Merge pull request #1 from togethercomputer/derek/eng-26466-setup-ecr-lambda-tf-module

Add tf code for re-usable Lambda ECR infra combo

Author: derekdowling

.github/workflows/approve-emergency.yaml

@@ -0,0 +1,18 @@
+name: Approve Emergency Pull Request
+
+on:
+  pull_request:
+    types: [opened, reopened, edited, synchronize, labeled]
+    branches:
+      - main
+
+defaults:
+  run:
+    shell: bash
+    working-directory: ./approve_emergency
+
+jobs:
+  approve_emergency:
+    if: ${{ vars.ACTIONS_ENABLED == 'true' }}
+    uses: togethercomputer/github-actions-test/.github/workflows/approve-emergency.yaml@main
+    secrets: inherit

.github/workflows/auto-merge-init-pr.yaml

@@ -0,0 +1,95 @@
+name: Auto-merge Initialization PR created via Terraform
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: read
+
+env:
+  GITHUB_TOKEN: ${{ secrets.ROBOT_GITHUB_TOKEN }}
+  TRIGGER_TITLE_PREFIX: "[INITIALIZE]"
+  TRIGGER_BODY_MARKER: "<!-- INIT_PR_MARKER: DO_NOT_TOUCH -->"
+
+jobs:
+  init_repo:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check if this is the INIT PR
+        id: check_init_pr
+        run: |
+          TITLE=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH")
+          BODY=$(jq -r '.pull_request.body' "$GITHUB_EVENT_PATH")
+
+          if [[ "$TITLE" == "${{ env.TRIGGER_TITLE_PREFIX }}"* && "$BODY" == *"${{ env.TRIGGER_BODY_MARKER }}"* ]]; then
+            echo "INIT_PR=true" >> $GITHUB_ENV
+            echo "INIT PR detected."
+          else
+            echo "INIT_PR=false" >> $GITHUB_ENV
+            echo "Not the INIT PR, skipping approval and merge."
+          fi
+
+      - name: Set repo variable to enable other actions to run
+        if: env.INIT_PR == 'true'
+        run: |
+          gh variable set ACTIONS_ENABLED --body "true" --repo https://github.com/${{ github.repository }}
+
+      - name: Fetch PR Author
+        if: env.INIT_PR == 'true'
+        id: pr_author
+        run: |
+          set -x
+          AUTHOR=$(jq -r '.pull_request.user.login' "$GITHUB_EVENT_PATH")
+          echo "PR_AUTHOR=$AUTHOR" >> $GITHUB_ENV
+
+      - name: Check if Author is in togethercomputer/tech-ops
+        if: env.INIT_PR == 'true'
+        id: check_team
+        run: |
+          set -x
+          ORG_NAME="togethercomputer"
+          TEAM_SLUG="tech-ops"
+          AUTHOR="$PR_AUTHOR"
+          
+          MEMBERS=$(curl -s -H "Authorization: Bearer ${{ secrets.ROBOT_GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/orgs/$ORG_NAME/teams/$TEAM_SLUG/members" | jq -r '.[].login')
+
+          if echo "$MEMBERS" | grep -q "^$AUTHOR$"; then
+            echo "User is in togethercomputer/tech-ops"
+            echo "APPROVE_PR=true" >> $GITHUB_ENV
+          else
+            echo "User is NOT in togethercomputer/tech-ops. Exiting."
+            exit 1
+          fi
+
+      - name: Approve PR
+        if: env.APPROVE_PR == 'true'
+        run: |
+          gh pr review --approve https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}
+
+      - name: Merge PR
+        if: env.APPROVE_PR == 'true'
+        run: |
+          gh pr merge --squash --admin https://github.com/${{ github.repository }}/pull/${{ github.event.pull_request.number }}
+
+      - name: Remove This Workflow After init PR merged
+        if: env.APPROVE_PR == 'true'
+        run: |
+          git config --global user.name "together-robot"
+          git config --global user.email "together-robot@users.noreply.github.com"
+          
+          # Clone the repo
+          git clone https://x-access-token:${{ secrets.ROBOT_GITHUB_TOKEN }}@github.com/${{ github.repository }} repo
+          cd repo
+
+          # Remove the workflow file
+          rm -f .github/workflows/auto-merge-init-pr.yaml
+
+          # Commit and push the change
+          git commit -am 'Cleanup: Remove initialization workflow after merging PR'
+          git push origin main

.github/workflows/label-pr-size.yaml

@@ -0,0 +1,18 @@
+name: Label Pull Request with T-shirt Size
+
+on:
+  pull_request:
+    types: [opened, reopened, edited, synchronize]
+    branches:
+      - main
+
+defaults:
+  run:
+    shell: bash
+    working-directory: ./label-pr-size
+
+jobs:
+  label_pr_size:
+    if: ${{ vars.ACTIONS_ENABLED == 'true' }}
+    uses: togethercomputer/github-actions-test/.github/workflows/label-pr-size.yaml@main
+    secrets: inherit

