fix: find ECR region in image full name

Shesekino · Shesekino · commit 9cbac89f48b1 · 2019-12-31T13:30:37.000+02:00
when trying to pull images from ECR, decide the AWS region they reside in based on the image full name. an image full name is in the registry/repository:tag format, for example: aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app:latest (https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html)
diff --git a/src/images/credentials.ts b/src/images/credentials.ts
@@ -1,17 +1,19 @@
 import * as aws from 'aws-sdk';
 
+import logger = require('../common/logger');
+
 export async function getSourceCredentials(imageSource: string): Promise<string | undefined> {
   // TODO is this the best way we can determine the image's source?
   if (imageSource.indexOf('.ecr.') !== -1) {
-    return getEcrCredentials();
+    const ecrRegion = ecrRegionFromFullImageName(imageSource);
+    return getEcrCredentials(ecrRegion);
   }
   return undefined;
 }
 
-function getEcrCredentials(): Promise<string> {
+function getEcrCredentials(region: string): Promise<string> {
   return new Promise(async (resolve, reject) => {
-    // TODO grab region... from...? ask users to provide it?
-    const ecr = new aws.ECR({region: 'us-east-2'});
+    const ecr = new aws.ECR({region});
     return ecr.getAuthorizationToken({}, (err, data) => {
       if (err) {
         return reject(err);
@@ -38,3 +40,29 @@ function getEcrCredentials(): Promise<string> {
     });
   });
 }
+
+export function ecrRegionFromFullImageName(imageFullName: string): string {
+  // should look like this
+  // aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app:latest
+  // https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html
+  try {
+    const [registry, repository] = imageFullName.split('/');
+    if (!repository) {
+      throw new Error('ECR image full name missing repository');
+    }
+
+    const parts = registry.split('.');
+    if (!(
+      parts.length === 6 &&
+      parts[1] === 'dkr' &&
+      parts[2] === 'ecr' &&
+      parts[4] === 'amazonaws'
+    )) {
+      throw new Error('ECR image full name in unexpected format');
+    }
+    return parts[3];
+  } catch (err) {
+    logger.error({err, imageFullName}, 'failed extracting ECR region from image full name');
+    throw err;
+  }
+}
diff --git a/test/unit/image-registry-credentials.test.ts b/test/unit/image-registry-credentials.test.ts
@@ -0,0 +1,18 @@
+import * as tap from 'tap';
+
+import * as credentials from '../../src/images/credentials';
+
+tap.test('ecrRegionFromFullImageName()', async (t) => {
+  const imageFullNameTemplate = 'aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app:latest';
+  const ecrRegionTemplate = credentials.ecrRegionFromFullImageName(imageFullNameTemplate);
+  t.equals(ecrRegionTemplate, 'region', 'extracts region from the image full name template');
+
+  const imageFullName = '291964488713.dkr.ecr.us-east-2.amazonaws.com/snyk/debian:10';
+  const ecrRegion = credentials.ecrRegionFromFullImageName(imageFullName);
+  t.equals(ecrRegion, 'us-east-2', 'extracts region from the image full name fixture');
+
+  t.throws(() => {credentials.ecrRegionFromFullImageName('');}, 'throws on badly formatted images');
+  t.throws(() => {credentials.ecrRegionFromFullImageName('dkr.ecr.region.amazonaws.com/my-web-app:latest');}, 'throws on badly formatted images');
+  t.throws(() => {credentials.ecrRegionFromFullImageName('aws_account_id.dkr.ecr.amazonaws.com/my-web-app:latest');}, 'throws on badly formatted images');
+  t.throws(() => {credentials.ecrRegionFromFullImageName('aws_account_id.dkr.ecr.region.amazonaws.com');}, 'throws on badly formatted images');
+});
