From 3a5b364a0b05aa1cdeda217fe1cc9787ba6cea18 Mon Sep 17 00:00:00 2001 From: ian-flores Date: Mon, 2 Feb 2026 11:37:46 -0800 Subject: [PATCH] Remove ECR repository support ECR is no longer used - images are now pulled from public registries. - Remove ECR repository creation from workload and control room persistent steps - Remove ECR VPC endpoints (ecr.api, ecr.dkr) from standard VPC endpoint services - Delete lib/aws/ecr.go and stub Registry methods with ErrECRDeprecated - Remove manage_ecr_repositories config option - Remove ecr-login, skopeo-login, latest-images Justfile recipes --- CLAUDE.md | 1 - Justfile | 37 --------- docs/cli/PTD_CLI_REFERENCE.md | 2 +- lib/aws/ecr.go | 77 ------------------- lib/aws/ecr_test.go | 41 ---------- lib/aws/registry.go | 37 ++++----- lib/aws/registry_test.go | 44 +++++++---- python-pulumi/src/ptd/__init__.py | 8 -- python-pulumi/src/ptd/aws_control_room.py | 1 - python-pulumi/src/ptd/aws_workload.py | 4 - python-pulumi/src/ptd/junkdrawer.py | 8 -- .../aws_control_room_persistent.py | 60 --------------- .../aws_workload_persistent.py | 56 -------------- python-pulumi/tests/test_vpc_endpoints.py | 12 +-- 14 files changed, 48 insertions(+), 340 deletions(-) delete mode 100644 lib/aws/ecr.go delete mode 100644 lib/aws/ecr_test.go diff --git a/CLAUDE.md b/CLAUDE.md index f9f1cab..54ef8e7 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -96,7 +96,6 @@ The Go CLI communicates the infrastructure path to Python Pulumi stacks via the #### AWS Development - `just aws-unset`: Unset all AWS environment variables -- `just latest-images`: Show latest ECR images ## Contributing diff --git a/Justfile b/Justfile index b95b07e..b10f4c2 100644 --- a/Justfile +++ b/Justfile 
@@ -39,34 +39,6 @@ write-kubeconfig cluster_dir=invocation_directory() kubeconfig='./kubeconfig': # ---------------------------------------------------------------------------- -# `just ecr-login` will log you into the ECR repositories that your current AWS context/variables point to -# this is useful for `docker pull` and `docker push` types of commands, like building custom images, etc. -ecr-login: - #!/bin/bash - - echo "Repositories that exist:" - aws ecr describe-repositories | jq -r '.repositories[].repositoryUri' | sed 's/^/ /' - - # just grab the first repo... it should give us the account and region - rawRepo=$(aws ecr describe-repositories | jq -r '.repositories[0].repositoryUri') - - echo "Logging in..." - # then strip off the image name for actual `docker login` - aws ecr get-login-password | docker login --username AWS --password-stdin ${rawRepo//\/*/} | sed 's/^/ /' - -skopeo-login: - #!/bin/bash - - echo "Repositories that exist:" - aws ecr describe-repositories | jq -r '.repositories[].repositoryUri' | sed 's/^/ /' - - # just grab the first repo... it should give us the account and region - rawRepo=$(aws ecr describe-repositories | jq -r '.repositories[0].repositoryUri') - - echo "Logging in..." - # then strip off the image name for actual `docker login` - aws ecr get-login-password | skopeo login --username AWS --password-stdin ${rawRepo//\/*/} | sed 's/^/ /' - # ensure git is set up to use ssh git-ssh: #!/bin/bash 
@@ -83,15 +55,6 @@ aws-unset: unset AWS_SECRET_ACCESS_KEY unset AWS_ACCESS_KEY_ID -latest-images: - #!/usr/bin/env bash - for img in $(aws ecr describe-repositories | jq -r '.repositories[].repositoryName'); do - echo "" - echo "---> < Image list for $img >"; - aws ecr describe-images --repository-name $img | jq '.imageDetails | sort_by(.imagePushedAt) | reverse | map(.imagePushedAt + " --- " + (.imageTags | join(", ")) ) | .[0:4]' - echo "---> "; - done; - ############################################################################ # Setup and dependencies ############################################################################ diff --git a/docs/cli/PTD_CLI_REFERENCE.md b/docs/cli/PTD_CLI_REFERENCE.md index 62c850e..daa3a22 100644 --- a/docs/cli/PTD_CLI_REFERENCE.md +++ b/docs/cli/PTD_CLI_REFERENCE.md @@ -606,7 +606,7 @@ All commands follow the Cobra pattern: ### Key Libraries Located in `/lib/`: -- `aws/` - AWS-specific implementations (credentials, ECR, EKS, IAM, proxy, S3, SSM) +- `aws/` - AWS-specific implementations (credentials, EKS, IAM, proxy, S3, SSM) - `azure/` - Azure-specific implementations (credentials, ACR, AKS, Key Vault, proxy, storage) - `steps/` - Deployment step definitions (bootstrap, cluster, helm, images, persistent, workspaces, sites) - `types/` - Core type definitions (Target, Credentials, etc.) diff --git a/lib/aws/ecr.go b/lib/aws/ecr.go deleted file mode 100644 index 89a6659..0000000 --- a/lib/aws/ecr.go +++ /dev/null 
@@ -1,77 +0,0 @@ -package aws - -import ( - "context" - "sort" - - "github.com/aws/aws-sdk-go-v2/service/ecr" - ecrTypes "github.com/aws/aws-sdk-go-v2/service/ecr/types" - "github.com/posit-dev/ptd/lib/helpers" - "github.com/posit-dev/ptd/lib/types" -) - -func GetEcrAuthToken(ctx context.Context, c *Credentials, region string) (string, error) { - client := ecr.New(ecr.Options{ - Region: region, - Credentials: c.credentialsProvider, - }) - - output, err := client.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{}) - if err != nil { - return "", err - } - - return helpers.Base64Decode(*output.AuthorizationData[0].AuthorizationToken) -} - -func LatestDigestForRepository(ctx context.Context, c *Credentials, region, repository string) (string, error) { - detail, err := LatestImageForRepository(ctx, c, region, repository) - if err != nil { - return "", err - } - - return detail.Digest, nil -} - -func LatestImageForRepository(ctx context.Context, c *Credentials, region, repository string) (detail types.ImageDetails, err error) { - client := ecr.New(ecr.Options{ - Region: region, - Credentials: c.credentialsProvider, - }) - - var imageDetails []ecrTypes.ImageDetail - maxResults := int32(500) - var nextToken *string - for { - output, err := client.DescribeImages(ctx, &ecr.DescribeImagesInput{ - RepositoryName: &repository, - MaxResults: &maxResults, - NextToken: nextToken, - }) - if err != nil { - return detail, err - } - - imageDetails = append(imageDetails, output.ImageDetails...) - - if output.NextToken == nil { - break - } - nextToken = output.NextToken - } - - if len(imageDetails) == 0 { - return - } - - sort.Slice(imageDetails, func(i, j int) bool { - return imageDetails[i].ImagePushedAt.After(*imageDetails[j].ImagePushedAt) - }) - - detail = types.ImageDetails{ - Digest: *imageDetails[0].ImageDigest, - Tags: imageDetails[0].ImageTags, - } - - return -} diff --git a/lib/aws/ecr_test.go b/lib/aws/ecr_test.go deleted file mode 100644 index b28e8fc..0000000 
--- a/lib/aws/ecr_test.go +++ /dev/null @@ -1,41 +0,0 @@ -package aws - -import ( - "context" - "testing" - - "github.com/aws/aws-sdk-go-v2/service/ecr" -) - -// MockECRClient is a mock implementation of ECR client for testing -type MockECRClient struct { - DescribeImagesOutput *ecr.DescribeImagesOutput -} - -// Mock AWS credentials for testing -type TestCredentials struct { - *Credentials -} - -func TestLatestImageForRepository(t *testing.T) { - // Test that the function exists with the right signature - ctx := context.Background() - - // Can't directly test this function without mocking AWS SDK - // Just make sure the function exists with expected signature - t.Run("Function exists", func(t *testing.T) { - _, _ = LatestImageForRepository(ctx, &Credentials{}, "us-west-2", "test-repo") - }) -} - -func TestLatestDigestForRepository(t *testing.T) { - // Since this function now calls LatestImageForRepository, we just need to verify - // it calls through and returns the digest correctly - ctx := context.Background() - - // Can't directly test this function without mocking AWS SDK - // Just make sure the function exists with expected signature - t.Run("Function exists", func(t *testing.T) { - _, _ = LatestDigestForRepository(ctx, &Credentials{}, "us-west-2", "test-repo") - }) -} diff --git a/lib/aws/registry.go b/lib/aws/registry.go index bfa5670..548c696 100644 --- a/lib/aws/registry.go +++ b/lib/aws/registry.go @@ -2,12 +2,16 @@ package aws import ( "context" + "errors" "fmt" - "strings" "github.com/posit-dev/ptd/lib/types" ) +// ErrECRDeprecated is returned when ECR functionality is accessed. +// ECR has been removed in favor of public Docker Hub images. +var ErrECRDeprecated = errors.New("ECR functionality has been removed; images are now pulled from public Docker Hub") + type Registry struct { accountID string region string 
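Review bot: The comment and message on `ErrECRDeprecated` name "public Docker Hub" as the image source, while the commit description says "public registries"; use one wording so an operator who hits this error knows where pulls now go. The ECR repositories removed elsewhere in this patch were created with `image_tag_mutability="IMMUTABLE"` and `scan_on_push=True`, and this change also stubs out the digest lookup, so the comment should state how public images are expected to be pinned. If pinning by digest is the policy, a line such as `// Public images must be referenced by digest, not by mutable tag.` would record it. Nothing in this patch shows how image references are built, so confirm that before adding the line.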
@@ -28,33 +32,20 @@ func (r Registry) RegistryURI() string { return fmt.Sprintf("%s.dkr.ecr.%s.amazonaws.com", r.accountID, r.region) } +// GetAuthForCredentials is deprecated - ECR is no longer used. +// Images are now pulled from public Docker Hub. func (r Registry) GetAuthForCredentials(ctx context.Context, c types.Credentials) (username string, password string, err error) { - awsCreds, err := OnlyAwsCredentials(c) - if err != nil { - return - } - authToken, err := GetEcrAuthToken(ctx, awsCreds, r.region) - if err != nil { - return - } - username = "AWS" - password = strings.TrimPrefix(authToken, "AWS:") - return + return "", "", ErrECRDeprecated } +// GetLatestDigestForRepository is deprecated - ECR is no longer used. +// Images are now pulled from public Docker Hub. func (r Registry) GetLatestDigestForRepository(ctx context.Context, c types.Credentials, repository string) (string, error) { - awsCreds, err := OnlyAwsCredentials(c) - if err != nil { - return "", err - } - return LatestDigestForRepository(ctx, awsCreds, r.region, repository) + return "", ErrECRDeprecated } +// GetLatestImageForRepository is deprecated - ECR is no longer used. +// Images are now pulled from public Docker Hub. func (r Registry) GetLatestImageForRepository(ctx context.Context, c types.Credentials, repository string) (details types.ImageDetails, err error) { - awsCreds, err := OnlyAwsCredentials(c) - if err != nil { - return - } - - return LatestImageForRepository(ctx, awsCreds, r.region, repository) + return types.ImageDetails{}, ErrECRDeprecated } diff --git a/lib/aws/registry_test.go b/lib/aws/registry_test.go index 6b054c7..ae81bfd 100644 --- a/lib/aws/registry_test.go +++ b/lib/aws/registry_test.go 
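Review bot: `RegistryURI()`, visible as context at the top of this hunk, still returns the private `<account>.dkr.ecr.<region>.amazonaws.com` host, while the three methods below it now always fail. A caller that builds an image reference from that URI gets an address it can no longer obtain credentials for. Either retire `RegistryURI` in the same change or add a comment on it saying why the value is kept. The new doc comments say "is deprecated" in prose, which Go tooling does not surface; use a separate paragraph in the form `// Deprecated: ECR is no longer used; this always returns ErrECRDeprecated.` on each stub. Whether `Registry` must keep these methods to satisfy an interface is not visible here.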
@@ -28,9 +28,8 @@ func TestRegistryMethods(t *testing.T) { assert.Equal(t, "111122223333.dkr.ecr.us-east-1.amazonaws.com", registry.RegistryURI()) } -// This is a simple mock implementation of the GetAuthForCredentials method -// For a real test, we would need to mock the AWS ECR service -func TestGetAuthForCredentials_Mock(t *testing.T) { +// Test that ECR methods return deprecation errors since ECR is no longer used +func TestGetAuthForCredentials_Deprecated(t *testing.T) { accountID := "123456789012" registry := NewRegistry(accountID, "us-east-1") 
@@ -42,31 +41,42 @@ func TestGetAuthForCredentials_Mock(t *testing.T) { envVarsVal: map[string]string{}, } - // We can't actually call the real GetAuthForCredentials since it would try to use AWS - // But we can check that the function exists and accepts the right parameters - assert.NotPanics(t, func() { - // This would normally call the AWS API, but we're not executing it - registry.GetAuthForCredentials(context.Background(), creds) - }) + username, password, err := registry.GetAuthForCredentials(context.Background(), creds) + + assert.ErrorIs(t, err, ErrECRDeprecated) + assert.Empty(t, username) + assert.Empty(t, password) } -func TestGetLatestImageForRepository(t *testing.T) { +func TestGetLatestDigestForRepository_Deprecated(t *testing.T) { + accountID := "123456789012" + registry := NewRegistry(accountID, "us-west-2") + + creds := &MockCredentials{ + accountIDVal: accountID, + identityVal: "arn:aws:iam::123456789012:role/test-role", + } + + digest, err := registry.GetLatestDigestForRepository(context.Background(), creds, "test-repo") + + assert.ErrorIs(t, err, ErrECRDeprecated) + assert.Empty(t, digest) +} + +func TestGetLatestImageForRepository_Deprecated(t *testing.T) { accountID := "123456789012" registry := NewRegistry(accountID, "us-west-2") - // Create a mock credentials object creds := &MockCredentials{ accountIDVal: accountID, identityVal: "arn:aws:iam::123456789012:role/test-role", } - // Test that the function doesn't panic - assert.NotPanics(t, func() { - registry.GetLatestImageForRepository(context.Background(), creds, "test-repo") - }) + details, err := registry.GetLatestImageForRepository(context.Background(), creds, "test-repo") - // Without mocking the AWS SDK, we can't fully test this function - // A full test would verify it correctly calls through to LatestImageForRepository + assert.ErrorIs(t, err, ErrECRDeprecated) + assert.Empty(t, details.Digest) + assert.Nil(t, details.Tags) } // Mock credentials implementation for testing 
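Review bot: The zero-value check in `TestGetLatestImageForRepository_Deprecated` is written field by field (`assert.Empty(t, details.Digest)`, `assert.Nil(t, details.Tags)`), so a field added to `types.ImageDetails` later would not be covered; `assert.Zero(t, details)` checks the whole struct. The three tests share the same setup and differ only in the method called, so they would read more compactly as one table-driven test. The `creds` literal of the first test begins above this hunk.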
diff --git a/python-pulumi/src/ptd/__init__.py b/python-pulumi/src/ptd/__init__.py index 7781939..f554f1d 100644 --- a/python-pulumi/src/ptd/__init__.py +++ b/python-pulumi/src/ptd/__init__.py @@ -279,14 +279,6 @@ class ComponentImages(enum.StrEnum): FLIGHTDECK = "ptd-flightdeck" -# Deprecated ECR repositories that should be deleted with force_delete=True -# Remove this list after all workloads have been cleaned up -DEPRECATED_ECR_REPOS = [ - "ptd-controller", - "ptd-home", -] - - class ComponentNames(enum.StrEnum): CHRONICLE = "chronicle" CHRONICLE_AGENT = "chronicleAgent" diff --git a/python-pulumi/src/ptd/aws_control_room.py b/python-pulumi/src/ptd/aws_control_room.py index fbdb34a..37bb429 100644 --- a/python-pulumi/src/ptd/aws_control_room.py +++ b/python-pulumi/src/ptd/aws_control_room.py @@ -49,7 +49,6 @@ class AWSControlRoomConfig: eks_node_group_min: int = 3 eks_node_instance_type: str = "m6a.xlarge" hosted_zone_id: str | None = None - manage_ecr_repositories: bool = True protect_persistent_resources: bool = True region: str = "us-east-2" resource_tags: dict[str, str] = dataclasses.field(default_factory=dict) diff --git a/python-pulumi/src/ptd/aws_workload.py b/python-pulumi/src/ptd/aws_workload.py index ccd0b44..277166b 100644 --- a/python-pulumi/src/ptd/aws_workload.py +++ b/python-pulumi/src/ptd/aws_workload.py @@ -23,8 +23,6 @@ [ "ec2", "ec2messages", - "ecr.api", - "ecr.dkr", "fsx", "kms", "s3", @@ -37,8 +35,6 @@ STANDARD_VPC_ENDPOINT_SERVICES = ( "ec2", "ec2messages", - "ecr.api", - "ecr.dkr", "kms", "s3", "ssm", diff --git a/python-pulumi/src/ptd/junkdrawer.py b/python-pulumi/src/ptd/junkdrawer.py index a5b2a37..f5ad43c 100644 --- a/python-pulumi/src/ptd/junkdrawer.py +++ b/python-pulumi/src/ptd/junkdrawer.py 
@@ -44,14 +44,6 @@ def octet_signature(s: str) -> int: return sum([ord(c) for c in list(s)]) % 255 -def ecr_repository_url(aws_account_id: str, repo_name: str, region: str = "us-east-2") -> str: - return f"{aws_account_id}.dkr.ecr.{region}.amazonaws.com/{repo_name}" - - -def ecr_repository_arn(aws_account_id: str, repo_name: str, region: str = "us-east-2") -> str: - return f"arn:aws:ecr:{region}:{aws_account_id}:repository/{repo_name}" - - def import_string(import_name: str) -> typing.Any: """This function in borrowed and modified from werkzeug.utils.import_string""" try: diff --git a/python-pulumi/src/ptd/pulumi_resources/aws_control_room_persistent.py b/python-pulumi/src/ptd/pulumi_resources/aws_control_room_persistent.py index 5ffc141..0ee1508 100644 --- a/python-pulumi/src/ptd/pulumi_resources/aws_control_room_persistent.py +++ b/python-pulumi/src/ptd/pulumi_resources/aws_control_room_persistent.py @@ -1,7 +1,6 @@ from __future__ import annotations import ipaddress -import json import typing import pulumi @@ -26,8 +25,6 @@ class AWSControlRoomPersistent(pulumi.ComponentResource): vpc: ptd.pulumi_resources.aws_vpc.AWSVpc private_subnet_ids: list[pulumi.Output[str]] | list[str] - ecrs: dict[str, aws.ecr.Repository | None] - ecr_lifecycle_policies: dict[str, aws.ecr.LifecyclePolicy | None] db: aws.rds.Instance releases_bucket: aws.s3.Bucket @@ -53,13 +50,9 @@ def __init__(self, control_room: ptd.aws_control_room.AWSControlRoom, *args, **k self.cidr_block = typing.cast(ipaddress.IPv4Network, ipaddress.ip_network(f"10.{second_octet}.0.0/16")) - self.ecrs = dict.fromkeys([c.value for c in ptd.ComponentImages], None) - self.ecr_lifecycle_policies = {} - self._define_vpc() self._define_tailscale() self._define_db() - self._define_ecr() self._define_releases_bucket() outputs: dict[str, typing.Any] = { 
@@ -75,15 +68,6 @@ def __init__(self, control_room: ptd.aws_control_room.AWSControlRoom, *args, **k "releases_bucket_arn": self.releases_bucket.arn, } - for key, value in outputs.items(): - pulumi.export(key, value) - - for name, repo in self.ecrs.items(): - if repo is None: - continue - - outputs[f"{name.replace('-', '_')}_ecr"] = repo.id - for key, value in outputs.items(): pulumi.export(key, value) @@ -152,8 +136,6 @@ def _define_vpc(self): for service in ( "ec2", "ec2messages", - "ecr.api", - "ecr.dkr", "kms", "s3", "ssm", 
@@ -249,48 +231,6 @@ def _define_db(self): secret = self.db.master_user_secrets.apply(lambda secrets: secrets[0]) self.db_secret_arn = secret.apply(lambda s: s.secret_arn) - # TODO: this is sort-of duplicated from aws_workload_persistent... - # NOTE: ECR repositories are deprecated - images now come from public Docker Hub. - # force_delete=True is set to allow cleanup in a follow-up PR. - def _define_ecr(self): - if not self.control_room.cfg.manage_ecr_repositories: - return - - for name in list(self.ecrs.keys()): - self.ecrs[name] = aws.ecr.Repository( - f"{self.name}-ecr-{name}", - name=name, - force_delete=True, # Allow deletion even with images present - image_scanning_configuration=aws.ecr.RepositoryImageScanningConfigurationArgs( - scan_on_push=True, - ), - image_tag_mutability="IMMUTABLE", - tags=self.required_tags | {"Name": f"{name}-{self.name}"}, - opts=pulumi.ResourceOptions(parent=self), - ) - - self.ecr_lifecycle_policies[name] = aws.ecr.LifecyclePolicy( - f"{self.name}-ecr-expire-untagged-images-{name}", - repository=self.ecrs[name], - policy=json.dumps( - { - "rules": [ - { - "rulePriority": 1, - "description": "Expire images older than 14 days", - "selection": { - "tagStatus": "untagged", - "countType": "sinceImagePushed", - "countUnit": "days", - "countNumber": 14, - }, - "action": {"type": "expire"}, - } - ] - } - ), - ) - def _define_releases_bucket(self): """Define an S3 bucket for storing customer release artifacts with signed URL access.""" self.releases_bucket = aws.s3.Bucket( diff --git a/python-pulumi/src/ptd/pulumi_resources/aws_workload_persistent.py b/python-pulumi/src/ptd/pulumi_resources/aws_workload_persistent.py index df9f7d0..1c7c1eb 100644 --- a/python-pulumi/src/ptd/pulumi_resources/aws_workload_persistent.py +++ b/python-pulumi/src/ptd/pulumi_resources/aws_workload_persistent.py 
@@ -46,8 +46,6 @@ class AWSWorkloadPersistent(pulumi.ComponentResource): vpc: ptd.pulumi_resources.aws_vpc.AWSVpc | None vpc_id: str private_subnet_ids: list[pulumi.Output[str]] | list[str] - ecrs: dict[str, aws.ecr.Repository | None] - ecr_lifecycle_policies: dict[str, aws.ecr.LifecyclePolicy | None] db: aws.rds.Instance @@ -150,10 +148,6 @@ def __init__( self.cert_validation_records = {} # Initialize the dict to track validation records self._define_zones_and_domain_certs() - self.ecrs = dict.fromkeys([c.value for c in ptd.ComponentImages], None) - self.ecr_lifecycle_policies = {} - self._define_ecr() - self._define_fsx_openzfs() self._define_fsx_nfs_sg() self._define_efs_nfs_sg() 
@@ -757,56 +751,6 @@ def _define_zones_and_domain_certs(self): ), ) - # TODO: this is sort-of duplicated from aws_control_room_persistent... - # NOTE: ECR repositories are deprecated - images now come from public Docker Hub. - # force_delete=True is set to allow cleanup in a follow-up PR. - def _define_ecr(self): - for repo_name in list(self.ecrs.keys()): - self.ecrs[repo_name] = aws.ecr.Repository( - f"{self.workload.compound_name}-{repo_name}", - name=repo_name, - force_delete=True, # Allow deletion even with images present - image_scanning_configuration=aws.ecr.RepositoryImageScanningConfigurationArgs( - scan_on_push=True, - ), - image_tag_mutability="IMMUTABLE", - tags=self.required_tags | {"Name": f"{repo_name}-{self.workload.compound_name}"}, - opts=pulumi.ResourceOptions(parent=self), - ) - - self.ecr_lifecycle_policies[repo_name] = aws.ecr.LifecyclePolicy( - f"{repo_name}-ecr-expire-untagged-images", - repository=repo_name, - policy=json.dumps( - { - "rules": [ - { - "rulePriority": 1, - "description": "Expire images older than 30 days", - "selection": { - "tagStatus": "untagged", - "countType": "sinceImagePushed", - "countUnit": "days", - "countNumber": 30, - }, - "action": {"type": "expire"}, - } - ] - } - ), - opts=pulumi.ResourceOptions(parent=self.ecrs[repo_name]), - ) - - # Handle deprecated ECR repos that need to be force-deleted - # These repos are no longer in ComponentImages but may exist in existing deployments - for deprecated_repo_name in ptd.DEPRECATED_ECR_REPOS: - aws.ecr.Repository( - f"{self.workload.compound_name}-{deprecated_repo_name}", - name=deprecated_repo_name, - force_delete=True, - opts=pulumi.ResourceOptions(parent=self), - ) - def _define_fsx_openzfs(self) -> None: self.fsx_openzfs_role = aws.iam.Role( str(ptd.Roles.AWS_FSX_OPENZFS_CSI_DRIVER), diff --git a/python-pulumi/tests/test_vpc_endpoints.py b/python-pulumi/tests/test_vpc_endpoints.py index e2554a8..4cbf7e7 100644 --- a/python-pulumi/tests/test_vpc_endpoints.py 
+++ b/python-pulumi/tests/test_vpc_endpoints.py @@ -41,7 +41,7 @@ def test_vpc_endpoints_config_is_frozen(): def test_vpc_endpoints_config_valid_services(): """Test that VPCEndpointsConfig accepts all valid service names.""" - valid_services = ["ec2", "ec2messages", "ecr.api", "ecr.dkr", "kms", "s3", "ssm", "ssmmessages", "fsx"] + valid_services = ["ec2", "ec2messages", "kms", "s3", "ssm", "ssmmessages", "fsx"] for service in valid_services: config = ptd.aws_workload.VPCEndpointsConfig(excluded_services=[service]) @@ -63,10 +63,10 @@ def test_vpc_endpoints_config_mixed_valid_invalid_services(): def test_vpc_endpoints_config_multiple_valid_services(): """Test that VPCEndpointsConfig accepts multiple valid service names.""" config = ptd.aws_workload.VPCEndpointsConfig( - excluded_services=["fsx", "kms", "ecr.api"], + excluded_services=["fsx", "kms", "s3"], ) - assert config.excluded_services == ["fsx", "kms", "ecr.api"] + assert config.excluded_services == ["fsx", "kms", "s3"] assert len(config.excluded_services) == 3 @@ -80,14 +80,14 @@ def test_vpc_endpoints_config_disable_all_endpoints(): def test_vpc_endpoints_config_exclude_all_services(): """Test that VPCEndpointsConfig can exclude all services.""" - all_services = ["ec2", "ec2messages", "ecr.api", "ecr.dkr", "kms", "s3", "ssm", "ssmmessages", "fsx"] + all_services = ["ec2", "ec2messages", "kms", "s3", "ssm", "ssmmessages", "fsx"] config = ptd.aws_workload.VPCEndpointsConfig( enabled=True, excluded_services=all_services, ) assert config.enabled is True - assert len(config.excluded_services) == 9 + assert len(config.excluded_services) == 7 assert set(config.excluded_services) == set(all_services) 
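Review bot: No test here pins what happens to an existing workload config that still lists `ecr.api` or `ecr.dkr` in `excluded_services`, both of which were valid before this commit. The neighbouring `test_vpc_endpoints_config_mixed_valid_invalid_services` suggests unknown names are rejected, so such a config would presumably start failing validation after upgrade. Add a test that asserts the intended outcome for `VPCEndpointsConfig(excluded_services=["ecr.api"])`, or accept and ignore the two retired names for one release. The same gap applies to the hunks at -80,14 and -211,7. With the ECR interface endpoints removed, it is also worth confirming that nodes in private subnets have an intended egress path to the public registry.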
@@ -211,7 +211,7 @@ def test_vpc_endpoints_config_dataclass_fields(): def test_vpc_endpoints_config_valid_services_constant(): """Test that VALID_VPC_ENDPOINT_SERVICES constant contains all expected services.""" - expected_services = {"ec2", "ec2messages", "ecr.api", "ecr.dkr", "fsx", "kms", "s3", "ssm", "ssmmessages"} + expected_services = {"ec2", "ec2messages", "fsx", "kms", "s3", "ssm", "ssmmessages"} assert expected_services == ptd.aws_workload.VALID_VPC_ENDPOINT_SERVICES