From 4a46383d4cefc0864770f3e540c442ee294520fa Mon Sep 17 00:00:00 2001
From: Martin
Date: Tue, 15 Apr 2025 19:05:52 +0200
Subject: [PATCH] fix: Authentication to ECR public (#690)

Originally proposed by @achille-roussel in https://github.com/kreuzwerker/terraform-provider-docker/pull/666
---
 internal/provider/authentication_helpers.go | 6 +++++-
 internal/provider/authentication_helpers_test.go | 10 +++++++++-
 internal/provider/data_source_docker_registry_image.go | 5 ++++-
 .../provider/resource_docker_registry_image_funcs.go | 5 ++++-
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/internal/provider/authentication_helpers.go b/internal/provider/authentication_helpers.go
index 50662020..01cbc49c 100644
--- a/internal/provider/authentication_helpers.go
+++ b/internal/provider/authentication_helpers.go
@@ -41,8 +41,12 @@ func normalizeECRPasswordForDockerCLIUsage(password string) string {
 return password[4:]
 }
 
+func isECRPublicRepositoryURL(url string) bool {
+ return url == "public.ecr.aws"
+}
+
 func isECRRepositoryURL(url string) bool {
- if url == "public.ecr.aws" {
+ if isECRPublicRepositoryURL(url) {
 return true
 }
 // Regexp is based on the ecr urls shown in https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html
diff --git a/internal/provider/authentication_helpers_test.go b/internal/provider/authentication_helpers_test.go
index fef82429..627e36d8 100644
--- a/internal/provider/authentication_helpers_test.go
+++ b/internal/provider/authentication_helpers_test.go
@@ -4,8 +4,16 @@ import (
 "testing"
 )
 
-func TestIsECRRepositoryURL(t *testing.T) {
+func TestIsECRPublicRepositoryURL(t *testing.T) {
+ if !isECRPublicRepositoryURL("public.ecr.aws") {
+ t.Fatalf("Expected true")
+ }
+ if isECRPublicRepositoryURL("public.ecr.aws.com") {
+ t.Fatalf("Expected false")
+ }
+}
 
+func TestIsECRRepositoryURL(t *testing.T) {
 if !isECRRepositoryURL("2385929435838.dkr.ecr.eu-central-1.amazonaws.com") {
 t.Fatalf("Expected true")
 }
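Review bot: isECRPublicRepositoryURL is added without a doc comment, although its exact string comparison now decides which registry is sent the credential as a `Bearer` header in getImageDigest and deleteDockerRegistryImage. I would document that the match is intentionally exact, e.g. `// isECRPublicRepositoryURL reports whether url is exactly the ECR Public host "public.ecr.aws"; the comparison is exact so that look-alike hosts are not treated as ECR Public.` The comparison is also case-sensitive and does not tolerate a port or scheme; whether callers always pass a bare lower-case host is not visible in this hunk, so that assumption belongs in the comment too. isECRRepositoryURL's body continues outside the hunk.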
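Review bot: The new TestIsECRPublicRepositoryURL pins only one rejected input, the suffix look-alike `public.ecr.aws.com`, and its failure messages (`Expected true` / `Expected false`) do not say which input failed. Because this predicate selects the host that receives a bearer token, a small table with a few more rejected inputs (empty string, a subdomain, a prefixed name) would make a later loosening of the match, for example to a suffix or regexp check, fail visibly. The additional host names below are constructed examples.

```go
func TestIsECRPublicRepositoryURL(t *testing.T) {
	// Inputs other than the first two are constructed examples.
	cases := []struct {
		in   string
		want bool
	}{
		{"public.ecr.aws", true},
		{"public.ecr.aws.com", false},
		{"", false},
		{"sub.public.ecr.aws", false},
		{"notpublic.ecr.aws", false},
	}
	for _, c := range cases {
		if got := isECRPublicRepositoryURL(c.in); got != c.want {
			t.Errorf("isECRPublicRepositoryURL(%q) = %v, want %v", c.in, got, c.want)
		}
	}
}
```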
diff --git a/internal/provider/data_source_docker_registry_image.go b/internal/provider/data_source_docker_registry_image.go
index 49e0c7ae..eff13a95 100644
--- a/internal/provider/data_source_docker_registry_image.go
+++ b/internal/provider/data_source_docker_registry_image.go
@@ -85,7 +85,10 @@ func getImageDigest(registry string, registryWithProtocol string, image, tag, us
 if registry != "ghcr.io" && !isECRRepositoryURL(registry) && !isAzureCRRepositoryURL(registry) && registry != "gcr.io" {
 req.SetBasicAuth(username, password)
 } else {
- if isECRRepositoryURL(registry) {
+ if isECRPublicRepositoryURL(registry) {
+ password = normalizeECRPasswordForHTTPUsage(password)
+ req.Header.Add("Authorization", "Bearer "+password)
+ } else if isECRRepositoryURL(registry) {
 password = normalizeECRPasswordForHTTPUsage(password)
 req.Header.Add("Authorization", "Basic "+password)
 } else {
diff --git a/internal/provider/resource_docker_registry_image_funcs.go b/internal/provider/resource_docker_registry_image_funcs.go
index 1ebdb7bd..16c6734f 100644
--- a/internal/provider/resource_docker_registry_image_funcs.go
+++ b/internal/provider/resource_docker_registry_image_funcs.go
@@ -270,7 +270,10 @@ func deleteDockerRegistryImage(pushOpts internalPushImageOptions, registryWithPr
 if pushOpts.Registry != "ghcr.io" && !isECRRepositoryURL(pushOpts.Registry) && !isAzureCRRepositoryURL(pushOpts.Registry) && pushOpts.Registry != "gcr.io" {
 req.SetBasicAuth(username, password)
 } else {
- if isECRRepositoryURL(pushOpts.Registry) {
+ if isECRPublicRepositoryURL(pushOpts.Registry) {
+ password = normalizeECRPasswordForHTTPUsage(password)
+ req.Header.Add("Authorization", "Bearer "+password)
+ } else if isECRRepositoryURL(pushOpts.Registry) {
 password = normalizeECRPasswordForHTTPUsage(password)
 req.Header.Add("Authorization", "Basic "+password)
 } else {
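Review bot: The new `Bearer` branch in getImageDigest is only reached because it is tested before `isECRRepositoryURL(registry)`, which also returns true for public.ecr.aws, and nothing at the call site records that ordering. If the two conditions are later reordered or merged, the credential would silently go out under `Basic` again, so I would add `// public.ecr.aws must be checked first: isECRRepositoryURL matches it too, but it is sent a Bearer token` above the `if`. The branch also sends the output of normalizeECRPasswordForHTTPUsage under both schemes; that function is outside this diff, so it is worth confirming, and stating in the comment, that its result is the form the public registry accepts as a bearer token. The identical branch is added to deleteDockerRegistryImage in resource_docker_registry_image_funcs.go and needs the same comment. Both function bodies start and end outside their hunks.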