fix: Clean up example

terraform-aws-modules · Mar 25, 2024 · 302d433 · 302d433
1 parent 4be46cc
commit 302d433
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 84 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.2
+    rev: v1.88.3
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each

diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -40,26 +40,22 @@ Note that this example may create resources which will incur monetary charges on
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_dockerhub_credentials"></a> [dockerhub\_credentials](#module\_dockerhub\_credentials) | terraform-aws-modules/secrets-manager/aws | n/a |
 | <a name="module_ecr"></a> [ecr](#module\_ecr) | ../.. | n/a |
 | <a name="module_ecr_disabled"></a> [ecr\_disabled](#module\_ecr\_disabled) | ../.. | n/a |
 | <a name="module_ecr_registry"></a> [ecr\_registry](#module\_ecr\_registry) | ../.. | n/a |
 | <a name="module_public_ecr"></a> [public\_ecr](#module\_public\_ecr) | ../.. | n/a |
+| <a name="module_secrets_manager_dockerhub_credentials"></a> [secrets\_manager\_dockerhub\_credentials](#module\_secrets\_manager\_dockerhub\_credentials) | terraform-aws-modules/secrets-manager/aws | ~> 1.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| <a name="input_dockerhub_credentials"></a> [dockerhub\_credentials](#input\_dockerhub\_credentials) | Dockerhub credentials | <pre>object({<br>    username    = string<br>    accessToken = string<br>  })</pre> | n/a | yes |
+No inputs.
 
 ## Outputs
 

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -6,15 +6,15 @@ locals {
   region = "us-east-1"
   name   = "ecr-ex-${replace(basename(path.cwd), "_", "-")}"
 
+  account_id = data.aws_caller_identity.current.account_id
+
   tags = {
     Name       = local.name
     Example    = local.name
     Repository = "https://github.com/terraform-aws-modules/terraform-aws-ecr"
   }
 }
 
-data "aws_partition" "current" {}
-data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
 ################################################################################
@@ -101,53 +101,26 @@ module "public_ecr" {
 data "aws_iam_policy_document" "registry" {
   statement {
     principals {
-      type = "AWS"
-      identifiers = [
-        "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
-      ]
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.account_id}:root"]
     }
 
-    actions = [
-      "ecr:ReplicateImage",
-    ]
-
-    resources = [
-      module.ecr.repository_arn,
-    ]
-  }
-
-  statement {
-    sid = "ecr-public"
-    principals {
-      type = "AWS"
-      identifiers = [
-        format("arn:%s:iam::%s:root", data.aws_partition.current.partition, data.aws_caller_identity.current.account_id)
-      ]
-    }
-    actions = [
-      "ecr:CreateRepository",
-      "ecr:BatchImportUpstreamImage"
-    ]
-    resources = [
-      format("arn:%s:iam:%s:%s:repository/ecr-public/*", data.aws_partition.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
-    ]
+    actions   = ["ecr:ReplicateImage"]
+    resources = [module.ecr.repository_arn]
   }
 
   statement {
     sid = "dockerhub"
+
     principals {
-      type = "AWS"
-      identifiers = [
-        format("arn:%s:iam::%s:root", data.aws_partition.current.partition, data.aws_caller_identity.current.account_id)
-      ]
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.account_id}:root"]
     }
     actions = [
       "ecr:CreateRepository",
       "ecr:BatchImportUpstreamImage"
     ]
-    resources = [
-      format("arn:%s:iam:%s:%s:repository/dockerhub/*", data.aws_partition.current.partition, data.aws_region.current.name, data.aws_caller_identity.current.account_id)
-    ]
+    resources = ["arn:aws:ecr-public::${local.account_id}:repository/dockerhub/*"]
   }
 }
 
@@ -169,7 +142,7 @@ module "ecr_registry" {
     dockerhub = {
       ecr_repository_prefix = "dockerhub"
       upstream_registry_url = "registry-1.docker.io"
-      credential_arn        = module.dockerhub_credentials.secret_arn
+      credential_arn        = module.secrets_manager_dockerhub_credentials.secret_arn
     }
   }
 
@@ -201,40 +174,40 @@ module "ecr_registry" {
 
   # Registry Replication Configuration
   create_registry_replication_configuration = true
-  registry_replication_rules = [
-    {
-      destinations = [
-        {
-          region      = "us-west-2"
-          registry_id = data.aws_caller_identity.current.account_id
-          }, {
-          region      = "eu-west-1"
-          registry_id = data.aws_caller_identity.current.account_id
-        }
-      ]
+  registry_replication_rules = [{
+    destinations = [
+      {
+        region      = "us-west-2"
+        registry_id = local.account_id
+        }, {
+        region      = "eu-west-1"
+        registry_id = local.account_id
+      }
+    ]
 
-      repository_filters = [
-        {
-          filter      = "prod-microservice"
-          filter_type = "PREFIX_MATCH"
-        }
-      ]
-    }
-  ]
+    repository_filters = [{
+      filter      = "prod-microservice"
+      filter_type = "PREFIX_MATCH"
+    }]
+  }]
 
   tags = local.tags
 }
 
-# Make sure to read https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache-creating-secret.html
-module "dockerhub_credentials" {
-  source = "terraform-aws-modules/secrets-manager/aws"
+module "secrets_manager_dockerhub_credentials" {
+  source  = "terraform-aws-modules/secrets-manager/aws"
+  version = "~> 1.0"
 
-  # Secret names must contain 1-512 Unicode characters and be prefixed with ecr-pullthroughcache/.
-  name_prefix             = "ecr-pullthroughcache/dockerhub-credentials"
-  description             = "Dockerhub credentials"
-  recovery_window_in_days = 30
+  # Secret names must contain 1-512 Unicode characters and be prefixed with ecr-pullthroughcache/
+  name_prefix = "ecr-pullthroughcache/dockerhub-credentials"
+  description = "Dockerhub credentials"
 
-  secret_string = jsonencode(var.dockerhub_credentials)
+  # For example only
+  recovery_window_in_days = 0
+  secret_string = jsonencode({
+    username    = "example"
+    accessToken = "YouShouldNotStoreThisInPlainText"
+  })
 
   # Policy
   create_policy       = true
@@ -244,10 +217,8 @@ module "dockerhub_credentials" {
       sid = "AllowAccountRead"
       principals = [
         {
-          type = "AWS"
-          identifiers = [
-            format("arn:%s:iam::%s:root", data.aws_partition.current.partition, data.aws_caller_identity.current.account_id)
-          ]
+          type        = "AWS"
+          identifiers = ["arn:aws:iam::${local.account_id}:root"]
         }
       ]
       actions   = ["secretsmanager:GetSecretValue"]

diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -1,8 +0,0 @@
-variable "dockerhub_credentials" {
-  type = object({
-    username    = string
-    accessToken = string
-  })
-  description = "Dockerhub credentials"
-  sensitive   = true
-}