feat: add a new feature to run image builds (#201)

Author: akocbek

ibm_catalog.json

@@ -352,6 +352,9 @@
             {
               "key": "builds"
             },
+            {
+              "key": "container_registry_namespace"
+            },
             {
               "key": "domain_mappings"
             },

modules/build/README.md

@@ -73,4 +73,6 @@ No modules.
 | <a name="output_build_id"></a> [build\_id](#output\_build\_id) | The ID of the created code engine build. |
 | <a name="output_id"></a> [id](#output\_id) | The unique identifier of the created code engine build. |
 | <a name="output_name"></a> [name](#output\_name) | The name of the created code engine build. |
+| <a name="output_output_image"></a> [output\_image](#output\_output\_image) | The container image reference of the created code engine build. |
+| <a name="output_output_secret"></a> [output\_secret](#output\_output\_secret) | The registry secret of the created code engine build. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/build/outputs.tf

@@ -16,3 +16,13 @@ output "name" {
   description = "The name of the created code engine build."
   value       = resource.ibm_code_engine_build.ce_build.name
 }
+
+output "output_image" {
+  description = "The container image reference of the created code engine build."
+  value       = resource.ibm_code_engine_build.ce_build.output_image
+}
+
+output "output_secret" {
+  description = "The registry secret of the created code engine build."
+  value       = resource.ibm_code_engine_build.ce_build.output_secret
+}

solutions/project/DA-inputs.md

@@ -17,7 +17,7 @@ The `builds` input variable allows you to provide details of the of builds which
 
 ### Options for Builds
 
-  - `output_image` (required): The name of the image.
+  - `output_image` (optional): The name of the image. A container image can be identified by a container image reference with the following structure: registry / namespace / repository : tag. If not provided, the name is automatically build using region registry / container_registry_namespace input / build name.
   - `output_secret` (required): The secret that is required to access the image registry.
   - `source_url` (required): The URL of the code repository.
   - `strategy_type` (required): Specifies the type of source to determine if your build source is in a repository or based on local source code.
@@ -118,10 +118,30 @@ The `secrets` input variable allows you to provide a method to include sensitive
 ### Example for Secrets
 
 ```hcl
+# generic secret
 {
   "your-secret-name" = {
     format = "generic"
     data   = { "key_1" : "value_1", "key_2" : "value_2" }
   }
 }
+
+# registry secret
+"registry_secret_name" = {
+    format = "registry"
+    optional("data") = {
+      "server"   = "private.us.icr.io",
+      "username" = "iamapikey",
+      "password" = iam_api_key, # pragma: allowlist secret
+    }
+}
+
+# private repository
+"private_repo" = {
+    format = "generic"
+    "data" = {
+      "password" = github_token, # pragma: allowlist secret
+      "username"   = github_user
+    }
+}
 ```

solutions/project/main.tf

@@ -26,10 +26,54 @@ module "project" {
 ##############################################################################
 # Code Engine Build
 ##############################################################################
+locals {
+  registry_region_result = data.external.container_registry_region.result
+  registry               = lookup(local.registry_region_result, "registry", null)
+  container_registry     = local.registry != null ? "private.${local.registry}" : null
+  registry_region_error  = lookup(local.registry_region_result, "error", null)
+
+  # This will cause Terraform to fail if "error" is present in the external script output executed as a part of container_registry_region
+  # tflint-ignore: terraform_unused_declarations
+  fail_if_registry_region_error = local.registry_region_error != null ? tobool("Registry region script failed: ${local.registry_region_error}") : null
+
+  # if no build defines a container image reference (output_image), a new container registry namespace must be created using container_registry_namespace.
+  any_missing_output_image = anytrue([
+    for build in values(var.builds) :
+    !contains(keys(build), "output_image") || build.output_image == null
+  ])
+  image_container = local.any_missing_output_image && local.container_registry != null ? "${local.container_registry}/${resource.ibm_cr_namespace.my_namespace[0].name}" : ""
+
+  # if output_image not exists then a new created container image reference
+  updated_builds = {
+    for name, build in var.builds :
+    name => merge(
+      build,
+      {
+        output_image = coalesce(build.output_image, "${local.image_container}/${name}")
+      }
+    )
+  }
+}
+
+resource "ibm_cr_namespace" "my_namespace" {
+  count = local.any_missing_output_image && var.container_registry_namespace != null ? 1 : 0
+  name  = var.container_registry_namespace
+}
+
+data "external" "container_registry_region" {
+  program = ["bash", "${path.module}/scripts/get-cr-region.sh"]
+
+  query = {
+    RESOURCE_GROUP_ID = module.resource_group.resource_group_id
+    REGION            = var.region
+    IBMCLOUD_API_KEY  = var.ibmcloud_api_key
+  }
+}
+
 module "build" {
   depends_on         = [module.secret]
   source             = "../../modules/build"
-  for_each           = var.builds
+  for_each           = local.updated_builds
   project_id         = module.project.project_id
   name               = each.key
   output_image       = each.value.output_image
@@ -43,7 +87,21 @@ module "build" {
   strategy_size      = each.value.strategy_size
   strategy_spec_file = each.value.strategy_spec_file
   timeout            = each.value.timeout
+}
 
+resource "null_resource" "run_build" {
+  depends_on = [module.build]
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = "${path.module}/scripts/build-run.sh"
+    environment = {
+      IBMCLOUD_API_KEY  = var.ibmcloud_api_key
+      RESOURCE_GROUP_ID = module.resource_group.resource_group_id
+      CE_PROJECT_NAME   = module.project.name
+      REGION            = var.region
+      BUILDS            = join(" ", keys(local.updated_builds))
+    }
+  }
 }
 
