Merge pull request #16831 from DrFaust92/r/ecr_registry_policy

r/ecr_registry_policy - new resource
hashicorp · Apr 5, 2021 · e06ee9e · e06ee9e
2 parents 71a766e + 41e46cc
commit e06ee9e
Show file tree

Hide file tree

Showing 5 changed files with 351 additions and 0 deletions.
diff --git a/.changelog/16831.txt b/.changelog/16831.txt
@@ -0,0 +1,3 @@
+```release-note:new-resource
+aws_ecr_registry_policy
+```
diff --git a/aws/provider.go b/aws/provider.go
@@ -668,6 +668,7 @@ func Provider() *schema.Provider {
 			"aws_ec2_transit_gateway_vpc_attachment_accepter":         resourceAwsEc2TransitGatewayVpcAttachmentAccepter(),
 			"aws_ecr_lifecycle_policy":                                resourceAwsEcrLifecyclePolicy(),
 			"aws_ecrpublic_repository":                                resourceAwsEcrPublicRepository(),
+			"aws_ecr_registry_policy":                                 resourceAwsEcrRegistryPolicy(),
 			"aws_ecr_replication_configuration":                       resourceAwsEcrReplicationConfiguration(),
 			"aws_ecr_repository":                                      resourceAwsEcrRepository(),
 			"aws_ecr_repository_policy":                               resourceAwsEcrRepositoryPolicy(),

