns only.
      # The partition is hard-coded to "aws"; local.region and local.account_id
      # are defined elsewhere in the module.
      resources = [
        for repository in entry.value.repositories :
        format("arn:aws:ecr:%s:%s:repository/%s", local.region, local.account_id, repository)
      ]
    }
  }
}
###################################################
# Pull Through Cache Rules
###################################################
locals {
  # Default ECR repository prefix per upstream registry host, used when a
  # pull-through-cache rule does not set its own namespace. Keys must match
  # rule.upstream_url exactly. Azure Container Registry hosts are per-registry
  # (<name>.azurecr.io), so the "myregistry.azurecr.io" entry is a placeholder
  # that will not match a real registry; ACR rules need an explicit namespace.
  default_namespaces = {
    # container ecosystem registries
    "public.ecr.aws"        = "ecr-public"
    "registry-1.docker.io"  = "docker-hub"
    "registry.k8s.io"       = "kubernetes"
    "quay.io"               = "quay"
    # forge-hosted registries
    "ghcr.io"               = "github"
    "registry.gitlab.com"   = "gitlab"
    # cloud vendor registries
    "myregistry.azurecr.io" = "azure"
  }
}
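resource "aws_ecr_pull_through_cache_rule" "this" {
  # Key each rule by its repository prefix: the explicit namespace if given,
  # otherwise the default for the upstream host. lookup() is used instead of a
  # direct map index because both coalesce() arguments are evaluated eagerly;
  # a direct index would fail at plan time for any upstream_url missing from
  # local.default_namespaces (e.g. a customer-specific *.azurecr.io host) even
  # when rule.namespace is set. A rule with neither an explicit namespace nor a
  # known upstream still fails via coalesce(), as do two rules resolving to the
  # same prefix (duplicate for_each key).
  for_each = {
    for rule in var.pull_through_cache_rules :
    coalesce(rule.namespace, lookup(local.default_namespaces, rule.upstream_url, null)) => rule
  }

  ecr_repository_prefix = each.key
  upstream_registry_url = each.value.upstream_url

  # Optional upstream credentials. Only the Secrets Manager ARN is passed
  # through; ECR requires the secret name to start with "ecr-pullthroughcache/",
  # and the secret's contents are never read by this configuration.
  credential_arn = (each.value.credential != null
    ? each.value.credential.secretsmanager_secret
    : null
  )
}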