 ##############################################################################
@@ -72,9 +130,30 @@ module "config_map" {
 ##############################################################################
 # Code Engine Secret
 ##############################################################################
+locals {
+  # if the secret is a registry type, inject generated credentials (username, password, server) if they're not already provided.
+  secrets = {
+    for name, secret in var.secrets :
+    name => merge(
+      secret,
+      {
+        data = (
+          secret.format == "registry"
+          ? merge(secret.data, {
+            password = lookup(secret.data, "password", var.ibmcloud_api_key),
+            username = lookup(secret.data, "username", "iamapikey"),
+            server   = lookup(secret.data, "server", local.container_registry)
+          })
+          : secret.data
+        )
+      }
+    )
+  }
+}
+
 module "secret" {
   source     = "../../modules/secret"
-  for_each   = var.secrets
+  for_each   = local.secrets
   project_id = module.project.project_id
   name       = each.key
   data       = sensitive(each.value.data)

solutions/project/scripts/build-run.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -e
+
+if [[ -z "${IBMCLOUD_API_KEY}" ]]; then
+  echo "IBMCLOUD_API_KEY is required" >&2
+  exit 1
+fi
+
+if [[ -z "${RESOURCE_GROUP_ID}" ]]; then
+  echo "RESOURCE_GROUP_ID is required" >&2
+  exit 1
+fi
+
+if [[ -z "${CE_PROJECT_NAME}" ]]; then
+  echo "CE_PROJECT_NAME is required" >&2
+  exit 1
+fi
+
+if [[ -z "${REGION}" ]]; then
+  echo "REGION is required" >&2
+  exit 1
+fi
+
+if [[ -z "${BUILDS}" ]]; then
+  echo "BUILDS is required" >&2
+  exit 1
+fi
+
+ibmcloud login -r "${REGION}" -g "${RESOURCE_GROUP_ID}" --quiet
+
+# selecet the right code engine project
+ibmcloud ce project select -n "${CE_PROJECT_NAME}"
+
+# run a build for all builds
+for build in $BUILDS; do
+    echo "$build"
+    ibmcloud ce buildrun submit --build  "$build"
+done

solutions/project/scripts/get-cr-region.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+set -euo pipefail
+
+INPUT=$(cat)
+REGION=$(echo "$INPUT" | jq -r '.REGION')
+RESOURCE_GROUP_ID=$(echo "$INPUT" | jq -r '.RESOURCE_GROUP_ID')
+IBMCLOUD_API_KEY=$(echo "$INPUT" | jq -r '.IBMCLOUD_API_KEY')
+export IBMCLOUD_API_KEY
+
+if [[ -z "${IBMCLOUD_API_KEY}" || "${IBMCLOUD_API_KEY}" == "null" ]]; then
+  echo '{"error": "IBMCLOUD_API_KEY is required"}'
+  exit 0
+fi
+
+if [[ -z "${RESOURCE_GROUP_ID}"  || "${RESOURCE_GROUP_ID}" == "null" ]]; then
+  echo '{"error": "RESOURCE_GROUP_ID is required"}'
+  exit 0
+fi
+
+if [[ -z "${REGION}" || "${REGION}" == "null" ]]; then
+  echo '{"error": "REGION is required"}'
+  exit 0
+fi
+
+if ! ibmcloud login -r "${REGION}" -g "${RESOURCE_GROUP_ID}" --quiet > /dev/null 2>&1; then
+  printf '{"error": "Failed to login using: ibmcloud login -r %s -g %s"}' "$REGION" "$RESOURCE_GROUP_ID"
+  exit 0
+fi
+
+# extract registry value from text "You are targeting region 'us-south', the registry is 'us.icr.io'."
+registry=$(ibmcloud cr region 2>/dev/null | grep registry | sed -E "s/.*registry is '([^']+)'.*/\1/")
+
+# Validate registry value
+if [[ -z "$registry" ]]; then
+  echo '{"error": "Failed to parse registry region from ibmcloud cr region"}'
+  exit 0
+fi
+
+echo "{\"registry\": \"${registry}\"}"

solutions/project/variables.tf

@@ -46,7 +46,7 @@ variable "project_name" {
 variable "builds" {
   description = "A map of code engine builds to be created.[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-code-engine/blob/main/solutions/project/DA-inputs.md#builds)"
   type = map(object({
-    output_image       = string
+    output_image       = optional(string)
     output_secret      = string # pragma: allowlist secret
     source_url         = string
     strategy_type      = string
@@ -61,6 +61,20 @@ variable "builds" {
   default = {}
 }
 
+variable "container_registry_namespace" {
+  description = "The name of the namespace to create in IBM Cloud Container Registry for organizing container images. Used only for builds that do not have output_image set."
+  type        = string
+  default     = null
+
+  validation {
+    condition = alltrue([
+      for build in values(var.builds) :
+      contains(keys(build), "output_image") && build.output_image != null
+    ]) || var.container_registry_namespace != null
+    error_message = "container_registry_namespace is required because at least one build is missing an output_image"
+  }
+}
+
 ##############################################################################
 # Code Engine Domain Mapping
 ##############################################################################

solutions/project/version.tf

@@ -6,5 +6,13 @@ terraform {
       source  = "IBM-Cloud/ibm"
       version = "1.79.2"
     }
+    external = {
+      source  = "hashicorp/external"
+      version = "2.3.5"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "3.2.4"
+    }
   }
 }