ecs_ecr: Fix AWS ECR repository creation (#34798)

* ecs_ecr: Remove registry ID from create repository call [Boto3 documentation][1] specifies 'repositoryName' as the only expected argument. The `**build_kwargs(registry_id)` part also adds 'registryId' which, when executed, fails with: 'Unknown parameter in input: “registryId”, must be one of: repositoryName'. [AWS API documentation][2] also lists only the 'repositoryName' parameter. I.e. this is not a problem with the boto3 library. The default registry ID for the account that's making the request will be used when creating the rpository. This means that if the `registry_id` specified by the user is different from the default registry ID, then the policy changes following the repository creation would fail, because the repository will have been created in one repository but subsequent calls try to modify it in another. Added a safeguard against this scenario. [1]: https://boto3.readthedocs.io/en/latest/reference/services/ecr.html#ECR.Client.create_repository [2]: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_CreateRepository.html * Fix concurrent ECR integration tests If the `ecr_name` is the same in multiple concurrent test runs, then they can interfere with one another causing both to fail. The `resource_prefix` is guaranteed to be unique for different jobs running in CI an so avoids this issue while also making it easier to identify the test which created the resource.
2018-01-24 02:42:41 +02:00 · 2018-01-24 02:42:41 +02:00 · e970ae102c
commit e970ae102c
parent ff2ad89081
2 changed files with 11 additions and 4 deletions
--- a/lib/ansible/modules/cloud/amazon/ecs_ecr.py
+++ b/lib/ansible/modules/cloud/amazon/ecs_ecr.py
@ -154,6 +154,9 @@ class EcsEcr:
        self.ecr = boto3_conn(module, conn_type='client',
                              resource='ecr', region=region,
                              endpoint=ec2_url, **aws_connect_kwargs)
+        self.sts = boto3_conn(module, conn_type='client',
+                              resource='sts', region=region,
+                              endpoint=ec2_url, **aws_connect_kwargs)
        self.check_mode = module.check_mode
        self.changed = False
        self.skipped = False
@ -183,10 +186,14 @@ class EcsEcr:
            raise

    def create_repository(self, registry_id, name):
+        if registry_id:
+            default_registry_id = self.sts.get_caller_identity().get('Account')
+            if registry_id != default_registry_id:
+                raise Exception('Cannot create repository in registry {}.'
+                                'Would be created in {} instead.'.format(
+                                    registry_id, default_registry_id))
        if not self.check_mode:
-            repo = self.ecr.create_repository(
-                repositoryName=name, **build_kwargs(registry_id)).get(
-                'repository')
+            repo = self.ecr.create_repository(repositoryName=name).get('repository')
            self.changed = True
            return repo
        else:
--- a/test/integration/targets/ecs_ecr/tasks/main.yml
+++ b/test/integration/targets/ecs_ecr/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - set_fact:
-    ecr_name: 'ecr-test-{{ ansible_date_time.epoch }}'
+    ecr_name: '{{ resource_prefix }}-ecr'

 - block: