This module uses your Docker Hub credentials to periodically clone Docker Hub repositories into private ECR repositories, so your ECS tasks pull from ECR instead of Docker Hub and never run into Docker Hub rate limits. Paired with ECR VPC endpoints, pulls stay inside your VPC, which improves pull performance and lets you run the same workloads in a stricter environment with no internet access.
The Docker Hub access token only needs public repository read-only access; that is the only permission it requires, so grant it nothing more. A token is still required: anonymous pulls are rate limited per source IP, and CodeBuild's egress addresses are shared with other customers, so unauthenticated clones quickly run into rate limiting. Prefer passing the token through docker_hub_access_token_secret_arn rather than the plain docker_hub_access_token variable, because a value given as a variable ends up in Terraform state.
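The VPC endpoint pairing mentioned above, as an added example that is not part of the module or its examples folder. It assumes the VPC, private subnets, their route tables and a security group allowing TCP 443 from the task subnets already exist and are passed in as the variables shown. It gives ECS tasks in private subnets a path to ECR, S3 and CloudWatch Logs with no internet egress, and restricts the Docker registry endpoint to the cloned namespace in this account, so tasks in the VPC cannot pull images from anywhere else. The endpoints serve the consuming tasks only; the CodeBuild project that clones the images still needs egress to Docker Hub.

```hcl
# Added example, not module code. Assumed inputs: var.vpc_id, var.private_subnet_ids,
# var.private_route_table_ids and var.endpoint_security_group_id (a security group that
# allows TCP 443 from the subnets the ECS tasks run in).
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  ecr_namespace = "ecsclone" # must match the module's namespace variable
}

# ECR API endpoint (GetAuthorizationToken and friends)
resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.ecr.api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [var.endpoint_security_group_id]
  private_dns_enabled = true
}

# Docker registry endpoint; the endpoint policy limits pulls through this VPC to the
# cloned <namespace>/* repositories in this account
resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.ecr.dkr"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [var.endpoint_security_group_id]
  private_dns_enabled = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action = [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
      ]
      Resource = "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${local.ecr_namespace}/*"
    }]
  })
}

# Image layers are downloaded from S3, so the private route tables need a gateway endpoint
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}

# Tasks using the awslogs log driver also need CloudWatch Logs reachable
resource "aws_vpc_endpoint" "logs" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.logs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [var.endpoint_security_group_id]
  private_dns_enabled = true
}
```

If other images are pulled through the same VPC (for example an ECR repository outside the namespace), widen the Resource list on the ecr.dkr endpoint policy rather than dropping the policy; the ecr.api endpoint is left unrestricted because GetAuthorizationToken does not support resource-level permissions.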
An example of the containers variable, mapping each Docker Hub image to the list of tags to clone:

```hcl
containers = {
  "mongo"           = ["latest"]
  "redis"           = ["latest"]
  "hashicorp/vault" = ["1.14", "1.13.3"]
}
```
Repository paths are prefixed with the namespace variable (default "ecsclone") to prevent conflicts with other repositories in your registry. With the default namespace, the redis image above ends up at:

```text
XXXXX.dkr.ecr.eu-west-1.amazonaws.com/ecsclone/redis
```
This module also supports appending extra lines to the generated Dockerfile. This is useful when you need to add a VOLUME to a standard image, for instance so that a Vault Agent sidecar can share a directory with your application container via the VOLUME keyword:

```hcl
build_commands = {
  "hashicorp/vault:1.14" = [
    "RUN mkdir /etc/vault",
    "RUN chmod 777 /etc/vault",
    "VOLUME [\"/etc/vault\"]",
  ]
}
```
The resulting Dockerfile will be:

```dockerfile
FROM hashicorp/vault:1.14
RUN mkdir /etc/vault
RUN chmod 777 /etc/vault
VOLUME ["/etc/vault"]
```
Your application containers can now mount that same /etc/vault directory (on ECS, through volumesFrom on the sidecar, which only shares directories declared with VOLUME in the image) and run Vault Agent as a sidecar that writes the rendered .env file into the shared folder. Note that chmod 777 makes the directory world-writable so the two containers can share it whatever user each runs as; when both run as a known UID/GID, prefer chown to that user with a tighter mode.
There are other use cases as well. A standard public image may need environment variables set with ENV that were not defined when it was built; appending them here lets you customize the behaviour of public images without running your own build pipeline.
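As an added, complete example that ties the containers and build_commands settings above together (it is not the module's examples folder; the module source path, the Secrets Manager secret name, the placeholder username, the application image and the execution role are assumptions), here is a module call plus an ECS task definition that consumes the cloned Vault image and shares its /etc/vault volume with an application container:

```hcl
# Added example, not module code.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Assumed: the read-only Docker Hub token was stored in Secrets Manager out of band,
# so it never appears in variables or in Terraform state
data "aws_secretsmanager_secret" "docker_hub" {
  name = "dockerhub/readonly-token" # assumed secret name
}

module "ecs_clone" {
  source = "../../" # assumed path to this module

  docker_hub_username                = "example-user" # placeholder
  docker_hub_access_token_secret_arn = data.aws_secretsmanager_secret.docker_hub.arn
  namespace                          = "ecsclone"

  containers = {
    "mongo"           = ["latest"]
    "redis"           = ["latest"]
    "hashicorp/vault" = ["1.14", "1.13.3"]
  }

  # Declare /etc/vault as a volume so ECS can share it between containers
  build_commands = {
    "hashicorp/vault:1.14" = [
      "RUN mkdir /etc/vault",
      "RUN chmod 777 /etc/vault",
      "VOLUME [\"/etc/vault\"]",
    ]
  }
}

locals {
  # Cloned images live at <account>.dkr.ecr.<region>.amazonaws.com/<namespace>/<image>,
  # following the prefix rule described above
  registry    = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com"
  vault_image = "${local.registry}/ecsclone/hashicorp/vault:1.14"
  app_image   = "${local.registry}/myapp:latest" # placeholder: your own application image
}

resource "aws_ecs_task_definition" "app" {
  family                   = "app-with-vault-agent"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 512
  memory                   = 1024
  execution_role_arn       = aws_iam_role.task_execution.arn # assumed: role with ECR pull and logs permissions

  container_definitions = jsonencode([
    {
      name      = "vault-agent"
      image     = local.vault_image
      essential = false
      # Vault Agent renders secrets into /etc/vault, the directory declared with VOLUME
      command = ["vault", "agent", "-config=/vault/config/agent.hcl"] # assumed agent config path
    },
    {
      name      = "app"
      image     = local.app_image
      essential = true
      # volumesFrom shares the directories the source image declared with VOLUME;
      # the app only reads the rendered .env, so mount it read-only
      volumesFrom = [{ sourceContainer = "vault-agent", readOnly = true }]
      dependsOn   = [{ containerName = "vault-agent", condition = "START" }]
    }
  ])
}
```

The application container mounts the volume read-only: only the sidecar needs to write, and a compromised application then cannot tamper with what the agent renders. The task execution role still needs the usual ecr:GetAuthorizationToken, ecr:BatchGetImage and ecr:GetDownloadUrlForLayer permissions to pull from the private repositories.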
A fully working setup can be found in the examples folder.
For more debugging steps check out the elasticscale blog.
ElasticScale is a Solutions Architecture as a Service focusing on start-ups and scale-ups. For a fixed monthly subscription fee, we handle all your AWS workloads. Some services include:
- Migrating existing workloads to AWS
- Implementing the Zero Trust security model
- Integrating DevOps principles within your organization
- Moving to infrastructure automation (Terraform)
- Complying with ISO 27001 requirements within AWS
You can pause the subscription at any time and have direct access to certified AWS professionals.
Check out our website for more information.
Requirements:

Name | Version |
---|---|
terraform | >= 1.1 |
aws | >= 4.22.0 |

Providers:

Name | Version |
---|---|
aws | 4.67.0 |
null | 3.2.1 |
No modules.
Resources:

Name | Type |
---|---|
aws_codebuild_project.main | resource |
aws_ecr_lifecycle_policy.this | resource |
aws_ecr_repository.this | resource |
aws_ecr_repository_policy.this | resource |
aws_iam_role.main | resource |
aws_iam_role_policy.main | resource |
aws_ssm_parameter.accesstoken | resource |
null_resource.init | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.assume_role | data source |
aws_iam_policy_document.main | data source |
aws_iam_policy_document.secrets | data source |
aws_region.current | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
account_id | AWS account ID (defaults to the caller's account ID) | string | null | no |
build_commands | Additional lines appended to the generated Dockerfile of an image:tag before it is pushed to ECR | map(list(string)) | {} | no |
cloudwatch_log_group_name | Name of the CloudWatch log group to create | string | "" | no |
cloudwatch_log_stream_name | Name of the CloudWatch log stream to create | string | "" | no |
codebuild_project_name | Name of the CodeBuild project | string | "" | no |
containers | Docker Hub images to clone, mapped to the list of tags to clone | map(list(string)) | n/a | yes |
docker_hub_access_token | Docker Hub access token (public repo read-only access); a value given here is written to Terraform state, so prefer docker_hub_access_token_secret_arn | string | "" | no |
docker_hub_access_token_secret_arn | Secrets Manager secret ARN that contains the Docker Hub access token (public repo read-only access) | string | "" | no |
docker_hub_access_token_secret_kms_arn | KMS key ARN used to decrypt the Docker Hub access token secret | string | "" | no |
docker_hub_username | Docker Hub username | string | n/a | yes |
ecr_repo_policies | JSON ECR repository policies to attach to one or more repos | map(string) | {} | no |
iam_role_name | Name of the IAM role to create | string | "" | no |
namespace | Prefix added to all cloned repository paths to prevent conflicts | string | "ecsclone" | no |
prefix | Prefix added to all resource names | string | "ecs-clone-" | no |
profile | AWS profile to use | string | null | no |
region | AWS region (defaults to the caller's region) | string | null | no |
Outputs:

Name | Description |
---|---|
iam_role_arn | The ARN of the IAM role |
image_base_url | The base URL for your ECR images from Docker Hub |
project_arn | The ARN of the CodeBuild project |