New data source aws_ecr_authorization_token

[edgarpoce]

Community Note

• Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Summary

Add a new data source called aws_ecr_authorization_token that provides the necessary credentials to access private ECR repositories
see https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html

Reasoning for change

As a terraform user I want to manage Docker images in private ECR repositories. In order to do this I need to get the credentials of the private repository.

The end goal is to be able to build and manage remote docker images fully in Terraform.
e.g.

provider "aws" {
  region  = "us-east-1"
}

resource "aws_ecr_repository" "helloworld" {
  name = "helloworld"
}

data "aws_ecr_authorization_token" "helloworld" {
  registry_id = aws_ecr_repository.helloworld.registry_id
}

provider "docker" {
  registry_auth {
    address  = data.aws_ecr_authorization_token.helloworld.proxy_endpoint
    username = data.aws_ecr_authorization_token.helloworld.user_name
    password = data.aws_ecr_authorization_token.helloworld.password
  }
}

resource "docker_registry_image" "helloworld" {
  name = "${aws_ecr_repository.helloworld.repository_url}:1.0"
  build {
    context = "context"
  }
}

Relates OR Closes #11332

Release note for CHANGELOG:

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccAWSEcrDataSource_ecrAuthorizationToken'

...

[ewbankkit]

Verified acceptance tests:

$ make testacc TEST=./aws/ TESTARGS='-run=TestAccAWSEcrDataSource_ecrAuthorizationToken'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws/ -v -count 1 -parallel 20 -run=TestAccAWSEcrDataSource_ecrAuthorizationToken -timeout 120m
=== RUN   TestAccAWSEcrDataSource_ecrAuthorizationToken
--- PASS: TestAccAWSEcrDataSource_ecrAuthorizationToken (41.01s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	41.049s

[edgarpoce]

Thanks for reviewing!, I'll implement the changes ASAP.

[anGie44]

Thanks for the latest updates @edgarpoce, LGTM 👍

Output of acceptance test:

--- PASS: TestAccAWSEcrAuthorizationTokenDataSource_basic (32.09s)

[anGie44]

Hi @edgarpoce, in using this data-source in practice such that it's attributes are used as input's to the docker provider's registry_auth block, I came across a plan-time issue such that the docker provider doesn't seem to uses these attributes and instead continues to look for the auth credentials in the registry config file. this behavior of a provider config block not acknowledging data-source values, unfortunately, is a known limitation in some providers, and in retrospect not something I was aware of while reviewing. while this use case may not cover all potential uses of this data-source, I wanted to get your feedback (as well anyone following this PR or @Phat3 related GH Issue) regarding this potential unwanted behavior before we make this feature generally available to ensure the data-source can still assist in yours/others resource management workflows.

[edgarpoce]

@anGie44 , If I understand the problem you are mentioning correctly I think it's bug in the Docker provider.
I contributed a PR that is scheduled for release v.2.8.0. see hashicorp/terraform-provider-docker#250
The bug in the Docker provider makes the whole deployment fail if there's a reference to another resource as part of the docker provider configuration.

[anGie44]

@edgarpoce thanks for pointing to the PR in the docker provider! I can now confirm that building that provider from your PR branch and using this new data-source works as I'd expect 👍

e.g.

data "aws_ecr_repository" "helloworld" {
  name = "helloworld"
}

data "aws_ecr_authorization_token" "helloworld" {
  registry_id = data.aws_ecr_repository.helloworld.registry_id
}

provider "docker" {
registry_auth {
    address  = data.aws_ecr_authorization_token.helloworld.proxy_endpoint
    username = data.aws_ecr_authorization_token.helloworld.user_name
    password = data.aws_ecr_authorization_token.helloworld.password
  }
}

data "docker_registry_image" "test" {
  name = "${data.aws_ecr_repository.helloworld.repository_url}:latest"
}

output "image_sha" {
    value = data.docker_registry_image.test.sha256_digest
 }

[anGie44]

hi @edgarpoce! do you mind fixing the conflicts that have emerged? (I made an attempt here but found it more involved than I expected so reverted to how it was last). I'd like to get this into the next release :)

[edgarpoce]

@anGie44 , the conflict is fixed now. Thanks!

[ghost]

This has been released in version 2.67.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!