Create ECR repos for the CI images

This adds some repositories to enable apache/tvm#10646. The main caveat with this approach (vs letting CI nodes create the repositories as necessary) is that new images require an interaction with the infra team, but this is probably fine since these are pretty rare (`ci_hexagon` is the only new one in the past several months).
driazati · Mar 17, 2022 · 9ef63ef · 9ef63ef
1 parent cffb78e
commit 9ef63ef
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 7 deletions.
diff --git a/autoscalers.tf b/autoscalers.tf
@@ -34,17 +34,45 @@ resource "aws_iam_role_policy" "autoscalers" {
  {
    "Version": "2012-10-17",
    "Statement": [
-     {
-       "Sid": "SccacheAccess",
-       "Effect": "Allow",
-       "Action": [
+      {
+        "Sid": "SccacheAccess",
+        "Effect": "Allow",
+        "Action": [
          "s3:DeleteObject",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:PutObject"
-       ],
-       "Resource": "arn:aws:s3:::tvm-sccache-${var.environment}/*"
-     }
+        ],
+        "Resource": "arn:aws:s3:::tvm-sccache-${var.environment}/*"
+      },
+      {
+          "Sid": "ECRAccess1",
+          "Effect": "Allow",
+          "Action": [
+              "ecr:BatchCheckLayerAvailability",
+              "ecr:BatchGetImage",
+              "ecr:CompleteLayerUpload",
+              "ecr:CreateRepository",
+              "ecr:DescribeImages",
+              "ecr:DescribeRepositories",
+              "ecr:GetDownloadUrlForLayer",
+              "ecr:InitiateLayerUpload",
+              "ecr:ListImages",
+              "ecr:PutImage",
+              "ecr:TagResource",
+              "ecr:UploadLayerPart"
+          ],
+          "Resource": "arn:aws:ecr:us-west-2:477529581014:repository/ci_lint"
+      },
+      {
+          "Sid": "ECRAccess2",
+          "Effect": "Allow",
+          "Action": [
+              "ecr:DescribeRegistry",
+              "ecr:GetAuthorizationToken"
+          ],
+          "Resource": "*"
+      }
    ]
  }
 EOF

diff --git a/ecr.tf b/ecr.tf
@@ -0,0 +1,38 @@
+resource "aws_ecr_repository" "ci_ecr" {
+  for_each             = var.ecr_repositories
+  name                 = each.value
+  image_tag_mutability = "IMMUTABLE"
+}
+
+resource "aws_ecr_lifecycle_policy" "ci_ecr_policy" {
+  for_each             = var.ecr_repositories
+  name                 = each.value
+  repository           = aws_ecr_repository.ci_ecr.name
+
+  policy = <<EOF
+{
+    "rules": [
+        {
+        "rules": [
+            {
+            "action": {
+                "type": "expire"
+            },
+            "selection": {
+                "countType": "sinceImagePushed",
+                "countUnit": "days",
+                "countNumber": 7,
+                "tagStatus": "tagged",
+                "tagPrefixList": [
+                "PR-"
+                ]
+            },
+            "description": "Remove PR images",
+            "rulePriority": 1
+            }
+        ]
+        }
+    ]
+}
+EOF
+}
diff --git a/variables.tf b/variables.tf
@@ -62,6 +62,11 @@ variable "subject_alternative_names" {
   default = []
 }
 
+variable "ecr_repositories" {
+  type    = list(string)
+  default = []
+}
+
 variable "is_private" {
   type    = bool
   default = false

diff --git a/vars/tvm-ci-prod.auto.tfvars b/vars/tvm-ci-prod.auto.tfvars
@@ -48,6 +48,16 @@ autoscaler_types = {
   }
 }
 
+ecr_repositories = [
+  "ci_arm",
+  "ci_cpu",
+  "ci_gpu",
+  "ci_hexagon",
+  "ci_lint",
+  "ci_qemu",
+  "ci_wasm"
+]
+
 domain_name               = "ci.tlcpack.ai"
 subject_alternative_names = ["docs.staging.tlcpack.ai"]
 ebs_volume_size           = 500