From 674ab0824e9d0ac00f3450e14d43fdfc763b9292 Mon Sep 17 00:00:00 2001 From: Matt Merkes Date: Thu, 12 Oct 2023 13:24:29 -0700 Subject: [PATCH] get-ecr-uri.sh falls back to use another region in partition if region unconfigured --- files/get-ecr-uri.sh | 63 ++++++++++++++++++++++++++--- test/cases/get-ecr-uri.sh | 85 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 142 insertions(+), 6 deletions(-) create mode 100755 test/cases/get-ecr-uri.sh diff --git a/files/get-ecr-uri.sh b/files/get-ecr-uri.sh index 56278ab8d..7f6017f4c 100755 --- a/files/get-ecr-uri.sh +++ b/files/get-ecr-uri.sh @@ -3,6 +3,26 @@ set -euo pipefail # More details about the mappings in this file can be found here https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html +# This list includes all commercial non-opt-in regions, which use the same account +# for ECR pause container images. +non_opt_in_aws_regions="ap-northeast-1 +ap-northeast-2 +ap-northeast-3 +ap-south-1 +ap-southeast-1 +ap-southeast-2 +ca-central-1 +eu-central-1 +eu-north-1 +eu-west-1 +eu-west-2 +eu-west-3 +sa-east-1 +us-east-1 +us-east-2 +us-west-1 +us-west-2" + region=$1 aws_domain=$2 if [[ $# -eq 3 ]] && [[ ! -z $3 ]]; then @@ -39,15 +59,15 @@ else af-south-1) acct="877085696533" ;; - eu-south-1) - acct="590381155156" - ;; ap-southeast-3) acct="296578399912" ;; me-central-1) acct="759879836304" ;; + eu-south-1) + acct="590381155156" + ;; eu-south-2) acct="455263428931" ;; @@ -64,9 +84,40 @@ else acct="066635153087" ;; *) - acct="602401143452" - ;; - esac + # If the region is not mapped to an account, let's try to choose another region + # in that partition. + case $aws_domain in + aws-us-gov) + acct="013241004608" + region="us-gov-west-1" + ;; + aws-cn) + acct="961992271922" + region="cn-northwest-1" + ;; + aws-iso) + acct="725322719131" + region="us-iso-east-1" + ;; + aws-iso-b) + acct="187977181151" + region="us-isob-east-1" + ;; + *) + acct="602401143452" + case $non_opt_in_aws_regions in + # This a non-opt-in regions, which use the same account. + *$region*) + # Do nothing. + ;; + *) + region="us-west-2" + ;; + esac # end opt-in check + ;; + esac # end partition check + ;; + esac # end region check fi AWS_ECR_SUBDOMAIN="ecr" diff --git a/test/cases/get-ecr-uri.sh b/test/cases/get-ecr-uri.sh new file mode 100755 index 000000000..15a5bddd5 --- /dev/null +++ b/test/cases/get-ecr-uri.sh @@ -0,0 +1,85 @@ +#!/usr/bin/env bash + +set -o nounset +set -o errexit +set -o pipefail + +echo "--> Should use specified account when passed in" +EXPECTED_ECR_URI="999999999999.dkr.ecr.mars-west-1.aws-mars" +REGION="mars-west-1" +PARTITION="aws-mars" +ECR_URI=$(/etc/eks/get-ecr-uri.sh "${REGION}" "${PARTITION}" "999999999999") +if [ ! "$ECR_URI" = "$EXPECTED_ECR_URI" ]; then + echo "❌ Test Failed: expected ecr-uri=$EXPECTED_ECR_URI but got '${ECR_URI}'" + exit 1 +fi + +echo "--> Should use account mapped to the region when set" +EXPECTED_ECR_URI="590381155156.dkr.ecr.eu-south-1.aws" +REGION="eu-south-1" +PARTITION="aws" +ECR_URI=$(/etc/eks/get-ecr-uri.sh "${REGION}" "${PARTITION}") +if [ ! "$ECR_URI" = "$EXPECTED_ECR_URI" ]; then + echo "❌ Test Failed: expected ecr-uri=$EXPECTED_ECR_URI but got '${ECR_URI}'" + exit 1 +fi + +echo "--> Should use non-opt-in account when not opt-in-region" +EXPECTED_ECR_URI="602401143452.dkr.ecr.us-east-2.aws" +REGION="us-east-2" +PARTITION="aws" +ECR_URI=$(/etc/eks/get-ecr-uri.sh "${REGION}" "${PARTITION}") +if [ ! "$ECR_URI" = "$EXPECTED_ECR_URI" ]; then + echo "❌ Test Failed: expected ecr-uri=$EXPECTED_ECR_URI but got '${ECR_URI}'" + exit 1 +fi + +echo "--> Should use us-west-2 account and region when opt-in-region" +EXPECTED_ECR_URI="602401143452.dkr.ecr.us-west-2.aws" +REGION="eu-south-100" +PARTITION="aws" +ECR_URI=$(/etc/eks/get-ecr-uri.sh "${REGION}" "${PARTITION}") +if [ ! "$ECR_URI" = "$EXPECTED_ECR_URI" ]; then + echo "❌ Test Failed: expected ecr-uri=$EXPECTED_ECR_URI but got '${ECR_URI}'" + exit 1 +fi + +echo "--> Should default us-gov-west-1 when unknown aws-us-gov region" +EXPECTED_ECR_URI="013241004608.dkr.ecr.us-gov-west-1.aws-us-gov" +REGION="us-gov-east-100" +PARTITION="aws-us-gov" +ECR_URI=$(/etc/eks/get-ecr-uri.sh "${REGION}" "${PARTITION}") +if [ ! "$ECR_URI" = "$EXPECTED_ECR_URI" ]; then + echo "❌ Test Failed: expected ecr-uri=$EXPECTED_ECR_URI but got '${ECR_URI}'" + exit 1 +fi + +echo "--> Should default cn-northwest-1 when unknown aws-cn region" +EXPECTED_ECR_URI="961992271922.dkr.ecr.cn-northwest-1.aws-cn" +REGION="cn-north-100" +PARTITION="aws-cn" +ECR_URI=$(/etc/eks/get-ecr-uri.sh "${REGION}" "${PARTITION}") +if [ ! "$ECR_URI" = "$EXPECTED_ECR_URI" ]; then + echo "❌ Test Failed: expected ecr-uri=$EXPECTED_ECR_URI but got '${ECR_URI}'" + exit 1 +fi + +echo "--> Should default us-iso-east-1 when unknown aws-iso region" +EXPECTED_ECR_URI="725322719131.dkr.ecr.us-iso-east-1.aws-iso" +REGION="us-iso-west-100" +PARTITION="aws-iso" +ECR_URI=$(/etc/eks/get-ecr-uri.sh "${REGION}" "${PARTITION}") +if [ ! "$ECR_URI" = "$EXPECTED_ECR_URI" ]; then + echo "❌ Test Failed: expected ecr-uri=$EXPECTED_ECR_URI but got '${ECR_URI}'" + exit 1 +fi + +echo "--> Should default us-isob-east-1 when unknown aws-isob region" +EXPECTED_ECR_URI="602401143452.dkr.ecr.us-west-2.aws-isob" +REGION="us-isob-west-100" +PARTITION="aws-isob" +ECR_URI=$(/etc/eks/get-ecr-uri.sh "${REGION}" "${PARTITION}") +if [ ! "$ECR_URI" = "$EXPECTED_ECR_URI" ]; then + echo "❌ Test Failed: expected ecr-uri=$EXPECTED_ECR_URI but got '${ECR_URI}'" + exit 1 +fi