Improve messaging and validation for registry creds

allisaurus · allisaurus · commit 3b6762937235 · 2018-10-25T11:37:17.000-07:00
diff --git a/ecs-cli/modules/cli/compose/project/project.go b/ecs-cli/modules/cli/compose/project/project.go
@@ -53,10 +53,10 @@ type Project interface {
 
 // ecsProject struct is an implementation of Project.
 type ecsProject struct {
-	containerConfigs       []adapter.ContainerConfig
-	volumes                *adapter.Volumes
-	ecsContext             *context.ECSContext
-	privateRegistryContext *regcredio.ECSRegistryCredsOutput // TODO: rename to 'ecsRegistryCreds'
+	containerConfigs []adapter.ContainerConfig
+	volumes          *adapter.Volumes
+	ecsContext       *context.ECSContext
+	ecsRegistryCreds *regcredio.ECSRegistryCredsOutput
 
 	// TODO: track a map of entities [taskDefinition -> Entity]
 	// 1 task definition for every disjoint set of containers in the compose file
@@ -126,7 +126,7 @@ func (p *ecsProject) Parse() error {
 		return err
 	}
 
-	if err := p.parsePrivateRegistryContext(); err != nil {
+	if err := p.parseECSRegistryCreds(); err != nil {
 		return err
 	}
 
@@ -180,15 +180,15 @@ func (p *ecsProject) parseECSParams() error {
 	return nil
 }
 
-func (p *ecsProject) parsePrivateRegistryContext() error {
+func (p *ecsProject) parseECSRegistryCreds() error {
 	logrus.Debug("Parsing the ecs-registry-creds yaml...")
 	registryCredsFileName := p.ecsContext.CLIContext.GlobalString(flags.RegistryCredsFileNameFlag)
 	regCreds, err := regcredio.ReadCredsOutput(registryCredsFileName)
 	if err != nil {
 		return err
 	}
 
-	p.privateRegistryContext = regCreds
+	p.ecsRegistryCreds = regCreds
 
 	return nil
 }
@@ -212,7 +212,7 @@ func (p *ecsProject) transformTaskDefinition() error {
 		Volumes:                p.VolumeConfigs(),
 		ContainerConfigs:       p.ContainerConfigs(), // TODO Change to pointer on project?
 		ECSParams:              ecsContext.ECSParams,
-		PrivRegistryContext:    p.privateRegistryContext,
+		ECSRegistryCreds:       p.ecsRegistryCreds,
 	}
 
 	taskDefinition, err := utils.ConvertToTaskDefinition(convertParams)
diff --git a/ecs-cli/modules/cli/compose/project/project_test.go b/ecs-cli/modules/cli/compose/project/project_test.go
@@ -296,11 +296,11 @@ func setupTestProject(t *testing.T) *ecsProject {
 }
 
 func setupTestProjectWithEcsParams(t *testing.T, ecsParamsFileName string) *ecsProject {
-	return setupTestProjectWithPrivateRegistryContext(t, ecsParamsFileName, "")
+	return setupTestProjectWithECSRegistryCreds(t, ecsParamsFileName, "")
 }
 
 // TODO: refactor into all-purpose 'setupTestProject' func
-func setupTestProjectWithPrivateRegistryContext(t *testing.T, ecsParamsFileName, credFileName string) *ecsProject {
+func setupTestProjectWithECSRegistryCreds(t *testing.T, ecsParamsFileName, credFileName string) *ecsProject {
 	envLookup, err := utils.GetDefaultEnvironmentLookup()
 	assert.NoError(t, err, "Unexpected error setting up environment lookup")
 
@@ -326,7 +326,7 @@ func setupTestProjectWithPrivateRegistryContext(t *testing.T, ecsParamsFileName,
 	}
 }
 
-func TestParsePrivateRegistryContext(t *testing.T) {
+func TestParseECSRegistryCreds(t *testing.T) {
 	credsInputString := `version: "1"
 registry_credential_outputs:
   task_execution_role: someTestRole
@@ -349,16 +349,16 @@ registry_credential_outputs:
 	credFileName := tmpfile.Name()
 	defer os.Remove(credFileName)
 
-	project := setupTestProjectWithPrivateRegistryContext(t, "", credFileName)
+	project := setupTestProjectWithECSRegistryCreds(t, "", credFileName)
 
