feat: provision all ressources to schedule purge

Author: benoit-garcia

README.md

@@ -23,12 +23,20 @@ module "my_registry" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 0.13 |
+| <a name="requirement_archive"></a> [archive](#requirement_archive) | >= 2.0.0 |
 | <a name="requirement_scaleway"></a> [scaleway](#requirement_scaleway) | >= 2.0.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [archive_file.registry_purge](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/resources/file) | resource |
+| [scaleway_function.registry_purge](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/function) | resource |
+| [scaleway_function_cron.registry_purge](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/function_cron) | resource |
+| [scaleway_function_namespace.maintenance](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/function_namespace) | resource |
+| [scaleway_iam_api_key.registry_purge](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_api_key) | resource |
+| [scaleway_iam_application.registry_purge](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_application) | resource |
+| [scaleway_iam_policy.registry_purge](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/iam_policy) | resource |
 | [scaleway_registry_namespace.this](https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/registry_namespace) | resource |
 
 ## Inputs
@@ -39,14 +47,25 @@ module "my_registry" {
 | <a name="input_description"></a> [description](#input_description) | Description of the namespace. | `string` | `null` | no |
 | <a name="input_is_public"></a> [is_public](#input_is_public) | Whether the images stored in the namespace should be downloadable publicly (docker pull). | `bool` | `false` | no |
 | <a name="input_project_id"></a> [project_id](#input_project_id) | ID of the project the namespace is associated with. Ressource will be created in the project set at the provider level if null. | `string` | `null` | no |
+| <a name="input_purge_dry_run"></a> [purge_dry_run](#input_purge_dry_run) | Prevent deletion of tags & images. | `bool` | `true` | no |
+| <a name="input_purge_log_level"></a> [purge_log_level](#input_purge_log_level) | Log Level of the purge function. Refer to the Go [slog package documentation](https://pkg.go.dev/log/slog#Level) for accepted values | `number` | `0` | no |
+| <a name="input_purge_preserve_tag_patterns"></a> [purge_preserve_tag_patterns](#input_purge_preserve_tag_patterns) | List of regex patterns for tags to preserve. By default, preserves semantic versioning tags. | `list(string)` | ```[ "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" ]``` | no |
+| <a name="input_purge_retention_days"></a> [purge_retention_days](#input_purge_retention_days) | Number of days to keep images before deletion. | `number` | `30` | no |
+| <a name="input_purge_schedule"></a> [purge_schedule](#input_purge_schedule) | Cron schedule for the cleanup function. Set to empty string to disable scheduled cleanup. | `string` | `"0 0 * * *"` | no |
+| <a name="input_purge_timeout"></a> [purge_timeout](#input_purge_timeout) | Timeout for the cleanup function in seconds. | `number` | `300` | no |
 | <a name="input_region"></a> [region](#input_region) | Region in which the namespace should be created. Ressource will be created in the region set at the provider level if null. | `string` | `null` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| <a name="output_cleanup_application_id"></a> [cleanup_application_id](#output_cleanup_application_id) | ID of the IAM application for the cleanup function. |
+| <a name="output_cleanup_cron_id"></a> [cleanup_cron_id](#output_cleanup_cron_id) | ID of the cron trigger for the cleanup function. |
+| <a name="output_cleanup_function_endpoint"></a> [cleanup_function_endpoint](#output_cleanup_function_endpoint) | Endpoint URL of the cleanup function. |
 | <a name="output_endpoint"></a> [endpoint](#output_endpoint) | URL of the namespace. |
 | <a name="output_id"></a> [id](#output_id) | ID of the namespace. |
+| <a name="output_maintenance_namespace_id"></a> [maintenance_namespace_id](#output_maintenance_namespace_id) | ID of the maintenance function namespace. |
+| <a name="output_purge_function_id"></a> [purge_function_id](#output_purge_function_id) | ID of the cleanup function. |
 <!-- END_TF_DOCS -->
 
