feat: add credential param for private repository #2101 (#2582)

rverpillot · web-flow · commit e070b5fd0844 · 2021-07-13T15:53:28.000Z
This PR add support for private repositories. It adds new parameter `credential` for ECS services which contain ARN of the AWS secret. This parameter generates corresponding CloudFormation resources. Fixes #2101 By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
diff --git a/internal/pkg/deploy/cloudformation/stack/backend_svc.go b/internal/pkg/deploy/cloudformation/stack/backend_svc.go
@@ -118,25 +118,26 @@ func (s *BackendService) Template() (string, error) {
 		return "", err
 	}
 	content, err := s.parser.ParseBackendService(template.WorkloadOpts{
-		Variables:                s.manifest.BackendServiceConfig.Variables,
-		Secrets:                  s.manifest.BackendServiceConfig.Secrets,
-		NestedStack:              outputs,
-		Sidecars:                 sidecars,
-		Autoscaling:              autoscaling,
-		CapacityProviders:        capacityProviders,
-		DesiredCountOnSpot:       desiredCountOnSpot,
-		ExecuteCommand:           convertExecuteCommand(&s.manifest.ExecuteCommand),
-		WorkloadType:             manifest.BackendServiceType,
-		HealthCheck:              s.manifest.BackendServiceConfig.ImageConfig.HealthCheckOpts(),
-		LogConfig:                convertLogging(s.manifest.Logging),
-		DockerLabels:             s.manifest.ImageConfig.DockerLabels,
-		DesiredCountLambda:       desiredCountLambda.String(),
-		EnvControllerLambda:      envControllerLambda.String(),
-		Storage:                  storage,
-		Network:                  convertNetworkConfig(s.manifest.Network),
-		EntryPoint:               entrypoint,
-		Command:                  command,
-		DependsOn:                dependencies,
+		Variables:            s.manifest.BackendServiceConfig.Variables,
+		Secrets:              s.manifest.BackendServiceConfig.Secrets,
+		NestedStack:          outputs,
+		Sidecars:             sidecars,
+		Autoscaling:          autoscaling,
+		CapacityProviders:    capacityProviders,
+		DesiredCountOnSpot:   desiredCountOnSpot,
+		ExecuteCommand:       convertExecuteCommand(&s.manifest.ExecuteCommand),
+		WorkloadType:         manifest.BackendServiceType,
+		HealthCheck:          s.manifest.BackendServiceConfig.ImageConfig.HealthCheckOpts(),
+		LogConfig:            convertLogging(s.manifest.Logging),
+		DockerLabels:         s.manifest.ImageConfig.DockerLabels,
+		DesiredCountLambda:   desiredCountLambda.String(),
+		EnvControllerLambda:  envControllerLambda.String(),
+		Storage:              storage,
+		Network:              convertNetworkConfig(s.manifest.Network),
+		EntryPoint:           entrypoint,
+		Command:              command,
+		DependsOn:            dependencies,
+		CredentialsParameter: aws.StringValue(s.manifest.ImageConfig.Credentials),
 		ServiceDiscoveryEndpoint: s.rc.ServiceDiscoveryEndpoint,
 	})
 	if err != nil {
diff --git a/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go b/internal/pkg/deploy/cloudformation/stack/lb_web_svc.go
@@ -157,29 +157,30 @@ func (s *LoadBalancedWebService) Template() (string, error) {
 		allowedSourceIPs = *s.manifest.AllowedSourceIps
 	}
 	content, err := s.parser.ParseLoadBalancedWebService(template.WorkloadOpts{
-		Variables:                s.manifest.Variables,
-		Secrets:                  s.manifest.Secrets,
-		Aliases:                  aliases,
-		NestedStack:              outputs,
-		Sidecars:                 sidecars,
-		LogConfig:                convertLogging(s.manifest.Logging),
-		DockerLabels:             s.manifest.ImageConfig.DockerLabels,
-		Autoscaling:              autoscaling,
-		CapacityProviders:        capacityProviders,
-		DesiredCountOnSpot:       desiredCountOnSpot,
-		ExecuteCommand:           convertExecuteCommand(&s.manifest.ExecuteCommand),
-		WorkloadType:             manifest.LoadBalancedWebServiceType,
-		HealthCheck:              s.manifest.ImageConfig.HealthCheckOpts(),
-		HTTPHealthCheck:          convertHTTPHealthCheck(&s.manifest.HealthCheck),
-		AllowedSourceIps:         allowedSourceIPs,
-		RulePriorityLambda:       rulePriorityLambda.String(),
-		DesiredCountLambda:       desiredCountLambda.String(),
-		EnvControllerLambda:      envControllerLambda.String(),
-		Storage:                  storage,
-		Network:                  convertNetworkConfig(s.manifest.Network),
-		EntryPoint:               entrypoint,
-		Command:                  command,
-		DependsOn:                dependencies,
+		Variables:            s.manifest.Variables,
+		Secrets:              s.manifest.Secrets,
+		Aliases:              aliases,
+		NestedStack:          outputs,
+		Sidecars:             sidecars,
+		LogConfig:            convertLogging(s.manifest.Logging),
+		DockerLabels:         s.manifest.ImageConfig.DockerLabels,
+		Autoscaling:          autoscaling,
+		CapacityProviders:    capacityProviders,
+		DesiredCountOnSpot:   desiredCountOnSpot,
+		ExecuteCommand:       convertExecuteCommand(&s.manifest.ExecuteCommand),
+		WorkloadType:         manifest.LoadBalancedWebServiceType,
+		HealthCheck:          s.manifest.ImageConfig.HealthCheckOpts(),
+		HTTPHealthCheck:      convertHTTPHealthCheck(&s.manifest.HealthCheck),
+		AllowedSourceIps:     allowedSourceIPs,
+		RulePriorityLambda:   rulePriorityLambda.String(),
+		DesiredCountLambda:   desiredCountLambda.String(),
+		EnvControllerLambda:  envControllerLambda.String(),
+		Storage:              storage,
+		Network:              convertNetworkConfig(s.manifest.Network),
+		EntryPoint:           entrypoint,
+		Command:              command,
+		DependsOn:            dependencies,
+		CredentialsParameter: aws.StringValue(s.manifest.ImageConfig.Credentials),
 		ServiceDiscoveryEndpoint: s.rc.ServiceDiscoveryEndpoint,
 	})
 	if err != nil {
diff --git a/internal/pkg/deploy/cloudformation/stack/scheduled_job.go b/internal/pkg/deploy/cloudformation/stack/scheduled_job.go
@@ -163,20 +163,21 @@ func (j *ScheduledJob) Template() (string, error) {
 	}
 
