Merge pull request #588 from wri/gtc-2958b

GTC-2958 Tag Docker image from docker hash, so it always exists

.dockerignore

@@ -6,7 +6,6 @@
 # MyPy
 .mypy_cache/*
 
-# Docker Files
 docker-compose.dev.yml
 docker-compose.prod.yml
 docker-compose.test.yml

terraform/data.tf

@@ -193,3 +193,10 @@ data "template_file" "step_function_policy" {
     raster_analysis_state_machine_arn = data.terraform_remote_state.raster_analysis_lambda.outputs.raster_analysis_state_machine_arn
   }
 }
+
+# Hash of the contents of the FastAPI app docker. The docker commands run in the main
+# directory (parent directory of terraform directory), and the Docker file is in the
+# same directory.
+data "external" "hash" {
+  program = ["${path.root}/scripts/hash.sh", "${path.root}/../", "."]
+}

terraform/main.tf

@@ -26,7 +26,13 @@ locals {
   aurora_instance_class = data.terraform_remote_state.core.outputs.aurora_cluster_instance_class
   aurora_max_vcpus      = local.aurora_instance_class == "db.t3.medium" ? 2 : local.aurora_instance_class == "db.r6g.large" ? 2 : local.aurora_instance_class == "db.r6g.xlarge" ? 4 : local.aurora_instance_class == "db.r6g.2xlarge" ? 8 : local.aurora_instance_class == "db.r6g.4xlarge" ? 16 : local.aurora_instance_class == "db.r6g.8xlarge" ? 32 : local.aurora_instance_class == "db.r6g.16xlarge" ? 64 : local.aurora_instance_class == "db.r5.large" ? 2 : local.aurora_instance_class == "db.r5.xlarge" ? 4 : local.aurora_instance_class == "db.r5.2xlarge" ? 8 : local.aurora_instance_class == "db.r5.4xlarge" ? 16 : local.aurora_instance_class == "db.r5.8xlarge" ? 32 : local.aurora_instance_class == "db.r5.12xlarge" ? 48 : local.aurora_instance_class == "db.r5.16xlarge" ? 64 : local.aurora_instance_class == "db.r5.24xlarge" ? 96 : ""
   service_url           = var.environment == "dev" ? "http://${module.fargate_autoscaling.lb_dns_name}" : var.service_url
-  container_tag         = substr(var.git_sha, 0, 7)
+  # The container_registry module only pushes a new Docker image if the docker hash
+  # computed by its hash.sh script has changed. So, we make the container tag exactly
+  # be that hash. Therefore, we will know that either the previous docker with the
+  # same contents and tag will already exist, if nothing has changed in the docker
+  # image, or the container registry module will push a new docker with the tag we
+  # want.
+  container_tag         = lookup(data.external.hash.result, "hash")
   lb_dns_name           = coalesce(module.fargate_autoscaling.lb_dns_name, var.lb_dns_name)
 }
 

terraform/scripts/hash.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+# 
+# Calculates hash of Docker image source contents
+#
+# Must be identical to the script that is used by the
+# gfw-terraform-modules:terraform/modules/container_registry Terraform module.
+#
+# Usage:
+#
+# $ ./hash.sh .
+#
+
+set -e
+
+pushd () {
+    command pushd "$@" > /dev/null
+}
+
+popd () {
+    command popd "$@" > /dev/null
+}
+
+ROOT_DIR=${1:-.}
+DOCKER_PATH=${2:-.}
+IGNORE="${DOCKER_PATH}/.dockerignore"
+
+pushd "$ROOT_DIR"
+
+# Hash all source files of the Docker image
+if [ -f "$IGNORE" ]; then
+    # We don't want to compute hashes for files listed in .dockerignore
+    # to match regex pattern we need to escape leading .
+    a=$(printf "! -regex ^./%s.* " `< .dockerignore`)
+    b=${a//\/.//\\\.}
+
+    file_hashes="$(
+       find . -type f $b -exec md5sum {} \;
+  )"
+else
+  # Exclude Python cache files, dot files
+  file_hashes="$(
+        find . -type f -not -name '*.pyc' -not -path './.**' -exec md5sum {} \;
+  )"
+fi
+
+popd
+
+hash="$(echo "$file_hashes" | md5sum | cut -d' ' -f1)"
+
+echo '{ "hash": "'"$hash"'" }'