fix: remove hardcoded AWS region when creating ECR lifecycle policies (…

…#353) * fix: remove hardcoded AWS region when creating ECR lifecycle policies * test: unit tests for parsing ECR registry URI * fix linting errors
mesosphere · Mar 7, 2023 · 2fe144a · 2fe144a
1 parent c1e6eb4
commit 2fe144a
Show file tree

Hide file tree

Showing 5 changed files with 103 additions and 6 deletions.
diff --git a/cmd/mindthegap/push/helmbundle/helm_bundle.go b/cmd/mindthegap/push/helmbundle/helm_bundle.go
@@ -120,7 +120,7 @@ func NewCommand(out output.Output) *cobra.Command {
 			if ecr.IsECRRegistry(destRegistryURI.Host()) {
 				prePushFuncs = append(
 					prePushFuncs,
-					ecr.EnsureRepositoryExistsFunc(""),
+					ecr.EnsureRepositoryExistsFunc(destRegistryURI.Host(), ""),
 				)
 			}
 

diff --git a/cmd/mindthegap/push/imagebundle/image_bundle.go b/cmd/mindthegap/push/imagebundle/image_bundle.go
@@ -121,7 +121,7 @@ func NewCommand(out output.Output) *cobra.Command {
 			if ecr.IsECRRegistry(destRegistryURI.Host()) {
 				prePushFuncs = append(
 					prePushFuncs,
-					ecr.EnsureRepositoryExistsFunc(ecrLifecyclePolicy),
+					ecr.EnsureRepositoryExistsFunc(destRegistryURI.Host(), ecrLifecyclePolicy),
 				)
 			}
 

diff --git a/docker/ecr/registry.go b/docker/ecr/registry.go
@@ -4,13 +4,34 @@
 package ecr
 
 import (
+	"fmt"
 	"regexp"
 )
 
+// regular expression to represent all ECR endpoints. see list at https://docs.aws.amazon.com/general/latest/gr/ecr.html
 var ecrRegistryRegexp = regexp.MustCompile(
-	`^(?:https://)?[a-zA-Z0-9]+\.dkr\.ecr\.[^.]+\.amazonaws\.com/?`,
+	`^(?:https://)?([a-zA-Z0-9]+)\.dkr\.ecr(-fips)?\.([^.]+)\.amazonaws\.com/?`,
 )
 
 func IsECRRegistry(registryAddress string) bool {
 	return ecrRegistryRegexp.MatchString(registryAddress)
 }
+
+func ParseECRRegistry(
+	registryAddress string,
+) (accountID string, fips bool, region string, err error) {
+	matches := ecrRegistryRegexp.FindStringSubmatch(registryAddress)
+	if len(matches) == 0 {
+		return "", false, "", fmt.Errorf(
+			"only private Amazon Elastic Container Registry supported")
+	} else if len(matches) < 3 {
+		return "", false, "", fmt.Errorf(
+			"%q is not a valid repository URI for private Amazon Elastic Container Registry", registryAddress)
+	}
+
+	accountID = matches[1]
+	fips = (matches[2] == "-fips")
+	region = matches[3]
+	err = nil
+	return
+}
diff --git a/docker/ecr/registry_test.go b/docker/ecr/registry_test.go
@@ -3,7 +3,12 @@
 
 package ecr
 
-import "testing"
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
 
 func TestIsECRRegistry(t *testing.T) {
 	t.Parallel()
@@ -35,6 +40,10 @@ func TestIsECRRegistry(t *testing.T) {
 		name:            "non-ECR with http protocol",
 		registryAddress: "http://gcr.io",
 		want:            false,
+	}, {
+		name:            "ECR with FIPS protocol",
+		registryAddress: "https://123456789.dkr.ecr-fips.us-east-1.amazonaws.com",
+		want:            true,
 	}}
 	for _, tt := range tests {
 		tt := tt // Capture range variable.
@@ -46,3 +55,66 @@ func TestIsECRRegistry(t *testing.T) {
 		})
 	}
 }
+
+func TestParseECRRegistry(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name            string
+		registryAddress string
+		wantError       string
+		wantAccountID   string
+		wantFips        bool
+		wantRegion      string
+	}{{
+		name:            "Valid ECR with https protocol",
+		registryAddress: "https://123456789.dkr.ecr.us-east-1.amazonaws.com",
+		wantError:       "",
+		wantAccountID:   "123456789",
+		wantFips:        false,
+		wantRegion:      "us-east-1",
+	}, {
+		name:            "Valid ECR without https protocol",
+		registryAddress: "123456789.dkr.ecr.us-east-1.amazonaws.com",
+		wantError:       "",
+		wantAccountID:   "123456789",
+		wantFips:        false,
+		wantRegion:      "us-east-1",
+	}, {
+		name:            "ECR with FIPS",
+		registryAddress: "https://123456789.dkr.ecr-fips.us-gov-east-1.amazonaws.com",
+		wantError:       "",
+		wantAccountID:   "123456789",
+		wantFips:        true,
+		wantRegion:      "us-gov-east-1",
+	}, {
+		name:            "public ECR",
+		registryAddress: "public.ecr.aws",
+		wantError:       "only private Amazon Elastic Container Registry supported",
+		wantAccountID:   "",
+		wantFips:        false,
+		wantRegion:      "",
+	}, {
+		name:            "non ECR",
+		registryAddress: "gcr.io",
+		wantError:       "only private Amazon Elastic Container Registry supported",
+		wantAccountID:   "",
+		wantFips:        false,
+		wantRegion:      "",
+	}}
+	for _, tt := range tests {
+		tt := tt // Capture range variable.
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			gotID, gotFips, gotRegion, gotErr := ParseECRRegistry(tt.registryAddress)
+
+			if tt.wantError != "" {
+				require.ErrorContains(t, gotErr, tt.wantError)
+			} else {
+				require.NoError(t, gotErr)
+				assert.Equal(t, tt.wantAccountID, gotID)
+				assert.Equal(t, tt.wantFips, gotFips)
+				assert.Equal(t, tt.wantRegion, gotRegion)
+			}
+		})
+	}
+}
diff --git a/docker/ecr/repository.go b/docker/ecr/repository.go
@@ -16,13 +16,17 @@ import (
 	"k8s.io/utils/pointer"
 )
 
-func EnsureRepositoryExistsFunc(ecrLifecyclePolicy string) func(
+func EnsureRepositoryExistsFunc(registryAddress, ecrLifecyclePolicy string) func(
 	_, repositoryName string, _ ...string,
 ) error {
 	return func(
 		_, repositoryName string, _ ...string,
 	) error {
-		cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion("us-west-2"))
+		_, _, region, err := ParseECRRegistry(registryAddress)
+		if err != nil {
+			return fmt.Errorf("failed to parse ECR registry host URI: %w", err)
+		}
+		cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
 		if err != nil {
 			log.Fatalf("unable to load SDK config, %v", err)
 		}