[Enhancement]: Lightsail add option to enable access to Amazon ECR private repositories

[reikje]

Description

Lightsail Container Service can poll images from private ECR repositories. For this to work, two things need to happen:

1. activate the Amazon ECR image puller IAM role for your Lightsail container service
2. add a policy to a private ECR repository

see: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-container-service-ecr-private-repo-access

While I can do (2) using the aws_ecr_repository_policy resource, I haven't found anything in the aws_lightsail_container_service to accomplish (1).

Affected Resource(s) and/or Data Source(s)

aws_lightsail_container_service

Potential Terraform Configuration

No response

References

No response

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[bschaatsbergen]

Hi @reikje,

Thanks for taking your time to raise this request. I'll happily take a look at it.

API for reference: https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateContainerService.html
API property that we need to add for reference: https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_PrivateRegistryAccessRequest.html

I suspect that the schema will be as following (by quickly glancing over the API spec)

resource "aws_lightsail_container_service" "my_container_service" {
  name        = "container-service-1"
  power       = "nano"
  scale       = 1
  is_disabled = false

  private_registry_access {
    ecr_image_puller_role {
      is_active = true
    }
  }
}

[bschaatsbergen]

PR is ready :)

[reikje]

Hi @bschaatsbergen, thanks for picking this up so quickly. Scanned through the changes quickly but not very good with golang here. Does your PR include changing the policy permissions on the ECR repository or just enabling the puller role? Here is a bit of a poor man's workaround that I currently do on my end since the functionality wasn't there:

# enable puller role
resource "null_resource" "private_registry_access" {
  triggers = {
    always_run = timestamp()
  }

  provisioner "local-exec" {
    command = "aws lightsail update-container-service --service-name ${aws_lightsail_container_service.default.name} --private-registry-access ecrImagePullerRole={isActive=true} --region ${data.aws_region.current.name}"
  }
  depends_on = [aws_lightsail_container_service.default]
}

# give puller role permissions on the ECR private repository
data "external" "ecr_image_puller_role_arn" {
  program = ["sh", "-c", "aws lightsail get-container-services --service-name ${aws_lightsail_container_service.default.name} | jq -r '.containerServices[0].privateRegistryAccess.ecrImagePullerRole | { ecrImagePullerRoleArn: .principalArn }'"]
  depends_on = [null_resource.private_registry_access]
}

resource "aws_ecr_repository_policy" "default" {
  repository = aws_ecr_repository.default.name
  depends_on = [data.external.ecr_image_puller_role_arn]

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-lightsail",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${data.external.ecr_image_puller_role_arn.result.ecrImagePullerRoleArn}"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
EOF
}

One problem I am having right now is that on the initial run, is that when Lightsail container service is created, it initially is in state "UPDATING". When null_resource.private_registry_access runs on the initial apply, it will not contain the principalArn that is needed to update the permissions on the ECR repository.

"privateRegistryAccess": {
  "ecrImagePullerRole": {
    "isActive": true,
    "principalArn": ""
  }
}

The principalArn will be there on consecutive runs.

[bschaatsbergen]

Hi @reikje,

The pull request introduces the ability to activate the ECR image puller role and outputs that respective principal ARN.
Using the principal ARN we configure our ECR repository policy as below:

resource "aws_lightsail_container_service" "default" {
  name        = "container-service-1"
  power       = "nano"
  scale       = 1
  is_disabled = false

  private_registry_access {
    ecr_image_puller_role {
      is_active = true
    }
  }
}

resource "aws_ecr_repository" "default" {
  name                 = "bar"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_repository_policy" "default" {
  repository = aws_ecr_repository.default.name

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow-lightsail",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_lightsail_container_service.default.private_registry_access[0].ecr_image_puller_role[0].principal_arn}"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
EOF
}

Quick feedback on why your code doesn't work the first run from a blank slate; it's because updating the lightsail container service takes about 30 seconds. Hopefully you can replace your logic soonish with what I've shared above :)

[reikje]

@bschaatsbergen thanks and great - outputting the respective principal ARN will totally work. Cheers and great work!

[bschaatsbergen]

With pleasure @reikje, I suppose that this will be either part of the upcoming release or the one after that.

[github-actions]

This functionality has been released in v4.36.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.