feat(ecs): Add RepositoryCredentials support

packages/@aws-cdk/aws-ecs/README.md

@@ -30,7 +30,7 @@ cluster.addDefaultAutoScalingGroupCapacity('Capacity', {
 const ecsService = new ecs.LoadBalancedEc2Service(this, 'Service', {
   cluster,
   memoryLimitMiB: 512,
-  image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+  image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
 });
 ```
 
@@ -134,7 +134,7 @@ To add containers to a task definition, call `addContainer()`:
 ```ts
 const container = fargateTaskDefinition.addContainer("WebContainer", {
   // Use an image from DockerHub
-  image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+  image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
   // ... other options here ...
 });
 ```
@@ -148,7 +148,7 @@ const ec2TaskDefinition = new ecs.Ec2TaskDefinition(this, 'TaskDef', {
 
 const container = ec2TaskDefinition.addContainer("WebContainer", {
   // Use an image from DockerHub
-  image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+  image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
   memoryLimitMiB: 1024
   // ... other options here ...
 });
@@ -183,8 +183,8 @@ const taskDefinition = new ecs.TaskDefinition(this, 'TaskDef', {
 Images supply the software that runs inside the container. Images can be
 obtained from either DockerHub or from ECR repositories, or built directly from a local Dockerfile.
 
-* `ecs.ContainerImage.fromDockerHub(imageName)`: use a publicly available image from
-  DockerHub.
+* `ecs.ContainerImage.fromInternet(imageName, { credentials?: MY_SECRET })`: use a public or private image from
+  DockerHub or another online registry.
 * `ecs.ContainerImage.fromEcrRepository(repo, tag)`: use the given ECR repository as the image
   to start. If no tag is provided, "latest" is assumed.
 * `ecs.ContainerImage.fromAsset(this, 'Image', { directory: './image' })`: build and upload an

packages/@aws-cdk/aws-ecs/lib/container-definition.ts

@@ -379,7 +379,7 @@ export class ContainerDefinition extends cdk.Construct {
       portMappings: this.portMappings.map(renderPortMapping),
       privileged: this.props.privileged,
       readonlyRootFilesystem: this.props.readonlyRootFilesystem,
-      repositoryCredentials: undefined, // FIXME
+      repositoryCredentials: this.props.image.credentials && this.props.image.renderRepositoryCredentials(),
       ulimits: this.ulimits.map(renderUlimit),
       user: this.props.user,
       volumesFrom: this.volumesFrom.map(renderVolumeFrom),

packages/@aws-cdk/aws-ecs/lib/container-image.ts

@@ -1,17 +1,28 @@
 import ecr = require('@aws-cdk/aws-ecr');
+import secretsmanager = require('@aws-cdk/aws-secretsmanager');
 import cdk = require('@aws-cdk/cdk');
-
 import { ContainerDefinition } from './container-definition';
+import { CfnTaskDefinition } from './ecs.generated';
+
+/**
+ * Repository Credential resources
+ */
+export interface RepositoryCreds {
+  /**
+   * The secret that contains credentials for the image repository
+   */
+  readonly secret: secretsmanager.ISecret;
+}
 
 /**
  * Constructs for types of container images
  */
 export abstract class ContainerImage {
   /**
-   * Reference an image on DockerHub
+   * Reference an image on DockerHub or another online registry
    */
-  public static fromDockerHub(name: string) {
-    return new DockerHubImage(name);
+  public static fromInternet(name: string, props: InternetHostedImageProps = {}) {
+    return new InternetHostedImage(name, props);
   }
 
   /**
@@ -33,12 +44,26 @@ export abstract class ContainerImage {
    */
   public abstract readonly imageName: string;
 
+  /**
+   * Optional credentials for a private image registry
+   */
+  public abstract readonly credentials?: RepositoryCreds;
+
   /**
    * Called when the image is used by a ContainerDefinition
    */
   public abstract bind(containerDefinition: ContainerDefinition): void;
+
+  /**
+   * Render the Repository credentials to the CloudFormation object
+   */
+  public renderRepositoryCredentials(): CfnTaskDefinition.RepositoryCredentialsProperty {
+    return {
+        credentialsParameter: this.credentials ? this.credentials.secret.secretArn : ''
+    };
+  }
 }
 
