GoogleCloudPlatform / avocano

Avocano is a sample dropship/fake product website, built with Firebase Hosting, Cloud Run, Cloud SQL and Cloud Build
https://avocano.web.app
Apache License 2.0

💡 [Feature Request] - Update Latest Image logic to use Artifact Registry #253

Closed glasnt closed 1 year ago

glasnt commented 1 year ago

Transition from Container Registry

Effective May 15, 2023, Container Registry is deprecated. If you currently use Container Registry, you can transition to Artifact Registry.

Migration to standard repositories is a simple solution and can apply to a majority of the uses in this project, but there is one outlier: the Terraform to pull the latest image (only applies to avocano TF, not TDPWA TF).

Specifically this section, where there is no current equivalent for Artifact Registry:

https://github.com/GoogleCloudPlatform/avocano/blob/54213d648ca0670e0bd3dc3518b52e5905e4d19c/provisioning/terraform/container.tf#L40-L44

grayside commented 1 year ago

The current resource: https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/container_registry_image

From reading this resource, it's not dynamic; instead, it formats a URL based on provided parameters: https://github.com/hashicorp/terraform-provider-google/blob/7c286a036810f30dffe1775c8054bebbedf70cfb/google/data_source_container_registry_image.go#L47

Given that, we could:

  1. Do our own string concatenation for the use case as a short-term workaround
  2. Open a feature request to create a google_artifact_registry_docker_image data source
  3. Possibly contribute that resource.

I'm suggesting the resource may be docker-specific because Artifact Registry doesn't abstract different resource types: https://cloud.google.com/artifact-registry/docs/reference/rest/v1/projects.locations.repositories.mavenArtifacts#MavenArtifact

If that makes sense I'm happy to open the issue.

glasnt commented 1 year ago

Docker API is still required in either case, and it doesn't make sense that Artifact Registry would build URLs for every registry type.

From other work, this is close to the minimum Terraform required. It includes logic to handle a variable that will accept a tag, or "latest" (as default), and use the latest sha when required. Use the output image as the value of template.container.image in a google_cloud_run_v2_service resource.

```hcl
variable "image_tag" {
  default     = "latest"
  description = "tag of the image"
}

locals {
  project_id  = "PROJECT"
  location    = "REGION"
  registry_id = "REPO"
  image_name  = "IMAGE"

  # Artifact Registry Docker hostnames are regional: REGION-docker.pkg.dev
  registry_hostname = "${local.location}-docker.pkg.dev"
  image_registry    = "${local.registry_hostname}/${local.project_id}/${local.registry_id}"
  image_sha         = "${data.docker_registry_image.image.name}@${data.docker_registry_image.image.sha256_digest}"
  image_tagged      = "${data.docker_registry_image.image.name}"

  # Use the digest-pinned reference when "latest" is requested, otherwise the image name
  image = var.image_tag == "latest" ? local.image_sha : local.image_tagged
}

terraform {
  required_providers {
    docker = {
      source = "kreuzwerker/docker"
    }
  }
}

data "google_client_config" "default" {}

# Look up the image in the registry to read its current sha256 digest
data "docker_registry_image" "image" {
  name = "${local.image_registry}/${local.image_name}"
}

# Authenticate to Artifact Registry with the caller's OAuth2 access token
provider "docker" {
  registry_auth {
    address  = local.registry_hostname
    username = "oauth2accesstoken"
    password = data.google_client_config.default.access_token
  }
}

output "image" {
  value = local.image
}
```

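
The usage described in the comment above, as an added example that is not part of the original thread or the project's own Terraform: a Cloud Run service consuming `local.image`, with a precondition that fails the plan if the "latest" path did not resolve to a sha256 digest. It assumes the variable, locals and data source from the snippet above are in the same module; the resource label `server` and the service name `example-service` are hypothetical.

```hcl
# Added example: assumes var.image_tag, local.location and local.image
# are defined in this module as in the snippet above.
resource "google_cloud_run_v2_service" "server" {
  name     = "example-service" # hypothetical service name
  location = local.location

  template {
    containers {
      # Digest-pinned reference when image_tag is "latest"
      image = local.image
    }
  }

  lifecycle {
    # Refuse to deploy a floating reference: when "latest" is requested,
    # the resolved image must end in an immutable @sha256:<64 hex> digest.
    precondition {
      condition = (
        var.image_tag != "latest" ||
        can(regex("@sha256:[0-9a-f]{64}$", local.image))
      )
      error_message = "image_tag is \"latest\" but the image reference is not pinned to a sha256 digest."
    }
  }
}
```
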
glasnt commented 1 year ago

This is being resolved in #378