 	content, err := j.parser.ParseScheduledJob(template.WorkloadOpts{
-		Variables:                j.manifest.Variables,
-		Secrets:                  j.manifest.Secrets,
-		NestedStack:              outputs,
-		Sidecars:                 sidecars,
-		ScheduleExpression:       schedule,
-		StateMachine:             stateMachine,
-		HealthCheck:              j.manifest.ImageConfig.HealthCheckOpts(),
-		LogConfig:                convertLogging(j.manifest.Logging),
-		DockerLabels:             j.manifest.ImageConfig.DockerLabels,
-		Storage:                  storage,
-		Network:                  convertNetworkConfig(j.manifest.Network),
-		EntryPoint:               entrypoint,
-		Command:                  command,
-		DependsOn:                dependencies,
+		Variables:            j.manifest.Variables,
+		Secrets:              j.manifest.Secrets,
+		NestedStack:          outputs,
+		Sidecars:             sidecars,
+		ScheduleExpression:   schedule,
+		StateMachine:         stateMachine,
+		HealthCheck:          j.manifest.ImageConfig.HealthCheckOpts(),
+		LogConfig:            convertLogging(j.manifest.Logging),
+		DockerLabels:         j.manifest.ImageConfig.DockerLabels,
+		Storage:              storage,
+		Network:              convertNetworkConfig(j.manifest.Network),
+		EntryPoint:           entrypoint,
+		Command:              command,
+		DependsOn:            dependencies,
+		CredentialsParameter: aws.StringValue(j.manifest.ImageConfig.Credentials),
 		ServiceDiscoveryEndpoint: j.rc.ServiceDiscoveryEndpoint,
 
