hashicorp · ewbankkit · Feb 14, 2024 · Nov 20, 2023 · Nov 21, 2023 · Nov 21, 2023
@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/aws_ecr_pull_through_cache_rule: Add `credential_arn` attribute
+```
+
+```release-note:enhancement
+data-source/aws_ecr_pull_through_cache_rule: Add `credential_arn` attribute
+```
@@ -5,6 +5,7 @@ package ecr
 
 import (
 	"context"
+	"github.com/hashicorp/terraform-provider-aws/internal/verify"
 	"log"
 
 	"github.com/YakDriver/regexache"
@@ -25,6 +26,7 @@ func ResourcePullThroughCacheRule() *schema.Resource {
 		CreateWithoutTimeout: resourcePullThroughCacheRuleCreate,
 		ReadWithoutTimeout:   resourcePullThroughCacheRuleRead,
 		DeleteWithoutTimeout: resourcePullThroughCacheRuleDelete,
+		UpdateWithoutTimeout: resourcePullThroughCacheRuleUpdate,
 
 		Importer: &schema.ResourceImporter{
 			StateContext: schema.ImportStatePassthroughContext,
@@ -51,6 +53,11 @@ func ResourcePullThroughCacheRule() *schema.Resource {
 				Required: true,
 				ForceNew: true,
 			},
+			"credential_arn": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: verify.ValidARN,
+			},
 		},
 	}
 }
@@ -64,6 +71,7 @@ func resourcePullThroughCacheRuleCreate(ctx context.Context, d *schema.ResourceD
 	input := &ecr.CreatePullThroughCacheRuleInput{
 		EcrRepositoryPrefix: aws.String(repositoryPrefix),
 		UpstreamRegistryUrl: aws.String(d.Get("upstream_registry_url").(string)),
+		CredentialArn:       aws.String(d.Get("credential_arn").(string)),
 	}
 
 	log.Printf("[DEBUG] Creating ECR Pull Through Cache Rule: %s", input)
@@ -78,6 +86,27 @@ func resourcePullThroughCacheRuleCreate(ctx context.Context, d *schema.ResourceD
 	return append(diags, resourcePullThroughCacheRuleRead(ctx, d, meta)...)
 }
 
+func resourcePullThroughCacheRuleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	conn := meta.(*conns.AWSClient).ECRConn(ctx)
+
+	repositoryPrefix := d.Get("ecr_repository_prefix").(string)
+	input := &ecr.UpdatePullThroughCacheRuleInput{
+		EcrRepositoryPrefix: aws.String(repositoryPrefix),
+		CredentialArn:       aws.String(d.Get("credential_arn").(string)),
+	}
+
+	log.Printf("[DEBUG] Updating ECR Pull Through Cache Rule: %s", input)
+	_, err := conn.UpdatePullThroughCacheRuleWithContext(ctx, input)
+
+	if err != nil {
+		return diag.Errorf("updating ECR Pull Through Cache Rule (%s): %s", repositoryPrefix, err)
+	}
+
+	d.SetId(repositoryPrefix)
+
+	return resourcePullThroughCacheRuleRead(ctx, d, meta)
+}
+
 func resourcePullThroughCacheRuleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	var diags diag.Diagnostics
 
@@ -98,6 +127,7 @@ func resourcePullThroughCacheRuleRead(ctx context.Context, d *schema.ResourceDat
 	d.Set("ecr_repository_prefix", rule.EcrRepositoryPrefix)
 	d.Set("registry_id", rule.RegistryId)
 	d.Set("upstream_registry_url", rule.UpstreamRegistryUrl)
+	d.Set("credential_arn", rule.CredentialArn)
 
 	return diags
 }

@@ -39,6 +39,10 @@ func DataSourcePullThroughCacheRule() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"credential_arn": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -60,6 +64,7 @@ func dataSourcePullThroughCacheRuleRead(ctx context.Context, d *schema.ResourceD
 	d.Set("ecr_repository_prefix", rule.EcrRepositoryPrefix)
 	d.Set("registry_id", rule.RegistryId)
 	d.Set("upstream_registry_url", rule.UpstreamRegistryUrl)
+	d.Set("credential_arn", rule.CredentialArn)
 
 	return diags
 }
@@ -55,6 +55,29 @@ func TestAccECRPullThroughCacheRuleDataSource_repositoryPrefixWithSlash(t *testi
 	})
 }
 