.github/workflows/linear-pr-checker.yaml

@@ -0,0 +1,18 @@
+name: Linear PR Checker
+
+on:
+  pull_request:
+    types: [opened, reopened, edited, synchronize]
+    branches:
+      - main
+
+defaults:
+  run:
+    shell: bash
+    working-directory: ./pr_checker
+
+jobs:
+  linear_pr_checker:
+    if: ${{ vars.ACTIONS_ENABLED == 'true' }}
+    uses: togethercomputer/tools/.github/workflows/pr_checker.yml@main
+    secrets: inherit

.github/workflows/main-merge.yaml

@@ -0,0 +1,21 @@
+name: Main Merge
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  version-bump:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+      - name: Bump version and push tag
+        id: bump
+        uses: anothrNick/github-tag-action@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          WITH_V: true
+      

README.md

@@ -1,2 +1,72 @@
-# td-mod-ecr-image-lambda
-A terraform module for setting up a Lambda that runs an ECR Image
+<!-- BEGIN_TF_DOCS -->
+# Terraform Lambda ECR Module
+
+This module creates an ECR repository and Lambda function with image configuration.
+It's designed to work with CI/CD pipelines for image updates.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.7.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.64.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.94.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.lambda_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_ecr_lifecycle_policy.lambda_repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
+| [aws_ecr_repository.lambda_repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
+| [aws_ecr_repository_policy.lambda_repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource |
+| [aws_iam_policy.lambda_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.lambda_ecr_pull](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.lambda_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lambda_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ecr_repository_name"></a> [ecr\_repository\_name](#input\_ecr\_repository\_name) | Name of the ECR repository | `string` | n/a | yes |
+| <a name="input_encryption_type"></a> [encryption\_type](#input\_encryption\_type) | The encryption type to use for the repository. Valid values are AES256 or KMS | `string` | `"AES256"` | no |
+| <a name="input_environment_variables"></a> [environment\_variables](#input\_environment\_variables) | Environment variables for the Lambda function | `map(string)` | `{}` | no |
+| <a name="input_function_name"></a> [function\_name](#input\_function\_name) | Name of the Lambda function | `string` | n/a | yes |
+| <a name="input_image_tag_mutability"></a> [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE | `string` | `"MUTABLE"` | no |
+| <a name="input_initial_image_uri"></a> [initial\_image\_uri](#input\_initial\_image\_uri) | Initial image URI to use for Lambda function | `string` | `""` | no |
+| <a name="input_log_retention_days"></a> [log\_retention\_days](#input\_log\_retention\_days) | Number of days to retain Lambda function logs | `number` | `14` | no |
+| <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Amount of memory in MB your Lambda Function can use at runtime | `number` | `128` | no |
+| <a name="input_non_release_image_retention_count"></a> [non\_release\_image\_retention\_count](#input\_non\_release\_image\_retention\_count) | The number of images to keep in the repository | `number` | `50` | no |
+| <a name="input_release_image_retention_count"></a> [release\_image\_retention\_count](#input\_release\_image\_retention\_count) | The number of images to keep in the repository with v-prefixed tags | `number` | `100` | no |
+| <a name="input_scan_on_push"></a> [scan\_on\_push](#input\_scan\_on\_push) | Indicates whether images are scanned after being pushed to the repository | `bool` | `true` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | List of security group IDs associated with the Lambda function (VPC) | `list(string)` | `null` | no |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs associated with the Lambda function (VPC) | `list(string)` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| <a name="input_timeout"></a> [timeout](#input\_timeout) | The amount of time your Lambda Function has to run in seconds | `number` | `30` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cloudwatch_log_group_arn"></a> [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | The ARN of the CloudWatch log group |
+| <a name="output_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | The name of the CloudWatch log group |
+| <a name="output_ecr_repository_arn"></a> [ecr\_repository\_arn](#output\_ecr\_repository\_arn) | The ARN of the ECR repository |
+| <a name="output_ecr_repository_url"></a> [ecr\_repository\_url](#output\_ecr\_repository\_url) | The URL of the ECR repository |
+| <a name="output_lambda_function_arn"></a> [lambda\_function\_arn](#output\_lambda\_function\_arn) | The ARN of the Lambda function |
+| <a name="output_lambda_function_invoke_arn"></a> [lambda\_function\_invoke\_arn](#output\_lambda\_function\_invoke\_arn) | The invoke ARN of the Lambda function |
+| <a name="output_lambda_function_name"></a> [lambda\_function\_name](#output\_lambda\_function\_name) | The name of the Lambda function |
+| <a name="output_lambda_function_role_arn"></a> [lambda\_function\_role\_arn](#output\_lambda\_function\_role\_arn) | The ARN of the IAM role created for the Lambda function |
+| <a name="output_lambda_function_role_name"></a> [lambda\_function\_role\_name](#output\_lambda\_function\_role\_name) | The name of the IAM role created for the Lambda function |
+<!-- END_TF_DOCS -->