29939383e6
Since 2019 jul. 26, AWS Elastic Container Registry can be configured to be immutable that prevent overwritting of an existing tag in the registry. https://aws.amazon.com/fr/about-aws/whats-new/2019/07/amazon-ecr-now-supports-immutable-image-tags/ https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html By default, ecr is created MUTABLE, as this was the only option before this feature. This module leverage new capabilities of boto3 to configure image_tag_mutability option. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ecr.html#ECR.Client.put_image_tag_mutability The image_tag_mutability option definition was inspired by existing terraform module. https://www.terraform.io/docs/providers/aws/r/ecr_repository.html
417 lines
11 KiB
YAML
417 lines
11 KiB
YAML
---
|
|
- set_fact:
|
|
ecr_name: '{{ resource_prefix }}-ecr'
|
|
|
|
- block:
|
|
|
|
- name: When creating with check mode
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
check_mode: yes
|
|
|
|
- name: it should skip, change and create
|
|
assert:
|
|
that:
|
|
- result is skipped
|
|
- result is changed
|
|
- result.created
|
|
|
|
|
|
- name: When specifying a registry that is inaccessible
|
|
ecs_ecr:
|
|
registry_id: 999999999999
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: it should fail with an AccessDeniedException
|
|
assert:
|
|
that:
|
|
- result is failed
|
|
- '"AccessDeniedException" in result.msg'
|
|
|
|
|
|
- name: When creating a repository
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
|
|
- name: it should change and create
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.created
|
|
|
|
- name: it should have been configured as mutable by default
|
|
assert:
|
|
that:
|
|
- result.repository.imageTagMutability == "MUTABLE"
|
|
|
|
|
|
- name: When creating a repository that already exists in check mode
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
check_mode: yes
|
|
|
|
- name: it should not skip, should not change
|
|
assert:
|
|
that:
|
|
- result is not skipped
|
|
- result is not changed
|
|
|
|
|
|
- name: When creating a repository that already exists
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
|
|
- name: it should not change
|
|
assert:
|
|
that:
|
|
- result is not changed
|
|
|
|
|
|
- name: When in check mode, and deleting a policy that does not exist
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
delete_policy: yes
|
|
register: result
|
|
check_mode: yes
|
|
|
|
- name: it should not skip and not change
|
|
assert:
|
|
that:
|
|
- result is not skipped
|
|
- result is not changed
|
|
|
|
|
|
- name: When in check mode, setting policy on a repository that has no policy
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
policy: '{{ policy }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
check_mode: yes
|
|
|
|
- name: it should skip, change and not create
|
|
assert:
|
|
that:
|
|
- result is skipped
|
|
- result is changed
|
|
- not result.created
|
|
|
|
|
|
- name: When setting policy on a repository that has no policy
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
policy: '{{ policy }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
|
|
- name: it should change and not create
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- not result.created
|
|
|
|
|
|
- name: When in check mode, and deleting a policy that exists
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
delete_policy: yes
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
check_mode: yes
|
|
|
|
- name: it should skip, change but not create
|
|
assert:
|
|
that:
|
|
- result is skipped
|
|
- result is changed
|
|
- not result.created
|
|
|
|
|
|
- name: When deleting a policy that exists
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
delete_policy: yes
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
|
|
- name: it should change and not create
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- not result.created
|
|
|
|
|
|
- name: When setting a policy as a string
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
policy: '{{ policy | to_json }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
|
|
- name: it should change and not create
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- not result.created
|
|
|
|
|
|
- name: When setting a policy to its current value
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
policy: '{{ policy }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
|
|
- name: it should not change
|
|
assert:
|
|
that:
|
|
- result is not changed
|
|
|
|
|
|
- name: When omitting policy on a repository that has a policy
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
|
|
- name: it should not change
|
|
assert:
|
|
that:
|
|
- result is not changed
|
|
|
|
|
|
- name: When specifying both policy and delete_policy
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
policy: '{{ policy }}'
|
|
delete_policy: yes
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: it should fail
|
|
assert:
|
|
that:
|
|
- result is failed
|
|
|
|
|
|
- name: When specifying invalid JSON for policy
|
|
ecs_ecr:
|
|
region: '{{ ec2_region }}'
|
|
name: '{{ ecr_name }}'
|
|
policy_text: "Ceci n'est pas une JSON"
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
ignore_errors: true
|
|
|
|
- name: it should fail
|
|
assert:
|
|
that:
|
|
- result is failed
|
|
|
|
|
|
- name: When in check mode, deleting a policy that exists
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
state: absent
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
check_mode: yes
|
|
|
|
- name: it should skip, change and not create
|
|
assert:
|
|
that:
|
|
- result is skipped
|
|
- result is changed
|
|
- not result.created
|
|
|
|
|
|
- name: When deleting a policy that exists
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
state: absent
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
|
|
- name: it should change
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
|
|
|
|
- name: When in check mode, deleting a policy that does not exist
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
state: absent
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
check_mode: yes
|
|
|
|
- name: it should not change
|
|
assert:
|
|
that:
|
|
- result is not skipped
|
|
- result is not changed
|
|
|
|
|
|
- name: When deleting a policy that does not exist
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
state: absent
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
register: result
|
|
|
|
- name: it should not change
|
|
assert:
|
|
that:
|
|
- result is not changed
|
|
|
|
- name: When creating an immutable repository
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
image_tag_mutability: immutable
|
|
register: result
|
|
|
|
- name: it should change and create
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.created
|
|
|
|
- name: it should have been configured as immutable
|
|
assert:
|
|
that:
|
|
- result.repository.imageTagMutability == "IMMUTABLE"
|
|
|
|
|
|
- name: When configuring an existing immutable repository to be mutable in check mode
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
image_tag_mutability: mutable
|
|
register: result
|
|
check_mode: yes
|
|
|
|
- name: it should skip, change and configured mutable
|
|
assert:
|
|
that:
|
|
- result is skipped
|
|
- result is changed
|
|
- result.repository.imageTagMutability == "MUTABLE"
|
|
|
|
- name: When configuring an existing immutable repository to be mutable
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
image_tag_mutability: mutable
|
|
register: result
|
|
|
|
- name: it should change and configured mutable
|
|
assert:
|
|
that:
|
|
- result is changed
|
|
- result.repository.imageTagMutability == "MUTABLE"
|
|
|
|
- name: When configuring an already mutable repository to be mutable
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|
|
image_tag_mutability: mutable
|
|
register: result
|
|
|
|
- name: it should not change
|
|
assert:
|
|
that:
|
|
- result is not changed
|
|
|
|
always:
|
|
|
|
- name: Delete lingering ECR repository
|
|
ecs_ecr:
|
|
name: '{{ ecr_name }}'
|
|
region: '{{ ec2_region }}'
|
|
state: absent
|
|
ec2_access_key: '{{ec2_access_key}}'
|
|
ec2_secret_key: '{{ec2_secret_key}}'
|
|
security_token: '{{security_token}}'
|