Implement integrations with Flux webhooks to automatically update ECR images using the image reflector component :rocket:.

flux2-ecr-webhook

This project allows you to automate the process of calling the Flux webhook (Receiver) when a PUSH action is performed in ECR, which can be useful for automating application deployment. It is designed to be used as a Terraform module to configure an AWS Lambda function that fires when a PUSH action is performed on an ECR repository. The Lambda function reads the necessary parameters from the SSM parameter store and then calls the Flux webhook (Receiver).

The configuration includes creating an SQS queue and a CloudWatch event to trigger the Lambda function when a PUSH action is performed in ECR.

```mermaid
graph LR
  ECR[ECR] -->|Push event| CW[CloudWatch Event]
  CW -->|Trigger| SQS[SQS Queue]
  SQS -->|Trigger| L[Lambda Function]
  L -->|Read parameters| SM[Secret Management]
  L -->|Call webhook| F[Flux Receiver]
```

TODO

  • Add unit tests
  • Add support for generic-hmac
  • Add support to lambda with VPC (for internal webhook)

Usage

To use this Terraform module, you must first have created webhooks for each ImageRepository resource in your cluster.

For example, if you have an ImageRepository named my-ecr-repo-ir, create a Receiver resource for it; the Receiver exposes a webhook URL that can be called. That URL is what you later put in the module's repo_mapping input variable.

Note: Only the generic receiver type is supported.

```yaml
---
apiVersion: notification.toolkit.fluxcd.io/v1beta2
kind: Receiver
metadata:
  name: my-ecr-repo-receiver
  namespace: flux-system
spec:
  type: generic
  secretRef:
    name: webhook-token
  resources:
    - kind: ImageRepository
      name: my-ecr-repo-ir
```

The webhook URL created by the Receiver resource then has to be configured in the module, for example:

Note: Let's assume that our ECR repository is called my-ecr-repo.

```hcl
module "flux2-ecr-webhook" {
  source = "github.com/fabidick22/flux2-ecr-webhook?ref=v1.2.0"

  app_name = "flux-ecr-webhook"

  repo_mapping = {
    my-ecr-repo = {                                    # ECR resource name
      prod = {
        webhook = ["https://domain.com/hook/1111111"]  # URL created by the Receiver
        regex   = "prod-(?P<version>.*)"               # Regex for ECR image tag
      }
      stg = {
        webhook = ["https://domain.com/hook/2222222"]  # URL created by the Receiver
        regex   = "stg-(?P<version>.*)"                # Regex for ECR image tag
      }
    }
  }

  # Reference the variable; a quoted "var.webhook_token" would be sent as a literal string
  webhook_token = var.webhook_token
}
```
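To make the mapping above concrete, here is an added example (not code from this module or its author) of the dispatch logic a Lambda behind the SQS queue needs: it reads the EventBridge "ECR Image Action" events the rule forwards, keeps only successful PUSH actions, matches the pushed tag against each <ID> regex in repo_mapping, and resolves the per-<ID> token override described in the Inputs table. The mapping values, the token strings and the full-match semantics of the regex are assumptions; the real Lambda source is not on this page.

```python
import json
import re

# Constructed mapping mirroring the README's repo_mapping input (hypothetical URLs/tokens).
REPO_MAPPING = {
    "my-ecr-repo": {
        "prod": {"webhook": ["https://domain.com/hook/1111111"],
                 "regex": r"prod-(?P<version>.*)"},
        "stg": {"webhook": ["https://domain.com/hook/2222222"],
                "regex": r"stg-(?P<version>.*)", "token": "stg-only-token"},
    }
}
DEFAULT_TOKEN = "default-token"  # stands in for the module's webhook_token input


def make_ecr_push_event(repo, tag, action="PUSH", result="SUCCESS"):
    """Build a constructed EventBridge 'ECR Image Action' event (test input)."""
    return {"source": "aws.ecr", "detail-type": "ECR Image Action",
            "detail": {"action-type": action, "result": result,
                       "repository-name": repo, "image-tag": tag}}


def resolve_webhooks(event, mapping, default_token):
    """Return [{id, url, token, version}] for one ECR event.

    Only successful PUSH actions count. An <ID> entry matches when it has no
    regex or its regex fully matches the tag (full match is an assumption).
    """
    detail = event.get("detail", {})
    if (event.get("source") != "aws.ecr" or detail.get("action-type") != "PUSH"
            or detail.get("result") != "SUCCESS"):
        return []
    tag, calls = detail.get("image-tag", ""), []
    for env_id, cfg in mapping.get(detail.get("repository-name"), {}).items():
        m = re.fullmatch(cfg["regex"], tag) if cfg.get("regex") else None
        if cfg.get("regex") and m is None:
            continue  # tag does not belong to this environment
        version = m.group("version") if m and "version" in m.groupdict() else tag
        for url in cfg["webhook"]:  # per-<ID> token overrides the default token
            calls.append({"id": env_id, "url": url, "version": version,
                          "token": cfg.get("token", default_token)})
    return calls


def handle_sqs_records(sqs_event, mapping=REPO_MAPPING, default_token=DEFAULT_TOKEN):
    """Lambda-style SQS batch handler: each record body is the forwarded JSON event."""
    calls = []
    for record in sqs_event.get("Records", []):
        calls.extend(resolve_webhooks(json.loads(record["body"]), mapping, default_token))
    return calls
```

Non-PUSH actions, failed pushes, unknown repositories and tags that match no <ID> regex all resolve to an empty list, so nothing reaches a receiver for them.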

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 4.63 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.63 |

Modules

| Name | Source | Version |
|------|--------|---------|
| lambda_function | github.com/terraform-aws-modules/terraform-aws-lambda | v4.16.0 |
| sqs_queue | github.com/terraform-aws-modules/terraform-aws-sqs | v4.0.1 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.ecr_event | resource |
| aws_cloudwatch_event_target.sqs_target | resource |
| aws_iam_policy.lambda_secrets_policy | resource |
| aws_iam_policy.lambda_sqs_policy | resource |
| aws_iam_role_policy_attachment.lambda_secrets_attachment | resource |
| aws_iam_role_policy_attachment.lambda_sqs_attachment | resource |
| aws_lambda_event_source_mapping.sqs_mapping | resource |
| aws_secretsmanager_secret.repo-mapping | resource |
| aws_secretsmanager_secret.webhook-token | resource |
| aws_secretsmanager_secret_version.repo-mapping | resource |
| aws_secretsmanager_secret_version.webhook-token | resource |
| aws_sqs_queue_policy.sqs_policy | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| app_name | Name used for the resources to create. | string | "flux2-ecr-webhook" | no |
| cw_logs_retention | Number of days to retain log events in the Lambda function's log group. | number | 14 | no |
| repo_mapping | Object with the repository mapping; if this variable is set, repo_mapping_file is ignored.<br>Available attributes:<br>- `<ECR>`: ECR resource name.<br>- `<ECR>.<ID>`: Unique name for the webhooks.<br>- `<ECR>.<ID>.webhook`: Webhook list.<br>- `<ECR>.<ID>.token` (Optional): Token used for the webhooks; if set, `webhook_token` is ignored for this entry.<br>- `<ECR>.<ID>.regex` (Optional): Regular expression applied to the image tag. | any | null | no |
| repo_mapping_file | Path to a YAML file with the repository mapping. | string | "" | no |
| webhook_token | Default token used to call the Flux receiver. It is used for every webhook whose repository mapping entry has no token attribute. | string | null | no |

Outputs

No outputs.