 import { AssetImage, AssetImageProps } from './images/asset-image';
-import { DockerHubImage } from './images/dockerhub';
 import { EcrImage } from './images/ecr';
+import { InternetHostedImage, InternetHostedImageProps } from './images/internet-hosted';

packages/@aws-cdk/aws-ecs/lib/images/asset-image.ts

@@ -1,7 +1,7 @@
 import { DockerImageAsset } from '@aws-cdk/assets-docker';
 import cdk = require('@aws-cdk/cdk');
 import { ContainerDefinition } from '../container-definition';
-import { ContainerImage } from '../container-image';
+import { ContainerImage, RepositoryCreds } from '../container-image';
 
 export interface AssetImageProps {
   /**
@@ -14,7 +14,9 @@ export interface AssetImageProps {
  * An image that will be built at synthesis time
  */
 export class AssetImage extends ContainerImage {
+  public readonly credentials?: RepositoryCreds;
   private readonly asset: DockerImageAsset;
+
   constructor(scope: cdk.Construct, id: string, props: AssetImageProps) {
     super();
     this.asset = new DockerImageAsset(scope, id, { directory: props.directory });

packages/@aws-cdk/aws-ecs/lib/images/ecr.ts

@@ -1,12 +1,13 @@
 import ecr = require('@aws-cdk/aws-ecr');
 import { ContainerDefinition } from '../container-definition';
-import { ContainerImage } from '../container-image';
+import { ContainerImage, RepositoryCreds } from '../container-image';
 
 /**
  * An image from an ECR repository
  */
 export class EcrImage extends ContainerImage {
   public readonly imageName: string;
+  public readonly credentials?: RepositoryCreds;
   private readonly repository: ecr.IRepository;
 
   constructor(repository: ecr.IRepository, tag: string) {

packages/@aws-cdk/aws-ecs/lib/images/internet-hosted.ts

@@ -0,0 +1,33 @@
+import secretsmanager = require('@aws-cdk/aws-secretsmanager');
+import { ContainerDefinition } from "../container-definition";
+import { ContainerImage, RepositoryCreds } from "../container-image";
+
+export interface InternetHostedImageProps {
+    /**
+     * Optional secret that houses credentials for the image registry
+     */
+    credentials?: secretsmanager.ISecret;
+}
+
+/**
+ * A container image hosted on DockerHub or another online registry
+ */
+export class InternetHostedImage extends ContainerImage {
+  public readonly imageName: string;
+  public readonly credentials?: RepositoryCreds;
+
+  constructor(imageName: string, props: InternetHostedImageProps = {}) {
+    super();
+    this.imageName = imageName;
+
+    if (props.credentials !== undefined) {
+        this.credentials = { secret: props.credentials };
+    }
+  }
+
+  public bind(containerDefinition: ContainerDefinition): void {
+    if (this.credentials !== undefined) {
+        this.credentials.secret.grantRead(containerDefinition.taskDefinition.obtainExecutionRole());
+    }
+  }
+}

packages/@aws-cdk/aws-ecs/lib/index.ts

@@ -21,7 +21,7 @@ export * from './load-balanced-ecs-service';
 export * from './load-balanced-fargate-service-applet';
 
 export * from './images/asset-image';
-export * from './images/dockerhub';
+export * from './images/internet-hosted';
 export * from './images/ecr';
 
 export * from './log-drivers/aws-log-driver';

packages/@aws-cdk/aws-ecs/lib/load-balanced-fargate-service-applet.ts

@@ -132,7 +132,7 @@ export class LoadBalancedFargateServiceApplet extends cdk.Stack {
       memoryMiB: props.memoryMiB,
       publicLoadBalancer: props.publicLoadBalancer,
       publicTasks: props.publicTasks,
-      image: ContainerImage.fromDockerHub(props.image),
+      image: ContainerImage.fromInternet(props.image),
       desiredCount: props.desiredCount,
       environment: props.environment,
       certificate,

packages/@aws-cdk/aws-ecs/package.json

@@ -79,6 +79,7 @@
     "@aws-cdk/aws-logs": "^0.24.1",
     "@aws-cdk/aws-route53": "^0.24.1",
     "@aws-cdk/aws-sns": "^0.24.1",
+    "@aws-cdk/aws-secretsmanager": "^0.24.1",
     "@aws-cdk/cdk": "^0.24.1",
     "@aws-cdk/cx-api": "^0.24.1"
   },
@@ -97,6 +98,7 @@
     "@aws-cdk/aws-iam": "^0.24.1",
     "@aws-cdk/aws-logs": "^0.24.1",
     "@aws-cdk/aws-route53": "^0.24.1",
+    "@aws-cdk/aws-secretsmanager": "^0.24.1",
     "@aws-cdk/cdk": "^0.24.1"
   },
   "engines": {

packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.ts

