func validateCredsInput()

in ecs-cli/modules/cli/regcreds/regcreds_app.go [229:282]


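// validateCredsInput checks the registry credential entries in input and
// returns them keyed by registry name. Any KMS key ID on an entry is replaced
// by the ARN that kmsClient.GetValidKeyARN returns for it.
//
// It returns an error when:
//   - input holds no entries, or more than maxContainersPerTaskDef entries;
//   - an entry fails HasRequiredFields;
//   - a container name is listed under more than one registry;
//   - secrets_manager_arn is set but rejected by isARN;
//   - kmsClient.GetValidKeyARN fails for the entry's key (returned unchanged);
//   - the secret ARN and the key ARN are in different regions, or the region
//     cannot be read from either of them.
//
// Error and log messages name only the registry, the container or the region;
// credential values are never formatted into them.
func validateCredsInput(input regcredio.ECSRegCredsInput, kmsClient kms.Client) (map[string]regcredio.RegistryCredEntry, error) {
	// TODO: validate version?

	inputRegCreds := input.RegistryCredentials

	if len(inputRegCreds) == 0 {
		return nil, errors.New("provided credentials must contain at least one registry")
	}
	if len(inputRegCreds) > maxContainersPerTaskDef {
		// %d prints the limit as a decimal number; string(<int>) would yield
		// the character with that code point instead.
		return nil, fmt.Errorf("no more than %d registry credential entries can be created at one time", maxContainersPerTaskDef)
	}

	// regionOf returns the region field of an ARN
	// (arn:partition:service:region:account:resource). ok is false when the
	// value has too few ':'-separated fields to carry one, so a malformed
	// value becomes a validation error rather than an index-out-of-range panic.
	regionOf := func(arn string) (region string, ok bool) {
		fields := strings.Split(arn, ":")
		if len(fields) < 4 {
			return "", false
		}
		return fields[3], true
	}

	namedContainers := make(map[string]bool)
	outputRegCreds := make(map[string]regcredio.RegistryCredEntry, len(inputRegCreds))

	for registryName, credentialEntry := range inputRegCreds {
		if !credentialEntry.HasRequiredFields() {
			return nil, fmt.Errorf("missing required field(s) for registry %s; registry credentials should contain an existing secret ARN or username + password", registryName)
		}

		// A container may pull from only one registry, so each container name
		// may appear only once across all entries.
		for _, container := range credentialEntry.ContainerNames {
			if namedContainers[container] {
				return nil, fmt.Errorf("container '%s' appears in more than one registry; container names must be unique across given registry credentials", container)
			}
			namedContainers[container] = true
		}
		if len(credentialEntry.ContainerNames) == 0 {
			log.Warnf("No container names given for registry '%s'; output cannot be incorporated into a task definition when running 'compose' command", registryName)
		}

		if credentialEntry.SecretManagerARN != "" && !isARN(credentialEntry.SecretManagerARN) {
			return nil, fmt.Errorf("invalid secrets_manager_arn for registry %s", registryName)
		}

		// if key specified as ID or alias, validate & get ARN
		if credentialEntry.KmsKeyID != "" {
			keyARN, err := kmsClient.GetValidKeyARN(credentialEntry.KmsKeyID)
			if err != nil {
				return nil, err
			}
			// credentialEntry is the loop's copy of the map value; the
			// resolved ARN reaches the caller through outputRegCreds below.
			credentialEntry.KmsKeyID = keyARN
		}

		// if both present, validate secret ARN & key are in same region
		if credentialEntry.SecretManagerARN != "" && credentialEntry.KmsKeyID != "" {
			secretRegion, ok := regionOf(credentialEntry.SecretManagerARN)
			if !ok {
				return nil, fmt.Errorf("unable to determine region of 'secrets_manager_arn' for registry %s", registryName)
			}
			keyRegion, ok := regionOf(credentialEntry.KmsKeyID)
			if !ok {
				return nil, fmt.Errorf("unable to determine region of 'kms_key_id' for registry %s", registryName)
			}

			if secretRegion != keyRegion {
				return nil, fmt.Errorf("region of 'secrets_manager_arn'(%s) and 'kms_key_id'(%s) for registry %s do not match; secret and encryption key must be in same region", secretRegion, keyRegion, registryName)
			}
		}

		outputRegCreds[registryName] = credentialEntry
	}
	return outputRegCreds, nil
}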