Add support for AWS China regions (closes #12)

snowplow-devops · Apr 4, 2024 · 9be2e35 · 9be2e35
1 parent 6d313e9
commit 9be2e35
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 59 deletions.
diff --git a/README.md b/README.md
@@ -198,6 +198,7 @@ module "rs_loader" {
 | <a name="input_iam_permissions_boundary"></a> [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | The permissions boundary ARN to set on IAM roles created | `string` | `""` | no |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The instance type to use | `string` | `"t3a.micro"` | no |
 | <a name="input_java_opts"></a> [java\_opts](#input\_java\_opts) | Custom JAVA Options | `string` | `"-XX:InitialRAMPercentage=75 -XX:MaxRAMPercentage=75"` | no |
+| <a name="input_private_ecr_registry"></a> [private\_ecr\_registry](#input\_private\_ecr\_registry) | The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/') | `string` | `""` | no |
 | <a name="input_redshift_aws_s3_folder_monitoring_stage_url"></a> [redshift\_aws\_s3\_folder\_monitoring\_stage\_url](#input\_redshift\_aws\_s3\_folder\_monitoring\_stage\_url) | AWS bucket URL of folder monitoring stage - must be within 'redshift\_aws\_s3\_bucket\_name' (NOTE: must be set if 'folder\_monitoring\_enabled' is true) | `string` | `""` | no |
 | <a name="input_redshift_aws_s3_folder_monitoring_transformer_output_stage_url"></a> [redshift\_aws\_s3\_folder\_monitoring\_transformer\_output\_stage\_url](#input\_redshift\_aws\_s3\_folder\_monitoring\_transformer\_output\_stage\_url) | AWS bucket URL of transformer output stage - must be within 'redshift\_aws\_s3\_bucket\_name' (NOTE: must be set if 'folder\_monitoring\_enabled' is true) | `string` | `""` | no |
 | <a name="input_redshift_jsonpaths_bucket"></a> [redshift\_jsonpaths\_bucket](#input\_redshift\_jsonpaths\_bucket) | S3 path that holds JSONPaths | `string` | `""` | no |

diff --git a/main.tf b/main.tf
@@ -24,6 +24,25 @@ locals {
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
+locals {
+  is_aws_global = replace(data.aws_region.current.name, "cn-", "") == data.aws_region.current.name
+  iam_partition = local.is_aws_global ? "aws" : "aws-cn"
+
+  is_private_ecr_registry = var.private_ecr_registry != ""
+  private_ecr_registry_statement = [{
+    Action = [
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer"
+    ]
+    Effect = "Allow"
+    Resource = [
+      "*"
+    ]
+  }]
+  private_ecr_registry_statement_final = local.is_private_ecr_registry ? local.private_ecr_registry_statement : []
+}
+
 module "telemetry" {
   source  = "snowplow-devops/telemetry/snowplow"
   version = "0.5.0"
@@ -79,61 +98,64 @@ resource "aws_iam_policy" "iam_policy" {
 