 	_, err = tmpfile.Write(content)
 	assert.NoError(t, err, "Could not write data to ecs registry creds tempfile")
 
-	if err := project.parsePrivateRegistryContext(); err != nil {
+	if err := project.parseECSRegistryCreds(); err != nil {
 		t.Fatalf("Unexpected error parsing the "+regcredio.ECSCredFileBaseName+" data [%s]: %v", credsInputString, err)
 	}
 
-	ecsRegCreds := project.privateRegistryContext
+	ecsRegCreds := project.ecsRegistryCreds
 	assert.NotNil(t, ecsRegCreds, "Expected "+regcredio.ECSCredFileBaseName+" to be set on project")
 	assert.Equal(t, "1", ecsRegCreds.Version, "Expected Version to match")
 
@@ -380,10 +380,10 @@ registry_credential_outputs:
 	assert.ElementsMatch(t, []string{"test"}, secondOutputEntry.ContainerNames)
 }
 
-func TestParsePrivateRegistryContext_NoFile(t *testing.T) {
+func TestParseECSRegistryCreds_NoFile(t *testing.T) {
 	project := setupTestProject(t)
-	err := project.parsePrivateRegistryContext()
+	err := project.parseECSRegistryCreds()
 	if assert.NoError(t, err) {
-		assert.Nil(t, project.privateRegistryContext)
+		assert.Nil(t, project.ecsRegistryCreds)
 	}
 }
diff --git a/ecs-cli/modules/cli/regcreds/regcreds_app.go b/ecs-cli/modules/cli/regcreds/regcreds_app.go
@@ -31,6 +31,10 @@ import (
 	"github.com/urfave/cli"
 )
 
+const (
+	maxContainersPerTaskDef = 10
+)
+
 // Up creates or updates registry credential secrets and an ECS task execution role needed to use them in a task def
 func Up(c *cli.Context) {
 	args := c.Args()
@@ -105,6 +109,8 @@ func Up(c *cli.Context) {
 	} else {
 		log.Info("Skipping generation of registry credentials output file.")
 	}
+
+	log.Info("\nIf your input file contains sensitive information, make sure that you delete it after use.")
 }
 
 func getOrCreateRegistryCredentials(entryMap regcredio.RegistryCreds, smClient secretsClient.SMClient, updateAllowed bool) (map[string]regcredio.CredsOutputEntry, error) {
@@ -208,6 +214,9 @@ func validateCredsInput(input regcredio.ECSRegCredsInput, kmsClient kms.Client)
 	if len(inputRegCreds) == 0 {
 		return nil, errors.New("provided credentials must contain at least one registry")
 	}
+	if len(inputRegCreds) > maxContainersPerTaskDef {
+		return nil, errors.New("no more than" + string(maxContainersPerTaskDef) + "registry credential entries can be created at one time")
+	}
 
 	namedContainers := make(map[string]bool)
 	outputRegCreds := make(map[string]regcredio.RegistryCredEntry)
@@ -219,13 +228,16 @@ func validateCredsInput(input regcredio.ECSRegCredsInput, kmsClient kms.Client)
 		if len(credentialEntry.ContainerNames) > 0 {
 			for _, container := range credentialEntry.ContainerNames {
 				if namedContainers[container] {
-					return nil, fmt.Errorf("container '%s' appears in more than one registry; container names must be unique across a set of registry credentials", container)
+					return nil, fmt.Errorf("container '%s' appears in more than one registry; container names must be unique across given registry credentials", container)
 				}
 				namedContainers[container] = true
 			}
 		}
+		if len(credentialEntry.ContainerNames) == 0 {
+			log.Warnf("No container names given for registry '%s'; output cannot be incorporated into a task definition when running 'compose' command", registryName)
+		}
 		if credentialEntry.SecretManagerARN != "" && !isARN(credentialEntry.SecretManagerARN) {
-			return nil, fmt.Errorf("invalid secret_manager_arn for registry %s", registryName)
+			return nil, fmt.Errorf("invalid secrets_manager_arn for registry %s", registryName)
 		}
 		// if key specified as ID or alias, validate & get ARN
 		if credentialEntry.KmsKeyID != "" {
@@ -241,7 +253,7 @@ func validateCredsInput(input regcredio.ECSRegCredsInput, kmsClient kms.Client)
 			keyRegion := strings.Split(credentialEntry.KmsKeyID, ":")[3]
 
