feat: image tag mutability is configurable (#375)

carlosjgp · web-flow · commit 1b5c555f0df5 · 2025-02-17T09:54:20.000-05:00
* feat: image tag mutability is configurable

Signed-off-by: Carlos Juan Gómez Peñalver &lt;carlos@automata.tech&gt;

* feat: add config to job

Signed-off-by: Carlos Juan Gómez Peñalver &lt;carlos@automata.tech&gt;

* feat: add config to job

Signed-off-by: Carlos Juan Gómez Peñalver &lt;carlos@automata.tech&gt;

---------

Signed-off-by: Carlos Juan Gómez Peñalver &lt;carlos@automata.tech&gt;
diff --git a/src/commands/build_and_push_image.yml b/src/commands/build_and_push_image.yml
@@ -201,6 +201,16 @@ parameters:
       The alias, key ID, or full ARN of the KMS key can be specified.
     default: ""
 
+  repo_image_tag_mutability:
+    type: enum
+    enum: ["MUTABLE", "IMMUTABLE"]
+    description: >
+      The tag mutability setting for the repository. If this parameter is omitted,
+      the default setting of MUTABLE will be used which will allow image tags to be
+      overwritten. If IMMUTABLE is specified, all image tags within the repository will
+      be immutable which will prevent them from being overwritten.
+    default: "MUTABLE"
+
   use_credentials_helper:
     type: boolean
     default: true
@@ -248,6 +258,7 @@ steps:
             public_registry: <<parameters.public_registry>>
             repo_encryption_type: <<parameters.repo_encryption_type>>
             encryption_kms_key: <<parameters.repo_encryption_kms_key>>
+            image_tag_mutability: <<parameters.repo_image_tag_mutability>>
   - when:
       condition: <<parameters.set_repo_policy>>
       steps:
diff --git a/src/commands/create_repo.yml b/src/commands/create_repo.yml
@@ -41,6 +41,16 @@ parameters:
       The alias, key ID, or full ARN of the KMS key can be specified.
     default: ""
 
+  image_tag_mutability:
+    type: enum
+    enum: ["MUTABLE", "IMMUTABLE"]
+    description: >
+      The tag mutability setting for the repository. If this parameter is omitted,
+      the default setting of MUTABLE will be used which will allow image tags to be
+      overwritten. If IMMUTABLE is specified, all image tags within the repository will
+      be immutable which will prevent them from being overwritten.
+    default: "MUTABLE"
+
 steps:
   - run:
       name: Create Repository
@@ -52,4 +62,5 @@ steps:
         AWS_ECR_BOOL_PUBLIC_REGISTRY: <<parameters.public_registry>>
         AWS_ECR_ENUM_ENCRYPTION_TYPE: <<parameters.repo_encryption_type>>
         AWS_ECR_STR_ENCRYPTION_KMS_KEY: <<parameters.encryption_kms_key>>
+        AWS_ECR_STR_IMAGE_TAG_MUTABILITY: <<parameters.image_tag_mutability>>
       command: <<include(scripts/create_repo.sh)>>
diff --git a/src/jobs/build_and_push_image.yml b/src/jobs/build_and_push_image.yml
@@ -199,6 +199,16 @@ parameters:
       The alias, key ID, or full ARN of the KMS key can be specified.
     default: ""
 
+  repo_image_tag_mutability:
+    type: enum
+    enum: ["MUTABLE", "IMMUTABLE"]
+    description: >
+      The tag mutability setting for the repository. If this parameter is omitted,
+      the default setting of MUTABLE will be used which will allow image tags to be
+      overwritten. If IMMUTABLE is specified, all image tags within the repository will
+      be immutable which will prevent them from being overwritten.
+    default: "MUTABLE"
+
   aws_domain:
     type: string
     default: "amazonaws.com"
@@ -246,5 +256,6 @@ steps:
       auth: <<parameters.auth>>
       repo_encryption_type: <<parameters.repo_encryption_type>>
       repo_encryption_kms_key: <<parameters.repo_encryption_kms_key>>
+      repo_image_tag_mutability: <<parameters.repo_image_tag_mutability>>
       use_credentials_helper: <<parameters.use_credentials_helper>>
       aws_domain: <<parameters.aws_domain>>
diff --git a/src/scripts/create_repo.sh b/src/scripts/create_repo.sh
@@ -3,6 +3,7 @@ AWS_ECR_EVAL_REGION="$(eval echo "${AWS_ECR_STR_REGION}")"
 AWS_ECR_EVAL_REPO="$(eval echo "${AWS_ECR_STR_REPO}")"
 AWS_ECR_EVAL_PROFILE_NAME="$(eval echo "${AWS_ECR_STR_PROFILE_NAME}")"
 AWS_ECR_EVAL_ENCRYPTION_KMS_KEY="$(eval echo "${AWS_ECR_STR_ENCRYPTION_KMS_KEY}")"
+AWS_ECR_EVAL_IMAGE_TAG_MUTABILITY="$(eval echo "${AWS_ECR_STR_IMAGE_TAG_MUTABILITY}")"
 
 if [ "$AWS_ECR_BOOL_PUBLIC_REGISTRY" == "1" ]; then
     aws ecr-public describe-repositories --profile "${AWS_ECR_EVAL_PROFILE_NAME}" --region us-east-1 --repository-names "${AWS_ECR_EVAL_REPO}" >/dev/null 2>&1 ||
@@ -27,6 +28,7 @@ else
           --profile "${AWS_ECR_EVAL_PROFILE_NAME}" \
           --region "${AWS_ECR_EVAL_REGION}" \
           --repository-name "${AWS_ECR_EVAL_REPO}" \
+          --image-tag-mutability "${AWS_ECR_EVAL_IMAGE_TAG_MUTABILITY}" \
           --image-scanning-configuration "${IMAGE_SCANNING_CONFIGURATION}" \
           --encryption-configuration "${ENCRYPTION_CONFIGURATION}"
 fi
