AWS CLI Verison 2 support

[pda]

• rebase away the temporary merge of Fix & unit test awscli version comparison function #39, once it's in master

awscli v2.0.0 removed the aws ecr get-login command, in favour of the aws ecr get-login-password command which was introduced very recently in v1.17.10 via aws/aws-cli#4874 . In order for ecr-buildkite-plugin to support new and slightly-less-new versions of the AWS CLI, we need to decide which to use by version-checking.

Additionally, the new get-login-password no longer provides the ECR registry address(es), so we need to build them with knowledge of the AWS account ID and region.

AWS region is determined by:

• (legacy registry-region plugin config)
• region plugin config
• AWS_DEFAULT_REGION environment
• us-east-1 default.

AWS account IDs are determined by:

• account-ids plugin config (YAML array, or legacy comma-separated)
• aws sts get-caller-identity

If multiple account-ids are configured, a single aws ecr get-login-password call is made, and multiple docker login ... are made; one for each account/registry. This is correct according to aws/aws-cli#4874 (comment) and https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth:

The password that is returned is valid for any registry that your IAM principal has access to. We have updated our documentation to be more explicit about the authorization data that is returned in the get-authorization-token and get-login-password commands.

Fixes #37

[toolmantim]

Amazing work!

Related to my question in #39, could we drop support for aws-cli < 1.17.10 in this plugin release? Seems reasonable to me.

[pda]

I think that would cause quite a bit of chaos, since 1.17.10 was only tagged 28 days ago.

We could however drop support for < 1.11.91 re. the --no-include-email nonsense, although that flag also has implications on docker version compatibility. But those are both from ~2017 so pretty safe to drop them soon, I imagine.

[toolmantim]

Cool, yeah having thought that through, that would be chaos.

🚀

[pda]

Rebased, tests still look good:

 ✓ ECR login; configured account ID, configured region
 ✓ ECR login; configured account ID, configured legacy registry-region
 ✓ ECR login; configured account ID, discovered region
 ✓ ECR login; configured account ID, default region
 ✓ ECR login; multiple account IDs
 ✓ ECR login; multiple comma-separated account IDs
 ✓ ECR login; discovered account ID
 ✓ ECR login (v1.17.10; after get-login-password was added, before get-login was removed)
 ✓ ECR login (before aws cli 1.17.10 in which get-login-password was added)
 ✓ ECR login (before aws cli 1.17.10) (without --no-include-email)
 ✓ ECR login (before aws cli 1.17.10) with Account IDS
 ✓ ECR login (before aws cli 1.17.10) with Comma-delimited Account IDS (older aws-cli)
 ✓ ECR login (before aws cli 1.17.10) with Comma-delimited Account IDS (newer aws-cli)
 ✓ ECR login (before aws cli 1.17.10) with region specified
 ✓ ECR login (before aws cli 1.17.10) with region and registry id's
 ✓ ECR login (before aws cli 1.17.10) with error, and then retry until success
 ✓ ECR login (before aws cli 1.17.10) with error, and then retry until failure
 ✓ ECR login (before aws cli 1.17.10) doesn't disclose credentials
 ✓ version_a_gte_b: basic: major less; false
 ✓ version_a_gte_b: basic: major more; true
 ✓ version_a_gte_b: basic: major same, minor less; false
 ✓ version_a_gte_b: basic: major same, minor more; true
 ✓ version_a_gte_b: basic: major same, minor same, patch same; true
 ✓ version_a_gte_b: basic: major same, minor same, patch more; true
 ✓ version_a_gte_b: basic: major same, minor same, patch less; false
 ✓ version_a_gte_b: specific: 1.11.40 >= 1.11.91; false
 ✓ version_a_gte_b: specific: 2.0.2 >= 1.11.91; true
 ✓ version_a_gte_b: specific: 2.0.2 >= 2.0.0; true

28 tests, 0 failures

[pda]

I found a bug in my implementation; potential AWS region mismatch between the aws ecr get-login-password call (used AWS_DEFAULT_REGION) and the docker login endpoint (used the plugin-config region). Fixed.