From d3a80478193a376a99c7143501187a3aaffc4891 Mon Sep 17 00:00:00 2001 From: Anouar Chattouna Date: Tue, 11 Jan 2022 11:45:42 +0100 Subject: [PATCH 1/2] Feature: Introduce new payload parameters In release 0.7.0 of GCR Cleaner tool, there was an introduction of new parameters: > This release introduces a new mechanism for deleting tagged images. You can now specify tag_filter_all or tag_filter_any to control how the filters match against images with multiple tags. The existing behavior of tag_filter is preserved, but will be removed in a future release. Additionally, specifying allow_tagged is no longer necessary as specifying any tag filter will automatically activate deleting tagged images. More on https://github.com/GoogleCloudPlatform/gcr-cleaner/releases/tag/v0.7.0 Also in this PR: * Updating examples * Updating documentation * Updating pre-commit repos URLs: using https:// instead of git://. See https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more details --- .pre-commit-config.yaml | 8 ++-- .terraform.lock.hcl | 48 +++++++--------------- README.md | 23 +++-------- examples/complete/.terraform.lock.hcl | 48 +++++++--------------- examples/complete/main.tf | 42 ++++++++----------- examples/minimal/.terraform.lock.hcl | 48 +++++++--------------- iam.tf | 2 + locals.tf | 30 +++++++------- main.tf | 13 +++--- variables.tf | 58 +++++++++++++++------------ 10 files changed, 126 insertions(+), 194 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c17562c..3cefc06 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.58.0 + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.62.3 hooks: - id: terraform_fmt - id: terraform_validate @@ -21,7 +21,7 @@ repos: - '--args=--only=terraform_required_providers' - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - - repo: git://github.com/pre-commit/pre-commit-hooks - rev: v4.0.1 + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.1.0 hooks: - id: check-merge-conflict diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index b188f77..ad2d5f3 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -1,42 +1,22 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/external" { - version = "2.1.0" - constraints = ">= 2.1.0" - hashes = [ - "h1:LTl5CGW8wiIEe16AC4MtXN/95xWWNDbap70zJsBTk0w=", - "h1:wbtDfLeawmv6xVT1W0w0fctRCb4ABlaD3JTxwb1jXag=", - "zh:0d83ffb72fbd08986378204a7373d8c43b127049096eaf2765bfdd6b00ad9853", - "zh:7577d6edc67b1e8c2cf62fe6501192df1231d74125d90e51d570d586d95269c5", - "zh:9c669ded5d5affa4b2544952c4b6588dfed55260147d24ced02dca3a2829f328", - "zh:a404d46f2831f90633947ab5d57e19dbfe35b3704104ba6ec80bcf50b058acfd", - "zh:ae1caea1c936d459ceadf287bb5c5bd67b5e2a7819df6f5c4114b7305df7f822", - "zh:afb4f805477694a4b9dde86b268d2c0821711c8aab1c6088f5f992228c4c06fb", - "zh:b993b4a1de8a462643e78f4786789e44ce5064b332fee1cb0d6250ed085561b8", - "zh:c84b2c13fa3ea2c0aa7291243006d560ce480a5591294b9001ce3742fc9c5791", - "zh:c8966f69b7eccccb771704fd5335923692eccc9e0e90cb95d14538fe2e92a3b8", - "zh:d5fe68850d449b811e633a300b114d0617df6d450305e8251643b4d143dc855b", - "zh:ddebfd1e674ba336df09b1f27bbaa0e036c25b7a7087dc8081443f6e5954028b", - ] -} - provider "registry.terraform.io/hashicorp/google" { - version = "4.1.0" + version = "4.6.0" constraints = ">= 4.1.0" hashes = [ - "h1:eqp/ZZ0N2tF0ZSaAUdS6b5TLSZKPegmFLqEFid89V9k=", - "h1:oXcSMwbjSCr0PO2PyZbKPbPXnd4EhxdJGZQwtzQqwrM=", - "zh:3477415ef4ef02d7c065a08fb24b7011ddd77f76b2a011db25e0b73c767acaae", - "zh:43be16d0bbb56d29c090c1abe49e877e4f3ca66bb372a661a2cd0a377cd61e8f", - "zh:6bb202a40055ed302f9dd05e2f3f87aa13080e580a9ac7b0241d634b78b68a2a", - "zh:7179303f628c5fc58129013ef4a4e754e225e266e68af4a7167a06a64d9d97db", - "zh:837cdcf1bafd4c936f15a4a22353efeec96ca23727f8d8ff22e9d53414d87084", - "zh:a853f1a1e9f5ac261fd9a02d869ce7da16917fdd16464dabf2200e2ccd04fba9", - "zh:aba631b9db47cc34857c25459475f17d939a46022f886e396a8254588f720c58", - "zh:ac461358984ba480b4fef1d2be3538d9714aa8814a6f420e1e954227054a14a4", - "zh:ade64689485fc28b6aa0c36861c6c9c66b5d7a8e7282739ecf97c7791b973312", - "zh:c3fbbfe7f6e870e19bb552a2ad84ea38c9ddf3e25e0b7e996ecb2fc7ce336b03", - "zh:d1419f4fe9c07f136ee9015a299cd6acf25a13bea0afa0f69727a576058603d3", + "h1:QbO4yjDrnoSpiYKSHrICNL1ZuWsl5J2rVRFj2kNg7xA=", + "h1:uGcZfOySgiqtYDw0eQXgmdzMDZrsuRXhmzNJYxJbgcc=", + "zh:005a28a2c79f6b29680b0f57260c69c85d8a992688007b6e5645149bd379951f", + "zh:2604d825de72cf99b4899d7880837adeb19d371f48e419666e32c4c3cf6a72e9", + "zh:290da4eb18e44469480cf299bebce89f54e4d301f856cdffe2837b498878c7ec", + "zh:3e5ba1a55d38fa17533a18fc14a612e781ded76c6309734d3dc0a937be27eec1", + "zh:4a85de3cdb33c092d8ccfced3d7302934de0dd4f72bbcebd79d45afe0a0b6f85", + "zh:5fb1a79800833ae922aaba594a8b2bc83be1d254052e12e0ce8330ca0d8933d9", + "zh:679b9f50c6fe0476e74d37935f7598d46d6e9612f75b26a8ef1ca3c13144d06a", + "zh:893216e32378839668c51ef135af1676cd887d63e2edb6625cf9adad7bfa346f", + "zh:ad8f2fd19adbe4c10281ba9b3c8d5100877a9c541d3580bbbe9357714aa77619", + "zh:bff5d6fd15e98c12ee9ed98b0338761dc4a9ba671a37834926daeabf73c71783", + "zh:debdf15fbed8d63e397cd004bf65586bd2b93ce04e47ca51a7c70c1fe9168b87", ] } diff --git a/README.md b/README.md index 694ae97..b883f13 100644 --- a/README.md +++ b/README.md @@ -71,23 +71,10 @@ module "gcr_cleaner" { project_id = "yet-another-project-id" clean_all = true parameters = { - allow_tagged = true - keep = 5 - grace = "120h" - tag_filter = "^beta.