This creates private container image repositories hosted in the AWS Elastic Container Registry (ECR) of your AWS Account using a Terramate project.
For equivalent examples see:
Install the dependencies:
Set the AWS Account credentials using SSO, e.g.:
# set the account credentials.
# NB the aws cli stores these at ~/.aws/config.
# NB this is equivalent to manually configuring SSO using aws configure sso.
# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-manual
# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso
cat >secrets-example.sh <<'EOF'
# set the environment variables to use a specific profile.
# NB use aws configure sso to configure these manually.
# e.g. use the pattern <aws-sso-session>-<aws-account-id>-<aws-role-name>
export aws_sso_session='example'
export aws_sso_start_url='https://example.awsapps.com/start'
export aws_sso_region='eu-west-1'
export aws_sso_account_id='123456'
export aws_sso_role_name='AdministratorAccess'
export AWS_PROFILE="$aws_sso_session-$aws_sso_account_id-$aws_sso_role_name"
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
# configure the ~/.aws/config file.
# NB unfortunately, I did not find a way to create the [sso-session] section
# inside the ~/.aws/config file using the aws cli. so, instead, manage that
# file using python.
python3 <<'PY_EOF'
import configparser
import os
aws_sso_session = os.getenv('aws_sso_session')
aws_sso_start_url = os.getenv('aws_sso_start_url')
aws_sso_region = os.getenv('aws_sso_region')
aws_sso_account_id = os.getenv('aws_sso_account_id')
aws_sso_role_name = os.getenv('aws_sso_role_name')
aws_profile = os.getenv('AWS_PROFILE')
config = configparser.ConfigParser()
aws_config_directory_path = os.path.expanduser('~/.aws')
aws_config_path = os.path.join(aws_config_directory_path, 'config')
if os.path.exists(aws_config_path):
config.read(aws_config_path)
config[f'sso-session {aws_sso_session}'] = {
'sso_start_url': aws_sso_start_url,
'sso_region': aws_sso_region,
'sso_registration_scopes': 'sso:account:access',
}
config[f'profile {aws_profile}'] = {
'sso_session': aws_sso_session,
'sso_account_id': aws_sso_account_id,
'sso_role_name': aws_sso_role_name,
'region': aws_sso_region,
}
os.makedirs(aws_config_directory_path, mode=0o700, exist_ok=True)
with open(aws_config_path, 'w') as f:
config.write(f)
PY_EOF
unset aws_sso_start_url
unset aws_sso_region
unset aws_sso_session
unset aws_sso_account_id
unset aws_sso_role_name
# show the user, user amazon resource name (arn), and the account id, of the
# profile set in the AWS_PROFILE environment variable.
if ! aws sts get-caller-identity >/dev/null 2>&1; then
aws sso login
fi
aws sts get-caller-identity
EOFOr, set the AWS Account credentials using an Access Key, e.g.:
# set the account credentials.
# NB get these from your aws account iam console.
# see Managing access keys (console) at
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
cat >secrets-example.sh <<'EOF'
export AWS_ACCESS_KEY_ID='TODO'
export AWS_SECRET_ACCESS_KEY='TODO'
unset AWS_PROFILE
# set the default region.
export AWS_DEFAULT_REGION='eu-west-1'
# show the user, user amazon resource name (arn), and the account id.
aws sts get-caller-identity
EOFLoad the secrets:
source secrets-example.shReview the files:
Initialize the project:
terramate run terraform init -lockfile=readonlyLaunch the example:
terramate run terraform applyShow the terraform state:
terramate run terraform state list
terramate run terraform showLog in the container registry:
NB You are logging in at the registry level. You are not logging in at the repository level.
aws ecr get-login-password \
--region "$(terramate run -C stacks/ecr terraform output -raw registry_region)" \
| docker login \
--username AWS \
--password-stdin \
"$(terramate run -C stacks/ecr terraform output -raw registry_domain)"NB This saves the credentials in the ~/.docker/config.json local file.
Inspect the created example container image:
image="$(terramate run -C stacks/ecr terraform output -json images | jq -r .example)"
crane manifest "$image" | jq .Download the created example container image from the created container image repository, and execute it locally:
docker run --rm "$image"Delete the local copy of the created container image:
docker rmi "$image"Log out the container registry:
docker logout \
"$(terramate run -C stacks/ecr terraform output -raw registry_domain)"Delete the example image resource:
terramate run -C stacks/ecr \
terraform destroy -target='terraform_data.ecr_image["example"]'At the ECR AWS Management Console, verify that the example image no longer exists (actually, it's the image index/tag that no longer exists).
Do an terraform apply to verify that it recreates the example image:
terramate run terraform applyDestroy the example:
terramate run --reverse terraform destroyList this repository dependencies (and which have newer versions):
GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh- Its not possible to create multiple container image registries.
- A single registry is automatically created when the AWS Account is created.
- You have to create a separate repository for each of your container images.
- A repository name can include several path segments (e.g.
hello/world).
- A repository name can include several path segments (e.g.
- Terramate does not support flowing Terraform outputs into other Terraform
program input variables. Instead, Terraform programs should use Terraform
data sources to find the resources that are already created. Those resources
can normally be found by the resource tag (e.g.
stack) defined in a Terramate global.