ecs_ecr - Add encryption_configuration option #1623

Contributor

@rwha rwha commented Dec 20, 2022

SUMMARY

Adds an encryption_configuration option for new repositories to allow specifying a KMS key. Fixes #1203.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

ecs_ecr

ADDITIONAL INFORMATION

@github-actions

github-actions bot commented Dec 20, 2022

Docs Build 📝

Thank you for contribution!✨

This PR has been merged and your docs changes will be incorporated when they are next published.

@softwarefactory-project-zuul
Contributor

Build failed.

✔️ ansible-galaxy-importer SUCCESS in 4m 13s
✔️ build-ansible-collection SUCCESS in 5m 50s
✔️ ansible-test-sanity-docker-devel SUCCESS in 10m 13s (non-voting)
✔️ ansible-test-sanity-docker-milestone SUCCESS in 10m 40s (non-voting)
✔️ ansible-test-sanity-docker-stable-2.12 SUCCESS in 11m 41s
✔️ ansible-test-sanity-docker-stable-2.13 SUCCESS in 10m 11s
✔️ ansible-test-sanity-docker-stable-2.14 SUCCESS in 10m 23s
✔️ ansible-test-units-amazon-aws-python36 SUCCESS in 6m 40s
✔️ ansible-test-units-amazon-aws-python38 SUCCESS in 5m 58s
✔️ ansible-test-units-amazon-aws-python39 SUCCESS in 6m 21s
ansible-test-changelog FAILURE in 2m 22s
✔️ ansible-test-splitter SUCCESS in 2m 54s
✔️ integration-community.aws-1 SUCCESS in 6m 21s
⚠️ integration-community.aws-2 SKIPPED
⚠️ integration-community.aws-3 SKIPPED
⚠️ integration-community.aws-4 SKIPPED
⚠️ integration-community.aws-5 SKIPPED
⚠️ integration-community.aws-6 SKIPPED
⚠️ integration-community.aws-7 SKIPPED
⚠️ integration-community.aws-8 SKIPPED
⚠️ integration-community.aws-9 SKIPPED
⚠️ integration-community.aws-10 SKIPPED
⚠️ integration-community.aws-11 SKIPPED
⚠️ integration-community.aws-12 SKIPPED
⚠️ integration-community.aws-13 SKIPPED
⚠️ integration-community.aws-14 SKIPPED
⚠️ integration-community.aws-15 SKIPPED
⚠️ integration-community.aws-16 SKIPPED
⚠️ integration-community.aws-17 SKIPPED
⚠️ integration-community.aws-18 SKIPPED
⚠️ integration-community.aws-19 SKIPPED
⚠️ integration-community.aws-20 SKIPPED
⚠️ integration-community.aws-21 SKIPPED
⚠️ integration-community.aws-22 SKIPPED


@ansibullbot ansibullbot added community_review feature This issue/PR relates to a feature request module module needs_triage new_contributor Help guide this first time contributor plugins plugin (any type) labels Dec 20, 2022
@softwarefactory-project-zuul
Contributor

Build succeeded.

✔️ ansible-galaxy-importer SUCCESS in 3m 59s
✔️ build-ansible-collection SUCCESS in 5m 33s
✔️ ansible-test-sanity-docker-devel SUCCESS in 9m 27s (non-voting)
✔️ ansible-test-sanity-docker-milestone SUCCESS in 9m 52s (non-voting)
✔️ ansible-test-sanity-docker-stable-2.12 SUCCESS in 10m 27s
✔️ ansible-test-sanity-docker-stable-2.13 SUCCESS in 9m 17s
✔️ ansible-test-sanity-docker-stable-2.14 SUCCESS in 9m 34s
✔️ ansible-test-units-amazon-aws-python36 SUCCESS in 6m 20s
✔️ ansible-test-units-amazon-aws-python38 SUCCESS in 7m 49s
✔️ ansible-test-units-amazon-aws-python39 SUCCESS in 6m 05s
✔️ ansible-test-changelog SUCCESS in 2m 27s
✔️ ansible-test-splitter SUCCESS in 3m 04s
✔️ integration-community.aws-1 SUCCESS in 5m 41s
⚠️ integration-community.aws-2 SKIPPED
⚠️ integration-community.aws-3 SKIPPED
⚠️ integration-community.aws-4 SKIPPED
⚠️ integration-community.aws-5 SKIPPED
⚠️ integration-community.aws-6 SKIPPED
⚠️ integration-community.aws-7 SKIPPED
⚠️ integration-community.aws-8 SKIPPED
⚠️ integration-community.aws-9 SKIPPED
⚠️ integration-community.aws-10 SKIPPED
⚠️ integration-community.aws-11 SKIPPED
⚠️ integration-community.aws-12 SKIPPED
⚠️ integration-community.aws-13 SKIPPED
⚠️ integration-community.aws-14 SKIPPED
⚠️ integration-community.aws-15 SKIPPED
⚠️ integration-community.aws-16 SKIPPED
⚠️ integration-community.aws-17 SKIPPED
⚠️ integration-community.aws-18 SKIPPED
⚠️ integration-community.aws-19 SKIPPED
⚠️ integration-community.aws-20 SKIPPED
⚠️ integration-community.aws-21 SKIPPED
⚠️ integration-community.aws-22 SKIPPED

@rwha rwha changed the title Add encryption_config option Add encryption_configuration option Dec 20, 2022
@markuman
Member

@rwha thanks for your first contribution.
Can you also please expand the integration test tests/integration/targets/ecs_ecr/?

@ansibullbot ansibullbot added integration tests/integration tests tests and removed needs_triage labels Dec 21, 2022
@softwarefactory-project-zuul
Contributor

Build succeeded.

✔️ ansible-galaxy-importer SUCCESS in 4m 01s
✔️ build-ansible-collection SUCCESS in 5m 54s
✔️ ansible-test-sanity-docker-devel SUCCESS in 11m 50s (non-voting)
✔️ ansible-test-sanity-docker-milestone SUCCESS in 9m 49s (non-voting)
✔️ ansible-test-sanity-docker-stable-2.12 SUCCESS in 8m 57s
✔️ ansible-test-sanity-docker-stable-2.13 SUCCESS in 9m 26s
✔️ ansible-test-sanity-docker-stable-2.14 SUCCESS in 9m 23s
✔️ ansible-test-units-amazon-aws-python36 SUCCESS in 6m 19s
✔️ ansible-test-units-amazon-aws-python38 SUCCESS in 6m 10s
✔️ ansible-test-units-amazon-aws-python39 SUCCESS in 6m 03s
✔️ ansible-test-changelog SUCCESS in 2m 22s
✔️ ansible-test-splitter SUCCESS in 3m 08s
✔️ integration-community.aws-1 SUCCESS in 6m 28s
⚠️ integration-community.aws-2 SKIPPED
⚠️ integration-community.aws-3 SKIPPED
⚠️ integration-community.aws-4 SKIPPED
⚠️ integration-community.aws-5 SKIPPED
⚠️ integration-community.aws-6 SKIPPED
⚠️ integration-community.aws-7 SKIPPED
⚠️ integration-community.aws-8 SKIPPED
⚠️ integration-community.aws-9 SKIPPED
⚠️ integration-community.aws-10 SKIPPED
⚠️ integration-community.aws-11 SKIPPED
⚠️ integration-community.aws-12 SKIPPED
⚠️ integration-community.aws-13 SKIPPED
⚠️ integration-community.aws-14 SKIPPED
⚠️ integration-community.aws-15 SKIPPED
⚠️ integration-community.aws-16 SKIPPED
⚠️ integration-community.aws-17 SKIPPED
⚠️ integration-community.aws-18 SKIPPED
⚠️ integration-community.aws-19 SKIPPED
⚠️ integration-community.aws-20 SKIPPED
⚠️ integration-community.aws-21 SKIPPED
⚠️ integration-community.aws-22 SKIPPED

@rwha
Contributor Author

rwha commented Dec 21, 2022

I have something written to check for modifications to the encryption config, but I'm unsure of how to handle an unsupported change.

If the encryption configuration for an existing repository is different from what is defined in the task, should the task fail, or should a warning be emitted? I would prefer a failure, however showing a warning was mentioned in #1203. If a failure is preferred, should the code at that point do something like this?

result['msg'] = 'Repository encryption configuration cannot be modified.'
return False, result

@markuman
Member

> If the encryption configuration for an existing repository is different from what is defined in the task, should the task fail, or should a warning be emitted? I would prefer a failure,

I'd prefer a warning instead of a complete interruption.
IMO it must also use module.warn( ... )

But let's wait and see what others expect/prefer.
cc @alinabuzachis @jatorcasso @jillr @tremble

TL;DR: Once the ECR is created, the encryption mode is not changeable. What should the module do when the requested encryption differs from existing encryption? Fail or warn?

@markuman markuman added the backport-5 PR should be backported to the stable-5 branch label Dec 21, 2022
@tremble tremble changed the title Add encryption_configuration option ecs_ecr - Add encryption_configuration option Dec 22, 2022
@tremble
Contributor

tremble commented Dec 22, 2022

> TL;DR: Once the ECR is created, the encryption mode is not changeable. What should the module do when the requested encryption differs from existing encryption? Fail or warn?

I would lean towards fail rather than warn especially with something security related: When Ansible's running within a tool like Ansible Tower Automation Platform, the warnings may be completely missed unless someone goes explicitly looking for them. While it seems minor, with the same encryption algorithms in use, the difference between who controls the encryption keys, and what keys are reused for what purposes may be important to folks.
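
The fail-closed handling discussed in this thread, sketched as an added example (it is not code from the PR or from the ecs_ecr module). The keys `encryptionType` and `kmsKey` follow the ECR API's encryptionConfiguration structure; the function names, the exception class and the sample key ARN are assumptions made for illustration, and KMS aliases are not resolved here.

```python
"""Fail-closed drift check for an immutable ECR encryption setting (constructed example)."""

# Constructed sample of what DescribeRepositories could report for a KMS-encrypted repo.
SAMPLE_EXISTING = {
    "encryptionType": "KMS",
    "kmsKey": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}


class EncryptionDriftError(Exception):
    """Requested encryption differs from what the existing repository uses."""


def normalize(config):
    """Return (encryption_type, kms_key); an absent type means the AES256 default."""
    config = config or {}
    return config.get("encryptionType", "AES256"), config.get("kmsKey")


def same_key(requested, existing_arn):
    """Compare a requested key (full ARN or bare key ID) with the ARN the API reports."""
    if existing_arn is None:
        return False
    if requested.startswith("arn:"):
        return requested == existing_arn
    return existing_arn.endswith(":key/" + requested)


def encryption_drift(requested, existing):
    """List every difference between the requested and the existing configuration."""
    if requested is None:  # option not set in the task: nothing to enforce
        return []
    want_type, want_key = normalize(requested)
    have_type, have_key = normalize(existing)
    drift = []
    if want_type != have_type:
        drift.append("encryptionType: want %s, have %s" % (want_type, have_type))
    elif want_type == "KMS" and want_key and not same_key(want_key, have_key):
        # Who controls the key matters even when the algorithm is the same.
        drift.append("kmsKey: want %s, have %s" % (want_key, have_key))
    return drift


def check_existing_repository(requested, existing):
    """Raise instead of warning, so a mismatch cannot pass unnoticed in a job log."""
    drift = encryption_drift(requested, existing)
    if drift:
        raise EncryptionDriftError(
            "Repository encryption configuration cannot be modified. " + "; ".join(drift)
        )
    return False  # nothing changed


if __name__ == "__main__":
    print(encryption_drift({"encryptionType": "AES256"}, SAMPLE_EXISTING))
```

A module would turn the raised error into a task failure; requesting KMS without a key only checks the type, because the key AWS picks by default is not known from the task.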

@ansibullbot ansibullbot removed the new_contributor Help guide this first time contributor label Dec 22, 2022
plugins/modules/ecs_ecr.py (outdated review comment, resolved)
plugins/modules/ecs_ecr.py (outdated review comment, resolved)
@softwarefactory-project-zuul
Contributor

Build failed.

✔️ ansible-galaxy-importer SUCCESS in 4m 04s
✔️ build-ansible-collection SUCCESS in 6m 44s
ansible-test-sanity-docker-devel FAILURE in 8m 45s (non-voting)
ansible-test-sanity-docker-milestone FAILURE in 9m 44s (non-voting)
ansible-test-sanity-docker-stable-2.12 FAILURE in 10m 04s
ansible-test-sanity-docker-stable-2.13 FAILURE in 9m 54s
ansible-test-sanity-docker-stable-2.14 FAILURE in 10m 00s
✔️ ansible-test-units-amazon-aws-python36 SUCCESS in 5m 51s
✔️ ansible-test-units-amazon-aws-python38 SUCCESS in 7m 44s
✔️ ansible-test-units-amazon-aws-python39 SUCCESS in 5m 44s
✔️ ansible-test-changelog SUCCESS in 2m 18s
✔️ ansible-test-splitter SUCCESS in 2m 27s
✔️ integration-community.aws-1 SUCCESS in 6m 21s
⚠️ integration-community.aws-2 SKIPPED
⚠️ integration-community.aws-3 SKIPPED
⚠️ integration-community.aws-4 SKIPPED
⚠️ integration-community.aws-5 SKIPPED
⚠️ integration-community.aws-6 SKIPPED
⚠️ integration-community.aws-7 SKIPPED
⚠️ integration-community.aws-8 SKIPPED
⚠️ integration-community.aws-9 SKIPPED
⚠️ integration-community.aws-10 SKIPPED
⚠️ integration-community.aws-11 SKIPPED
⚠️ integration-community.aws-12 SKIPPED
⚠️ integration-community.aws-13 SKIPPED
⚠️ integration-community.aws-14 SKIPPED
⚠️ integration-community.aws-15 SKIPPED
⚠️ integration-community.aws-16 SKIPPED
⚠️ integration-community.aws-17 SKIPPED
⚠️ integration-community.aws-18 SKIPPED
⚠️ integration-community.aws-19 SKIPPED
⚠️ integration-community.aws-20 SKIPPED
⚠️ integration-community.aws-21 SKIPPED
⚠️ integration-community.aws-22 SKIPPED

@softwarefactory-project-zuul
Contributor

Build failed.

✔️ ansible-galaxy-importer SUCCESS in 3m 59s
✔️ build-ansible-collection SUCCESS in 5m 40s
ansible-test-sanity-docker-devel FAILURE in 10m 37s (non-voting)
ansible-test-sanity-docker-milestone FAILURE in 9m 54s (non-voting)
ansible-test-sanity-docker-stable-2.12 FAILURE in 9m 51s
ansible-test-sanity-docker-stable-2.13 FAILURE in 9m 32s
ansible-test-sanity-docker-stable-2.14 FAILURE in 10m 00s
✔️ ansible-test-units-amazon-aws-python36 SUCCESS in 5m 51s
✔️ ansible-test-units-amazon-aws-python38 SUCCESS in 5m 45s
✔️ ansible-test-units-amazon-aws-python39 SUCCESS in 7m 39s
✔️ ansible-test-changelog SUCCESS in 2m 22s
✔️ ansible-test-splitter SUCCESS in 2m 54s
integration-community.aws-1 FAILURE in 6m 48s
⚠️ integration-community.aws-2 SKIPPED
⚠️ integration-community.aws-3 SKIPPED
⚠️ integration-community.aws-4 SKIPPED
⚠️ integration-community.aws-5 SKIPPED
⚠️ integration-community.aws-6 SKIPPED
⚠️ integration-community.aws-7 SKIPPED
⚠️ integration-community.aws-8 SKIPPED
⚠️ integration-community.aws-9 SKIPPED
⚠️ integration-community.aws-10 SKIPPED
⚠️ integration-community.aws-11 SKIPPED
⚠️ integration-community.aws-12 SKIPPED
⚠️ integration-community.aws-13 SKIPPED
⚠️ integration-community.aws-14 SKIPPED
⚠️ integration-community.aws-15 SKIPPED
⚠️ integration-community.aws-16 SKIPPED
⚠️ integration-community.aws-17 SKIPPED
⚠️ integration-community.aws-18 SKIPPED
⚠️ integration-community.aws-19 SKIPPED
⚠️ integration-community.aws-20 SKIPPED
⚠️ integration-community.aws-21 SKIPPED
⚠️ integration-community.aws-22 SKIPPED

Arguments with a default should not be marked as required
@softwarefactory-project-zuul
Contributor

Build succeeded.

✔️ ansible-galaxy-importer SUCCESS in 4m 57s
✔️ build-ansible-collection SUCCESS in 7m 16s
✔️ ansible-test-sanity-docker-devel SUCCESS in 12m 16s (non-voting)
✔️ ansible-test-sanity-docker-milestone SUCCESS in 9m 39s (non-voting)
✔️ ansible-test-sanity-docker-stable-2.12 SUCCESS in 10m 51s
✔️ ansible-test-sanity-docker-stable-2.13 SUCCESS in 12m 26s
✔️ ansible-test-sanity-docker-stable-2.14 SUCCESS in 9m 49s
✔️ ansible-test-units-amazon-aws-python36 SUCCESS in 6m 47s
✔️ ansible-test-units-amazon-aws-python38 SUCCESS in 6m 53s
✔️ ansible-test-units-amazon-aws-python39 SUCCESS in 6m 25s
✔️ ansible-test-changelog SUCCESS in 2m 44s
✔️ ansible-test-splitter SUCCESS in 2m 49s
✔️ integration-community.aws-1 SUCCESS in 8m 20s
⚠️ integration-community.aws-2 SKIPPED
⚠️ integration-community.aws-3 SKIPPED
⚠️ integration-community.aws-4 SKIPPED
⚠️ integration-community.aws-5 SKIPPED
⚠️ integration-community.aws-6 SKIPPED
⚠️ integration-community.aws-7 SKIPPED
⚠️ integration-community.aws-8 SKIPPED
⚠️ integration-community.aws-9 SKIPPED
⚠️ integration-community.aws-10 SKIPPED
⚠️ integration-community.aws-11 SKIPPED
⚠️ integration-community.aws-12 SKIPPED
⚠️ integration-community.aws-13 SKIPPED
⚠️ integration-community.aws-14 SKIPPED
⚠️ integration-community.aws-15 SKIPPED
⚠️ integration-community.aws-16 SKIPPED
⚠️ integration-community.aws-17 SKIPPED
⚠️ integration-community.aws-18 SKIPPED
⚠️ integration-community.aws-19 SKIPPED
⚠️ integration-community.aws-20 SKIPPED
⚠️ integration-community.aws-21 SKIPPED
⚠️ integration-community.aws-22 SKIPPED

@rwha rwha requested a review from tremble December 22, 2022 17:22
@markuman markuman requested review from tremble and alinabuzachis and removed request for tremble January 12, 2023 20:07
Contributor

@tremble tremble left a comment

I'm not overly familiar with ECR, however in general things look good

tests/integration/targets/ecs_ecr/tasks/main.yml (outdated review comment, resolved)
tests/integration/targets/ecs_ecr/tasks/main.yml (outdated review comment, resolved)
@softwarefactory-project-zuul
Contributor

Build succeeded.

✔️ ansible-galaxy-importer SUCCESS in 4m 00s
✔️ build-ansible-collection SUCCESS in 5m 42s
✔️ ansible-test-sanity-docker-devel SUCCESS in 9m 17s (non-voting)
✔️ ansible-test-sanity-docker-milestone SUCCESS in 10m 01s (non-voting)
✔️ ansible-test-sanity-docker-stable-2.12 SUCCESS in 10m 19s
✔️ ansible-test-sanity-docker-stable-2.13 SUCCESS in 10m 55s
✔️ ansible-test-sanity-docker-stable-2.14 SUCCESS in 10m 10s
✔️ ansible-test-units-amazon-aws-python36 SUCCESS in 24m 13s
✔️ ansible-test-units-amazon-aws-python38 SUCCESS in 6m 17s
✔️ ansible-test-units-amazon-aws-python39 SUCCESS in 7m 13s
✔️ ansible-test-units-amazon-aws-python310 SUCCESS in 6m 46s
✔️ ansible-test-changelog SUCCESS in 2m 14s
✔️ ansible-test-splitter SUCCESS in 2m 47s
✔️ integration-community.aws-1 SUCCESS in 6m 20s
⚠️ integration-community.aws-2 SKIPPED
⚠️ integration-community.aws-3 SKIPPED
⚠️ integration-community.aws-4 SKIPPED
⚠️ integration-community.aws-5 SKIPPED
⚠️ integration-community.aws-6 SKIPPED
⚠️ integration-community.aws-7 SKIPPED
⚠️ integration-community.aws-8 SKIPPED
⚠️ integration-community.aws-9 SKIPPED
⚠️ integration-community.aws-10 SKIPPED
⚠️ integration-community.aws-11 SKIPPED
⚠️ integration-community.aws-12 SKIPPED
⚠️ integration-community.aws-13 SKIPPED
⚠️ integration-community.aws-14 SKIPPED
⚠️ integration-community.aws-15 SKIPPED
⚠️ integration-community.aws-16 SKIPPED
⚠️ integration-community.aws-17 SKIPPED
⚠️ integration-community.aws-18 SKIPPED
⚠️ integration-community.aws-19 SKIPPED
⚠️ integration-community.aws-20 SKIPPED
⚠️ integration-community.aws-21 SKIPPED
⚠️ integration-community.aws-22 SKIPPED

@markuman markuman added the mergeit Merge the PR (SoftwareFactory) label Jan 18, 2023
@softwarefactory-project-zuul
Contributor

Build succeeded (gate pipeline).

✔️ ansible-galaxy-importer SUCCESS in 4m 03s
✔️ build-ansible-collection SUCCESS in 5m 25s
✔️ ansible-test-sanity-docker-devel SUCCESS in 10m 17s (non-voting)
✔️ ansible-test-sanity-docker-milestone SUCCESS in 9m 02s (non-voting)
✔️ ansible-test-sanity-docker-stable-2.12 SUCCESS in 9m 06s
✔️ ansible-test-sanity-docker-stable-2.13 SUCCESS in 8m 46s
✔️ ansible-test-sanity-docker-stable-2.14 SUCCESS in 8m 58s
✔️ ansible-test-units-amazon-aws-python36 SUCCESS in 23m 46s
✔️ ansible-test-units-amazon-aws-python38 SUCCESS in 6m 48s
✔️ ansible-test-units-amazon-aws-python39 SUCCESS in 7m 45s
✔️ ansible-test-units-amazon-aws-python310 SUCCESS in 8m 45s
✔️ ansible-test-changelog SUCCESS in 2m 53s
✔️ ansible-test-splitter SUCCESS in 2m 40s
✔️ integration-community.aws-1 SUCCESS in 7m 42s
⚠️ integration-community.aws-2 SKIPPED
⚠️ integration-community.aws-3 SKIPPED
⚠️ integration-community.aws-4 SKIPPED
⚠️ integration-community.aws-5 SKIPPED
⚠️ integration-community.aws-6 SKIPPED
⚠️ integration-community.aws-7 SKIPPED
⚠️ integration-community.aws-8 SKIPPED
⚠️ integration-community.aws-9 SKIPPED
⚠️ integration-community.aws-10 SKIPPED
⚠️ integration-community.aws-11 SKIPPED
⚠️ integration-community.aws-12 SKIPPED
⚠️ integration-community.aws-13 SKIPPED
⚠️ integration-community.aws-14 SKIPPED
⚠️ integration-community.aws-15 SKIPPED
⚠️ integration-community.aws-16 SKIPPED
⚠️ integration-community.aws-17 SKIPPED
⚠️ integration-community.aws-18 SKIPPED
⚠️ integration-community.aws-19 SKIPPED
⚠️ integration-community.aws-20 SKIPPED
⚠️ integration-community.aws-21 SKIPPED
⚠️ integration-community.aws-22 SKIPPED

@softwarefactory-project-zuul softwarefactory-project-zuul bot merged commit efbe850 into ansible-collections:main Jan 18, 2023
@patchback

patchback bot commented Jan 18, 2023

Backport to stable-5: 💚 backport PR created

✅ Backport PR branch: patchback/backports/stable-5/efbe85034d64bf0f48e128683f06272fdfc54911/pr-1623

Backported as #1661

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

patchback bot pushed a commit that referenced this pull request Jan 18, 2023
ecs_ecr - Add encryption_configuration option

SUMMARY
Adds an encryption_configuration option for new repositories to allow specifying a KMS key. Fixes #1203.
ISSUE TYPE

Feature Pull Request

COMPONENT NAME
ecs_ecr
ADDITIONAL INFORMATION

Reviewed-by: Markus Bergholz <[email protected]>
Reviewed-by: Mark Chappell <None>
Reviewed-by: Alina Buzachis <None>
(cherry picked from commit efbe850)
@rwha rwha deleted the ecs_ecr/add-encryption-config branch January 18, 2023 20:15
softwarefactory-project-zuul bot pushed a commit that referenced this pull request Jan 18, 2023
[PR #1623/efbe8503 backport][stable-5] ecs_ecr - Add encryption_configuration option

This is a backport of PR #1623 as merged into main (efbe850).
SUMMARY
Adds an encryption_configuration option for new repositories to allow specifying a KMS key. Fixes #1203.
ISSUE TYPE

Feature Pull Request

COMPONENT NAME
ecs_ecr
ADDITIONAL INFORMATION

Reviewed-by: Markus Bergholz <[email protected]>
Labels
backport-5 PR should be backported to the stable-5 branch community_review feature This issue/PR relates to a feature request integration tests/integration mergeit Merge the PR (SoftwareFactory) module module plugins plugin (any type) tests tests
Development

Successfully merging this pull request may close these issues.

ecs_ecr - support for specifying KMS key
5 participants