 			if secretRegion != keyRegion {
-				return nil, fmt.Errorf("region of 'secret_manager_arn'(%s) and 'kms_key_id'(%s) for registry %s do not match; secret and encryption key must be in same region", secretRegion, keyRegion, registryName)
+				return nil, fmt.Errorf("region of 'secrets_manager_arn'(%s) and 'kms_key_id'(%s) for registry %s do not match; secret and encryption key must be in same region", secretRegion, keyRegion, registryName)
 			}
 		}
 		outputRegCreds[registryName] = credentialEntry
diff --git a/ecs-cli/modules/commands/regcreds/regcreds_command.go b/ecs-cli/modules/commands/regcreds/regcreds_command.go
@@ -36,9 +36,9 @@ func RegistryCredsCommand() cli.Command {
 func upCommand() cli.Command {
 	return cli.Command{
 		Name:         "up",
-		Usage:        "Generates AWS Secrets Manager secrets and an IAM Task Execution Role for use in an ECS Task Definition.",
+		Usage:        "Uses a YAML input file to generate AWS Secrets Manager secrets and an IAM Task Execution Role for use in an ECS Task Definition.",
 		Action:       regcreds.Up,
-		Flags:        regcredsUpFlags(),
+		Flags:        flags.AppendFlags(flags.OptionalRegionAndProfileFlags(), regcredsUpFlags()),
 		OnUsageError: flags.UsageErrorFactory("up"),
 	}
 }
diff --git a/ecs-cli/modules/utils/compose/convert_task_definition.go b/ecs-cli/modules/utils/compose/convert_task_definition.go
@@ -46,7 +46,7 @@ type ConvertTaskDefParams struct {
 	Volumes                *adapter.Volumes
 	ContainerConfigs       []adapter.ContainerConfig
 	ECSParams              *ECSParams
-	PrivRegistryContext    *regcredio.ECSRegistryCredsOutput
+	ECSRegistryCreds       *regcredio.ECSRegistryCredsOutput
 }
 
 // ConvertToTaskDefinition transforms the yaml configs to its ecs equivalent (task definition)
@@ -99,15 +99,15 @@ func ConvertToTaskDefinition(params ConvertTaskDefParams) (*ecs.TaskDefinition,
 	executionRoleArn := taskDefParams.executionRoleArn
 
 	// Check for and apply provided ecs-registry-creds values
-	if params.PrivRegistryContext != nil {
-		err := addRegistryCredsToContainerDefs(containerDefinitions, params.PrivRegistryContext.CredentialResources.ContainerCredentials)
+	if params.ECSRegistryCreds != nil {
+		err := addRegistryCredsToContainerDefs(containerDefinitions, params.ECSRegistryCreds.CredentialResources.ContainerCredentials)
 		if err != nil {
 			return nil, err
 		}
 
 		// if provided, add or replace existing executionRoleArn with value from cred file
-		if params.PrivRegistryContext.CredentialResources.TaskExecutionRole != "" {
-			newExecutionRole := params.PrivRegistryContext.CredentialResources.TaskExecutionRole
+		if params.ECSRegistryCreds.CredentialResources.TaskExecutionRole != "" {
+			newExecutionRole := params.ECSRegistryCreds.CredentialResources.TaskExecutionRole
 
 			if executionRoleArn != "" {
 				// TODO: refactor 'showResourceOverrideMsg()' to take in override src and use here
@@ -464,7 +464,18 @@ func addRegistryCredsToContainerDefs(containerDefs []*ecs.ContainerDefinition, c
 					CredentialsParameter: aws.String(foundCredParam),
 				}
 				containerDef.RepositoryCredentials = &containerRepoCreds
+
+				// remove container entry from cred map
+				delete(credsMap, containerName)
+			}
+		}
+		// if credMap contains container names not present in our container definitions, log a warning
+		if len(credsMap) > 0 {
+			unusedContainers := make([]string, 0, len(credsMap))
+			for container := range credsMap {
+				unusedContainers = append(unusedContainers, container)
 			}
+			log.Warnf("Containers listed with registry credentials but not used: %v", unusedContainers)
 		}
 	}
 	return nil
diff --git a/ecs-cli/modules/utils/compose/convert_task_definition_test.go b/ecs-cli/modules/utils/compose/convert_task_definition_test.go
@@ -1523,7 +1523,7 @@ task_definition:
 // helper functions //
 //////////////////////
 
