[Feature Request]Add parameter for tagging ECR repo (#379)

vinmarco · marboledacci · web-flow · commit 3468d30e4d35 · 2025-04-04T09:42:52.000-05:00
* add job and command for tag ecr repo

* cleanup

* expand option description

* add tests for tagging repo

* Remove repo tag from some tests for extra validation

* fix command

* fix typo

* Add some small fixes

* improved docs and add test for empty tags

* fix condition

* Fix syntax for multiple repo tags

* Update syntax on test for multiple tags

* change test string

* Add debug to tag_repo script

* add account id to tag_repo command

* changed variable name for account it

* Remove debug

---------

Co-authored-by: Mateo Arboleda &lt;mateo.arboleda@circleci.com&gt;
diff --git a/.circleci/test-deploy.yml b/.circleci/test-deploy.yml
@@ -102,6 +102,7 @@ jobs:
           workspace_root: << parameters.workspace_root >>
           repo: << parameters.repo >>
           create_repo: << parameters.create_repo >>
+          repo_tag: Key=Env,Value=CITesting
           tag: << parameters.tag >>
           dockerfile: << parameters.dockerfile >>
           path: << parameters.path >>
@@ -118,6 +119,10 @@ jobs:
           path: << parameters.path >>
           platform: << parameters.platform >>
           push_image: false
+      - aws-ecr/tag_repo:
+          repo: << parameters.repo >>
+          tag: '[{\"Key\": \"Validation\", \"Value\": \"CITesting\"}, {\"Key\": \"Validation2\", \"Value\": \"CITesting\"}]'
+          region: << parameters.region >>
       - run:
           name: Tests for docker image
           command: |
@@ -173,6 +178,7 @@ workflows:
           workspace_root: workspace
           repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-multi-platform-without-push
           create_repo: true
+          repo_tag: Key=Env,Value=CITesting
           context: [CPE-OIDC]
           tag: integration,myECRRepoTag
           dockerfile: sample/Dockerfile
@@ -198,6 +204,7 @@ workflows:
           workspace_root: workspace
           repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-default-profile
           create_repo: true
+          repo_tag: Key=Env,Value=CITesting
           context: [CPE-OIDC]
           tag: integration,myECRRepoTag
           dockerfile: sample/Dockerfile
@@ -315,6 +322,7 @@ workflows:
           workspace_root: workspace
           repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-named-profile-<<matrix.use_credentials_helper>>
           create_repo: true
+          repo_tag: Key=Env,Value=CITesting
           tag: integration,myECRRepoTag
           dockerfile: sample/Dockerfile
           path: workspace
@@ -380,6 +388,7 @@ workflows:
           workspace_root: workspace
           repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-skip_when_tags_exist-<<matrix.executor>>
           create_repo: true
+          repo_tag: Key=Env,Value=CITesting
           tag: integration,myECRRepoTag
           dockerfile: Dockerfile
           path: ./sample
diff --git a/src/commands/build_and_push_image.yml b/src/commands/build_and_push_image.yml
@@ -227,6 +227,13 @@ parameters:
       Defaults to qemu-v7.0.0-28, change only if you know what you are doing.
       See https://hub.docker.com/r/tonistiigi/binfmt for details.
 
+  repo_tag:
+    type: string
+    default: ""
+    description: |
+      A list of strings in json format, containing tags for repository.
+      Shorthand Syntax: [{"Key": "FirstTag", "Value": "FirstValue"}]
+
 steps:
   - when:
       condition: <<parameters.checkout>>
@@ -269,6 +276,7 @@ steps:
             repo_encryption_type: <<parameters.repo_encryption_type>>
             encryption_kms_key: <<parameters.repo_encryption_kms_key>>
             image_tag_mutability: <<parameters.repo_image_tag_mutability>>
+            repo_tag: <<parameters.repo_tag>>
   - when:
       condition: <<parameters.set_repo_policy>>
       steps:
diff --git a/src/commands/create_repo.yml b/src/commands/create_repo.yml
@@ -51,6 +51,13 @@ parameters:
       be immutable which will prevent them from being overwritten.
     default: "MUTABLE"
 
+  repo_tag:
+    type: string
+    description: >
+      A list of strings in json format, containing tags for repository.
+      Shorthand Syntax: [{"Key": "FirstTag", "Value": "FirstValue"}]
+    default: ""
+
 steps:
   - run:
       name: Create Repository
@@ -63,4 +70,5 @@ steps:
         AWS_ECR_ENUM_ENCRYPTION_TYPE: <<parameters.repo_encryption_type>>
         AWS_ECR_STR_ENCRYPTION_KMS_KEY: <<parameters.encryption_kms_key>>
         AWS_ECR_STR_IMAGE_TAG_MUTABILITY: <<parameters.image_tag_mutability>>
+        AWS_ECR_STR_REPO_TAG: <<parameters.repo_tag>>
       command: <<include(scripts/create_repo.sh)>>
diff --git a/src/commands/tag_repo.yml b/src/commands/tag_repo.yml
@@ -0,0 +1,42 @@
+description: >
+  Add tag to an existing ECR repository
+
+parameters:
+  account_id:
+    type: string
+    default: ${AWS_ACCOUNT_ID}
+    description: >
+      The 12 digit AWS id associated with the ECR account.
+      This field is required
+
+  repo:
+    type: string
+    description: Name of an Amazon ECR repository
+
+  tag:
+    type: string
+    description: >
+      A list of strings in json format, containing tags for repository
+      Shorthand Syntax: [{"Key": "FirstTag", "Value": "FirstValue"}]
+
+  profile_name:
+    default: "default"
+    description: AWS profile to use
+    type: string
+
+  region:
+    type: string
+    default: ${AWS_DEFAULT_REGION}
+    description: >
+      AWS region of ECR repository. Defaults to environment variable ${AWS_DEFAULT_REGION}
+
+steps:
+  - run:
+      name: Add tag <<parameters.tag>> to <<parameters.repo>>
+      environment:
+        AWS_ECR_STR_REPO: <<parameters.repo>>
+        AWS_ECR_STR_REPO_TAG: <<parameters.tag>>
+        AWS_ECR_STR_REGION: <<parameters.region>>
+        AWS_ECR_STR_AWS_PROFILE: <<parameters.profile_name>>
+        AWS_ECR_STR_ACCOUNT_ID: <<parameters.account_id>>
+      command: <<include(scripts/tag_repo.sh)>>
diff --git a/src/jobs/build_and_push_image.yml b/src/jobs/build_and_push_image.yml
@@ -232,6 +232,13 @@ parameters:
       Defaults to qemu-v7.0.0-28, change only if you know what you are doing.
       See https://hub.docker.com/r/tonistiigi/binfmt for details.
 
