ansible/test/integration/targets/ecs_ecr/tasks/main.yml
Benjamin Brabant 29939383e6 Improve ecs_ecr module to handle image_tag_mutability feature (#62871)
Since 2019 jul. 26, AWS Elastic Container Registry can be configured to be immutable that prevent overwritting of an existing tag in the registry.
https://aws.amazon.com/fr/about-aws/whats-new/2019/07/amazon-ecr-now-supports-immutable-image-tags/
https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html

By default, ecr is created MUTABLE, as this was the only option before this feature.
This module leverage new capabilities of boto3 to configure image_tag_mutability option.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ecr.html#ECR.Client.put_image_tag_mutability

The image_tag_mutability option definition was inspired by existing terraform module.
https://www.terraform.io/docs/providers/aws/r/ecr_repository.html
2019-10-11 09:13:13 -07:00

417 lines
11 KiB
YAML

---
- set_fact:
ecr_name: '{{ resource_prefix }}-ecr'
- block:
- name: When creating with check mode
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
check_mode: yes
- name: it should skip, change and create
assert:
that:
- result is skipped
- result is changed
- result.created
- name: When specifying a registry that is inaccessible
ecs_ecr:
registry_id: 999999999999
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
ignore_errors: true
- name: it should fail with an AccessDeniedException
assert:
that:
- result is failed
- '"AccessDeniedException" in result.msg'
- name: When creating a repository
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
- name: it should change and create
assert:
that:
- result is changed
- result.created
- name: it should have been configured as mutable by default
assert:
that:
- result.repository.imageTagMutability == "MUTABLE"
- name: When creating a repository that already exists in check mode
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
check_mode: yes
- name: it should not skip, should not change
assert:
that:
- result is not skipped
- result is not changed
- name: When creating a repository that already exists
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
- name: it should not change
assert:
that:
- result is not changed
- name: When in check mode, and deleting a policy that does not exist
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
delete_policy: yes
register: result
check_mode: yes
- name: it should not skip and not change
assert:
that:
- result is not skipped
- result is not changed
- name: When in check mode, setting policy on a repository that has no policy
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
policy: '{{ policy }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
check_mode: yes
- name: it should skip, change and not create
assert:
that:
- result is skipped
- result is changed
- not result.created
- name: When setting policy on a repository that has no policy
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
policy: '{{ policy }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
- name: it should change and not create
assert:
that:
- result is changed
- not result.created
- name: When in check mode, and deleting a policy that exists
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
delete_policy: yes
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
check_mode: yes
- name: it should skip, change but not create
assert:
that:
- result is skipped
- result is changed
- not result.created
- name: When deleting a policy that exists
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
delete_policy: yes
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
- name: it should change and not create
assert:
that:
- result is changed
- not result.created
- name: When setting a policy as a string
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
policy: '{{ policy | to_json }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
- name: it should change and not create
assert:
that:
- result is changed
- not result.created
- name: When setting a policy to its current value
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
policy: '{{ policy }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
- name: it should not change
assert:
that:
- result is not changed
- name: When omitting policy on a repository that has a policy
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
- name: it should not change
assert:
that:
- result is not changed
- name: When specifying both policy and delete_policy
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
policy: '{{ policy }}'
delete_policy: yes
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
ignore_errors: true
- name: it should fail
assert:
that:
- result is failed
- name: When specifying invalid JSON for policy
ecs_ecr:
region: '{{ ec2_region }}'
name: '{{ ecr_name }}'
policy_text: "Ceci n'est pas une JSON"
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
ignore_errors: true
- name: it should fail
assert:
that:
- result is failed
- name: When in check mode, deleting a policy that exists
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
state: absent
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
check_mode: yes
- name: it should skip, change and not create
assert:
that:
- result is skipped
- result is changed
- not result.created
- name: When deleting a policy that exists
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
state: absent
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
- name: it should change
assert:
that:
- result is changed
- name: When in check mode, deleting a policy that does not exist
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
state: absent
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
check_mode: yes
- name: it should not change
assert:
that:
- result is not skipped
- result is not changed
- name: When deleting a policy that does not exist
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
state: absent
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
register: result
- name: it should not change
assert:
that:
- result is not changed
- name: When creating an immutable repository
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
image_tag_mutability: immutable
register: result
- name: it should change and create
assert:
that:
- result is changed
- result.created
- name: it should have been configured as immutable
assert:
that:
- result.repository.imageTagMutability == "IMMUTABLE"
- name: When configuring an existing immutable repository to be mutable in check mode
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
image_tag_mutability: mutable
register: result
check_mode: yes
- name: it should skip, change and configured mutable
assert:
that:
- result is skipped
- result is changed
- result.repository.imageTagMutability == "MUTABLE"
- name: When configuring an existing immutable repository to be mutable
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
image_tag_mutability: mutable
register: result
- name: it should change and configured mutable
assert:
that:
- result is changed
- result.repository.imageTagMutability == "MUTABLE"
- name: When configuring an already mutable repository to be mutable
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'
image_tag_mutability: mutable
register: result
- name: it should not change
assert:
that:
- result is not changed
always:
- name: Delete lingering ECR repository
ecs_ecr:
name: '{{ ecr_name }}'
region: '{{ ec2_region }}'
state: absent
ec2_access_key: '{{ec2_access_key}}'
ec2_secret_key: '{{ec2_secret_key}}'
security_token: '{{security_token}}'