-func TestConvertToTaskDefinitionWithPrivRegContext(t *testing.T) {
+func TestConvertToTaskDefinitionWithECSRegistryCreds(t *testing.T) {
 	containerConfigs := testContainerConfigs([]string{"mysql", "wordpress"})
 	credsFileString := `version: "1"
 registry_credential_outputs:
@@ -1557,7 +1557,7 @@ registry_credential_outputs:
 	assert.Equal(t, "arn:aws:secretsmanager::secret:amazon-ecs-cli-setup-my.example.registry.net", aws.StringValue(mysqlContainer.RepositoryCredentials.CredentialsParameter))
 }
 
-func TestConvertToTaskDefinitionWithPrivRegContext_EmptyContainerCredMap(t *testing.T) {
+func TestConvertToTaskDefinitionWithECSRegistryCreds_EmptyContainerCredMap(t *testing.T) {
 	containerConfigs := testContainerConfigs([]string{"mysql", "wordpress"})
 	credsNoContainersFileString := `version: "1"
 registry_credential_outputs:
@@ -1589,7 +1589,7 @@ registry_credential_outputs:
 	assert.Empty(t, mysqlContainer.RepositoryCredentials)
 }
 
-func TestConvertToTaskDefinitionWithPrivRegContext_OverrideECSParamsValues(t *testing.T) {
+func TestConvertToTaskDefinitionWithECSRegistryCreds_OverrideECSParamsValues(t *testing.T) {
 	containerConfigs := testContainerConfigs([]string{"mysql", "wordpress"})
 
 	// set up reg cred file
@@ -1654,7 +1654,7 @@ task_definition:
 	assert.Equal(t, "arn:aws:secretsmanager::secret:amazon-ecs-cli-setup-my.example.registry.net", aws.StringValue(mysqlContainer.RepositoryCredentials.CredentialsParameter))
 }
 
-func TestConvertToTaskDefinitionWithPrivRegContext_ErrorOnDuplicateContainers(t *testing.T) {
+func TestConvertToTaskDefinitionWithECSRegistryCreds_ErrorOnDuplicateContainers(t *testing.T) {
 	containerConfigs := testContainerConfigs([]string{"mysql", "wordpress"})
 	credsDuplicateContainersFileString := `version: "1"
 registry_credential_outputs:
@@ -1698,7 +1698,7 @@ func convertToTaskDefinitionForTest(t *testing.T, containerConfigs []adapter.Con
 		Volumes:                volumeConfigs,
 		ContainerConfigs:       containerConfigs,
 		ECSParams:              ecsParams,
-		PrivRegistryContext:    ecsRegCreds,
+		ECSRegistryCreds:       ecsRegCreds,
 	}
 
 	taskDefinition, err := ConvertToTaskDefinition(testParams)
diff --git a/ecs-cli/modules/utils/regcredio/creds_readers_test.go b/ecs-cli/modules/utils/regcredio/creds_readers_test.go
@@ -32,7 +32,7 @@ registry_credentials:
       - nginx-custom
       - logging
   other-registry.net:
-    secret_manager_arn: aws:arn:secretsmanager:secret/repocreds-776ytg
+    secrets_manager_arn: aws:arn:secretsmanager:secret/repocreds-776ytg
     container_names:
       - metrics`
 
@@ -93,7 +93,7 @@ func TestReadCredsInputWithEnvVarsFromShell(t *testing.T) {
 	inputFileString := `version: 1
 registry_credentials:
   myrepo.someregistry.io:
-    secret_manager_arn: ${MY_SECRET_ARN}
+    secrets_manager_arn: ${MY_SECRET_ARN}
     username: ${MY_REG_USRNAME}
     password: ${MY_REG_PASSWORD}
     kms_key_id: ${MY_KEY_ARN}
@@ -135,7 +135,7 @@ func TestReadCredsInput_ErrorBadYaml(t *testing.T) {
 	badCredEntryFileString := `version: 1
 registry_credentials:
   myrepo.someregistry.io:
-  secret_manager_arn: arn:aws:secretmanager:some-secret
+  secrets_manager_arn: arn:aws:secretmanager:some-secret
   container_names:
 	  - test`
 
diff --git a/ecs-cli/modules/utils/regcredio/types.go b/ecs-cli/modules/utils/regcredio/types.go
@@ -26,7 +26,7 @@ type RegistryCreds map[string]RegistryCredEntry
 