+$" + keep = 5 + grace = "120h" + tag_filter_all = "^beta.+$" } - }, - { - project_id = "automation-project-id" - repositories = [ - { - # in `test/tools/ci` repository and all its child repositories, keep only 5 tags - name = "test/tools/ci" - allow_tagged = true - keep = 5 - recursive = true - } - ] } ] } @@ -110,7 +97,7 @@ module "gcr_cleaner" { | Name | Version | |------|---------| -| [google](#provider\_google) | 4.1.0 | +| [google](#provider\_google) | 4.6.0 | ## Modules @@ -152,7 +139,7 @@ No modules. | [disable\_dependent\_services](#input\_disable\_dependent\_services) | If `true`, services that are enabled and which depend on this service should also be disabled when this service is destroyed. If `false` or unset, an error will be generated if any enabled services depend on this service when destroying it. | `bool` | `false` | no | | [disable\_on\_destroy](#input\_disable\_on\_destroy) | If `true`, disable the service when the terraform resource is destroyed. May be useful in the event that a project is long-lived but the infrastructure running in that project changes frequently. | `bool` | `false` | no | | [gcr\_cleaner\_image](#input\_gcr\_cleaner\_image) | The docker image of the gcr cleaner to deploy to Cloud Run. | `string` | `"gcr.io/gcr-cleaner/gcr-cleaner:latest"` | no | -| [gcr\_repositories](#input\_gcr\_repositories) | List of Google Container Registries objects to create:
list(object({
    project_id      = Value of the Google project id, if ommited, it will be assigned `google_project_id` variable value (optional(string))
    storage_region  = Location of the storage bucket (optional(string))
    repositories    = Docker image repositories to clean (optional(list(object({
      name         = Name of the repository (string)
      grace        = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string))
      allow_tagged = If set to true, will check all images including tagged. If unspecified, the default will only delete untagged images (optional(bool))
      keep         = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string))
      tag_filter   = Used for tags regexp definition to define pattern to clean, requires `allow_tagged` must be true. For example: use `"^dev.+$"` to limit cleaning only on the tags with beginning with is `dev`. The default is no filtering (optional(string))
      recursive    = If set to true, will recursively search all child repositories (optional(bool))
    }))))
    clean_all       = Set to `true` to clean all project's repositories (optional(bool))
    parameters      = Map of parameters to apply to all repositories when `clean_all` is set to `true` (optional(object({
      grace        = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string))
      allow_tagged = If set to true, will check all images including tagged. If unspecified, the default will only delete untagged images (optional(bool))
      keep         = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string))
      tag_filter   = Used for tags regexp definition to define pattern to clean, requires `allow_tagged` must be true. For example: use `"^dev.+$"` to limit cleaning only on the tags with beginning with is `dev`. The default is no filtering (optional(string))
    })))
}))
| 
list(object({
    project_id     = optional(string)
    storage_region = optional(string)
    repositories = optional(list(object({
      name         = string
      grace        = optional(string)
      allow_tagged = optional(bool)
      keep         = optional(string)
      tag_filter   = optional(string)
      recursive    = optional(bool)
    })))
    clean_all = optional(bool)
    parameters = optional(object({
      grace        = optional(string)
      allow_tagged = optional(bool)
      keep         = optional(string)
      tag_filter   = optional(string)
    }))
  }))
| `[]` | no | +| [gcr\_repositories](#input\_gcr\_repositories) | List of Google Container Registries objects to create:
list(object({
    project_id     = Value of the Google project id, if ommited, it will be assigned `google_project_id` variable value (optional(string))
    storage_region = Location of the storage bucket (optional(string))
    repositories = Docker image repositories to clean (optional(list(object({
      name           = Name of the repository (string)
      grace          = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string))
      allow_tagged   = (Deprecated) This option is deprecated and has no effect. By default, GCR Cleaner will not delete tagged images. To delete tagged images, specify `tag_filter_any` or `tag_filter_all` (optional(bool))
      keep           = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string))
