Merge pull request #44949 from marianafidalgof/f-aws_ecr_authorization_token

ecr: add ephemeral aws_ecr_authorization_token resource

Author: YakDriver

.changelog/44949.txt

@@ -0,0 +1,3 @@
+```release-note:new-ephemeral
+aws_ecr_authorization_token
+```

internal/service/ecr/authorization_token_ephemeral.go

@@ -0,0 +1,113 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package ecr
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ecr"
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral"
+	"github.com/hashicorp/terraform-plugin-framework/ephemeral/schema"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+	"github.com/hashicorp/terraform-provider-aws/internal/framework"
+	"github.com/hashicorp/terraform-provider-aws/internal/smerr"
+	itypes "github.com/hashicorp/terraform-provider-aws/internal/types"
+	"github.com/hashicorp/terraform-provider-aws/names"
+)
+
+// @EphemeralResource(aws_ecr_authorization_token, name="AuthorizationToken")
+func newAuthorizationTokenEphemeralResource(_ context.Context) (ephemeral.EphemeralResourceWithConfigure, error) {
+	return &authorizationTokenEphemeralResource{}, nil
+}
+
+type authorizationTokenEphemeralResource struct {
+	framework.EphemeralResourceWithModel[authorizationTokenEphemeralResourceModel]
+}
+
+func (e *authorizationTokenEphemeralResource) Schema(ctx context.Context, _ ephemeral.SchemaRequest, response *ephemeral.SchemaResponse) {
+	response.Schema = schema.Schema{
+		Attributes: map[string]schema.Attribute{
+			"authorization_token": schema.StringAttribute{
+				Computed:  true,
+				Sensitive: true,
+			},
+			"expires_at": schema.StringAttribute{
+				Computed: true,
+			},
+			names.AttrPassword: schema.StringAttribute{
+				Computed:  true,
+				Sensitive: true,
+			},
+			"proxy_endpoint": schema.StringAttribute{
+				Computed: true,
+			},
+			names.AttrUserName: schema.StringAttribute{
+				Computed: true,
+			},
+		},
+	}
+}
+
+func (e *authorizationTokenEphemeralResource) Open(ctx context.Context, request ephemeral.OpenRequest, response *ephemeral.OpenResponse) {
+	conn := e.Meta().ECRClient(ctx)
+	data := authorizationTokenEphemeralResourceModel{}
+
+	smerr.AddEnrich(ctx, &response.Diagnostics, request.Config.Get(ctx, &data))
+	if response.Diagnostics.HasError() {
+		return
+	}
+
+	input := ecr.GetAuthorizationTokenInput{}
+
+	out, err := conn.GetAuthorizationToken(ctx, &input)
+	if err != nil {
+		smerr.AddError(ctx, &response.Diagnostics, err)
+		return
+	}
+
+	if len(out.AuthorizationData) == 0 {
+		smerr.AddError(ctx, &response.Diagnostics, fmt.Errorf("no authorization data returned"))
+		return
+	}
+
+	authorizationData := out.AuthorizationData[0]
+	authorizationToken := aws.ToString(authorizationData.AuthorizationToken)
+	expiresAt := aws.ToTime(authorizationData.ExpiresAt).Format(time.RFC3339)
+	proxyEndpoint := aws.ToString(authorizationData.ProxyEndpoint)
+	authBytes, err := itypes.Base64Decode(authorizationToken)
+	if err != nil {
+		smerr.AddError(ctx, &response.Diagnostics, fmt.Errorf("decoding ECR authorization token: %w", err))
+		return
+	}
+
+	basicAuthorization := strings.Split(string(authBytes), ":")
+	if len(basicAuthorization) != 2 {
+		smerr.AddError(ctx, &response.Diagnostics, fmt.Errorf("unknown ECR authorization token format"))
+		return
+	}
+
+	userName := basicAuthorization[0]
+	password := basicAuthorization[1]
+
+	data.AuthorizationToken = types.StringValue(authorizationToken)
+	data.ProxyEndpoint = types.StringValue(proxyEndpoint)
+	data.ExpiresAt = types.StringValue(expiresAt)
+	data.UserName = types.StringValue(userName)
+	data.Password = types.StringValue(password)
+
+	smerr.AddEnrich(ctx, &response.Diagnostics, response.Result.Set(ctx, &data))
+}
+
+type authorizationTokenEphemeralResourceModel struct {
+	framework.WithRegionModel
+	AuthorizationToken types.String `tfsdk:"authorization_token"`
+	ExpiresAt          types.String `tfsdk:"expires_at"`
+	Password           types.String `tfsdk:"password"`
+	ProxyEndpoint      types.String `tfsdk:"proxy_endpoint"`
+	UserName           types.String `tfsdk:"user_name"`
+}