 // RegistryCredEntry contains info needed to create an AWS Secrets Manager secret and match it to an ECS container(s)
 type RegistryCredEntry struct {
-	SecretManagerARN string   `yaml:"secret_manager_arn"`
+	SecretManagerARN string   `yaml:"secrets_manager_arn"`
 	Username         string   `yaml:"username"`
 	Password         string   `yaml:"password"`
 	KmsKeyID         string   `yaml:"kms_key_id"`

Original file line number	Diff line number	Diff line change
`@@ -296,11 +296,11 @@ func setupTestProject(t testing.T) ecsProject {`
`296`	`296`	`}`
`297`	`297`
`298`	`298`	`func setupTestProjectWithEcsParams(t testing.T, ecsParamsFileName string) ecsProject {`
`299`		`- return setupTestProjectWithPrivateRegistryContext(t, ecsParamsFileName, "")`
	`299`	`+ return setupTestProjectWithECSRegistryCreds(t, ecsParamsFileName, "")`
`300`	`300`	`}`
`301`	`301`
`302`	`302`	`// TODO: refactor into all-purpose 'setupTestProject' func`
`303`		`-func setupTestProjectWithPrivateRegistryContext(t testing.T, ecsParamsFileName, credFileName string) ecsProject {`
	`303`	`+func setupTestProjectWithECSRegistryCreds(t testing.T, ecsParamsFileName, credFileName string) ecsProject {`
`304`	`304`	`envLookup, err := utils.GetDefaultEnvironmentLookup()`
`305`	`305`	`assert.NoError(t, err, "Unexpected error setting up environment lookup")`
`306`	`306`
`@@ -326,7 +326,7 @@ func setupTestProjectWithPrivateRegistryContext(t *testing.T, ecsParamsFileName,`
`326`	`326`	`}`
`327`	`327`	`}`
`328`	`328`
`329`		`-func TestParsePrivateRegistryContext(t *testing.T) {`
	`329`	`+func TestParseECSRegistryCreds(t *testing.T) {`
`330`	`330`	credsInputString := `version: "1"
`331`	`331`	`registry_credential_outputs:`
`332`	`332`	`task_execution_role: someTestRole`
`@@ -349,16 +349,16 @@ registry_credential_outputs:`
`349`	`349`	`credFileName := tmpfile.Name()`
`350`	`350`	`defer os.Remove(credFileName)`
`351`	`351`
`352`		`- project := setupTestProjectWithPrivateRegistryContext(t, "", credFileName)`
	`352`	`+ project := setupTestProjectWithECSRegistryCreds(t, "", credFileName)`
`353`	`353`
`354`	`354`	`_, err = tmpfile.Write(content)`
`355`	`355`	`assert.NoError(t, err, "Could not write data to ecs registry creds tempfile")`
`356`	`356`
`357`		`- if err := project.parsePrivateRegistryContext(); err != nil {`
	`357`	`+ if err := project.parseECSRegistryCreds(); err != nil {`
`358`	`358`	`t.Fatalf("Unexpected error parsing the "+regcredio.ECSCredFileBaseName+" data [%s]: %v", credsInputString, err)`
`359`	`359`	`}`
`360`	`360`
`361`		`- ecsRegCreds := project.privateRegistryContext`
	`361`	`+ ecsRegCreds := project.ecsRegistryCreds`
`362`	`362`	`assert.NotNil(t, ecsRegCreds, "Expected "+regcredio.ECSCredFileBaseName+" to be set on project")`
`363`	`363`	`assert.Equal(t, "1", ecsRegCreds.Version, "Expected Version to match")`
`364`	`364`
`@@ -380,10 +380,10 @@ registry_credential_outputs:`
`380`	`380`	`assert.ElementsMatch(t, []string{"test"}, secondOutputEntry.ContainerNames)`
`381`	`381`	`}`
`382`	`382`
`383`		`-func TestParsePrivateRegistryContext_NoFile(t *testing.T) {`
	`383`	`+func TestParseECSRegistryCreds_NoFile(t *testing.T) {`
`384`	`384`	`project := setupTestProject(t)`
`385`		`- err := project.parsePrivateRegistryContext()`
	`385`	`+ err := project.parseECSRegistryCreds()`
`386`	`386`	`if assert.NoError(t, err) {`
`387`		`- assert.Nil(t, project.privateRegistryContext)`
	`387`	`+ assert.Nil(t, project.ecsRegistryCreds)`
`388`	`388`	`}`
`389`	`389`	`}`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,10 @@ import (`
