Exemple #1
    def test_ensure_repository_without_cross_account_access(self, mock_create_ecr_client, mock_get_account_id):
        """Check that no repository policy is set when the account ids match.

        The mocked account-id lookup returns "12345", the same value passed as
        the third ECR argument (presumably the account that owns the registry;
        confirm against the ECR constructor).
        """
        client = MagicMock()
        mock_create_ecr_client.return_value = client
        mock_get_account_id.return_value = "12345"

        ECR("aws-region", "test-repo", "12345").ensure_repository()

        # The repository must be created with scan-on-push enabled.
        # NOTE(review): assert_called_with only inspects the most recent call;
        # assert_called_once_with would also catch a duplicate create call.
        client.create_repository.assert_called_with(
            repositoryName='test-repo',
            imageScanningConfiguration={'scanOnPush': True},
        )

        # Same account on both sides: no resource policy may be attached.
        client.set_repository_policy.assert_not_called()
Exemple #2
    def test_ensure_repository_with_cross_account_access(self, mock_create_ecr_client, mock_get_account_id):
        """Check that a repository policy is attached when the account ids differ.

        The mocked account-id lookup returns "98765" while ECR is built with
        "12345"; the test expects ``set_repository_policy`` to be called with a
        single Allow statement whose principal is "98765".
        """
        client = MagicMock()
        mock_create_ecr_client.return_value = client
        mock_get_account_id.return_value = "98765"

        ECR("aws-region", "test-repo", "12345").ensure_repository()

        # Scan-on-push must still be requested when the repository is created.
        client.create_repository.assert_called_with(
            repositoryName='test-repo',
            imageScanningConfiguration={'scanOnPush': True},
        )

        # NOTE(review): the Sid says "Pull", yet the list also contains the
        # upload actions (InitiateLayerUpload, UploadLayerPart,
        # CompleteLayerUpload, PutImage). Confirm the other account is meant
        # to push images; if not, the policy under test should be narrowed to
        # the three read actions.
        granted_actions = [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchCheckLayerAvailability",
            "ecr:BatchGetImage",
            "ecr:InitiateLayerUpload",
            "ecr:PutImage",
            "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload",
        ]
        # A bare account id as principal names the account as a whole, so which
        # identities may use these actions is decided by IAM in that account.
        statement = {
            "Sid": "AllowCrossAccountPull-98765",
            "Effect": "Allow",
            "Principal": {"AWS": ["98765"]},
            "Action": granted_actions,
        }
        policy_document = {"Version": "2008-10-17", "Statement": [statement]}

        # policyText is compared as a string, so key order and json.dumps
        # defaults must match what the code under test serialises.
        client.set_repository_policy.assert_called_with(
            repositoryName='test-repo',
            policyText=json.dumps(policy_document),
        )