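AWSTemplateFormatVersion: "2010-09-09"
Description: "ECR repository cross-region replication"

# Deploy this stack in the SOURCE region. Every successful image push in that
# region/account starts a CodeBuild job that pulls the image and pushes it to
# each region in TargetRegions, creating the repository there if needed.

Parameters:
  TargetRegions:
    Description: Target regions to replicate, comma seperated
    Type: CommaDelimitedList

Resources:
  # Deployment notification: publishes Version/Product to an SNS topic owned by
  # account 525087191202, i.e. a different account than the one deploying the
  # stack. That topic's access policy has to allow this account to publish or
  # stack creation fails on this resource. Remove the resource if reporting
  # deployments to that account is not wanted.
  NotifyOnDeployment:
    Type: AWS::CloudFormation::CustomResource
    Properties:
      ServiceToken:
        Fn::Join:
          - ""
          - - "arn:aws:sns:"
            - Ref: AWS::Region
            - ":525087191202:AllCloudPortfolioUtilities"
      # "<VERSION>" looks like a release-time substitution token — TODO confirm
      # it is replaced before the template is published.
      Version: "<VERSION>"
      Product: ECR Cross-Region Replication
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete

  # Execution role of the replication build. Pull/push rights come from the
  # ECR PowerUser managed policy; log writing and repository creation are
  # granted inline and scoped to this account's CodeBuild log groups and ECR
  # repositories instead of "*".
  CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser
        # NOTE(review): nothing in the buildspec below reads SSM; presumably
        # kept for parameter lookups — confirm before removing.
        - arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess
      Path: "/"
      Policies:
        - PolicyName: "CodeBuildLogsPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # CodeBuild writes to /aws/codebuild/<project-name> by default
              # (no LogsConfig is set on the project below).
              - Effect: "Allow"
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"
                  - !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*:*"
              # Repositories are created in the target regions, hence the
              # region wildcard; the account is still pinned.
              - Effect: "Allow"
                Action:
                  - ecr:CreateRepository
                Resource: !Sub "arn:${AWS::Partition}:ecr:*:${AWS::AccountId}:repository/*"

  # Role EventBridge assumes to start the build; StartBuild is limited to the
  # replication project rather than every project in the account.
  CWEventInvokeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: "CWEventInvokeCodeBuild"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: ["codebuild:StartBuild"]
                Resource: !GetAtt CodeBuildECRReplicate.Arn

  CodeBuildECRReplicate:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: no_artifacts
      Environment:
        ComputeType: BUILD_GENERAL1_SMALL
        Image: aws/codebuild/standard:4.0
        Type: LINUX_CONTAINER
        # Needed for the Docker daemon behind `docker pull/tag/push` below.
        PrivilegedMode: true
      ServiceRole: !Ref CodeBuildRole
      Source:
        Type: NO_SOURCE
        # The buildspec is a !Sub template: CloudFormation substitutes only
        # ${AWS::URLSuffix} and ${ECR_TARGET_REGIONS}. Every other shell
        # variable is written as $NAME (no braces) so !Sub leaves it alone —
        # writing ${NAME} for a shell variable would fail template validation.
        # ECR_SRC_REG_ID / ECR_SRC_REGION / ECR_REPO_NAME / ECR_REPO_TAG are
        # injected per build by the EventRule InputTemplate below.
        BuildSpec: !Sub
          - |
            version: 0.2
            phases:
              install:
                runtime-versions:
                  docker: 18
              build:
                commands:
                  - |
                    # Create the repository in the destination region when it
                    # is missing. Any describe failure (not only "not found")
                    # is treated as missing; repoMsg only keeps stderr quiet.
                    check_create_repo()
                    {
                      dstRegion=$1
                      repoName=$2
                      # check repository in destination registry
                      if ! repoMsg=$(aws ecr describe-repositories --repository-names "$repoName" --region "$dstRegion" 2>&1); then
                        echo -n "$repoName does not exists in ECR@$dstRegion, creating... "
                        aws ecr create-repository --repository-name "$repoName" --region "$dstRegion" > /dev/null
                        echo "done."
                      fi
                    }
                    # `aws ecr get-login` prints a `docker login` command that
                    # is executed here; it exists only in AWS CLI v1 (presumably
                    # what standard:4.0 ships — confirm). On CLI v2 use
                    # `aws ecr get-login-password | docker login --username AWS --password-stdin <registry>`.
                    echo "login source registry"
                    $(aws ecr get-login --no-include-email --region "$ECR_SRC_REGION")
                    srcImage="$ECR_SRC_REG_ID.dkr.ecr.$ECR_SRC_REGION.${AWS::URLSuffix}/$ECR_REPO_NAME:$ECR_REPO_TAG"
                    echo "pull image"
                    docker pull "$srcImage"
                    targetRegions="${ECR_TARGET_REGIONS}"
                    IFS=","; for reg in $targetRegions; do
                      # Never push back into the region the event came from:
                      # that push would raise another PUSH event and re-run
                      # this build indefinitely.
                      if [ "$reg" = "$ECR_SRC_REGION" ]; then
                        echo "skip $reg (source region)"
                        continue
                      fi
                      check_create_repo "$reg" "$ECR_REPO_NAME"
                      targetImage="$ECR_SRC_REG_ID.dkr.ecr.$reg.${AWS::URLSuffix}/$ECR_REPO_NAME:$ECR_REPO_TAG"
                      docker tag "$srcImage" "$targetImage"
                      echo "login target registry in $reg"
                      aws ecr get-login --no-include-email --region "$reg" | bash
                      echo "push image to target region $reg"
                      docker push "$targetImage"
                    done
          - ECR_TARGET_REGIONS: !Join [",", !Ref TargetRegions]

  # Starts the replication build for every successful tagged push in this
  # region and account, passing the pushed repository/tag as environment
  # variable overrides.
  EventRule:
    Type: AWS::Events::Rule
    Properties:
      Description: "ECR PUSH event rule to trigger CodeBuild to replicate repository"
      EventPattern:
        source: [aws.ecr]
        detail-type: ["ECR Image Action"]
        detail:
          action-type: ["PUSH"]
          result: ["SUCCESS"]
          # Untagged pushes carry no image-tag; the build cannot address such
          # an image ("repo:" with an empty tag), so they are filtered out.
          image-tag: [{ exists: true }]
      State: ENABLED
      Targets:
        - Arn: !GetAtt CodeBuildECRReplicate.Arn
          Id: "ECRReplicateCodeBuild"
          RoleArn: !GetAtt CWEventInvokeRole.Arn
          InputTransformer:
            InputPathsMap:
              awsRegion: $.region
              repoName: $.detail.repository-name
              registryId: $.account
              imageTag: $.detail.image-tag
            # The <placeholders> are left unquoted on purpose: the input
            # transformer emits string values already quoted as JSON.
            InputTemplate: |
              {
                "environmentVariablesOverride": [
                  {
                    "name": "ECR_SRC_REG_ID",
                    "type": "PLAINTEXT",
                    "value": <registryId>
                  },
                  {
                    "name": "ECR_SRC_REGION",
                    "type": "PLAINTEXT",
                    "value": <awsRegion>
                  },
                  {
                    "name": "ECR_REPO_NAME",
                    "type": "PLAINTEXT",
                    "value": <repoName>
                  },
                  {
                    "name": "ECR_REPO_TAG",
                    "type": "PLAINTEXT",
                    "value": <imageTag>
                  }
                ]
              }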