feat(tf): ECR repository and image deployment

Add container image repository creation and build+push to Terraform
deployment. TODO: Does not include docs update.

Author: athewsey

infra/main.tf

@@ -1,9 +1,19 @@
+# Agent Container Image
+module "container_image" {
+  source = "./modules/container-image"
+
+  force_image_rebuild = var.force_image_rebuild
+  image_build_tool    = var.container_image_build_tool
+  repository_name     = "langgraph-cx-agent"
+}
+
 # Bedrock Agent Role
 module "bedrock_role" {
-  source            = "./modules/agentcore-iam-role"
-  role_name         = var.bedrock_role_name
-  knowledge_base_id = module.kb_stack.knowledge_base_id
-  guardrail_id      = module.guardrail.guardrail_id
+  source                   = "./modules/agentcore-iam-role"
+  container_repository_arn = module.container_image.ecr_repository_arn
+  role_name                = var.bedrock_role_name
+  knowledge_base_id        = module.kb_stack.knowledge_base_id
+  guardrail_id             = module.guardrail.guardrail_id
 }
 
 # Knowledge Base Stack

infra/modules/agentcore-iam-role/bedrock-agentcore-policy.tf

@@ -34,9 +34,13 @@ resource "aws_iam_policy" "ecr_permissions" {
           "ecr:BatchGetImage",
           "ecr:GetDownloadUrlForLayer"
         ]
-        Resource = [
-          "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/*"
-        ]
+        Resource = (
+          var.container_repository_arn == "" ?
+          [
+            "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/*"
+          ] :
+          [var.container_repository_arn]
+        )
       },
       {
         Sid    = "ECRTokenAccess"

infra/modules/agentcore-iam-role/variables.tf

@@ -3,6 +3,12 @@ variable "role_name" {
   type        = string
 }
 
+variable "container_repository_arn" {
+  description = "ARN of specific Amazon ECR repository to grant access (default: all)"
+  default     = ""
+  type        = string
+}
+
 variable "knowledge_base_id" {
   description = "Knowledge Base ID to restrict access to"
   type        = string

infra/modules/container-image/main.tf

@@ -0,0 +1,40 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+locals {
+  image_src_path = "${path.root}/${var.relative_image_src_path}"
+  image_src_hash = sha512(
+    join(
+      "",
+      # TODO: Find a way to exclude .venv, dist, and potentially other subfolders:
+      [for f in fileset(".", "${local.image_src_path}/**") : filesha512(f)]
+    )
+  )
+
+  image_build_extra_args = "--platform linux/arm64"
+  image_build_push_cmd = <<-EOT
+    aws ecr get-login-password | ${var.image_build_tool} login --username AWS \
+      --password-stdin ${aws_ecr_repository.ecr_repository.repository_url} &&
+    ${var.image_build_tool} build ${local.image_build_extra_args} \
+      -t ${aws_ecr_repository.ecr_repository.repository_url}:${var.image_tag} \
+      ${local.image_src_path} &&
+    ${var.image_build_tool} push ${aws_ecr_repository.ecr_repository.repository_url}:${var.image_tag}
+  EOT
+}
+
+resource "aws_ecr_repository" "ecr_repository" {
+  name = var.repository_name
+}
+
+resource "terraform_data" "ecr_image" {
+  triggers_replace = [
+    aws_ecr_repository.ecr_repository.id,
+    var.force_image_rebuild == true ? timestamp() : local.image_src_hash
+  ]
+
+  input = "${aws_ecr_repository.ecr_repository.repository_url}:${var.image_tag}"
+
+  provisioner "local-exec" {
+    command = local.image_build_push_cmd
+  }
+}

infra/modules/container-image/outputs.tf

@@ -0,0 +1,14 @@
+output "ecr_repository_arn" {
+  description = "ARN of the Amazon ECR repository for the agent container image"
+  value       = aws_ecr_repository.ecr_repository.arn
+}
+
+output "ecr_repository_uri" {
+  description = "URI of the Amazon ECR repository for the agent container image"
+  value       = aws_ecr_repository.ecr_repository.repository_url
+}
+
+output "ecr_image_uri" {
+  description = "URI of the Amazon ECR repository for the agent container image"
+  value       = terraform_data.ecr_image.output
+}

infra/modules/container-image/variables.tf

@@ -0,0 +1,28 @@
+variable "force_image_rebuild" {
+  description = "Set true to force rebuild & push of image to ECR even if source appears unchanged"
+  default     = false
+  type        = bool
+}
+
+variable "image_build_tool" {
+  description = "Either 'docker' or a Docker-compatible alternative e.g. 'finch'"
+  default     = "docker"
+  type        = string
+}
+
+variable "relative_image_src_path" {
+  description = "Path to container image source folder, relative to Terraform root"
+  default     = "../cx-agent-backend"
+  type        = string
+}
+
+variable "image_tag" {
+  description = "Tag to apply to the pushed container image in Amazon ECR"
+  default     = "latest"
+  type        = string
+}
+
+variable "repository_name" {
+  description = "Name of the Amazon ECR repository to create and deploy the image to"
+  type        = string
+}

infra/terraform.tfvars.example

@@ -1,3 +1,7 @@
+# Container Image Build Variables
+## Uncomment the below line if you use 'finch' instead of Docker:
+# container_image_build_tool = "finch"
+
 # Bedrock Role Variables
 bedrock_role_name = "agentic-ai-bedrock-role"
 

infra/variables.tf

@@ -1,3 +1,16 @@
+# Container Image Variables
+variable "force_image_rebuild" {
+  description = "Set true to force rebuild+push of container image even if source seems unchanged"
+  default     = false
+  type        = bool
+}
+
+variable "container_image_build_tool" {
+  description = "Either 'docker' or a Docker-compatible alternative e.g. 'finch'"
+  default     = "docker"
+  type        = string
+}
+
 # Bedrock Role Variables
 variable "bedrock_role_name" {
   description = "Name of the Bedrock agent role"