From 386fca3e1408a9389efac08598bde2d93d53fbba Mon Sep 17 00:00:00 2001
From: natekruse-aws <natekrus@amazon.com>
Date: Fri, 13 Sep 2024 19:16:28 -0500
Subject: [PATCH] fix(eks): update private ecr repo url regex (#31394)

### Issue # (if applicable)


### Reason for this change

The regex for private ECR repos currently excludes some supported URLs in AWS regions. Updating the regex to be more inclusive of all AWS regions.

### Description of changes

Modified private ECR repo URL to be domain agnostic.

### Description of how you validated changes

All existing tests pass:
- `npx cdk -a test/aws-eks/test/integ.eks-helm-asset.js deploy --all`
- `yarn test aws-eks`
- `yarn integ --directory test/aws-eks/test`

Manually updated lambda function highside to verify change works in isolated regions as well.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/aws-eks/kubectl-handler/helm/__init__.py       |  2 +-
 packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts   | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py b/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py
index ddf0753a8aa6b..49b684851420e 100644
--- a/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py
+++ b/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py
@@ -101,7 +101,7 @@ def helm_handler(event, context):
 
 def get_oci_cmd(repository, version):
     # Generates OCI command based on pattern. Public ECR vs Private ECR are treated differently.
-    private_ecr_pattern = 'oci://(?P<registry>\d+\.dkr\.ecr\.(?P<region>[a-z0-9\-]+)\.amazonaws\.com(\.cn)?)*'
+    private_ecr_pattern = 'oci://(?P<registry>\d+\.dkr\.ecr\.(?P<region>[a-z0-9\-]+)\.(?P<domain>[a-z0-9\.-]+))*'
     public_ecr_pattern = 'oci://(?P<registry>public\.ecr\.aws)*'
 
     private_registry = re.match(private_ecr_pattern, repository).groupdict()
diff --git a/packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts b/packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts
index cb3804d4289e7..0974ebbf844e6 100644
--- a/packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts
+++ b/packages/aws-cdk-lib/aws-eks/test/helm-chart.test.ts
@@ -272,5 +272,15 @@ describe('helm chart', () => {
       // THEN
       Template.fromStack(stack).hasResourceProperties(eks.HelmChart.RESOURCE_TYPE, { SkipCrds: true });
     });
+    test('should use private ecr repo when specified', () => {
+      // GIVEN
+      const { stack, cluster } = testFixtureCluster();
+
+      // WHEN
+      new eks.HelmChart(stack, 'MyPrivateChart', { cluster, chart: 'chart', repository: 'oci://012345678.dkr.ecr.us-east-1.amazonaws.com/private-repo' });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties(eks.HelmChart.RESOURCE_TYPE, { Repository: 'oci://012345678.dkr.ecr.us-east-1.amazonaws.com/private-repo' });
+    });
   });
 });