community.aws

ecs_ecr - support for specifying KMS key

Open GreNIX opened this issue 3 years ago • 6 comments

Summary

Unless I'm missing something, I don't see a way to specify KMS key usage in this module. Is it possible to integrate this?

Issue Type

Feature Idea

Component Name

ecs_ecr

Additional Information


Code of Conduct

  • [X] I agree to follow the Ansible Code of Conduct

GreNIX avatar Jun 02 '22 17:06 GreNIX

Files identified in the description: None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibullbot avatar Jun 02 '22 17:06 ansibullbot

Yes. It's possible.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ecr.html

But only on create. It's not changeable once the ECR is created.

markuman avatar Jun 03 '22 09:06 markuman

Files identified in the description:

  • [plugins/modules/ecs_ecr.py](https://github.com/['ansible-collections/amazon.aws', 'ansible-collections/community.aws', 'ansible-collections/community.vmware']/blob/main/plugins/modules/ecs_ecr.py)

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibullbot avatar Jun 03 '22 09:06 ansibullbot

cc @jillr @leedm777 @s-hertel @tremble

ansibullbot avatar Jun 03 '22 09:06 ansibullbot

@markuman

> Yes. It's possible. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ecr.html
>
> But only on create. It's not changeable once the ECR is created.

I have this working to some extent, but is it possible to pass variables to it, in an Ansible role? Currently, it only works if I hard code the values in the client.create_repository function within the module. I would like to do something like this:

```yaml
- name: create repo from custom module
  ecr_kms_module:
    repositoryName: "{{ repo_name }}"
    encryptionConfiguration.kmsKey: "{{ kms_key }}"
```

GreNIX avatar Jun 06 '22 20:06 GreNIX

> @markuman
>
> > Yes. It's possible. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ecr.html
> >
> > But only on create. It's not changeable once the ECR is created.
>
> I have this working to some extent, but is it possible to pass variables to it, in an Ansible role? Currently, it only works if I hard code the values in the client.create_repository function within the module. I would like to do something like this:
>
> ```yaml
> - name: create repo from custom module
>   ecr_kms_module:
>     repositoryName: "{{ repo_name }}"
>     encryptionConfiguration.kmsKey: "{{ kms_key }}"
> ```

Yes, it should work just out of the box.
Maybe something is wrong with your key-name decision and handling.
I suggest not to create a new module for this task. Instead, patch the existing ecs_ecr module and add just the missing kms_key parameter. If the ECR already exists, the kms_key parameter can be ignored, because it's not changeable. Maybe throw a warning if the requested key differs from the existing key.
Are you willing to prepare a PR, @GreNIX?

markuman avatar Jun 22 '22 08:06 markuman
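
The behaviour suggested in the last comment (set the key only at creation, warn when an existing repository uses a different one), as an added example that is not part of the thread or of the ecs_ecr module. The names `build_create_args`, `same_key`, `ensure_repository` and `FakeECR` are hypothetical; `FakeECR` is a constructed stand-in for the boto3 ECR client so the code runs offline.

```python
class FakeECR:
    """Constructed in-memory stand-in for a boto3 ECR client (offline demo only)."""
    class exceptions:
        class RepositoryNotFoundException(Exception):
            pass

    def __init__(self):
        self.repos = {}

    def describe_repositories(self, repositoryNames):
        try:
            return {"repositories": [self.repos[n] for n in repositoryNames]}
        except KeyError:
            raise self.exceptions.RepositoryNotFoundException(repositoryNames)

    def create_repository(self, repositoryName, encryptionConfiguration=None):
        enc = encryptionConfiguration or {"encryptionType": "AES256"}
        self.repos[repositoryName] = {"repositoryName": repositoryName,
                                      "encryptionConfiguration": enc}
        return {"repository": self.repos[repositoryName]}


def build_create_args(name, kms_key=None):
    """Keyword arguments for ecr.create_repository(); kms_key is the proposed option."""
    args = {"repositoryName": name}
    if kms_key:
        args["encryptionConfiguration"] = {"encryptionType": "KMS", "kmsKey": kms_key}
    return args


def same_key(requested, existing_arn):
    """ECR reports the key as an ARN: accept the exact ARN or a bare key ID.
    An alias cannot be matched without a KMS lookup, so it counts as different."""
    return bool(existing_arn) and (requested == existing_arn
                                   or existing_arn.endswith(":key/" + requested))


def ensure_repository(client, name, kms_key=None):
    """Return (changed, warnings). Encryption is only ever set at creation."""
    try:
        repo = client.describe_repositories(repositoryNames=[name])["repositories"][0]
    except client.exceptions.RepositoryNotFoundException:
        client.create_repository(**build_create_args(name, kms_key))
        return True, []
    existing = repo.get("encryptionConfiguration", {}).get("kmsKey")
    if kms_key and not same_key(kms_key, existing):
        return False, ["kms_key %r ignored: repository %r already uses %r and encryption "
                       "cannot be changed after creation"
                       % (kms_key, name, existing or "no KMS key")]
    return False, []
```
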