   policy = jsonencode({
     Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "s3:ListBucket",
-          "s3:PutObject",
-          "s3:GetObject"
-        ],
-        Resource = [
-          "arn:aws:s3:::${var.redshift_aws_s3_bucket_name}/",
-          "arn:aws:s3:::${var.redshift_aws_s3_bucket_name}/*"
-        ]
-      },
-      {
-        Effect = "Allow",
-        Action = ["s3:GetObject"],
-        Resource = [
-          "arn:aws:s3:::${var.redshift_aws_s3_bucket_name}/*/shredding_complete.json"
-        ]
-      },
-      {
-        Effect = "Allow",
-        Action = [
-          "sqs:DeleteMessage",
-          "sqs:GetQueueUrl",
-          "sqs:ListQueues",
-          "sqs:ChangeMessageVisibility",
-          "sqs:ReceiveMessage",
-          "sqs:SendMessage"
-        ],
-        Resource = [
-          "arn:aws:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.sqs_queue_name}"
-        ]
-      },
-      {
-        Effect = "Allow",
-        Action = [
-          "logs:PutLogEvents",
-          "logs:CreateLogStream",
-          "logs:DescribeLogStreams"
-        ],
-        Resource = [
-          "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.cloudwatch_log_group_name}:*"
-        ]
-      },
-      {
-        Effect = "Allow",
-        Action = [
-          "sts:AssumeRole"
-        ],
-        Resource = [
-          aws_iam_role.sts_credentials_role.arn
-        ]
-      }
-    ]
+    Statement = concat(
+      local.private_ecr_registry_statement_final,
+      [
+        {
+          Effect = "Allow",
+          Action = [
+            "s3:ListBucket",
+            "s3:PutObject",
+            "s3:GetObject"
+          ],
+          Resource = [
+            "arn:${local.iam_partition}:s3:::${var.redshift_aws_s3_bucket_name}/",
+            "arn:${local.iam_partition}:s3:::${var.redshift_aws_s3_bucket_name}/*"
+          ]
+        },
+        {
+          Effect = "Allow",
+          Action = ["s3:GetObject"],
+          Resource = [
+            "arn:${local.iam_partition}:s3:::${var.redshift_aws_s3_bucket_name}/*/shredding_complete.json"
+          ]
+        },
+        {
+          Effect = "Allow",
+          Action = [
+            "sqs:DeleteMessage",
+            "sqs:GetQueueUrl",
+            "sqs:ListQueues",
+            "sqs:ChangeMessageVisibility",
+            "sqs:ReceiveMessage",
+            "sqs:SendMessage"
+          ],
+          Resource = [
+            "arn:${local.iam_partition}:sqs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.sqs_queue_name}"
+          ]
+        },
+        {
+          Effect = "Allow",
+          Action = [
+            "logs:PutLogEvents",
+            "logs:CreateLogStream",
+            "logs:DescribeLogStreams"
+          ],
+          Resource = [
+            "arn:${local.iam_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.cloudwatch_log_group_name}:*"
+          ]
+        },
+        {
+          Effect = "Allow",
+          Action = [
+            "sts:AssumeRole"
+          ],
+          Resource = [
+            aws_iam_role.sts_credentials_role.arn
+          ]
+        }
+      ]
+    )
   })
 }
 
@@ -184,9 +206,9 @@ resource "aws_iam_policy" "sts_credentials_policy" {
           "s3:GetObjectVersion",
         ],
         Resource = [
-          "arn:aws:s3:::${var.redshift_aws_s3_bucket_name}",
-          "arn:aws:s3:::${var.redshift_aws_s3_bucket_name}/",
-          "arn:aws:s3:::${var.redshift_aws_s3_bucket_name}/*"
+          "arn:${local.iam_partition}:s3:::${var.redshift_aws_s3_bucket_name}",
+          "arn:${local.iam_partition}:s3:::${var.redshift_aws_s3_bucket_name}/",
+          "arn:${local.iam_partition}:s3:::${var.redshift_aws_s3_bucket_name}/*"
         ]
       }
     ]
@@ -377,6 +399,10 @@ locals {
 
     container_memory = "${module.instance_type_metrics.memory_application_mb}m"
     java_opts        = var.java_opts
+
+    is_private_ecr_registry = local.is_private_ecr_registry
+    private_ecr_registry    = var.private_ecr_registry
+    region                  = data.aws_region.current.name
   })
 }
 

diff --git a/templates/user-data.sh.tmpl b/templates/user-data.sh.tmpl
@@ -1,3 +1,7 @@
+%{ if is_private_ecr_registry }
+aws ecr get-login-password --region ${region} | docker login --username AWS --password-stdin ${private_ecr_registry}
+%{ endif ~}
+
 # Launch the loader
 sudo docker run \
   -d \
@@ -16,7 +20,7 @@ sudo docker run \
   --env JDK_JAVA_OPTIONS='${java_opts}' \
   --env ACCEPT_LIMITED_USE_LICENSE=${accept_limited_use_license} \
   --env INSTANCE_ID=$(get_instance_id) \
-  snowplow/rdb-loader-redshift:${version} \
+  ${private_ecr_registry}snowplow/rdb-loader-redshift:${version} \
   --config ${config_b64} \
   --iglu-config ${iglu_resolver_b64}
 

diff --git a/variables.tf b/variables.tf
@@ -393,3 +393,11 @@ variable "redshift_aws_s3_folder_monitoring_transformer_output_stage_url" {
   type        = string
   default     = ""
 }
+
+# --- Image Repositories
+
+variable "private_ecr_registry" {
+  description = "The URL of an ECR registry that the sub-account has access to (e.g. '000000000000.dkr.ecr.cn-north-1.amazonaws.com.cn/')"
+  type        = string
+  default     = ""
+}