+func TestAccECRPullThroughCacheRuleDataSource_credential(t *testing.T) {
+	ctx := acctest.Context(t)
+	upstreamRegistryUrl := "registry-1.docker.io"
+	dataSource := "data.aws_ecr_pull_through_cache_rule.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, ecr.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPullThroughCacheRuleDataSourceConfig_credentialArn(),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(dataSource, "upstream_registry_url", upstreamRegistryUrl),
+					acctest.CheckResourceAttrAccountID(dataSource, "registry_id"),
+					resource.TestCheckResourceAttrSet(dataSource, "credential_arn"),
+				),
+			},
+		},
+	})
+}
+
+				),
 func testAccPullThroughCacheRuleDataSourceConfig_basic() string {
 	return `
 resource "aws_ecr_pull_through_cache_rule" "test" {
@@ -80,3 +103,27 @@ data "aws_ecr_pull_through_cache_rule" "test" {
 }
 `, repositoryPrefix)
 }
+
+func testAccPullThroughCacheRuleDataSourceConfig_credentialArn() string {
+	return `
+resource "aws_secretsmanager_secret" "test" {
+  name                    = "ecr-pullthroughcache/docker-hub"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_id     = aws_secretsmanager_secret.test.id
+  secret_string = "test"
+}
+
+resource "aws_ecr_pull_through_cache_rule" "test" {
+  ecr_repository_prefix = "ecr-public"
+  upstream_registry_url = "registry-1.docker.io"
+  credential_arn        = aws_secretsmanager_secret.test.arn
+}
+
+data "aws_ecr_pull_through_cache_rule" "test" {
+  ecr_repository_prefix = aws_ecr_pull_through_cache_rule.test.ecr_repository_prefix
+}
+`
+}
@@ -22,6 +22,7 @@ import (
 func TestAccECRPullThroughCacheRule_basic(t *testing.T) {
 	ctx := acctest.Context(t)
 	repositoryPrefix := "tf-test-" + sdkacctest.RandString(8)
+	upstreamRegistryUrl := "public.ecr.aws"
 	resourceName := "aws_ecr_pull_through_cache_rule.test"
 
 	resource.ParallelTest(t, resource.TestCase{
@@ -36,7 +37,38 @@ func TestAccECRPullThroughCacheRule_basic(t *testing.T) {
 					testAccCheckPullThroughCacheRuleExists(ctx, resourceName),
 					resource.TestCheckResourceAttr(resourceName, "ecr_repository_prefix", repositoryPrefix),
 					testAccCheckPullThroughCacheRuleRegistryID(resourceName),
-					resource.TestCheckResourceAttr(resourceName, "upstream_registry_url", "public.ecr.aws"),
+					resource.TestCheckResourceAttr(resourceName, "upstream_registry_url", upstreamRegistryUrl),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func TestAccECRPullThroughCacheRule_credentialArn(t *testing.T) {
+	ctx := acctest.Context(t)
+	repositoryPrefix := "tf-test-" + sdkacctest.RandString(8)
+	upstreamRegistryUrl := "registry-1.docker.io"
+	resourceName := "aws_ecr_pull_through_cache_rule.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, ecr.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckPullThroughCacheRuleDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccPullThroughCacheRuleConfig_credentialArn(repositoryPrefix, "docker-hub"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckPullThroughCacheRuleExists(ctx, resourceName),
+					resource.TestCheckResourceAttr(resourceName, "ecr_repository_prefix", repositoryPrefix),
+					testAccCheckPullThroughCacheRuleRegistryID(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "upstream_registry_url", upstreamRegistryUrl),
+					resource.TestCheckResourceAttrSet(resourceName, "credential_arn"),
 				),
 			},
 			{
@@ -181,6 +213,26 @@ resource "aws_ecr_pull_through_cache_rule" "test" {
 }
 `, repositoryPrefix)
 }
+func testAccPullThroughCacheRuleConfig_credentialArn(repositoryPrefix string, credentialArn string) string {
+	return fmt.Sprintf(`
+resource "aws_secretsmanager_secret" "test" {
+  name                    = "ecr-pullthroughcache/%[2]s"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_id     = aws_secretsmanager_secret.test.id
+  secret_string = "test"
+}
+
+resource "aws_ecr_pull_through_cache_rule" "test" {
+  ecr_repository_prefix = %[1]q
+  upstream_registry_url = "registry-1.docker.io"
+  depends_on            = [aws_secretsmanager_secret.test]
+  credential_arn        = aws_secretsmanager_secret.test.arn
+}
+`, repositoryPrefix, credentialArn)
+}
 
 func testAccPullThroughCacheRuleConfig_failWhenAlreadyExist(repositoryPrefix string) string {
 	return fmt.Sprintf(`

@@ -31,3 +31,5 @@ This data source exports the following attributes in addition to the arguments a
 - `id` - The repository name prefix.
 - `upstream_registry_url` - The registry URL of the upstream public registry to use as the source.
 - `registry_id` - The registry ID where the repository was created.
+- `credential_arn` - ARN of the Secret which will be used to authenticate against the registry.
+
@@ -19,6 +19,7 @@ upstream repositories, see [Using pull through cache rules](https://docs.aws.ama
 resource "aws_ecr_pull_through_cache_rule" "example" {
   ecr_repository_prefix = "ecr-public"
   upstream_registry_url = "public.ecr.aws"
+  credential_arn = "arn:aws:secretsmanager:us-east-1:123456789:secret:ecr-pullthroughcache/ecrpublic"
 }
 ```
 
@@ -28,6 +29,7 @@ This resource supports the following arguments:
 
 * `ecr_repository_prefix` - (Required, Forces new resource) The repository name prefix to use when caching images from the source registry.
 * `upstream_registry_url` - (Required, Forces new resource) The registry URL of the upstream public registry to use as the source.
+* `credential_arn` - (Optional) ARN of the Secret which will be used to authenticate against the registry.
 
 ## Attribute Reference