hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Add support for container images #4317

Open mjrlee opened 5 years ago

mjrlee commented 5 years ago

Community Note

Description

I would like to use the latest digest of a tagged image in GCR for the metadata for an instance group.

At the moment I have to use the Docker provider, which adds an authentication step and requires Docker to be installed on the CI/CD runner.

This could be greatly simplified by having a terraform data source that does something like:

gcloud container images describe gcr.io/google-containers/busybox:latest
image_summary:
  digest: sha256:326f5d6db34dbc2292c6a58a0f8a0a90f185beae923568907b0365bd892b7458
  fully_qualified_digest: gcr.io/google-containers/busybox@sha256:326f5d6db34dbc2292c6a58a0f8a0a90f185beae923568907b0365bd892b7458
  registry: gcr.io
  repository: google-containers/busybox

Affected Resource(s)

Datasource:

Potential Terraform Configuration

data "google_container_image" "busybox" {
  name = "gcr.io/google-containers/busybox:latest"
}

module "gce-container" {
  source  = "terraform-google-modules/container-vm/google"
  version = "1.0.0"

  container = {
    image = data.google_container_image.busybox.fully_qualified_digest
  }

  restart_policy = "Always"
}

References

Capstan commented 3 years ago

I ran into this wrt google_container_registry_image, wanting to have automatic resolution if I provide a tag that is mutable, and I do not provide a digest, that I can still read the digest out of the data and have the provider facilitate that lookup for me. This would improve release processes where the image reference is never re-pulled by the underlying facility, since terraform naturally won't see a difference between :latest and :latest images, even if between the two apply phases, someone changed the tag.

I would expect that Artifact Registry would have the same issue, but individual packages don't appear to be part of the provider yet.
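
The tag-versus-digest comparison discussed in this issue, as an added example that is not part of either comment or of the provider's code: it parses the `describe` output shape quoted in the description (embedded below as a constructed sample), builds the digest-pinned reference, and reports when a mutable tag no longer resolves to the deployed digest. All function names are hypothetical.

```python
import re

# Constructed sample in the shape of the `gcloud container images describe`
# output quoted in the issue; the digest value is copied from the issue text.
DESCRIBE_OUTPUT = """\
image_summary:
  digest: sha256:326f5d6db34dbc2292c6a58a0f8a0a90f185beae923568907b0365bd892b7458
  fully_qualified_digest: gcr.io/google-containers/busybox@sha256:326f5d6db34dbc2292c6a58a0f8a0a90f185beae923568907b0365bd892b7458
  registry: gcr.io
  repository: google-containers/busybox
"""
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def parse_reference(ref):
    """Split an image reference into (name, tag, digest); tag and digest may be None."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # Only a ':' after the last '/' separates a tag; an earlier one is a registry port.
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    return name, tag, digest or None

def parse_describe(text):
    """Read the flat key/value pairs nested under image_summary."""
    summary = {}
    for line in text.splitlines():
        if line.startswith("  ") and ": " in line:
            key, value = line.strip().split(": ", 1)
            summary[key] = value
    return summary

def pin(ref, summary):
    """Return the digest-pinned form of ref after checking it names the described image."""
    name, _tag, digest = parse_reference(ref)
    expected = f"{summary['registry']}/{summary['repository']}"
    if name != expected:
        raise ValueError(f"{name} does not match described image {expected}")
    if digest and digest != summary["digest"]:
        raise ValueError("reference is already pinned to a different digest")
    return f"{name}@{summary['digest']}"

def tag_moved(deployed_ref, summary):
    """True when the deployed digest differs from what the tag resolves to now."""
    _name, _tag, deployed = parse_reference(deployed_ref)
    if deployed is None:
        raise ValueError("deployed reference is not digest-pinned; drift is invisible")
    return deployed != summary["digest"]
```

A tag-only reference such as `:latest` compares equal to itself across applies, which is why `tag_moved` refuses to answer unless the deployed reference carries a digest.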