ecs_ecr - Add encryption_configuration option (ansible-collections#1623)

ecs_ecr - Add encryption_configuration option SUMMARY Adds an encryption_configuration option for new repositories to allow specifying a KMS key. Fixes ansible-collections#1203. ISSUE TYPE Feature Pull Request COMPONENT NAME ecs_ecr ADDITIONAL INFORMATION Reviewed-by: Markus Bergholz <[email protected]> Reviewed-by: Mark Chappell <None> Reviewed-by: Alina Buzachis <None>
abikouo · Jan 18, 2023 · 655a264 · 655a264
1 parent 52859b8
commit 655a264
Showing 1 changed file with 52 additions and 4 deletions.
diff --git a/ecs_ecr.py b/ecs_ecr.py
@@ -85,6 +85,24 @@
         default: false
         type: bool
         version_added: 1.3.0
+    encryption_configuration:
+        description:
+            - The encryption configuration for the repository.
+        required: false
+        suboptions:
+            encryption_type:
+                description:
+                    - The encryption type to use.
+                choices: [AES256, KMS]
+                default: 'AES256'
+                type: str
+            kms_key:
+                description:
+                    - If I(encryption_type=KMS), specify the KMS key to use for encryption.
+                    - The alias, key ID, or full ARN of the KMS key can be specified.
+                type: str
+        type: dict
+        version_added: 5.2.0
 author:
  - David M. Lee (@leedm777)
 extends_documentation_fragment:
@@ -161,6 +179,13 @@
   community.aws.ecs_ecr:
     name: needs-no-lifecycle-policy
     purge_lifecycle_policy: true
+
+- name: set-encryption-configuration
+  community.aws.ecs_ecr:
+    name: uses-custom-kms-key
+    encryption_configuration:
+      encryption_type: KMS
+      kms_key: custom-kms-key-alias
 '''
 
 RETURN = '''
@@ -201,6 +226,7 @@
 except ImportError:
     pass  # Handled by AnsibleAWSModule
 
+from ansible.module_utils.common.dict_transformations import snake_dict_to_camel_dict
 from ansible.module_utils.six import string_types
 
 from ansible_collections.community.aws.plugins.module_utils.modules import AnsibleCommunityAWSModule as AnsibleAWSModule
@@ -248,17 +274,21 @@ def get_repository_policy(self, registry_id, name):
         except is_boto3_error_code(['RepositoryNotFoundException', 'RepositoryPolicyNotFoundException']):
             return None
 
-    def create_repository(self, registry_id, name, image_tag_mutability):
+    def create_repository(self, registry_id, name, image_tag_mutability, encryption_configuration):
         if registry_id:
             default_registry_id = self.sts.get_caller_identity().get('Account')
             if registry_id != default_registry_id:
                 raise Exception('Cannot create repository in registry {0}.'
                                 'Would be created in {1} instead.'.format(registry_id, default_registry_id))
 
+        if encryption_configuration is None:
+            encryption_configuration = dict(encryptionType='AES256')
+
         if not self.check_mode:
             repo = self.ecr.create_repository(
                 repositoryName=name,
-                imageTagMutability=image_tag_mutability).get('repository')
+                imageTagMutability=image_tag_mutability,
+                encryptionConfiguration=encryption_configuration).get('repository')
             self.changed = True
             return repo
         else:
@@ -411,6 +441,7 @@ def run(ecr, params):
         lifecycle_policy_text = params['lifecycle_policy']
         purge_lifecycle_policy = params['purge_lifecycle_policy']
         scan_on_push = params['scan_on_push']
+        encryption_configuration = snake_dict_to_camel_dict(params['encryption_configuration'])
 
         # Parse policies, if they are given
         try:
@@ -437,10 +468,16 @@ def run(ecr, params):
             result['created'] = False
 
             if not repo:
-                repo = ecr.create_repository(registry_id, name, image_tag_mutability)
+                repo = ecr.create_repository(
+                    registry_id, name, image_tag_mutability, encryption_configuration)
                 result['changed'] = True
                 result['created'] = True
             else:
+                if encryption_configuration is not None:
+                    if repo.get('encryptionConfiguration') != encryption_configuration:
+                        result['msg'] = 'Cannot modify repository encryption type'
+                        return False, result
+
                 repo = ecr.put_image_tag_mutability(registry_id, name, image_tag_mutability)
             result['repository'] = repo
 
@@ -550,7 +587,18 @@ def main():
         purge_policy=dict(required=False, type='bool'),
         lifecycle_policy=dict(required=False, type='json'),
         purge_lifecycle_policy=dict(required=False, type='bool'),
-        scan_on_push=(dict(required=False, type='bool', default=False))
+        scan_on_push=(dict(required=False, type='bool', default=False)),
+        encryption_configuration=dict(
+            required=False,
+            type='dict',
+            options=dict(
+                encryption_type=dict(required=False, type='str', default='AES256', choices=['AES256', 'KMS']),
+                kms_key=dict(required=False, type='str', no_log=False),
+            ),
+            required_if=[
+                ['encryption_type', 'KMS', ['kms_key']],
+            ],
+        ),
     )
     mutually_exclusive = [
         ['policy', 'purge_policy'],