 ## Authors

functions.tf

@@ -0,0 +1,84 @@
+# Create a serverless namespace for maintenance functions
+resource "scaleway_function_namespace" "maintenance" {
+  name        = format("%s-maintenance", var.name)
+  description = format("Namespace for maintenance functions for %s registry", var.name)
+  project_id  = scaleway_registry_namespace.this.project_id
+  region      = scaleway_registry_namespace.this.region
+}
+
+# Create an IAM application for the function
+resource "scaleway_iam_application" "registry_purge" {
+  name        = format("%s-registry-cleanup", var.name)
+  description = "Application for registry cleanup function"
+}
+
+# Create an IAM policy to allow the function to access the registry
+resource "scaleway_iam_policy" "registry_purge" {
+  name           = format("%s-registry-cleanup-policy", var.name)
+  description    = "Policy for registry cleanup function"
+  application_id = scaleway_iam_application.registry_purge.id
+
+  # Rule to allow the function to read and delete images in the registry namespace
+  rule {
+    project_ids          = [scaleway_registry_namespace.this.project_id]
+    permission_set_names = ["ContainerRegistryFullAccess"]
+  }
+}
+
+# Create an API key for the function
+resource "scaleway_iam_api_key" "registry_purge" {
+  application_id     = scaleway_iam_application.registry_purge.id
+  description        = "API key for registry cleanup function"
+  default_project_id = scaleway_registry_namespace.this.project_id
+}
+
+# Archive the function code
+resource "archive_file" "registry_purge" {
+  type        = "zip"
+  source_dir  = "${path.module}/functions/purge"
+  output_path = "${path.module}/functions/purge.zip"
+  excludes    = [".git", ".gitignore", "README.md", "vendor"]
+}
+
+# Deploy the function
+resource "scaleway_function" "registry_purge" {
+  name         = "purge-old-images"
+  description  = "Purges old images from the container registry namespace"
+  deploy       = true
+  namespace_id = scaleway_function_namespace.maintenance.id
+  handler      = "Handle"
+  http_option  = "redirected"
+  privacy      = "private"
+  runtime      = "go123"
+  timeout      = var.purge_timeout
+
+  memory_limit = 128
+  max_scale    = 1
+  min_scale    = 0
+
+  zip_file = archive_file.registry_purge.output_path
+  zip_hash = archive_file.registry_purge.output_sha256
+
+  environment_variables = {
+    REGISTRY_NAMESPACE    = var.name
+    RETENTION_DAYS        = var.purge_retention_days
+    PRESERVE_TAG_PATTERNS = join(",", var.purge_preserve_tag_patterns)
+    DRY_RUN               = var.purge_dry_run
+    LOG_LEVEL             = var.purge_log_level
+  }
+
+  secret_environment_variables = {
+    REGISTRY_ACCESS_KEY = scaleway_iam_api_key.registry_purge.access_key
+    REGISTRY_SECRET_KEY = scaleway_iam_api_key.registry_purge.secret_key
+    REGISTRY_PROJECT_ID = scaleway_registry_namespace.this.project_id
+    REGISTRY_REGION     = scaleway_registry_namespace.this.region
+  }
+}
+
+# Create a cron trigger for the function only if cleanup_schedule is not empty
+resource "scaleway_function_cron" "registry_purge" {
+  count       = var.purge_schedule != "" ? 1 : 0
+  function_id = scaleway_function.registry_purge.id
+  schedule    = var.purge_schedule
+  args        = "{}"
+}

outputs.tf

@@ -7,3 +7,29 @@ output "endpoint" {
   description = "URL of the namespace."
   value       = scaleway_registry_namespace.this.endpoint
 }
+
+output "maintenance_namespace_id" {
+  description = "ID of the maintenance function namespace."
+  value       = scaleway_function_namespace.maintenance.id
+}
+
+# Cleanup function outputs
+output "purge_function_id" {
+  description = "ID of the cleanup function."
+  value       = scaleway_function.registry_purge.id
+}
+
+output "cleanup_function_endpoint" {
+  description = "Endpoint URL of the cleanup function."
+  value       = scaleway_function.registry_purge.domain_name
+}
+
+output "cleanup_application_id" {
+  description = "ID of the IAM application for the cleanup function."
+  value       = scaleway_iam_application.registry_purge.id
+}
+
+output "cleanup_cron_id" {
+  description = "ID of the cron trigger for the cleanup function."
+  value       = var.purge_schedule != "" ? scaleway_function_cron.registry_purge[0].id : null
+}

variables.tf

@@ -26,3 +26,40 @@ variable "project_id" {
   type        = string
   default     = null
 }
+
+# Purge function variables
+variable "purge_retention_days" {
+  description = "Number of days to keep images before deletion."
+  type        = number
+  default     = 30
+}
+
+variable "purge_preserve_tag_patterns" {
+  description = "List of regex patterns for tags to preserve. By default, preserves semantic versioning tags."
+  type        = list(string)
+  default     = ["^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$"]
+}
+
+variable "purge_schedule" {
+  description = "Cron schedule for the cleanup function. Set to empty string to disable scheduled cleanup."
+  type        = string
+  default     = "0 0 * * *"
+}
+
+variable "purge_timeout" {
+  description = "Timeout for the cleanup function in seconds."
+  type        = number
+  default     = 300
+}
+
+variable "purge_dry_run" {
+  description = "Prevent deletion of tags & images."
+  type        = bool
+  default     = true
+}
+
+variable "purge_log_level" {
+  description = "Log Level of the purge function. Refer to the Go [slog package documentation](https://pkg.go.dev/log/slog#Level) for accepted values"
+  type        = number
+  default     = 0
+}

versions.tf

@@ -5,5 +5,9 @@ terraform {
       source  = "scaleway/scaleway"
       version = ">= 2.0.0"
     }
+    archive = {
+      source  = "hashicorp/archive"
+      version = ">= 2.0.0"
+    }
   }
 }