AWS CLI Verison 2 support #40

Merged
merged 3 commits into from
Mar 5, 2020
Merged
50 changes: 44 additions & 6 deletions hooks/environment
@@ -69,12 +69,10 @@ function retry() {
done
}

if [[ -z "${AWS_DEFAULT_REGION:-}" ]] ; then
export AWS_DEFAULT_REGION=us-east-1
fi

# For logging into the current AWS account’s registry
if [[ "${BUILDKITE_PLUGIN_ECR_LOGIN:-}" =~ ^(true|1)$ ]] ; then
# 'aws ecr get-login' was removed in awscli 2.0.0, but the alternative
# 'aws ecr get-login-password' was not available until v1.7.10 which
# was only released earlier that same month.
function login_using_aws_ecr_get_login() {
mapfile -t registry_ids <<< "$(plugin_read_list ACCOUNT_IDS | tr "," "\n")"
login_args=()

@@ -91,6 +89,10 @@ if [[ "${BUILDKITE_PLUGIN_ECR_LOGIN:-}" =~ ^(true|1)$ ]] ; then
login_args+=("--no-include-email")
fi

if [[ -z "${AWS_DEFAULT_REGION:-}" ]] ; then
export AWS_DEFAULT_REGION="us-east-1"
fi

# In earlier versions, we supported registry-region. This is now deprecated
if [[ -n "${BUILDKITE_PLUGIN_ECR_REGISTRY_REGION:-}" ]] ; then
login_args+=("--region" "${BUILDKITE_PLUGIN_ECR_REGISTRY_REGION}")
@@ -114,4 +116,40 @@ if [[ "${BUILDKITE_PLUGIN_ECR_LOGIN:-}" =~ ^(true|1)$ ]] ; then
ecr_login="${ecr_login//-e none/}"

eval "$ecr_login"
}

function login_using_aws_ecr_get_login_password() {
local region="${BUILDKITE_PLUGIN_ECR_REGISTRY_REGION:-${BUILDKITE_PLUGIN_ECR_REGION:-${AWS_DEFAULT_REGION:-}}}"
if [[ -z $region ]]; then
region="us-east-1"
echo >&2 "AWS region should be specified via plugin config or AWS_DEFAULT_REGION environment."
echo >&2 "Defaulting to $region for legacy compatibility."
fi
mapfile -t account_ids <<< "$(plugin_read_list ACCOUNT_IDS | tr "," "\n")"
if [[ -z ${account_ids[*]} ]]; then
account_ids=("$(aws sts get-caller-identity --query Account --output text)")
fi
if [[ -z ${account_ids[*]} ]]; then
echo >&2 "AWS account ID required via plugin config or 'aws sts get-caller-identity'"
exit 1
fi
local password; password="$(aws --region "$region" ecr get-login-password)"
for account_id in "${account_ids[@]}"; do
docker login --username AWS --password-stdin "$account_id.dkr.ecr.$region.amazonaws.com" <<< "$password"
done
}

function login() {
if aws_version_ge "1.17.10"; then
# 'aws ecr get-login-password' was added in awscli 1.17.10
login_using_aws_ecr_get_login_password
else
# older awscli versions must use 'aws ecr get-login'
login_using_aws_ecr_get_login
fi
}

# For logging into the current AWS account’s registry
if [[ "${BUILDKITE_PLUGIN_ECR_LOGIN:-}" =~ ^(true|1)$ ]] ; then
login
fi
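Review bot: In login_using_aws_ecr_get_login_password the registry host given to `docker login` is assembled from `$account_id` and `$region` with no format check, so the ECR token is written to whatever hostname the plugin config or environment happens to produce. A guard before the login would pin it to an ECR endpoint, for example `[[ $region =~ ^[a-z0-9-]+$ ]] || exit 1` ahead of the loop and `[[ $account_id =~ ^[0-9]{12}$ ]] || exit 1` inside it. The `password="$(aws --region "$region" ecr get-login-password)"` assignment is also unchecked and is not wrapped in `retry`; unless `set -e` is active above the visible lines, a failed call hands an empty password to `docker login`, so `|| exit 1` on that line is worth adding. The comment above login_using_aws_ecr_get_login says `v1.7.10` while login() tests `1.17.10`; the comment looks like the typo.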
209 changes: 199 additions & 10 deletions tests/run.bats
@@ -6,11 +6,169 @@ load '/usr/local/lib/bats/load.bash'

# export AWS_STUB_DEBUG=/dev/tty

@test "Login to ECR" {
@test "ECR login; configured account ID, configured region" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=321321321321
export BUILDKITE_PLUGIN_ECR_REGION=ap-southeast-2

stub aws \
"--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"--region ap-southeast-2 ecr get-login-password : echo hunter2"

stub docker \
"login --username AWS --password-stdin 321321321321.dkr.ecr.ap-southeast-2.amazonaws.com : cat > /tmp/password-stdin ; echo logging in to docker"

run "$PWD/hooks/environment"

assert_success
assert_output --partial "logging in to docker"
[[ $(cat /tmp/password-stdin) == "hunter2" ]]

unstub aws
unstub docker
}

@test "ECR login; configured account ID, configured legacy registry-region" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=321321321321
export BUILDKITE_PLUGIN_ECR_REGISTRY_REGION=ap-southeast-2

stub aws \
"--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"--region ap-southeast-2 ecr get-login-password : echo hunter2"

stub docker \
"login --username AWS --password-stdin 321321321321.dkr.ecr.ap-southeast-2.amazonaws.com : cat > /tmp/password-stdin ; echo logging in to docker"

run "$PWD/hooks/environment"

assert_success
assert_output --partial "logging in to docker"
[[ $(cat /tmp/password-stdin) == "hunter2" ]]

unstub aws
unstub docker
}
@test "ECR login; configured account ID, AWS_DEFAULT_REGION set" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=421321321321
export AWS_DEFAULT_REGION=us-west-2

stub aws \
"--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"--region us-west-2 ecr get-login-password : echo hunter2"

stub docker \
"login --username AWS --password-stdin 421321321321.dkr.ecr.us-west-2.amazonaws.com : cat > /tmp/password-stdin ; echo logging in to docker"

run "$PWD/hooks/environment"

assert_success
assert_output --partial "logging in to docker"
[[ $(cat /tmp/password-stdin) == "hunter2" ]]

unstub aws
unstub docker
}
@test "ECR login; configured account ID, no region specified defaults to us-east-1" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=421321321321

stub aws \
"--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"--region us-east-1 ecr get-login-password : echo hunter2"

stub docker \
"login --username AWS --password-stdin 421321321321.dkr.ecr.us-east-1.amazonaws.com : cat > /tmp/password-stdin ; echo logging in to docker"


run "$PWD/hooks/environment"

assert_success
assert_output --partial "AWS region should be specified"
assert_output --partial "Defaulting to us-east-1"
assert_output --partial "logging in to docker"

unstub aws
unstub docker
}
@test "ECR login; multiple account IDs" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS_0=111111111111
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS_1=222222222222
export BUILDKITE_PLUGIN_ECR_REGION=us-east-1

stub aws \
"--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"--region us-east-1 ecr get-login-password : echo sameforeachaccount"

stub docker \
"login --username AWS --password-stdin 111111111111.dkr.ecr.us-east-1.amazonaws.com : cat > /tmp/password-stdin-0 ; echo logging in to docker" \
"login --username AWS --password-stdin 222222222222.dkr.ecr.us-east-1.amazonaws.com : cat > /tmp/password-stdin-1 ; echo logging in to docker"


run "$PWD/hooks/environment"

assert_success
assert_output --partial "logging in to docker"
[[ $(cat /tmp/password-stdin-0) == "sameforeachaccount" ]]
[[ $(cat /tmp/password-stdin-1) == "sameforeachaccount" ]]

unstub aws
unstub docker
}
@test "ECR login; multiple comma-separated account IDs" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=333333333333,444444444444
export BUILDKITE_PLUGIN_ECR_REGION=us-east-1

stub aws \
"--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"--region us-east-1 ecr get-login-password : echo sameforeachaccount"

stub docker \
"login --username AWS --password-stdin 333333333333.dkr.ecr.us-east-1.amazonaws.com : cat > /tmp/password-stdin-0 ; echo logging in to docker" \
"login --username AWS --password-stdin 444444444444.dkr.ecr.us-east-1.amazonaws.com : cat > /tmp/password-stdin-1 ; echo logging in to docker"


run "$PWD/hooks/environment"

assert_success
assert_output --partial "logging in to docker"
[[ $(cat /tmp/password-stdin-0) == "sameforeachaccount" ]]
[[ $(cat /tmp/password-stdin-1) == "sameforeachaccount" ]]

unstub aws
unstub docker
}
@test "ECR login; discovered account ID" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export AWS_DEFAULT_REGION=us-east-1

stub aws \
"--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"sts get-caller-identity --query Account --output text : echo 888888888888" \
"--region us-east-1 ecr get-login-password : echo hunter2"

stub docker \
"login --username AWS --password-stdin 888888888888.dkr.ecr.us-east-1.amazonaws.com : cat > /tmp/password-stdin ; echo logging in to docker"

run "$PWD/hooks/environment"

assert_success
assert_output --partial "logging in to docker"
[[ $(cat /tmp/password-stdin) == "hunter2" ]]

unstub aws
unstub docker
}

@test "ECR login (v1.17.10; after get-login-password was added, before get-login was removed)" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_NO_INCLUDE_EMAIL=true

stub aws \
"--version : echo aws-cli/1.17.9 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"ecr get-login --no-include-email : echo docker login -u AWS -p 1234 https://1234.dkr.ecr.us-east-1.amazonaws.com"

stub docker \
@@ -25,11 +183,32 @@ load '/usr/local/lib/bats/load.bash'
unstub docker
}

@test "Login to ECR (without --no-include-email)" {
@test "ECR login (before aws cli 1.17.10 in which get-login-password was added)" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_NO_INCLUDE_EMAIL=true

stub aws \
"--version : echo aws-cli/1.17.9 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"ecr get-login --no-include-email : echo docker login -u AWS -p 1234 https://1234.dkr.ecr.us-east-1.amazonaws.com"

stub docker \
"login -u AWS -p 1234 https://1234.dkr.ecr.us-east-1.amazonaws.com : echo logging in to docker"

run "$PWD/hooks/environment"

assert_success
assert_output --partial "logging in to docker"

unstub aws
unstub docker
}

@test "ECR login (before aws cli 1.17.10) (without --no-include-email)" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_NO_INCLUDE_EMAIL=false

stub aws \
"--version : echo aws-cli/1.17.9 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"ecr get-login : echo docker login -u AWS -p 1234 https://1234.dkr.ecr.us-east-1.amazonaws.com"

stub docker \
@@ -44,13 +223,14 @@ load '/usr/local/lib/bats/load.bash'
unstub docker
}

@test "Login to ECR with Account IDS" {
@test "ECR login (before aws cli 1.17.10) with Account IDS" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS_0=1111
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS_1=2222
export BUILDKITE_PLUGIN_ECR_NO_INCLUDE_EMAIL=true

stub aws \
"--version : echo aws-cli/1.17.9 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"ecr get-login --no-include-email --registry-ids 1111 2222 : echo echo logging in to docker"

run "$PWD/hooks/environment"
@@ -61,11 +241,12 @@ load '/usr/local/lib/bats/load.bash'
unstub aws
}

@test "Login to ECR with Comma-delimited Account IDS (older aws-cli)" {
@test "ECR login (before aws cli 1.17.10) with Comma-delimited Account IDS (older aws-cli)" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS="1111,2222,3333"

stub aws \
"--version : echo aws-cli/1.11.40 Python/2.7.10 Darwin/16.6.0 botocore/1.5.80" \
"--version : echo aws-cli/1.11.40 Python/2.7.10 Darwin/16.6.0 botocore/1.5.80" \
"ecr get-login --registry-ids 1111 2222 3333 : echo echo logging in to docker"

@@ -77,11 +258,12 @@ load '/usr/local/lib/bats/load.bash'
unstub aws
}

@test "Login to ECR with Comma-delimited Account IDS (newer aws-cli)" {
@test "ECR login (before aws cli 1.17.10) with Comma-delimited Account IDS (newer aws-cli)" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS="1111,2222,3333"

stub aws \
"--version : echo aws-cli/1.11.117 Python/2.7.10 Darwin/16.6.0 botocore/1.5.80" \
"--version : echo aws-cli/1.11.117 Python/2.7.10 Darwin/16.6.0 botocore/1.5.80" \
"ecr get-login --no-include-email --registry-ids 1111 2222 3333 : echo echo logging in to docker"

@@ -93,12 +275,13 @@ load '/usr/local/lib/bats/load.bash'
unstub aws
}

@test "Login to ECR with region specified" {
@test "ECR login (before aws cli 1.17.10) with region specified" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_NO_INCLUDE_EMAIL=true
export BUILDKITE_PLUGIN_ECR_REGISTRY_REGION=ap-southeast-2

stub aws \
"--version : echo aws-cli/1.17.9 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"ecr get-login --no-include-email --region ap-southeast-2 : echo docker login -u AWS -p 1234 https://1234.dkr.ecr.ap-southeast-2.amazonaws.com"

stub docker \
@@ -113,13 +296,14 @@ load '/usr/local/lib/bats/load.bash'
unstub docker
}

@test "Login to ECR with region and registry id's" {
@test "ECR login (before aws cli 1.17.10) with region and registry id's" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_NO_INCLUDE_EMAIL=true
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS="1111,2222,3333"
export BUILDKITE_PLUGIN_ECR_REGISTRY_REGION=ap-southeast-2

stub aws \
"--version : echo aws-cli/1.17.9 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"ecr get-login --no-include-email --region ap-southeast-2 --registry-ids 1111 2222 3333 : echo docker login -u AWS -p 1234 https://1234.dkr.ecr.ap-southeast-2.amazonaws.com"

stub docker \
@@ -134,12 +318,14 @@ load '/usr/local/lib/bats/load.bash'
unstub docker
}

@test "Login to ECR with error, and then retry until success" {
@test "ECR login (before aws cli 1.17.10) with error, and then retry until success" {
[[ -z $SKIP_SLOW ]] || skip "skipping slow test"
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_NO_INCLUDE_EMAIL=true
export BUILDKITE_PLUGIN_ECR_RETRIES=1

stub aws \
"--version : echo aws-cli/1.17.9 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"ecr get-login --no-include-email : exit 1" \
"ecr get-login --no-include-email : echo echo logging in to docker"

@@ -152,12 +338,14 @@ load '/usr/local/lib/bats/load.bash'
unstub aws
}

@test "Login to ECR with error, and then retry until failure" {
@test "ECR login (before aws cli 1.17.10) with error, and then retry until failure" {
[[ -z $SKIP_SLOW ]] || skip "skipping slow test"
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_NO_INCLUDE_EMAIL=true
export BUILDKITE_PLUGIN_ECR_RETRIES=1

stub aws \
"--version : echo aws-cli/1.17.9 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"ecr get-login --no-include-email : exit 1" \
"ecr get-login --no-include-email : exit 1"

@@ -170,11 +358,12 @@ load '/usr/local/lib/bats/load.bash'
unstub aws
}

@test "Login to ECR doesn't disclose credentials" {
@test "ECR login (before aws cli 1.17.10) doesn't disclose credentials" {
export BUILDKITE_PLUGIN_ECR_LOGIN=true
export BUILDKITE_PLUGIN_ECR_NO_INCLUDE_EMAIL=true

stub aws \
"--version : echo aws-cli/1.17.9 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
"ecr get-login --no-include-email : echo docker login -u AWS -p supersecret https://1234.dkr.ecr.us-east-1.amazonaws.com"

stub docker \
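Review bot: None of the new get-login-password tests assert that the token stays out of the hook's output; the only "doesn't disclose credentials" test, in the last hunk, is pinned to `aws-cli/1.17.9` and so covers the legacy path alone. Adding `refute_output --partial "hunter2"` after `assert_success` in the "ECR login; configured account ID, configured region" test would cover the new path, assuming the loaded bats helpers provide `refute_output` alongside `assert_output`. Those tests also capture stdin in fixed files such as `/tmp/password-stdin` that are never removed, so a file left by an earlier test can satisfy a later assertion; a path under `$BATS_TMPDIR` that a `teardown` removes would avoid that. The test titled "ECR login (v1.17.10; …)" stubs `aws-cli/1.17.9` and expects `ecr get-login`, so the 1.17.10 boundary itself is not exercised.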