 		EnvControllerLambda: envControllerLambda.String(),
diff --git a/internal/pkg/manifest/svc_test.go b/internal/pkg/manifest/svc_test.go
@@ -27,6 +27,7 @@ name: frontend
 type: "Load Balanced Web Service"
 image:
   location: foo/bar
+  credentials: some arn
   port: 80
 cpu: 512
 memory: 1024
@@ -80,6 +81,7 @@ environments:
 						ImageConfig: ImageWithPortAndHealthcheck{
 							ImageWithPort: ImageWithPort{Image: Image{Build: BuildArgsOrString{},
 								Location: aws.String("foo/bar"),
+								Credentials: aws.String("some arn"),
 							}, Port: aws.Uint16(80)},
 						},
 						RoutingRule: RoutingRule{
diff --git a/internal/pkg/manifest/workload.go b/internal/pkg/manifest/workload.go
@@ -72,6 +72,7 @@ type Workload struct {
 type Image struct {
 	Build        BuildArgsOrString `yaml:"build"`           // Build an image from a Dockerfile.
 	Location     *string           `yaml:"location"`        // Use an existing image instead.
+	Credentials  *string           `yaml:"credentials"`     // ARN of the secret containing the private repository credentials.
 	DockerLabels map[string]string `yaml:"labels,flow"`     // Apply Docker labels to the container at runtime.
 	DependsOn    map[string]string `yaml:"depends_on,flow"` // Add any sidecar dependencies.
 }
diff --git a/internal/pkg/template/workload.go b/internal/pkg/template/workload.go
@@ -252,13 +252,14 @@ type WorkloadOpts struct {
 	ServiceDiscoveryEndpoint string
 
 	// Additional options for service templates.
-	WorkloadType        string
-	HealthCheck         *ecs.HealthCheck
-	HTTPHealthCheck     HTTPHealthCheckOpts
-	AllowedSourceIps    []string
-	RulePriorityLambda  string
-	DesiredCountLambda  string
-	EnvControllerLambda string
+	WorkloadType         string
+	HealthCheck          *ecs.HealthCheck
+	HTTPHealthCheck      HTTPHealthCheckOpts
+	AllowedSourceIps     []string
+	RulePriorityLambda   string
+	DesiredCountLambda   string
+	EnvControllerLambda  string
+	CredentialsParameter string
 
 	// Additional options for job templates.
 	ScheduleExpression string
diff --git a/site/content/docs/include/image-config.en.md b/site/content/docs/include/image-config.en.md
@@ -34,6 +34,9 @@ All paths are relative to your workspace root.
 Instead of building a container from a Dockerfile, you can specify an existing image name. Mutually exclusive with [`image.build`](#image-build).
 The `location` field follows the same definition as the [`image` parameter](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_image) in the Amazon ECS task definition.
 
+<span class="parent-field">image.</span><a id="image-credential" href="#image-credential" class="field">`credentials`</a> <span class="type">String</span>
+An optional credentials arn for private repository. The `credentials` field follows the same definition as the [`credentialsParameter`](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html) in the Amazon ECS task definition.  
+
 <span class="parent-field">image.</span><a id="image-port" href="#image-port" class="field">`port`</a> <span class="type">Integer</span>  
 The port exposed in your Dockerfile. Copilot should parse this value for you from your `EXPOSE` instruction.
 
@@ -54,4 +57,4 @@ image:
     nginx: start
     startup: success
 ```
-In the above example, the task's main container will only start after the `nginx` sidecar has started and the `startup` container has completed successfully.  
+In the above example, the task's main container will only start after the `nginx` sidecar has started and the `startup` container has completed successfully.  
diff --git a/templates/workloads/partials/cf/workload-container.yml b/templates/workloads/partials/cf/workload-container.yml
@@ -32,4 +32,8 @@
     Retries: {{.HealthCheck.Retries}}
     StartPeriod: {{.HealthCheck.StartPeriod}}
     Timeout: {{.HealthCheck.Timeout}}
+{{- end}}
+{{- if .CredentialsParameter}}
+  RepositoryCredentials:
+    CredentialsParameter: {{.CredentialsParameter}}
 {{- end}}

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,7 @@ type Workload struct {`
`72`	`72`	`type Image struct {`
`73`	`73`	Build BuildArgsOrString `yaml:"build"` // Build an image from a Dockerfile.
`74`	`74`	Location *string `yaml:"location"` // Use an existing image instead.
	`75`	+ Credentials *string `yaml:"credentials"` // ARN of the secret containing the private repository credentials.
`75`	`76`	DockerLabels map[string]string `yaml:"labels,flow"` // Apply Docker labels to the container at runtime.
`76`	`77`	DependsOn map[string]string `yaml:"depends_on,flow"` // Add any sidecar dependencies.
`77`	`78`	`}`