This repository contains a simple cli written in go to update an AWS ECR repository with a given policy.
ecr-go
works by reading all YAML config file(s) (.yaml
or .yml
), by default in the files/
directory that define a repository and its associated policy.
Example of valid config file:
myrepo.yaml
:
repositoryName: alma # this is the name of the repository we want to apply the policy to
repositoryPolicyFile: policy.json # this is the policy to apply
policy.json
:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "CrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::000000000000:root",
"arn:aws:iam::111111111111:root",
"arn:aws:iam::222222222222:root"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
]
}
]
}
If you've build the docker image embedding this cli, you need to pass your aws keys or credentials file to the container:
# Use environment variables
docker run --rm \
-it \
-e AWS_ACCESS_KEY_ID=xxxx \
-e AWS_SECRET_ACCESS_KEY=xxxx \
-e AWS_DEFAULT_REGION=xxxx \
-v "<path to the config directory>:/app/files/"
ecr-go
# Mount your config & credentials files in the container
docker run \
--rm \
-it \
-v ~/.aws:/root/.aws \
-v "<path to the config directory>:/app/files/"
-e AWS_PROFILE=<your profile if needed> \
ecr-go
ecr-go
is looking for the following environment variables:
Name | Type | Default value | Description |
---|---|---|---|
APPLICATION_NAME |
string |
ecr-go |
Name of the application |
CONFIG_DIR |
string |
files/ |
Directory where ecr-go will look for config files |
DRY_RUN |
bool |
false |
Enable dry run mode. Accepted values are go bool values: `1 |
LOG_LEVEL |
string |
info |
Verbosity level. Accepted values are error , info (default) and debug |
APPLICATION_VERSION |
string |
0.0.2 |
Version of ecr-go |
Running in Dry Run mode will on verify that the yaml files are valid. It will not modify the ECR repository policies.
Given the following file tree:
$ tree
.
├── ecr-go*
└─── files
├── alma-keel.json
└── alma-keel.yaml
$ cat files/alma-keel.yaml
repositoryName: alma-keel
repositoryPolicyFile: files/alma-keel.json
$ cat files/alma-keel.json
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "CrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::000000000000:root",
"arn:aws:iam::111111111111:root",
"arn:aws:iam::222222222222:root"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
]
}
]
}
Simply run:
$ ./ecr-go
2021-05-04T23:06:59+02:00 info Staring ecr-go v0.1.0
2021-05-04T23:06:59+02:00 info Configuration directory is set to files/
2021-05-04T23:06:59+02:00 info Running in dry-mode: false
2021-05-04T23:06:59+02:00 info Updating repository alma-keel ...
2021-05-04T23:06:59+02:00 info Policy updated for repository alma-keel
2021-05-04T23:06:59+02:00 info
2021-05-04T23:06:59+02:00 info Repository update completed. Summary:
2021-05-04T23:06:59+02:00 info Number of successful repositories updates: 1
2021-05-04T23:06:59+02:00 info - alma-keel
2021-05-04T23:06:59+02:00 info Number of failed repositories updates: 0
You can have several yaml files in the files/
directory.
In case of mistake in the configuration (repository name inexistant or insufficient permissions for instance), ecr-go
will summarize:
$ ./ecr-go
2021-05-04T23:08:23+02:00 info Staring ecr-go v0.1.0
2021-05-04T23:08:23+02:00 info Configuration directory is set to files/
2021-05-04T23:08:23+02:00 info Running in dry-mode: false
2021-05-04T23:08:23+02:00 info Updating repository alma-keel ...
2021-05-04T23:08:23+02:00 info Updating repository alma-2 ...
2021-05-04T23:08:23+02:00 info Updating repository alma-11 ...
2021-05-04T23:08:23+02:00 info Updating repository alma-0 ...
2021-05-04T23:08:23+02:00 info Updating repository alma-1 ...
2021-05-04T23:08:23+02:00 error Error: An error occured while updating the repository alma-2: "RepositoryNotFoundException: The repository with name 'alma-2' does not exist in the registry with id '000000000000'"
2021-05-04T23:08:23+02:00 error Error: An error occured while updating the repository alma-0: "RepositoryNotFoundException: The repository with name 'alma-0' does not exist in the registry with id '000000000000'"
2021-05-04T23:08:23+02:00 error Error: An error occured while updating the repository alma-11: "RepositoryNotFoundException: The repository with name 'alma-11' does not exist in the registry with id '000000000000'"
2021-05-04T23:08:23+02:00 info Policy updated for repository alma-keel
2021-05-04T23:08:23+02:00 error Error: An error occured while updating the repository alma-1: "RepositoryNotFoundException: The repository with name 'alma-1' does not exist in the registry with id '000000000000'"
2021-05-04T23:08:23+02:00 info
2021-05-04T23:08:23+02:00 info Repository update completed. Summary:
2021-05-04T23:08:23+02:00 info Number of successful repositories updates: 1
2021-05-04T23:08:23+02:00 info - alma-keel
2021-05-04T23:08:23+02:00 info Number of failed repositories updates: 4
2021-05-04T23:08:23+02:00 info - alma-11: RepositoryNotFoundException: The repository with name 'alma-11' does not exist in the registry with id '000000000000'
2021-05-04T23:08:23+02:00 info - alma-1: RepositoryNotFoundException: The repository with name 'alma-1' does not exist in the registry with id '000000000000'
2021-05-04T23:08:23+02:00 info - alma-2: RepositoryNotFoundException: The repository with name 'alma-2' does not exist in the registry with id '000000000000'
2021-05-04T23:08:23+02:00 info - alma-0: RepositoryNotFoundException: The repository with name 'alma-0' does not exist in the registry with id '000000000000'
exit status 1
You need a working go toolchain (It has been developped and tested with go 1.14 and go 1.16 only, but should work with go >= 1.12 ). Refer to the official documentation for more information (or from your Linux/Mac/Windows distribution documentation to install it from your favorite package manager).
# Clone this repository
git clone https://github.com/lescactus/ecr-go.git && cd ecr-go/
# Build from sources. Use the '-o' flag to change the compiled binary name
go build
# Default compiled binary is ecr-go
# You can optionnaly move it somewhere in your $PATH to access it shell wide
./ecr-go
If you don't have go installed but have docker, run the following command to build inside a docker container:
# Build from sources inside a docker container. Use the '-o' flag to change the compiled binary name
# Warning: the compiled binary belongs to root:root
docker run --rm -it -v "$PWD":/app -w /app golang:1.14 go build
# Default compiled binary is ecr-go
# You can optionnaly move it somewhere in your $PATH to access it shell wide
./ecr-go
If you don't want to pollute your computer with another program, with cli comes with its own docker image:
docker build -t ecr-go .
To run the test suite, run the following commands:
# Run the unit tests. Remove the '-v' flag to reduce verbosity
go test -v ./...
# Get coverage to html format
go test -coverprofile -v /tmp/cover.out ./...
go tool cover -html=/tmp/cover.out -o /tmp/cover.out.html