From e970ae102c31c500ee1ccd479b55b368ee3d6366 Mon Sep 17 00:00:00 2001 From: Deiwin Sarjas Date: Wed, 24 Jan 2018 02:42:41 +0200 Subject: [PATCH] ecs_ecr: Fix AWS ECR repository creation (#34798) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * ecs_ecr: Remove registry ID from create repository call [Boto3 documentation][1] specifies 'repositoryName' as the only expected argument. The `**build_kwargs(registry_id)` part also adds 'registryId' which, when executed, fails with: 'Unknown parameter in input: “registryId”, must be one of: repositoryName'. [AWS API documentation][2] also lists only the 'repositoryName' parameter. I.e. this is not a problem with the boto3 library. The default registry ID for the account that's making the request will be used when creating the repository. This means that if the `registry_id` specified by the user is different from the default registry ID, then the policy changes following the repository creation would fail, because the repository will have been created in one repository but subsequent calls try to modify it in another. Added a safeguard against this scenario. [1]: https://boto3.readthedocs.io/en/latest/reference/services/ecr.html#ECR.Client.create_repository [2]: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_CreateRepository.html * Fix concurrent ECR integration tests If the `ecr_name` is the same in multiple concurrent test runs, then they can interfere with one another causing both to fail. The `resource_prefix` is guaranteed to be unique for different jobs running in CI and so avoids this issue while also making it easier to identify the test which created the resource. --- lib/ansible/modules/cloud/amazon/ecs_ecr.py | 13 ++++++++++--- test/integration/targets/ecs_ecr/tasks/main.yml | 2 +- 2 files changed, 11 insertions(+), 4 deletions(-) 
diff --git a/lib/ansible/modules/cloud/amazon/ecs_ecr.py b/lib/ansible/modules/cloud/amazon/ecs_ecr.py
index 94d84c18cc..06c4fde843 100644
--- a/lib/ansible/modules/cloud/amazon/ecs_ecr.py
+++ b/lib/ansible/modules/cloud/amazon/ecs_ecr.py
@@ -154,6 +154,9 @@ class EcsEcr:
 self.ecr = boto3_conn(module, conn_type='client',
 resource='ecr', region=region,
 endpoint=ec2_url, **aws_connect_kwargs)
+ self.sts = boto3_conn(module, conn_type='client',
+ resource='sts', region=region,
+ endpoint=ec2_url, **aws_connect_kwargs)
 self.check_mode = module.check_mode
 self.changed = False
 self.skipped = False
@@ -183,10 +186,14 @@ class EcsEcr:
 raise
 def create_repository(self, registry_id, name):
+ if registry_id:
+ default_registry_id = self.sts.get_caller_identity().get('Account')
+ if registry_id != default_registry_id:
+ raise Exception('Cannot create repository in registry {}.'
+ 'Would be created in {} instead.'.format(
+ registry_id, default_registry_id))
 if not self.check_mode:
- repo = self.ecr.create_repository(
- repositoryName=name, **build_kwargs(registry_id)).get(
- 'repository')
+ repo = self.ecr.create_repository(repositoryName=name).get('repository')
 self.changed = True
 return repo
 else:
diff --git a/test/integration/targets/ecs_ecr/tasks/main.yml b/test/integration/targets/ecs_ecr/tasks/main.yml
index b21c291bf1..6e95f40683 100644
--- a/test/integration/targets/ecs_ecr/tasks/main.yml
+++ b/test/integration/targets/ecs_ecr/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - set_fact:
- ecr_name: 'ecr-test-{{ ansible_date_time.epoch }}'
+ ecr_name: '{{ resource_prefix }}-ecr'
 - block:
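Review bot: The new STS client in the first ecs_ecr.py hunk is built with `endpoint=ec2_url`, the same override that is passed to the ECR client just above it. If that override is ever set to a service-specific endpoint, `get_caller_identity()` would presumably be sent to the wrong service, and the registry guard would then fail for a reason unrelated to the registry ID. Consider creating the STS client without the endpoint override, or documenting that the override must be left unset for this module. A short comment such as `# STS is only used to resolve the caller's account ID for the registry_id guard` would also explain why a second client is created here; the constructor starts and ends outside the hunk.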
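Review bot: The two adjacent string literals in the new `raise` in create_repository are joined without a separator, so the message renders as `...in registry {}.Would be created in {} instead.`; the first literal should end with a space, `'Cannot create repository in registry {}. '`. The comparison `registry_id != default_registry_id` assumes both sides are strings: if the module's argument spec (not visible in this hunk) lets an unquoted account ID through as an integer, the guard would reject every explicit registry_id, so normalising with `str(registry_id)` or a comment stating the expected type would help. The guard raises a bare `Exception`, and whether that reaches the user as a clean module failure depends on the caller, which is outside the hunk. It is also worth a docstring line noting that the check runs before the `check_mode` test, so check mode still performs the STS call.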