+  repo_tag:
+    type: string
+    default: ""
+    description: |
+      A list of strings in json format, containing tags for repository.
+      Shorthand Syntax: [{"Key": "FirstTag", "Value": "FirstValue"}]
+
 steps:
   - build_and_push_image:
       account_id: <<parameters.account_id>>
@@ -269,3 +276,4 @@ steps:
       use_credentials_helper: <<parameters.use_credentials_helper>>
       aws_domain: <<parameters.aws_domain>>
       binfmt_version: <<parameters.binfmt_version>>
+      repo_tag: <<parameters.repo_tag>>
diff --git a/src/scripts/create_repo.sh b/src/scripts/create_repo.sh
@@ -4,6 +4,7 @@ AWS_ECR_EVAL_REPO="$(eval echo "${AWS_ECR_STR_REPO}")"
 AWS_ECR_EVAL_PROFILE_NAME="$(eval echo "${AWS_ECR_STR_PROFILE_NAME}")"
 AWS_ECR_EVAL_ENCRYPTION_KMS_KEY="$(eval echo "${AWS_ECR_STR_ENCRYPTION_KMS_KEY}")"
 AWS_ECR_EVAL_IMAGE_TAG_MUTABILITY="$(eval echo "${AWS_ECR_STR_IMAGE_TAG_MUTABILITY}")"
+AWS_ECR_EVAL_REPO_TAG="$(eval echo "${AWS_ECR_STR_REPO_TAG}")"
 
 if [ "$AWS_ECR_BOOL_PUBLIC_REGISTRY" == "1" ]; then
     aws ecr-public describe-repositories --profile "${AWS_ECR_EVAL_PROFILE_NAME}" --region us-east-1 --repository-names "${AWS_ECR_EVAL_REPO}" >/dev/null 2>&1 ||
@@ -20,6 +21,10 @@ else
       ENCRYPTION_CONFIGURATION+=",kmsKey=${AWS_ECR_EVAL_ENCRYPTION_KMS_KEY}"
     fi
 
+    if [ -z "${AWS_ECR_EVAL_REPO_TAG}" ]; then
+        AWS_ECR_EVAL_REPO_TAG="{\"Key\": \"Name\", \"Value\": \""${AWS_ECR_EVAL_REPO}\""}"
+    fi
+    
     aws ecr describe-repositories \
       --profile "${AWS_ECR_EVAL_PROFILE_NAME}" \
       --region "${AWS_ECR_EVAL_REGION}" \
@@ -30,5 +35,6 @@ else
           --repository-name "${AWS_ECR_EVAL_REPO}" \
           --image-tag-mutability "${AWS_ECR_EVAL_IMAGE_TAG_MUTABILITY}" \
           --image-scanning-configuration "${IMAGE_SCANNING_CONFIGURATION}" \
-          --encryption-configuration "${ENCRYPTION_CONFIGURATION}"
+          --encryption-configuration "${ENCRYPTION_CONFIGURATION}" \
+          --tags "${AWS_ECR_EVAL_REPO_TAG}"
 fi
diff --git a/src/scripts/tag_repo.sh b/src/scripts/tag_repo.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+AWS_ECR_EVAL_ACCOUNT_ID="$(eval echo "${AWS_ECR_STR_ACCOUNT_ID}")"
+AWS_ECR_EVAL_REGION="$(eval echo "${AWS_ECR_STR_REGION}")"
+AWS_ECR_EVAL_REPO="$(eval echo "${AWS_ECR_STR_REPO}")"
+AWS_ECR_EVAL_PROFILE_NAME="$(eval echo "${AWS_ECR_STR_PROFILE_NAME}")"
+AWS_ECR_EVAL_REPO_TAG="$(eval echo "${AWS_ECR_STR_REPO_TAG}")"
+
+if [ "$AWS_ECR_BOOL_PUBLIC_REGISTRY" == "1" ]; then
+    echo "repo_tag is not supported on public repos"
+    exit 1
+fi
+
+if [ -z "${AWS_ECR_STR_REPO_TAG}" ]; then
+    AWS_ECR_EVAL_REPO_TAG="{\"Key\": \"Name\", \"Value\": \""${AWS_ECR_EVAL_REPO}\""}"
+fi
+aws ecr tag-resource \
+    --profile "${AWS_ECR_EVAL_PROFILE_NAME}" \
+    --region "${AWS_ECR_EVAL_REGION}" \
+    --resource-arn "arn:aws:ecr:${AWS_ECR_EVAL_REGION}:${AWS_ECR_EVAL_ACCOUNT_ID}:repository/${AWS_ECR_EVAL_REPO}" \
+    --tags "${AWS_ECR_EVAL_REPO_TAG}"