internal/service/ecr/authorization_token_ephemeral_test.go

@@ -0,0 +1,53 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package ecr_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+	"github.com/hashicorp/terraform-plugin-testing/tfversion"
+	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
+	"github.com/hashicorp/terraform-provider-aws/names"
+)
+
+func TestAccECRAuthorizationTokenEphemeral_basic(t *testing.T) {
+	ctx := acctest.Context(t)
+	echoResourceName := "echo.test"
+	dataPath := tfjsonpath.New("data")
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:   func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck: acctest.ErrorCheck(t, names.ECRServiceID),
+		TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+			tfversion.SkipBelow(tfversion.Version1_10_0),
+		},
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		ProtoV6ProviderFactories: acctest.ProtoV6ProviderFactories(ctx, acctest.ProviderNameEcho),
+		CheckDestroy:             acctest.CheckDestroyNoop,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAuthorizationTokenEphemeralResourceConfig_basic(),
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(echoResourceName, dataPath.AtMapKey("authorization_token"), knownvalue.NotNull()),
+					statecheck.ExpectKnownValue(echoResourceName, dataPath.AtMapKey("proxy_endpoint"), knownvalue.NotNull()),
+					statecheck.ExpectKnownValue(echoResourceName, dataPath.AtMapKey("expires_at"), knownvalue.NotNull()),
+					statecheck.ExpectKnownValue(echoResourceName, dataPath.AtMapKey(names.AttrUserName), knownvalue.NotNull()),
+					statecheck.ExpectKnownValue(echoResourceName, dataPath.AtMapKey(names.AttrPassword), knownvalue.NotNull()),
+				},
+			},
+		},
+	})
+}
+
+func testAccAuthorizationTokenEphemeralResourceConfig_basic() string {
+	return acctest.ConfigCompose(
+		acctest.ConfigWithEchoProvider("ephemeral.aws_ecr_authorization_token.test"),
+		`
+ephemeral "aws_ecr_authorization_token" "test" {}
+`)
+}

internal/service/ecr/service_package_gen.go

@@ -0,0 +1,45 @@
+---
+subcategory: "ECR (Elastic Container Registry)"
+layout: "aws"
+page_title: "AWS: aws_ecr_authorization_token"
+description: |-
+  Retrieve an authentication token to communicate with an ECR repository.
+---
+
+# Ephemeral: aws_ecr_authorization_token
+
+Retrieve an authentication token to communicate with an ECR repository.
+
+~> **NOTE:** Ephemeral resources are a new feature and may evolve as we continue to explore their most effective uses. [Learn more](https://developer.hashicorp.com/terraform/language/resources/ephemeral).
+
+~> **NOTE:** The returned authorization token can be used to access any Amazon ECR registry that the IAM principal has access to. The token's permissions scope is determined by the IAM principal's permissions, not by any specific registry.
+
+## Example Usage
+
+```terraform
+ephemeral "aws_ecr_authorization_token" "token" {}
+
+provider "docker" {
+  registry_auth {
+    address  = ephemeral.aws_ecr_authorization_token.token.proxy_endpoint
+    username = ephemeral.aws_ecr_authorization_token.token.user_name
+    password = ephemeral.aws_ecr_authorization_token.token.password
+  }
+}
+```
+
+## Argument Reference
+
+This resource supports the following arguments:
+
+* `region` - (Optional) Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the [provider configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#aws-configuration-reference).
+
+## Attribute Reference
+
+This resource exports the following attributes in addition to the arguments above:
+
+* `authorization_token` - Temporary IAM authentication credentials to access the ECR repository encoded in base64 in the form of `user_name:password`.
+* `expires_at` - Time in UTC RFC3339 format when the authorization token expires.
+* `password` - Password decoded from the authorization token.
+* `proxy_endpoint` - Registry URL to use in the docker login command.
+* `user_name` - User name decoded from the authorization token.