Merge pull request #1371 from alphagov/add-pull-cache-repos

Enable ghcr.io pull-through cache for ECR
alphagov · Jul 8, 2024 · e11be35 · e11be35
2 parents 480b66e + 3c9e2d6
commit e11be35
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/terraform/deployments/ecr/ecr-pull.tf b/terraform/deployments/ecr/ecr-pull.tf
@@ -5,7 +5,8 @@ data "aws_iam_policy_document" "allow_cross_account_pull_from_ecr" {
     actions = [
       "ecr:GetDownloadUrlForLayer",
       "ecr:BatchCheckLayerAvailability",
-      "ecr:BatchGetImage"
+      "ecr:BatchGetImage",
+      "ecr:BatchImportUpstreamImage",
     ]
     principals {
       identifiers = var.puller_arns
@@ -15,7 +16,10 @@ data "aws_iam_policy_document" "allow_cross_account_pull_from_ecr" {
 }
 
 resource "aws_ecr_repository_policy" "pull_from_ecr" {
-  for_each   = toset([for repo in local.repositories : aws_ecr_repository.repositories[repo].name])
+  for_each = toset(concat(
+    [for repo in local.repositories : aws_ecr_repository.repositories[repo].name],
+    [for repo in local.repositories : aws_ecr_repository.github_repositories[repo].name]
+  ))
   repository = each.key
   policy     = data.aws_iam_policy_document.allow_cross_account_pull_from_ecr.json
 }

diff --git a/terraform/deployments/ecr/main.tf b/terraform/deployments/ecr/main.tf
@@ -78,8 +78,29 @@ resource "aws_ecr_repository" "repositories" {
   image_scanning_configuration { scan_on_push = true }
 }
 
+resource "aws_ecr_repository" "github_repositories" {
+  for_each             = toset(local.repositories)
+  name                 = "github/alphagov/${each.key}"
+  image_tag_mutability = "MUTABLE" # To support a movable `latest` for developer convenience.
+  image_scanning_configuration { scan_on_push = true }
+}
+
+resource "aws_ecr_pull_through_cache_rule" "github" {
+  ecr_repository_prefix = "github"
+  upstream_registry_url = "ghcr.io"
+  credential_arn        = "arn:aws:secretsmanager:eu-west-1:172025368201:secret:ecr-pullthroughcache/github-packages-udvpiZ"
+}
+
+import {
+  to = aws_ecr_pull_through_cache_rule.github
+  id = "github"
+}
+
 resource "aws_ecr_lifecycle_policy" "ecr_lifecycle_policy" {
-  for_each   = toset([for repo in local.repositories : aws_ecr_repository.repositories[repo].name])
+  for_each = toset(concat(
+    [for repo in local.repositories : aws_ecr_repository.repositories[repo].name],
+    [for repo in local.repositories : aws_ecr_repository.github_repositories[repo].name]
+  ))
   repository = each.key
 
   policy = jsonencode({