This project automates calling a Flux webhook (`Receiver`) whenever a PUSH action is performed in ECR, which is useful for automating application deployment.
It is designed to be used as a Terraform module that configures an AWS Lambda function fired by PUSH actions on an ECR repository.
The Lambda function reads the parameters it needs (the repository mapping and the webhook token) from AWS Secrets Manager and then calls the Flux webhook (`Receiver`).
The module creates a CloudWatch (EventBridge) event rule that forwards ECR push events to an SQS queue, and the queue in turn triggers the Lambda function.
```mermaid
graph LR
    ECR[ECR] -->|Push event| CW[CloudWatch Event]
    CW -->|Trigger| SQS[SQS Queue]
    SQS -->|Trigger| L[Lambda Function]
    L -->|Read parameters| SM[Secrets Manager]
    L -->|Call webhook| F[Flux Receiver]
```
- Add unit tests
- Add support for generic-hmac
- Add support to lambda with VPC (for internal webhook)
To use this Terraform module, you must first have created a webhook for each `ImageRepository` resource in your cluster.
For example, if you have an `ImageRepository` named `my-ecr-repo-ir`, create a `Receiver` resource for it; Flux then exposes a webhook URL that can be called.
That URL is what goes into the module's `repo_mapping` input variable.

Note: only the `generic` receiver type is supported.
```yaml
---
apiVersion: notification.toolkit.fluxcd.io/v1beta2
kind: Receiver
metadata:
  name: my-ecr-repo-receiver
  namespace: flux-system
spec:
  type: generic
  secretRef:
    name: webhook-token
  resources:
    - kind: ImageRepository
      name: my-ecr-repo-ir
```
The webhook created by the `Receiver` resource has to be configured in the module. Treat the hook URLs as secrets: a `generic` receiver does not validate the request, so the unguessable hook path is the only thing that gates the call (the module stores the mapping in Secrets Manager for that reason).

Note: the example below assumes our ECR repository is called `my-ecr-repo`.
```hcl
module "flux2-ecr-webhook" {
  source   = "github.com/fabidick22/flux2-ecr-webhook?ref=v1.2.0"
  app_name = "flux-ecr-webhook"

  repo_mapping = {
    "my-ecr-repo" = { # ECR repository name
      prod = {
        webhook = ["https://domain.com/hook/1111111"] # URL created by the Receiver
        regex   = "prod-(?P<version>.*)"              # Regex applied to the ECR image tag
      }
      stg = {
        webhook = ["https://domain.com/hook/2222222"] # URL created by the Receiver
        regex   = "stg-(?P<version>.*)"               # Regex applied to the ECR image tag
      }
    }
  }

  # Pass the variable itself; quoting it ("var.webhook_token") would send that literal string as the token.
  webhook_token = var.webhook_token
}
```
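The following is an added example, not the module's own Lambda code, showing how the pieces above fit together at runtime: an ECR push event arrives through SQS, the pushed tag is matched against each `<ID>.regex` in `repo_mapping`, the token is resolved (a per-entry `token` wins over the default `webhook_token`, as the inputs table states), and every matching `Receiver` webhook is called. The function names, the constructed sample event, the placeholder hook URLs and the way the token is sent (as a bearer header) are assumptions of this example; non-PUSH, failed and untagged events are dropped before any webhook is touched.

```python
"""Added example (not the flux2-ecr-webhook module's code): ECR push event -> repo_mapping lookup -> Flux Receiver call."""
import json
import re
import urllib.request

# Same layout as the module's repo_mapping input: <ECR> -> <ID> -> {webhook, regex, token}.
# Constructed sample; the hook URLs are placeholders.
REPO_MAPPING = {
    "my-ecr-repo": {
        "prod": {"webhook": ["https://domain.com/hook/1111111"],
                 "regex": r"prod-(?P<version>.*)"},
        "stg": {"webhook": ["https://domain.com/hook/2222222"],
                "regex": r"stg-(?P<version>.*)",
                "token": "stg-only-token"},   # per-entry token overrides the default
    }
}
DEFAULT_TOKEN = "default-token"  # stands in for the module's webhook_token input


def make_sqs_event(action, result, repository, tag):
    """Build a constructed SQS batch carrying one EventBridge "ECR Image Action"
    event in the record body, which is the shape the Lambda sees via the SQS trigger."""
    detail = {"action-type": action, "result": result,
              "repository-name": repository, "image-tag": tag}
    return {"Records": [{"body": json.dumps({"detail-type": "ECR Image Action",
                                             "detail": detail})}]}


def parse_push_events(sqs_event):
    """Yield (repository, tag) for every successful, tagged PUSH in the batch.
    PULL/DELETE actions, failed pushes and untagged images are dropped here so
    they never reach a webhook."""
    for record in sqs_event.get("Records", []):
        detail = json.loads(record["body"]).get("detail", {})
        if detail.get("action-type") != "PUSH" or detail.get("result") != "SUCCESS":
            continue
        tag = detail.get("image-tag")
        if tag:
            yield detail["repository-name"], tag


def select_webhooks(repo_mapping, default_token, repository, tag):
    """Return [(url, token, version)] for each <ID> whose regex matches the tag.

    re.fullmatch is used so "prod-(?P<version>.*)" cannot match "xprod-1";
    an entry without a regex matches every tag (an assumption of this example)."""
    hits = []
    for entry in repo_mapping.get(repository, {}).values():
        version = None
        regex = entry.get("regex")
        if regex:
            m = re.fullmatch(regex, tag)
            if m is None:
                continue
            version = m.groupdict().get("version")
        token = entry.get("token") or default_token
        for url in entry["webhook"]:
            hits.append((url, token, version))
    return hits


def dispatch(sqs_event, repo_mapping, default_token, post):
    """Process a batch and call post(url, token, payload) once per matched webhook.
    Returns the URLs called so the logic is testable; a real Lambda should log only
    repository and tag, since the hook path and the token are both secrets."""
    called = []
    for repository, tag in parse_push_events(sqs_event):
        for url, token, version in select_webhooks(repo_mapping, default_token, repository, tag):
            post(url, token, {"repository": repository, "tag": tag, "version": version})
            called.append(url)
    return called


def http_post(url, token, payload):
    """Real sender. A generic Flux receiver only checks the hook path; sending the
    token as a bearer header is an assumption of this example, not Flux behaviour."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def handler(event, context):
    """Assumed Lambda entry point wired to the SQS event source mapping."""
    return dispatch(event, REPO_MAPPING, DEFAULT_TOKEN, http_post)
```

Injecting `post` keeps the matching logic testable without network access; swap `http_post` for a recorder in tests and keep the real sender for the deployed function.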
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.63 |

Providers:

| Name | Version |
|---|---|
| aws | >= 4.63 |
Modules:

| Name | Source | Version |
|---|---|---|
| lambda_function | github.com/terraform-aws-modules/terraform-aws-lambda | v4.16.0 |
| sqs_queue | github.com/terraform-aws-modules/terraform-aws-sqs | v4.0.1 |
Resources:

| Name | Type |
|---|---|
| aws_cloudwatch_event_rule.ecr_event | resource |
| aws_cloudwatch_event_target.sqs_target | resource |
| aws_iam_policy.lambda_secrets_policy | resource |
| aws_iam_policy.lambda_sqs_policy | resource |
| aws_iam_role_policy_attachment.lambda_secrets_attachment | resource |
| aws_iam_role_policy_attachment.lambda_sqs_attachment | resource |
| aws_lambda_event_source_mapping.sqs_mapping | resource |
| aws_secretsmanager_secret.repo-mapping | resource |
| aws_secretsmanager_secret.webhook-token | resource |
| aws_secretsmanager_secret_version.repo-mapping | resource |
| aws_secretsmanager_secret_version.webhook-token | resource |
| aws_sqs_queue_policy.sqs_policy | resource |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| app_name | Name used for the resources to create. | `string` | `"flux2-ecr-webhook"` | no |
| cw_logs_retention | Number of days to retain log events in the Lambda's log group. | `number` | `14` | no |
| repo_mapping | Object with the repository mapping; if set, `repo_mapping_file` is ignored.<br>Available attributes:<br>- `<ECR>`: ECR repository name.<br>- `<ECR>.<ID>`: unique name for a group of webhooks.<br>- `<ECR>.<ID>.webhook`: list of webhook URLs.<br>- `<ECR>.<ID>.token` (optional): token used for these webhooks; if set, `webhook_token` is ignored.<br>- `<ECR>.<ID>.regex` (optional): regular expression applied to the image tag. | `any` | `null` | no |
| repo_mapping_file | Path to a YAML file with the repository mapping. | `string` | `""` | no |
| webhook_token | Default token used to call the Flux receiver when an entry in the repository mapping has no `token` attribute. | `string` | `null` | no |

Outputs: none.