284f26303c
* Fix copy/pasta for ecs_ecr test names * Add support for lifecycle policies to ecs_ecr New feature for ecs_ecr to support [ECR Lifecycle Policies][]. Fixes #32003 [ECR Lifecycle Policies]: https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html * Improve error message for ecs_ecr parsing errors Replaces the exception and stack trace with a description of what's actually going wrong from a user perspective. * Rename delete policy to purge policy Marks the `delete_policy` parameter as deprecated, to be removed in Ansible 2.6. * Add version_added to purge_policy * Remove changing results based on verbosity What I really want is --diff support, and changing results based on verbosity is abnormal. * Ensure repository name is lowercase * Fix deprecation cycle to 4 releases * Use a YAML anchor for credentials * Remove filters from assertions * Add minimal permissions needed * Updating version_added and deprecation cycle The original PR sat while a few releases happened. * Bumping version added and deprecation version We missed the 2.8 release. * Removing bare except: This is not allowed and is generally bad practice. * Fix lint errors * update ansible release metadata * Use the new alias deprecation scheme This was added in the time the PR has been in development, so rework things to use it. * Add test coverage This makes sure that lifecycle_policy is produced when passed in. *Also a minor suggestion for simplification from PR. * Restore changes from 62871 lost in rebase * Add changelog * Remove version_added for new purge_policy option Per sanity test fail.
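---
# Integration tests for the ecs_ecr module: repository creation and deletion,
# repository policies, lifecycle policies and image tag mutability, each
# exercised in check mode and for real.
#
# `resource_prefix`, `policy`, `lifecycle_policy` and the AWS credential
# variables are not defined in this file; they are expected to be supplied by
# the test harness or the role's vars/defaults.
- set_fact:
    ecr_name: '{{ resource_prefix }}-ecr'

- block:

    # The anchor below is merged into every ecs_ecr task so that credentials
    # and region are declared once. no_log keeps the credential values out of
    # this task's output.
    # NOTE(review): the ecs_ecr tasks themselves do not set no_log; masking of
    # the secret key and token there depends on the module's argument spec.
    # Confirm before running these tests with increased verbosity.
    - name: set connection information for all tasks
      set_fact:
        aws_connection_info: &aws_connection_info
          aws_access_key: "{{ aws_access_key }}"
          aws_secret_key: "{{ aws_secret_key }}"
          security_token: "{{ security_token }}"
          region: "{{ aws_region }}"
      no_log: true

    - name: When creating with check mode
      ecs_ecr:
        name: '{{ ecr_name }}'
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should skip, change and create
      assert:
        that:
          - result is skipped
          - result is changed
          - result.created


    # The registry id is quoted so it is always handled as a string rather
    # than being typed as an integer by the YAML parser.
    - name: When specifying a registry that is inaccessible
      ecs_ecr:
        registry_id: '999999999999'
        name: '{{ ecr_name }}'
        <<: *aws_connection_info
      register: result
      ignore_errors: true

    - name: it should fail with an AccessDeniedException
      assert:
        that:
          - result is failed
          - '"AccessDeniedException" in result.msg'


    - name: When creating a repository
      ecs_ecr:
        name: '{{ ecr_name }}'
        <<: *aws_connection_info
      register: result

    - name: it should change and create
      assert:
        that:
          - result is changed
          - result.created

    - name: it should have been configured as mutable by default
      assert:
        that:
          - result.repository.imageTagMutability == "MUTABLE"


    - name: When creating a repository that already exists in check mode
      ecs_ecr:
        name: '{{ ecr_name }}'
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should not skip, should not change
      assert:
        that:
          - result is not skipped
          - result is not changed


    - name: When creating a repository that already exists
      ecs_ecr:
        name: '{{ ecr_name }}'
        <<: *aws_connection_info
      register: result

    - name: it should not change
      assert:
        that:
          - result is not changed


    - name: When in check mode, and deleting a policy that does not exist
      ecs_ecr:
        name: '{{ ecr_name }}'
        purge_policy: true
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should not skip and not change
      assert:
        that:
          - result is not skipped
          - result is not changed


    - name: When in check mode, setting policy on a repository that has no policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        policy: '{{ policy }}'
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should skip, change and not create
      assert:
        that:
          - result is skipped
          - result is changed
          - not result.created


    - name: When setting policy on a repository that has no policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        policy: '{{ policy }}'
        <<: *aws_connection_info
      register: result

    - name: it should change and not create
      assert:
        that:
          - result is changed
          - not result.created


    # delete_policy is the deprecated spelling of purge_policy. It is used
    # here on purpose: the assertion checks that a deprecation is reported.
    - name: When in check mode, and deleting a policy that exists
      ecs_ecr:
        name: '{{ ecr_name }}'
        delete_policy: true
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should skip, change but not create, have deprecations
      assert:
        that:
          - result is skipped
          - result is changed
          - not result.created
          - result.deprecations


    - name: When in check mode, and purging a policy that exists
      ecs_ecr:
        name: '{{ ecr_name }}'
        purge_policy: true
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should skip, change but not create, no deprecations
      assert:
        that:
          - result is skipped
          - result is changed
          - not result.created
          - result.deprecations is not defined


    - name: When purging a policy that exists
      ecs_ecr:
        name: '{{ ecr_name }}'
        purge_policy: true
        <<: *aws_connection_info
      register: result

    - name: it should change and not create
      assert:
        that:
          - result is changed
          - not result.created


    # The policy is passed as a JSON string here and as a structure in the
    # next task; the second call must report no change.
    - name: When setting a policy as a string
      ecs_ecr:
        name: '{{ ecr_name }}'
        policy: '{{ policy | to_json }}'
        <<: *aws_connection_info
      register: result

    - name: it should change and not create
      assert:
        that:
          - result is changed
          - not result.created


    - name: When setting a policy to its current value
      ecs_ecr:
        name: '{{ ecr_name }}'
        policy: '{{ policy }}'
        <<: *aws_connection_info
      register: result

    - name: it should not change
      assert:
        that:
          - result is not changed

    - name: When omitting policy on a repository that has a policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        <<: *aws_connection_info
      register: result

    - name: it should not change
      assert:
        that:
          - result is not changed

    # NOTE(review): this check and the other "it should fail" checks below
    # assert only that the task failed, not why. Any error, including an
    # unrelated credential or permission failure, satisfies them. Asserting on
    # result.msg, as the AccessDeniedException check above does, would make
    # these negative tests specific.
    - name: When specifying both policy and purge_policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        policy: '{{ policy }}'
        purge_policy: true
        <<: *aws_connection_info
      register: result
      ignore_errors: true

    - name: it should fail
      assert:
        that:
          - result is failed


    - name: When specifying invalid JSON for policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        policy: "Ceci n'est pas une JSON"
        <<: *aws_connection_info
      register: result
      ignore_errors: true

    - name: it should fail
      assert:
        that:
          - result is failed


    - name: When in check mode, and purging a lifecycle policy that does not exists
      ecs_ecr:
        name: '{{ ecr_name }}'
        purge_lifecycle_policy: true
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should not skip and not change
      assert:
        that:
          - not result is skipped
          - not result is changed


    - name: When in check mode, setting lifecyle policy on a repository that has no policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        lifecycle_policy: '{{ lifecycle_policy }}'
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should skip, change and not create
      assert:
        that:
          - result is skipped
          - result is changed
          - not result.created


    - name: When setting lifecycle policy on a repository that has no policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        lifecycle_policy: '{{ lifecycle_policy }}'
        <<: *aws_connection_info
      register: result

    # Besides changed/created, this checks that the applied lifecycle policy
    # is returned and holds exactly one rule.
    - name: it should change and not create
      assert:
        that:
          - result is changed
          - not result.created
          - result.lifecycle_policy is defined
          - result.lifecycle_policy.rules|length == 1


    - name: When in check mode, and purging a lifecyle policy that exists
      ecs_ecr:
        name: '{{ ecr_name }}'
        purge_lifecycle_policy: true
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should skip, change but not create
      assert:
        that:
          - result is skipped
          - result is changed
          - not result.created


    - name: When purging a lifecycle policy that exists
      ecs_ecr:
        name: '{{ ecr_name }}'
        purge_lifecycle_policy: true
        <<: *aws_connection_info
      register: result

    - name: it should change and not create
      assert:
        that:
          - result is changed
          - not result.created


    - name: When setting a lifecyle policy as a string
      ecs_ecr:
        name: '{{ ecr_name }}'
        lifecycle_policy: '{{ lifecycle_policy | to_json }}'
        <<: *aws_connection_info
      register: result

    - name: it should change and not create
      assert:
        that:
          - result is changed
          - not result.created


    - name: When setting a lifecycle policy to its current value
      ecs_ecr:
        name: '{{ ecr_name }}'
        lifecycle_policy: '{{ lifecycle_policy }}'
        <<: *aws_connection_info
      register: result

    - name: it should not change
      assert:
        that:
          - not result is changed


    - name: When omitting lifecycle policy on a repository that has a policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        <<: *aws_connection_info
      register: result

    - name: it should not change
      assert:
        that:
          - not result is changed


    - name: When specifying both lifecycle_policy and purge_lifecycle_policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        lifecycle_policy: '{{ lifecycle_policy }}'
        purge_lifecycle_policy: true
        <<: *aws_connection_info
      register: result
      ignore_errors: true

    - name: it should fail
      assert:
        that:
          - result is failed


    - name: When specifying invalid JSON for lifecycle policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        lifecycle_policy: "Ceci n'est pas une JSON"
        <<: *aws_connection_info
      register: result
      ignore_errors: true

    - name: it should fail
      assert:
        that:
          - result is failed


    # Well-formed structure whose single rule carries only an unknown key.
    - name: When specifying an invalid document for lifecycle policy
      ecs_ecr:
        name: '{{ ecr_name }}'
        lifecycle_policy:
          rules:
            - invalid: "Ceci n'est pas une rule"
        <<: *aws_connection_info
      register: result
      ignore_errors: true

    - name: it should fail
      assert:
        that:
          - result is failed


    - name: When in check mode, deleting a repository that exists
      ecs_ecr:
        name: '{{ ecr_name }}'
        state: absent
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should skip, change and not create
      assert:
        that:
          - result is skipped
          - result is changed
          - not result.created


    - name: When deleting a repository that exists
      ecs_ecr:
        name: '{{ ecr_name }}'
        state: absent
        <<: *aws_connection_info
      register: result

    - name: it should change
      assert:
        that:
          - result is changed


    - name: When in check mode, deleting a repository that does not exist
      ecs_ecr:
        name: '{{ ecr_name }}'
        state: absent
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should not change
      assert:
        that:
          - result is not skipped
          - result is not changed


    - name: When deleting a repository that does not exist
      ecs_ecr:
        name: '{{ ecr_name }}'
        state: absent
        <<: *aws_connection_info
      register: result

    - name: it should not change
      assert:
        that:
          - result is not changed

    # The image tag mutability tasks take their credentials and region from
    # the shared anchor, like every other task in this file, so the repository
    # they create is the one the cleanup step under `always` deletes.
    - name: When creating an immutable repository
      ecs_ecr:
        name: '{{ ecr_name }}'
        image_tag_mutability: immutable
        <<: *aws_connection_info
      register: result

    - name: it should change and create
      assert:
        that:
          - result is changed
          - result.created

    - name: it should have been configured as immutable
      assert:
        that:
          - result.repository.imageTagMutability == "IMMUTABLE"


    - name: When configuring an existing immutable repository to be mutable in check mode
      ecs_ecr:
        name: '{{ ecr_name }}'
        image_tag_mutability: mutable
        <<: *aws_connection_info
      register: result
      check_mode: true

    - name: it should skip, change and configured mutable
      assert:
        that:
          - result is skipped
          - result is changed
          - result.repository.imageTagMutability == "MUTABLE"

    - name: When configuring an existing immutable repository to be mutable
      ecs_ecr:
        name: '{{ ecr_name }}'
        image_tag_mutability: mutable
        <<: *aws_connection_info
      register: result

    - name: it should change and configured mutable
      assert:
        that:
          - result is changed
          - result.repository.imageTagMutability == "MUTABLE"

    - name: When configuring an already mutable repository to be mutable
      ecs_ecr:
        name: '{{ ecr_name }}'
        image_tag_mutability: mutable
        <<: *aws_connection_info
      register: result

    - name: it should not change
      assert:
        that:
          - result is not changed

  always:

    # Runs whether or not the tasks above succeeded, so a failed run does not
    # leave the test repository behind in the account.
    - name: Delete lingering ECR repository
      ecs_ecr:
        name: '{{ ecr_name }}'
        state: absent
        <<: *aws_connection_info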