image-copy-X: improve READMEs

Signed-off-by: Jason Hall <jason@chainguard.dev>

image-copy-ecr/README.md

@@ -2,6 +2,28 @@
 
 This sets up a Lambda function to listen for `registry.push` events to a private Chainguard Registry group, and mirrors those new images to a repository in Elastic Container Registry.
 
+### Usage
+
+You can use this terraform module to deploy this integration by instantiating
+it like this:
+
+```
+module "image-copy" {
+  source = "github.com/chainguard-dev/enforce-events//image-copy-ecr/iac"
+
+  # The Chainguard IAM group from which we expect to receive events.
+  # This is used to authenticate that the Chainguard events are intended
+  # for you, and not another user.
+  # Images pushed to repos under this group will be mirrored to Artifact Registry.
+  group = "<group-id>"
+
+  # This is the location in ECR where images will be mirrored.
+  # For example: pushes to cgr.dev/<group>/foo:1.2.3 will be mirrored to
+  # <account>.dkr.ecr.<region>.amazonaws.com/<dst_repo>/foo:1.2.3
+  dst_repo = "mirrored/images"
+}
+```
+
 The Terraform does everything:
 
 - builds the mirroring app into an image using `ko_build`
@@ -10,7 +32,7 @@ The Terraform does everything:
 - allows the Lambda function to assume the puller identity and push to ECR
 - sets up a subscription to notify the Lambda function when pushes happen to cgr.dev
 
-## Setup
+### Setup
 
 ```sh
 aws sso login --profile my-profile
@@ -19,31 +41,10 @@ terraform init
 terraform apply
 ```
 
-This will prompt for a group ID and destination repo, and show you the resources it will create.
-
 When the resources are created, any images that are pushed to your group will be mirrored to the ECR repository.
 
 The Lambda function has minimal permissions: it's only allowed to push images to the destination repo and its sub-repos.
 
 The Chainguard identity also has minimal permissions: it only has permission to pull from the source repo.
 
 To tear down resources, run `terraform destroy`.
-
-## Demo
-
-After setting up the infrastructure as described above:
-
-```sh
-crane cp random.kontain.me/random cgr.dev/<org>/random:hello-demo
-```
-
-This pulls a randomly generated image from `kontain.me` and pushes it to your private registry.
-
-The Lambda function you set up will fire and copy the image to ECR. A few seconds later:
-
-```sh
-crane ls <account-id>.dkr.ecr.<region>.amazonaws.com/<dst-repo>/random
-hello-demo
-```
-
-It worked! 🎉

image-copy-gcr/README.md

@@ -28,8 +28,8 @@ module "image-copy" {
   group = "<group-id>"
 
   # This is the location in Artifact Registry where images will be mirrored.
-  # For example: pushes to cgr.dev/<group>/foo will be mirrored to
-  # <location>-docker.pkg.dev/<project_id>/<dst_repo>/foo.
+  # For example: pushes to cgr.dev/<group>/foo:1.2.3 will be mirrored to
+  # <location>-docker.pkg.dev/<project_id>/<dst_repo>/foo:1.2.3
   dst_repo = "mirrored/images"
 
   # Location of the Artifact Registry repository, and the Cloud Run subscriber.
@@ -46,3 +46,20 @@ The Terraform does everything:
 - sets up a Chainguard Identity with permissions to pull from the private cgr.dev repo
 - allows the Cloud Run service's SA to assume the puller identity
 - sets up a subscription to notify the Cloud Run service when pushes happen to cgr.dev
+
+### Setup
+
+```sh
+gcloud auth application-default login
+chainctl auth login
+terraform init
+terraform apply
+```
+
+When the resources are created, any images that are pushed to your group will be mirrored to the GCR repository.
+
+The Cloud Run app has minimal permissions: it's only allowed to push images.
+
+The Chainguard identity also has minimal permissions: it only has permission to pull from the source repo.
+
+To tear down resources, run `terraform destroy`.