Enable ghcr.io pull-through cache for ECR

This commit creates a pull-through cache rule to pull images from ghcr.io. This allows us to push images to ghcr.io instead of directly to AWS ECR. We need to explicitly create the repositories for the pull-through cache, as ECR doesn't support cross-account permissions to create the ECR repositories on the fly.
alphagov · Jul 8, 2024 · 3c9e2d6 · 3c9e2d6
1 parent 480b66e
commit 3c9e2d6
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/terraform/deployments/ecr/ecr-pull.tf b/terraform/deployments/ecr/ecr-pull.tf
@@ -5,7 +5,8 @@ data "aws_iam_policy_document" "allow_cross_account_pull_from_ecr" {
     actions = [
       "ecr:GetDownloadUrlForLayer",
       "ecr:BatchCheckLayerAvailability",
-      "ecr:BatchGetImage"
+      "ecr:BatchGetImage",
+      "ecr:BatchImportUpstreamImage",
     ]
     principals {
       identifiers = var.puller_arns
@@ -15,7 +16,10 @@ data "aws_iam_policy_document" "allow_cross_account_pull_from_ecr" {
 }
 
 resource "aws_ecr_repository_policy" "pull_from_ecr" {
-  for_each   = toset([for repo in local.repositories : aws_ecr_repository.repositories[repo].name])
+  for_each = toset(concat(
+    [for repo in local.repositories : aws_ecr_repository.repositories[repo].name],
+    [for repo in local.repositories : aws_ecr_repository.github_repositories[repo].name]
+  ))
   repository = each.key
   policy     = data.aws_iam_policy_document.allow_cross_account_pull_from_ecr.json
 }

diff --git a/terraform/deployments/ecr/main.tf b/terraform/deployments/ecr/main.tf
@@ -78,8 +78,29 @@ resource "aws_ecr_repository" "repositories" {
   image_scanning_configuration { scan_on_push = true }
 }
 
+resource "aws_ecr_repository" "github_repositories" {
+  for_each             = toset(local.repositories)
+  name                 = "github/alphagov/${each.key}"
+  image_tag_mutability = "MUTABLE" # To support a movable `latest` for developer convenience.
+  image_scanning_configuration { scan_on_push = true }
+}
+
+resource "aws_ecr_pull_through_cache_rule" "github" {
+  ecr_repository_prefix = "github"
+  upstream_registry_url = "ghcr.io"
+  credential_arn        = "arn:aws:secretsmanager:eu-west-1:172025368201:secret:ecr-pullthroughcache/github-packages-udvpiZ"
+}
+
+import {
+  to = aws_ecr_pull_through_cache_rule.github
+  id = "github"
+}
+
 resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" {
-  for_each   = toset([for repo in local.repositories : aws_ecr_repository.repositories[repo].name])
+  for_each = toset(concat(
+    [for repo in local.repositories : aws_ecr_repository.repositories[repo].name],
+    [for repo in local.repositories : aws_ecr_repository.github_repositories[repo].name]
+  ))
   repository = each.key
 
   policy = jsonencode({