diff --git a/aws/resource_aws_ecr_registry_policy.go b/aws/resource_aws_ecr_registry_policy.go
@@ -0,0 +1,90 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/hashicorp/aws-sdk-go-base/tfawserr"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+)
+
+func resourceAwsEcrRegistryPolicy() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsEcrRegistryPolicyPut,
+		Read:   resourceAwsEcrRegistryPolicyRead,
+		Update: resourceAwsEcrRegistryPolicyPut,
+		Delete: resourceAwsEcrRegistryPolicyDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"policy": {
+				Type:             schema.TypeString,
+				Required:         true,
+				DiffSuppressFunc: suppressEquivalentAwsPolicyDiffs,
+				ValidateFunc:     validation.StringIsJSON,
+			},
+			"registry_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceAwsEcrRegistryPolicyPut(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).ecrconn
+
+	input := ecr.PutRegistryPolicyInput{
+		PolicyText: aws.String(d.Get("policy").(string)),
+	}
+
+	out, err := conn.PutRegistryPolicy(&input)
+	if err != nil {
+		return fmt.Errorf("Error creating ECR Registry Policy: %w", err)
+	}
+
+	regID := aws.StringValue(out.RegistryId)
+
+	d.SetId(regID)
+
+	return resourceAwsEcrRegistryPolicyRead(d, meta)
+}
+
+func resourceAwsEcrRegistryPolicyRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).ecrconn
+
+	log.Printf("[DEBUG] Reading registry policy %s", d.Id())
+	out, err := conn.GetRegistryPolicy(&ecr.GetRegistryPolicyInput{})
+	if err != nil {
+		if !d.IsNewResource() && tfawserr.ErrCodeEquals(err, ecr.ErrCodeRegistryPolicyNotFoundException) {
+			log.Printf("[WARN] ECR Registry (%s) not found, removing from state", d.Id())
+			d.SetId("")
+			return nil
+		}
+		return err
+	}
+
+	d.Set("registry_id", out.RegistryId)
+	d.Set("policy", out.PolicyText)
+
+	return nil
+}
+
+func resourceAwsEcrRegistryPolicyDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).ecrconn
+
+	_, err := conn.DeleteRegistryPolicy(&ecr.DeleteRegistryPolicyInput{})
+	if err != nil {
+		if tfawserr.ErrCodeEquals(err, ecr.ErrCodeRegistryPolicyNotFoundException) {
+			return nil
+		}
+		return err
+	}
+
+	return nil
+}
diff --git a/aws/resource_aws_ecr_registry_policy_test.go b/aws/resource_aws_ecr_registry_policy_test.go
@@ -0,0 +1,195 @@
+package aws
+
+import (
+	"fmt"
+	"regexp"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/ecr"
+	"github.com/hashicorp/aws-sdk-go-base/tfawserr"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAccAWSEcrRegistryPolicy_serial(t *testing.T) {
+	testFuncs := map[string]func(t *testing.T){
+		"basic":      testAccAWSEcrRegistryPolicy_basic,
+		"disappears": testAccAWSEcrRegistryPolicy_disappears,
+	}
+
+	for name, testFunc := range testFuncs {
+		testFunc := testFunc
+
+		t.Run(name, func(t *testing.T) {
+			testFunc(t)
+		})
+	}
+}
+
+func testAccAWSEcrRegistryPolicy_basic(t *testing.T) {
+	var v ecr.GetRegistryPolicyOutput
+	resourceName := "aws_ecr_registry_policy.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		ErrorCheck:   testAccErrorCheck(t, ecr.EndpointsID),
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSEcrRegistryPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSEcrRegistryPolicy(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSEcrRegistryPolicyExists(resourceName, &v),
+					resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`"ecr:ReplicateImage".+`)),
+					testAccCheckResourceAttrAccountID(resourceName, "registry_id"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccAWSEcrRegistryPolicyUpdated(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSEcrRegistryPolicyExists(resourceName, &v),
+					resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`"ecr:ReplicateImage".+`)),
+					resource.TestMatchResourceAttr(resourceName, "policy", regexp.MustCompile(`"ecr:CreateRepository".+`)),
+					testAccCheckResourceAttrAccountID(resourceName, "registry_id"),
+				),
+			},
+		},
+	})
+}
+
+func testAccAWSEcrRegistryPolicy_disappears(t *testing.T) {
+	var v ecr.GetRegistryPolicyOutput
+	resourceName := "aws_ecr_registry_policy.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		ErrorCheck:   testAccErrorCheck(t, ecr.EndpointsID),
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSEcrRegistryPolicyDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSEcrRegistryPolicy(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSEcrRegistryPolicyExists(resourceName, &v),
+					testAccCheckResourceDisappears(testAccProvider, resourceAwsEcrRegistryPolicy(), resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func testAccCheckAWSEcrRegistryPolicyDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).ecrconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_ecr_registry_policy" {
+			continue
+		}
+
+		_, err := conn.GetRegistryPolicy(&ecr.GetRegistryPolicyInput{})
+		if err != nil {
+			if tfawserr.ErrCodeEquals(err, ecr.ErrCodeRegistryPolicyNotFoundException) {
+				return nil
+			}
+			return err
+		}
+	}
+
+	return nil
+}
+
+func testAccCheckAWSEcrRegistryPolicyExists(name string, res *ecr.GetRegistryPolicyOutput) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No ECR registry policy ID is set")
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).ecrconn
+
+		output, err := conn.GetRegistryPolicy(&ecr.GetRegistryPolicyInput{})
+		if err != nil {
+			if tfawserr.ErrCodeEquals(err, ecr.ErrCodeRegistryPolicyNotFoundException) {
+				return fmt.Errorf("ECR repository %s not found", rs.Primary.ID)
+			}
+			return err
+		}
+
+		*res = *output
+
+		return nil
+	}
+}
+
+func testAccAWSEcrRegistryPolicy() string {
+	return `
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_partition" "current" {}
+
+resource "aws_ecr_registry_policy" "test" {
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "testpolicy",
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        "Action" : [
+          "ecr:ReplicateImage"
+        ],
+        "Resource" : [
+          "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/*"
+        ]
+      }
+    ]
+  })
+}
+`
+}
+
+func testAccAWSEcrRegistryPolicyUpdated() string {
+	return `
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_partition" "current" {}
+
+resource "aws_ecr_registry_policy" "test" {
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "testpolicy",
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        "Action" : [
+          "ecr:ReplicateImage",
+          "ecr:CreateRepository"
+        ],
+        "Resource" : [
+          "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/*"
+        ]
+      }
+    ]
+  })
+}
+`
+}
diff --git a/website/docs/r/ecr_registry_policy.html.markdown b/website/docs/r/ecr_registry_policy.html.markdown
@@ -0,0 +1,62 @@
+---
+subcategory: "ECR"
+layout: "aws"
+page_title: "AWS: aws_ecr_registry_policy"
+description: |-
+  Provides an Elastic Container Registry Policy.
+---
+
+# Resource: aws_ecr_registry_policy
+
+Provides an Elastic Container Registry Policy.
+
+## Example Usage
+
+```terraform
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_partition" "current" {}
+
+resource "aws_ecr_registry_policy" "example" {
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "testpolicy",
+        Effect = "Allow",
+        Principal = {
+          "AWS" : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        Action = [
+          "ecr:ReplicateImage"
+        ],
+        Resource = [
+          "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/*"
+        ]
+      }
+    ]
+  })
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `policy` - (Required) The policy document. This is a JSON formatted string. For more information about building IAM policy documents with Terraform, see the [AWS IAM Policy Document Guide](https://learn.hashicorp.com/terraform/aws/iam-policy)
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `registry_id` - The registry ID where the registry was created.
+
+## Import
+
+ECR Registry Policy can be imported using the registry id, e.g.
+
+```
+$ terraform import aws_ecr_registry_policy.example 123456789012
+```