      tag_filter     = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string))
      tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string))
      tag_filter_all = If specified, any image where all tags match this given regular expression will be deleted. The image will not be delete if it has other tags that do not match the given regular expression (optional(string))
      recursive      = If set to true, will recursively search all child repositories (optional(bool))
    }))))
    clean_all  = Set to `true` to clean all project's repositories (optional(bool))
    parameters = Map of parameters to apply to all repositories when `clean_all` is set to `true` (optional(object({
      grace          = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string))
      allow_tagged   = (Deprecated) This option is deprecated and has no effect. By default, GCR Cleaner will not delete tagged images. To delete tagged images, specify `tag_filter_any` or `tag_filter_all` (optional(bool))
      keep           = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string))
      tag_filter     = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string))
      tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string))
      tag_filter_all = If specified, any image where all tags match this given regular expression will be deleted. The image will not be delete if it has other tags that do not match the given regular expression (optional(string))
    })))
}))
| 
list(object({
    project_id     = optional(string)
    storage_region = optional(string)
    repositories = optional(list(object({
      name           = string
      grace          = optional(string)
      allow_tagged   = optional(bool)
      keep           = optional(string)
      tag_filter     = optional(string)
      tag_filter_any = optional(string)
      tag_filter_all = optional(string)
      recursive      = optional(bool)
    })))
    clean_all = optional(bool)
    parameters = optional(object({
      grace          = optional(string)
      allow_tagged   = optional(bool)
      keep           = optional(string)
      tag_filter     = optional(string)
      tag_filter_any = optional(string)
      tag_filter_all = optional(string)
    }))
  }))
| `[]` | no | ## Outputs diff --git a/examples/complete/.terraform.lock.hcl b/examples/complete/.terraform.lock.hcl index b188f77..ad2d5f3 100644 --- a/examples/complete/.terraform.lock.hcl +++ b/examples/complete/.terraform.lock.hcl @@ -1,42 +1,22 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/external" { - version = "2.1.0" - constraints = ">= 2.1.0" - hashes = [ - "h1:LTl5CGW8wiIEe16AC4MtXN/95xWWNDbap70zJsBTk0w=", - "h1:wbtDfLeawmv6xVT1W0w0fctRCb4ABlaD3JTxwb1jXag=", - "zh:0d83ffb72fbd08986378204a7373d8c43b127049096eaf2765bfdd6b00ad9853", - "zh:7577d6edc67b1e8c2cf62fe6501192df1231d74125d90e51d570d586d95269c5", - "zh:9c669ded5d5affa4b2544952c4b6588dfed55260147d24ced02dca3a2829f328", - "zh:a404d46f2831f90633947ab5d57e19dbfe35b3704104ba6ec80bcf50b058acfd", - "zh:ae1caea1c936d459ceadf287bb5c5bd67b5e2a7819df6f5c4114b7305df7f822", - "zh:afb4f805477694a4b9dde86b268d2c0821711c8aab1c6088f5f992228c4c06fb", - "zh:b993b4a1de8a462643e78f4786789e44ce5064b332fee1cb0d6250ed085561b8", - "zh:c84b2c13fa3ea2c0aa7291243006d560ce480a5591294b9001ce3742fc9c5791", - "zh:c8966f69b7eccccb771704fd5335923692eccc9e0e90cb95d14538fe2e92a3b8", - "zh:d5fe68850d449b811e633a300b114d0617df6d450305e8251643b4d143dc855b", - "zh:ddebfd1e674ba336df09b1f27bbaa0e036c25b7a7087dc8081443f6e5954028b", - ] -} - provider "registry.terraform.io/hashicorp/google" { - version = "4.1.0" + version = "4.6.0" constraints = ">= 4.1.0" hashes = [ - "h1:eqp/ZZ0N2tF0ZSaAUdS6b5TLSZKPegmFLqEFid89V9k=", - "h1:oXcSMwbjSCr0PO2PyZbKPbPXnd4EhxdJGZQwtzQqwrM=", - "zh:3477415ef4ef02d7c065a08fb24b7011ddd77f76b2a011db25e0b73c767acaae", - "zh:43be16d0bbb56d29c090c1abe49e877e4f3ca66bb372a661a2cd0a377cd61e8f", - "zh:6bb202a40055ed302f9dd05e2f3f87aa13080e580a9ac7b0241d634b78b68a2a", - "zh:7179303f628c5fc58129013ef4a4e754e225e266e68af4a7167a06a64d9d97db", - "zh:837cdcf1bafd4c936f15a4a22353efeec96ca23727f8d8ff22e9d53414d87084", - "zh:a853f1a1e9f5ac261fd9a02d869ce7da16917fdd16464dabf2200e2ccd04fba9", - "zh:aba631b9db47cc34857c25459475f17d939a46022f886e396a8254588f720c58", - "zh:ac461358984ba480b4fef1d2be3538d9714aa8814a6f420e1e954227054a14a4", - "zh:ade64689485fc28b6aa0c36861c6c9c66b5d7a8e7282739ecf97c7791b973312", - "zh:c3fbbfe7f6e870e19bb552a2ad84ea38c9ddf3e25e0b7e996ecb2fc7ce336b03", - "zh:d1419f4fe9c07f136ee9015a299cd6acf25a13bea0afa0f69727a576058603d3", + "h1:QbO4yjDrnoSpiYKSHrICNL1ZuWsl5J2rVRFj2kNg7xA=", + "h1:uGcZfOySgiqtYDw0eQXgmdzMDZrsuRXhmzNJYxJbgcc=", + "zh:005a28a2c79f6b29680b0f57260c69c85d8a992688007b6e5645149bd379951f", + "zh:2604d825de72cf99b4899d7880837adeb19d371f48e419666e32c4c3cf6a72e9", + "zh:290da4eb18e44469480cf299bebce89f54e4d301f856cdffe2837b498878c7ec", + "zh:3e5ba1a55d38fa17533a18fc14a612e781ded76c6309734d3dc0a937be27eec1", + "zh:4a85de3cdb33c092d8ccfced3d7302934de0dd4f72bbcebd79d45afe0a0b6f85", + "zh:5fb1a79800833ae922aaba594a8b2bc83be1d254052e12e0ce8330ca0d8933d9", + "zh:679b9f50c6fe0476e74d37935f7598d46d6e9612f75b26a8ef1ca3c13144d06a", + "zh:893216e32378839668c51ef135af1676cd887d63e2edb6625cf9adad7bfa346f", + "zh:ad8f2fd19adbe4c10281ba9b3c8d5100877a9c541d3580bbbe9357714aa77619", + "zh:bff5d6fd15e98c12ee9ed98b0338761dc4a9ba671a37834926daeabf73c71783", + "zh:debdf15fbed8d63e397cd004bf65586bd2b93ce04e47ca51a7c70c1fe9168b87", ] } diff --git a/examples/complete/main.tf b/examples/complete/main.tf index c5bf624..f0af566 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -22,24 +22,28 @@ module "gcr_cleaner" { { storage_region = "eu" repositories = [ + { + # in `test/nginx` repository, delete all `beta` tags + name = "test/nginx" + tag_filter_all = "^beta.+$" + }, { # in `test/nginx` repository, delete all images older than 30 days (720h) name = "test/nginx" grace = "720h" }, { - # in `test/python` repository, keep 3 `alpha` tags - name = "test/python" - allow_tagged = true - keep = 3 - tag_filter = "^alpha.+$" + # in `test/python` repository, if there is at least one `alpha` tag, + # delete all and keep only 3 tags + name = "test/python" + keep = 3 + tag_filter_any = "^alpha.+$" }, { - # in `test/tools/ci` repository and all its child repositories, keep only 5 tags - name = "test/tools/ci" - allow_tagged = true - keep = 5 - recursive = true + # in `test/tools/ci` repository and all its child repositories, keep only 5 images + name = "test/tools/ci" + keep = 5 + recursive = true } ] }, @@ -53,21 +57,9 @@ module "gcr_cleaner" { clean_all = true storage_region = "eu" parameters = { - allow_tagged = true - keep = 5 - grace = "120h" - tag_filter = "^beta.+$" - } - }, - { - # in all repositories, keep 10 `live` tags, ignore anything newer than 15 days - clean_all = true - storage_region = "eu" - parameters = { - allow_tagged = true - keep = 10 - grace = "360h" - tag_filter = "^live.+$" + keep = 5 + grace = "120h" + tag_filter_all = "^beta.+$" } } ] diff --git a/examples/minimal/.terraform.lock.hcl b/examples/minimal/.terraform.lock.hcl index b188f77..ad2d5f3 100644 --- a/examples/minimal/.terraform.lock.hcl +++ b/examples/minimal/.terraform.lock.hcl @@ -1,42 +1,22 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/external" { - version = "2.1.0" - constraints = ">= 2.1.0" - hashes = [ - "h1:LTl5CGW8wiIEe16AC4MtXN/95xWWNDbap70zJsBTk0w=", - "h1:wbtDfLeawmv6xVT1W0w0fctRCb4ABlaD3JTxwb1jXag=", - "zh:0d83ffb72fbd08986378204a7373d8c43b127049096eaf2765bfdd6b00ad9853", - "zh:7577d6edc67b1e8c2cf62fe6501192df1231d74125d90e51d570d586d95269c5", - "zh:9c669ded5d5affa4b2544952c4b6588dfed55260147d24ced02dca3a2829f328", - "zh:a404d46f2831f90633947ab5d57e19dbfe35b3704104ba6ec80bcf50b058acfd", - "zh:ae1caea1c936d459ceadf287bb5c5bd67b5e2a7819df6f5c4114b7305df7f822", - "zh:afb4f805477694a4b9dde86b268d2c0821711c8aab1c6088f5f992228c4c06fb", - "zh:b993b4a1de8a462643e78f4786789e44ce5064b332fee1cb0d6250ed085561b8", - "zh:c84b2c13fa3ea2c0aa7291243006d560ce480a5591294b9001ce3742fc9c5791", - "zh:c8966f69b7eccccb771704fd5335923692eccc9e0e90cb95d14538fe2e92a3b8", - "zh:d5fe68850d449b811e633a300b114d0617df6d450305e8251643b4d143dc855b", - "zh:ddebfd1e674ba336df09b1f27bbaa0e036c25b7a7087dc8081443f6e5954028b", - ] -} - provider "registry.terraform.io/hashicorp/google" { - version = "4.1.0" + version = "4.6.0" constraints = ">= 4.1.0" hashes = [ - "h1:eqp/ZZ0N2tF0ZSaAUdS6b5TLSZKPegmFLqEFid89V9k=", - "h1:oXcSMwbjSCr0PO2PyZbKPbPXnd4EhxdJGZQwtzQqwrM=", - "zh:3477415ef4ef02d7c065a08fb24b7011ddd77f76b2a011db25e0b73c767acaae", - "zh:43be16d0bbb56d29c090c1abe49e877e4f3ca66bb372a661a2cd0a377cd61e8f", - "zh:6bb202a40055ed302f9dd05e2f3f87aa13080e580a9ac7b0241d634b78b68a2a", - "zh:7179303f628c5fc58129013ef4a4e754e225e266e68af4a7167a06a64d9d97db", - "zh:837cdcf1bafd4c936f15a4a22353efeec96ca23727f8d8ff22e9d53414d87084", - "zh:a853f1a1e9f5ac261fd9a02d869ce7da16917fdd16464dabf2200e2ccd04fba9", - "zh:aba631b9db47cc34857c25459475f17d939a46022f886e396a8254588f720c58", - "zh:ac461358984ba480b4fef1d2be3538d9714aa8814a6f420e1e954227054a14a4", - "zh:ade64689485fc28b6aa0c36861c6c9c66b5d7a8e7282739ecf97c7791b973312", - "zh:c3fbbfe7f6e870e19bb552a2ad84ea38c9ddf3e25e0b7e996ecb2fc7ce336b03", - "zh:d1419f4fe9c07f136ee9015a299cd6acf25a13bea0afa0f69727a576058603d3", + "h1:QbO4yjDrnoSpiYKSHrICNL1ZuWsl5J2rVRFj2kNg7xA=", + "h1:uGcZfOySgiqtYDw0eQXgmdzMDZrsuRXhmzNJYxJbgcc=", + "zh:005a28a2c79f6b29680b0f57260c69c85d8a992688007b6e5645149bd379951f", + "zh:2604d825de72cf99b4899d7880837adeb19d371f48e419666e32c4c3cf6a72e9", + "zh:290da4eb18e44469480cf299bebce89f54e4d301f856cdffe2837b498878c7ec", + "zh:3e5ba1a55d38fa17533a18fc14a612e781ded76c6309734d3dc0a937be27eec1", + "zh:4a85de3cdb33c092d8ccfced3d7302934de0dd4f72bbcebd79d45afe0a0b6f85", + "zh:5fb1a79800833ae922aaba594a8b2bc83be1d254052e12e0ce8330ca0d8933d9", + "zh:679b9f50c6fe0476e74d37935f7598d46d6e9612f75b26a8ef1ca3c13144d06a", + "zh:893216e32378839668c51ef135af1676cd887d63e2edb6625cf9adad7bfa346f", + "zh:ad8f2fd19adbe4c10281ba9b3c8d5100877a9c541d3580bbbe9357714aa77619", + "zh:bff5d6fd15e98c12ee9ed98b0338761dc4a9ba671a37834926daeabf73c71783", + "zh:debdf15fbed8d63e397cd004bf65586bd2b93ce04e47ca51a7c70c1fe9168b87", ] } diff --git a/iam.tf b/iam.tf index 63c7677..7b33bc1 100644 --- a/iam.tf +++ b/iam.tf @@ -20,6 +20,8 @@ resource "google_cloud_run_service_iam_binding" "this" { ] } +# Grant cleaner service account roles/browser role in order to query the registry. +# This is the most minimal permission. resource "google_project_iam_member" "this" { project = google_cloud_run_service.this.project role = "roles/browser" diff --git a/locals.tf b/locals.tf index a33036a..9c74442 100644 --- a/locals.tf +++ b/locals.tf @@ -19,13 +19,14 @@ locals { # Set default values for optional fields. project_all_repositories = [ for repo in var.gcr_repositories : { - repo = "${repo.storage_region != null ? "${repo.storage_region}.gcr.io" : "gcr.io"}/${repo.project_id != null ? repo.project_id : local.google_project_id}" - grace = repo.parameters != null ? (repo.parameters.grace != null ? repo.parameters.grace : "0") : "0" - allow_tagged = repo.parameters != null ? (repo.parameters.allow_tagged != null ? repo.parameters.allow_tagged : false) : false - keep = repo.parameters != null ? (repo.parameters.keep != null ? repo.parameters.keep : "0") : "0" - tag_filter = repo.parameters != null ? (repo.parameters.tag_filter != null ? repo.parameters.tag_filter : "") : "" - recursive = true - filter = repo.parameters != null ? "grace-${repo.parameters.grace != null ? repo.parameters.grace : "0"}-allow_tagged-${repo.parameters.allow_tagged != null ? repo.parameters.allow_tagged : false}-keep-${repo.parameters.keep != null ? repo.parameters.keep : "0"}-tag_filter-${repo.parameters.tag_filter != null ? repo.parameters.tag_filter : "no"}" : "delete-all-untagged-images-recursive" + repo = "${repo.storage_region != null ? "${repo.storage_region}.gcr.io" : "gcr.io"}/${repo.project_id != null ? repo.project_id : local.google_project_id}" + grace = repo.parameters != null ? (repo.parameters.grace != null ? repo.parameters.grace : "0") : "0" + keep = repo.parameters != null ? (repo.parameters.keep != null ? repo.parameters.keep : "0") : "0" + tag_filter = repo.parameters != null ? (repo.parameters.tag_filter != null ? repo.parameters.tag_filter : "") : "" + tag_filter_any = repo.parameters != null ? (repo.parameters.tag_filter_any != null ? repo.parameters.tag_filter_any : "") : "" + tag_filter_all = repo.parameters != null ? (repo.parameters.ttag_filter_allag_filter != null ? repo.parameters.tag_filter_all : "") : "" + recursive = true + filter = repo.parameters != null ? "grace-${repo.parameters.grace != null ? repo.parameters.grace : "0"}-keep-${repo.parameters.keep != null ? repo.parameters.keep : "0"}-tag_filter-${repo.parameters.tag_filter != null ? repo.parameters.tag_filter : "no"}-tag_filter_any-${repo.parameters.tag_filter_any != null ? repo.parameters.tag_filter_any : "no"}-tag_filter_any-${repo.parameters.tag_filter_any != null ? repo.parameters.tag_filter_any : "no"}" : "delete-all-untagged-images-recursive" } if repo.clean_all == true ] @@ -35,13 +36,14 @@ locals { for gcr in var.gcr_repositories : [ for repo in gcr.repositories : merge(repo, { - repo = "${gcr.storage_region != null ? "${gcr.storage_region}.gcr.io" : "gcr.io"}/${gcr.project_id != null ? gcr.project_id : local.google_project_id}/${repo.name}" - grace = repo.grace != null ? repo.grace : "0" - allow_tagged = repo.allow_tagged != null ? repo.allow_tagged : false - keep = repo.keep != null ? repo.keep : "0" - tag_filter = repo.tag_filter != null ? repo.tag_filter : "" - recursive = repo.recursive != null ? repo.recursive : false - filter = "grace-${repo.grace != null ? repo.grace : "0"}-allow_tagged-${repo.allow_tagged != null ? repo.allow_tagged : false}-keep-${repo.keep != null ? repo.keep : "0"}-tag_filter-${repo.tag_filter != null ? repo.tag_filter : "no"}-recursive-${repo.recursive != null ? repo.recursive : false}" + repo = "${gcr.storage_region != null ? "${gcr.storage_region}.gcr.io" : "gcr.io"}/${gcr.project_id != null ? gcr.project_id : local.google_project_id}/${repo.name}" + grace = repo.grace != null ? repo.grace : "0" + keep = repo.keep != null ? repo.keep : "0" + tag_filter = repo.tag_filter != null ? repo.tag_filter : "" + tag_filter_any = repo.tag_filter_any != null ? repo.tag_filter_any : "" + tag_filter_all = repo.tag_filter_all != null ? repo.tag_filter_all : "" + recursive = repo.recursive != null ? repo.recursive : false + filter = "grace-${repo.grace != null ? repo.grace : "0"}-keep-${repo.keep != null ? repo.keep : "0"}-tag_filter-${repo.tag_filter != null ? repo.tag_filter : "no"}-tag_filter_any-${repo.tag_filter_any != null ? repo.tag_filter_any : "no"}-tag_filter_all-${repo.tag_filter_all != null ? repo.tag_filter_all : "no"}-recursive-${repo.recursive != null ? repo.recursive : false}" } ) ] if gcr.repositories != null diff --git a/main.tf b/main.tf index f56713f..3f99ec7 100644 --- a/main.tf +++ b/main.tf @@ -82,12 +82,13 @@ resource "google_cloud_scheduler_job" "this" { http_method = "POST" uri = "${google_cloud_run_service.this.status[0].url}/http" body = base64encode(jsonencode({ - allow_tagged = tobool(each.value.allow_tagged), - grace = each.value.grace, - keep = tonumber(each.value.keep), - repos = [each.value.repo], - tag_filter = each.value.tag_filter, - recursive = tobool(each.value.recursive), + grace = each.value.grace, + keep = tonumber(each.value.keep), + repos = [each.value.repo], + tag_filter = each.value.tag_filter, + tag_filter_any = each.value.tag_filter_any, + tag_filter_all = each.value.tag_filter_all, + recursive = tobool(each.value.recursive), })) oidc_token { service_account_email = google_service_account.invoker.email diff --git a/variables.tf b/variables.tf index a6082cc..5d6e2e1 100644 --- a/variables.tf +++ b/variables.tf @@ -62,22 +62,26 @@ variable "gcr_repositories" { List of Google Container Registries objects to create: ``` list(object({ - project_id = Value of the Google project id, if ommited, it will be assigned `google_project_id` variable value (optional(string)) - storage_region = Location of the storage bucket (optional(string)) - repositories = Docker image repositories to clean (optional(list(object({ - name = Name of the repository (string) - grace = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string)) - allow_tagged = If set to true, will check all images including tagged. If unspecified, the default will only delete untagged images (optional(bool)) - keep = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string)) - tag_filter = Used for tags regexp definition to define pattern to clean, requires `allow_tagged` must be true. For example: use `"^dev.+$"` to limit cleaning only on the tags with beginning with is `dev`. The default is no filtering (optional(string)) - recursive = If set to true, will recursively search all child repositories (optional(bool)) + project_id = Value of the Google project id, if ommited, it will be assigned `google_project_id` variable value (optional(string)) + storage_region = Location of the storage bucket (optional(string)) + repositories = Docker image repositories to clean (optional(list(object({ + name = Name of the repository (string) + grace = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string)) + allow_tagged = (Deprecated) This option is deprecated and has no effect. By default, GCR Cleaner will not delete tagged images. To delete tagged images, specify `tag_filter_any` or `tag_filter_all` (optional(bool)) + keep = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string)) + tag_filter = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string)) + tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string)) + tag_filter_all = If specified, any image where all tags match this given regular expression will be deleted. The image will not be delete if it has other tags that do not match the given regular expression (optional(string)) + recursive = If set to true, will recursively search all child repositories (optional(bool)) })))) - clean_all = Set to `true` to clean all project's repositories (optional(bool)) - parameters = Map of parameters to apply to all repositories when `clean_all` is set to `true` (optional(object({ - grace = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string)) - allow_tagged = If set to true, will check all images including tagged. If unspecified, the default will only delete untagged images (optional(bool)) - keep = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string)) - tag_filter = Used for tags regexp definition to define pattern to clean, requires `allow_tagged` must be true. For example: use `"^dev.+$"` to limit cleaning only on the tags with beginning with is `dev`. The default is no filtering (optional(string)) + clean_all = Set to `true` to clean all project's repositories (optional(bool)) + parameters = Map of parameters to apply to all repositories when `clean_all` is set to `true` (optional(object({ + grace = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string)) + allow_tagged = (Deprecated) This option is deprecated and has no effect. By default, GCR Cleaner will not delete tagged images. To delete tagged images, specify `tag_filter_any` or `tag_filter_all` (optional(bool)) + keep = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string)) + tag_filter = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string)) + tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string)) + tag_filter_all = If specified, any image where all tags match this given regular expression will be deleted. The image will not be delete if it has other tags that do not match the given regular expression (optional(string)) }))) })) ``` @@ -87,19 +91,23 @@ EOF project_id = optional(string) storage_region = optional(string) repositories = optional(list(object({ - name = string - grace = optional(string) - allow_tagged = optional(bool) - keep = optional(string) - tag_filter = optional(string) - recursive = optional(bool) + name = string + grace = optional(string) + allow_tagged = optional(bool) + keep = optional(string) + tag_filter = optional(string) + tag_filter_any = optional(string) + tag_filter_all = optional(string) + recursive = optional(bool) }))) clean_all = optional(bool) parameters = optional(object({ - grace = optional(string) - allow_tagged = optional(bool) - keep = optional(string) - tag_filter = optional(string) + grace = optional(string) + allow_tagged = optional(bool) + keep = optional(string) + tag_filter = optional(string) + tag_filter_any = optional(string) + tag_filter_all = optional(string) })) })) default = [] From 47910a9dd12c15beb3f89f956e0c496590d1178b Mon Sep 17 00:00:00 2001 From: Anouar Chattouna Date: Tue, 11 Jan 2022 12:12:04 +0100 Subject: [PATCH 2/2] reviews --- README.md | 2 +- variables.tf | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index b883f13..df26c25 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ No modules. | [disable\_dependent\_services](#input\_disable\_dependent\_services) | If `true`, services that are enabled and which depend on this service should also be disabled when this service is destroyed. If `false` or unset, an error will be generated if any enabled services depend on this service when destroying it. | `bool` | `false` | no | | [disable\_on\_destroy](#input\_disable\_on\_destroy) | If `true`, disable the service when the terraform resource is destroyed. May be useful in the event that a project is long-lived but the infrastructure running in that project changes frequently. | `bool` | `false` | no | | [gcr\_cleaner\_image](#input\_gcr\_cleaner\_image) | The docker image of the gcr cleaner to deploy to Cloud Run. | `string` | `"gcr.io/gcr-cleaner/gcr-cleaner:latest"` | no | -| [gcr\_repositories](#input\_gcr\_repositories) | List of Google Container Registries objects to create:
list(object({
    project_id     = Value of the Google project id, if ommited, it will be assigned `google_project_id` variable value (optional(string))
    storage_region = Location of the storage bucket (optional(string))
    repositories = Docker image repositories to clean (optional(list(object({
      name           = Name of the repository (string)
      grace          = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string))
      allow_tagged   = (Deprecated) This option is deprecated and has no effect. By default, GCR Cleaner will not delete tagged images. To delete tagged images, specify `tag_filter_any` or `tag_filter_all` (optional(bool))
      keep           = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string))
      tag_filter     = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string))
      tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string))
      tag_filter_all = If specified, any image where all tags match this given regular expression will be deleted. The image will not be delete if it has other tags that do not match the given regular expression (optional(string))
      recursive      = If set to true, will recursively search all child repositories (optional(bool))
    }))))
    clean_all  = Set to `true` to clean all project's repositories (optional(bool))
    parameters = Map of parameters to apply to all repositories when `clean_all` is set to `true` (optional(object({
      grace          = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string))
      allow_tagged   = (Deprecated) This option is deprecated and has no effect. By default, GCR Cleaner will not delete tagged images. To delete tagged images, specify `tag_filter_any` or `tag_filter_all` (optional(bool))
      keep           = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string))
      tag_filter     = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string))
      tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string))
      tag_filter_all = If specified, any image where all tags match this given regular expression will be deleted. The image will not be delete if it has other tags that do not match the given regular expression (optional(string))
    })))
}))
| 
list(object({
    project_id     = optional(string)
    storage_region = optional(string)
    repositories = optional(list(object({
      name           = string
      grace          = optional(string)
      allow_tagged   = optional(bool)
      keep           = optional(string)
      tag_filter     = optional(string)
      tag_filter_any = optional(string)
      tag_filter_all = optional(string)
      recursive      = optional(bool)
    })))
    clean_all = optional(bool)
    parameters = optional(object({
      grace          = optional(string)
      allow_tagged   = optional(bool)
      keep           = optional(string)
      tag_filter     = optional(string)
      tag_filter_any = optional(string)
      tag_filter_all = optional(string)
    }))
  }))
| `[]` | no | +| [gcr\_repositories](#input\_gcr\_repositories) | List of Google Container Registries objects to create:
list(object({
