First iteration of ecr-mirror module

Author: petewilcock

README.md

@@ -1,2 +1,42 @@
-# terraform-aws-ecr-mirror
-A Terraform module that performs a local docker pull and push to a given ECR repository
+# Terraform Module: AWS ECR Mirror
+
+A Terraform module that performs a local docker pull and push to a given AWS ECR repository
+
+## Use Case
+In late 2020, Docker Hub announced that the Hub service would begin limiting the rate at which images can be pulled under their anonymous and free plans. 
+
+The [AWS recommendation](https://aws.amazon.com/blogs/containers/advice-for-customers-dealing-with-docker-hub-rate-limits-and-a-coming-soon-announcement/) for those not wishing to upgrade to a paid plan is to mirror the Dockerhub image to their own AWS ECR repository. 
+
+This simple task requires a basic 'pull from Dockerhub-push to ECR' loop for which there exists no good bootstrapping solution (outside of a convolution such as a CodeBuild pipeline) for a new ECR repository that would look to use a Dockerhub image as its 'base' image which can then be used in subsequent builds without the pull limits. 
+
+This module is a simple terraform `local-exec` provisioner which runs the required awscli and docker push commands to ECR, and can be woven in to your existing set-up. 
+
+## Requirements
+
+- aws-cli installed and configured with a named [profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) that has permissions to push to the desired ECR repository
+- [Docker installed](https://docs.docker.com/engine/install/) on the machine executing terraform, and permissions for the user executing terraform to run docker commands (e.g. by adding the user to the 'docker' user group)
+
+## Usage Example
+
+```
+module "ecr_mirror" {
+  source = "./docker_init"
+  aws_account_id = "123456544225"
+  aws_region = "eu-west-1"
+  docker_source = "wordpress:php7.4-apache"
+  aws_profile = "default"
+  ecr_repo_name = "php_wordpress"
+  ecr_repo_tag = "base"
+}
+```
+
+Consider adding an additional `depends_on` attribute if you are using this module in combination with a Terraform resource that also creates the ECR repository being pushed to. 
+
+## License
+Licensed under the Apache License, Version 2.0 (the "License").
+
+You may obtain a copy of the License at apache.org/licenses/LICENSE-2.0.
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" basis, without WARRANTIES or conditions of any kind, either express or implied.
+
+See the License for the specific language governing permissions and limitations under the License.

docker_pullpush.sh

@@ -0,0 +1,4 @@
+docker pull $1
+aws ecr get-login-password --region $2 --profile $4 | docker login --username AWS --password-stdin $3.dkr.ecr.$2.amazonaws.com
+docker tag $1 $3.dkr.ecr.eu-west-1.amazonaws.com/$5:$6
+docker push $3.dkr.ecr.eu-west-1.amazonaws.com/$5:$6

main.tf.tf

@@ -0,0 +1,10 @@
+resource "null_resource" "wordpress_pullpush" {
+
+  triggers = {
+    shell_hash = sha256(var.docker_source)
+  }
+  provisioner "local-exec" {
+      // ARGs to script are source image, region, AWS Account ID, aws_profile
+      command = "${abspath(path.module)}/docker_pullpush.sh ${var.docker_source} ${var.aws_region} ${var.aws_account_id} ${var.aws_profile}"
+  }
+}

outputs.tf

@@ -0,0 +1,23 @@
+variable "aws_region" {
+    description = "The region in which the ECR repository is located."
+}
+
+variable "docker_source" {
+    description = "The source location of the Docker image being pulled."
+}
+
+variable "aws_account_id" {
+    description = "The AWS Account ID where the ECR repository is located."
+}
+
+variable "aws_profile" {
+    description = "The awscli profile name (located in the ~/.aws/credentials file) used to authenticate the ECR login and push."
+}
+
+variable "ecr_repo_name" {
+    description = "The name of the ECR repository being pushed to."
+}
+
+variable "ecr_repo_tag" {
+    description = "The tag of the ECR repository image being pushed."
+}