@@ -19,7 +19,7 @@ const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef', {
 });
 
 const container = taskDefinition.addContainer('web', {
-  image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+  image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
   memoryLimitMiB: 256,
 });
 

packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.ts

@@ -21,7 +21,7 @@ const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef', {
 });
 
 const container = taskDefinition.addContainer('web', {
-  image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+  image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
   memoryLimitMiB: 256,
 });
 container.addPortMappings({

packages/@aws-cdk/aws-ecs/test/ec2/test.ec2-event-rule-target.ts

@@ -17,7 +17,7 @@ export = {
 
     const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef');
     taskDefinition.addContainer('TheContainer', {
-      image: ecs.ContainerImage.fromDockerHub('henk'),
+      image: ecs.ContainerImage.fromInternet('henk'),
       memoryLimitMiB: 256
     });
 

packages/@aws-cdk/aws-ecs/test/ec2/test.ec2-service.ts

@@ -17,7 +17,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -57,7 +57,7 @@ export = {
       cluster.addCapacity('DefaultAutoScalingGroup', { instanceType: new ec2.InstanceType('t2.micro') });
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
       taskDefinition.addContainer('BaseContainer', {
-        image: ecs.ContainerImage.fromDockerHub('test'),
+        image: ecs.ContainerImage.fromInternet('test'),
         memoryReservationMiB: 10,
       });
 
@@ -82,7 +82,7 @@ export = {
       cluster.addCapacity('DefaultAutoScalingGroup', { instanceType: new ec2.InstanceType('t2.micro') });
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
       taskDefinition.addContainer('BaseContainer', {
-        image: ecs.ContainerImage.fromDockerHub('test'),
+        image: ecs.ContainerImage.fromInternet('test'),
         memoryReservationMiB: 10,
       });
 
@@ -128,7 +128,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -158,7 +158,7 @@ export = {
         });
 
         taskDefinition.addContainer("web", {
-          image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+          image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
           memoryLimitMiB: 512
         });
 
@@ -190,7 +190,7 @@ export = {
         });
 
         taskDefinition.addContainer("web", {
-          image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+          image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
           memoryLimitMiB: 512
         });
 
@@ -241,7 +241,7 @@ export = {
         });
 
         taskDefinition.addContainer("web", {
-          image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+          image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
           memoryLimitMiB: 512
         });
 
@@ -267,7 +267,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -296,7 +296,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -327,7 +327,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -358,7 +358,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -385,7 +385,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -415,7 +415,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -442,7 +442,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -473,7 +473,7 @@ export = {
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef');
 
       taskDefinition.addContainer("web", {
-        image: ecs.ContainerImage.fromDockerHub("amazon/amazon-ecs-sample"),
+        image: ecs.ContainerImage.fromInternet("amazon/amazon-ecs-sample"),
         memoryLimitMiB: 512
       });
 
@@ -501,7 +501,7 @@ export = {
       cluster.addCapacity('DefaultAutoScalingGroup', { instanceType: new ec2.InstanceType('t2.micro') });
       const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TD', { networkMode: ecs.NetworkMode.Host });
       const container = taskDefinition.addContainer('web', {
-        image: ecs.ContainerImage.fromDockerHub('test'),
+        image: ecs.ContainerImage.fromInternet('test'),
         memoryLimitMiB: 1024,
       });
       container.addPortMappings({ containerPort: 808 });