    project_id     = Value of the Google project id, if ommited, it will be assigned `google_project_id` variable value (optional(string))
    storage_region = Location of the storage bucket (optional(string))
    repositories = Docker image repositories to clean (optional(list(object({
      name           = Name of the repository (string)
      grace          = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string))
      keep           = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string))
      tag_filter     = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string))
      tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string))
      tag_filter_all = If specified, any image where all tags match this given regular expression will be deleted. The image will not be delete if it has other tags that do not match the given regular expression (optional(string))
      recursive      = If set to true, will recursively search all child repositories (optional(bool))
    }))))
    clean_all  = Set to `true` to clean all project's repositories (optional(bool))
    parameters = Map of parameters to apply to all repositories when `clean_all` is set to `true` (optional(object({
      grace          = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string))
      keep           = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string))
      tag_filter     = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string))
      tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string))
      tag_filter_all = If specified, any image where all tags match this given regular expression will be deleted. The image will not be delete if it has other tags that do not match the given regular expression (optional(string))
    })))
}))
| 
list(object({
    project_id     = optional(string)
    storage_region = optional(string)
    repositories = optional(list(object({
      name           = string
      grace          = optional(string)
      keep           = optional(string)
      tag_filter     = optional(string)
      tag_filter_any = optional(string)
      tag_filter_all = optional(string)
      recursive      = optional(bool)
    })))
    clean_all = optional(bool)
    parameters = optional(object({
      grace          = optional(string)
      keep           = optional(string)
      tag_filter     = optional(string)
      tag_filter_any = optional(string)
      tag_filter_all = optional(string)
    }))
  }))
| `[]` | no | ## Outputs diff --git a/variables.tf b/variables.tf index 5d6e2e1..ccd4ae4 100644 --- a/variables.tf +++ b/variables.tf @@ -67,7 +67,6 @@ list(object({ repositories = Docker image repositories to clean (optional(list(object({ name = Name of the repository (string) grace = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string)) - allow_tagged = (Deprecated) This option is deprecated and has no effect. By default, GCR Cleaner will not delete tagged images. To delete tagged images, specify `tag_filter_any` or `tag_filter_all` (optional(bool)) keep = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string)) tag_filter = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string)) tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string)) @@ -77,7 +76,6 @@ list(object({ clean_all = Set to `true` to clean all project's repositories (optional(bool)) parameters = Map of parameters to apply to all repositories when `clean_all` is set to `true` (optional(object({ grace = Relative duration in which to ignore references. This value is specified as a time duration value like "5s" or "3h". If set, refs newer than the duration will not be deleted. If unspecified, the default is no grace period (all untagged image refs are deleted) (optional(string)) - allow_tagged = (Deprecated) This option is deprecated and has no effect. By default, GCR Cleaner will not delete tagged images. To delete tagged images, specify `tag_filter_any` or `tag_filter_all` (optional(bool)) keep = If an integer is provided, it will always keep that minimum number of images. Note that it will not consider images inside the `grace` duration (optional(string)) tag_filter = (Deprecated) If specified, any image where the first tag matches this given regular expression will be deleted. The image will not be deleted if other tags match the regular expression (optional(string)) tag_filter_any = If specified, any image with at least one tag that matches this given regular expression will be deleted. The image will be deleted even if it has other tags that do not match the given regular expression (optional(string)) @@ -93,7 +91,6 @@ EOF repositories = optional(list(object({ name = string grace = optional(string) - allow_tagged = optional(bool) keep = optional(string) tag_filter = optional(string) tag_filter_any = optional(string) @@ -103,7 +100,6 @@ EOF clean_all = optional(bool) parameters = optional(object({ grace = optional(string) - allow_tagged = optional(bool) keep = optional(string) tag_filter = optional(string) tag_filter_any = optional(string)