`31`	`31`	`"github.com/urfave/cli"`
`32`	`32`	`)`
`33`	`33`
	`34`	`+const (`
	`35`	`+ maxContainersPerTaskDef = 10`
	`36`	`+)`
	`37`	`+`
`34`	`38`	`// Up creates or updates registry credential secrets and an ECS task execution role needed to use them in a task def`
`35`	`39`	`func Up(c *cli.Context) {`
`36`	`40`	`args := c.Args()`
`@@ -105,6 +109,8 @@ func Up(c *cli.Context) {`
`105`	`109`	`} else {`
`106`	`110`	`log.Info("Skipping generation of registry credentials output file.")`
`107`	`111`	`}`
	`112`	`+`
	`113`	`+ log.Info("\nIf your input file contains sensitive information, make sure that you delete it after use.")`
`108`	`114`	`}`
`109`	`115`
`110`	`116`	`func getOrCreateRegistryCredentials(entryMap regcredio.RegistryCreds, smClient secretsClient.SMClient, updateAllowed bool) (map[string]regcredio.CredsOutputEntry, error) {`
`@@ -208,6 +214,9 @@ func validateCredsInput(input regcredio.ECSRegCredsInput, kmsClient kms.Client)`
`208`	`214`	`if len(inputRegCreds) == 0 {`
`209`	`215`	`return nil, errors.New("provided credentials must contain at least one registry")`
`210`	`216`	`}`
	`217`	`+ if len(inputRegCreds) > maxContainersPerTaskDef {`
	`218`	`+ return nil, errors.New("no more than" + string(maxContainersPerTaskDef) + "registry credential entries can be created at one time")`
	`219`	`+ }`
`211`	`220`
`212`	`221`	`namedContainers := make(map[string]bool)`
`213`	`222`	`outputRegCreds := make(map[string]regcredio.RegistryCredEntry)`
`@@ -219,13 +228,16 @@ func validateCredsInput(input regcredio.ECSRegCredsInput, kmsClient kms.Client)`
`219`	`228`	`if len(credentialEntry.ContainerNames) > 0 {`
`220`	`229`	`for _, container := range credentialEntry.ContainerNames {`
`221`	`230`	`if namedContainers[container] {`
`222`		`- return nil, fmt.Errorf("container '%s' appears in more than one registry; container names must be unique across a set of registry credentials", container)`
	`231`	`+ return nil, fmt.Errorf("container '%s' appears in more than one registry; container names must be unique across given registry credentials", container)`
`223`	`232`	`}`
`224`	`233`	`namedContainers[container] = true`
`225`	`234`	`}`
`226`	`235`	`}`
	`236`	`+ if len(credentialEntry.ContainerNames) == 0 {`
	`237`	`+ log.Warnf("No container names given for registry '%s'; output cannot be incorporated into a task definition when running 'compose' command", registryName)`
	`238`	`+ }`
`227`	`239`	`if credentialEntry.SecretManagerARN != "" && !isARN(credentialEntry.SecretManagerARN) {`
`228`		`- return nil, fmt.Errorf("invalid secret_manager_arn for registry %s", registryName)`
	`240`	`+ return nil, fmt.Errorf("invalid secrets_manager_arn for registry %s", registryName)`
`229`	`241`	`}`
`230`	`242`	`// if key specified as ID or alias, validate & get ARN`
`231`	`243`	`if credentialEntry.KmsKeyID != "" {`
`@@ -241,7 +253,7 @@ func validateCredsInput(input regcredio.ECSRegCredsInput, kmsClient kms.Client)`
`241`	`253`	`keyRegion := strings.Split(credentialEntry.KmsKeyID, ":")[3]`
`242`	`254`
`243`	`255`	`if secretRegion != keyRegion {`
`244`		`- return nil, fmt.Errorf("region of 'secret_manager_arn'(%s) and 'kms_key_id'(%s) for registry %s do not match; secret and encryption key must be in same region", secretRegion, keyRegion, registryName)`
	`256`	`+ return nil, fmt.Errorf("region of 'secrets_manager_arn'(%s) and 'kms_key_id'(%s) for registry %s do not match; secret and encryption key must be in same region", secretRegion, keyRegion, registryName)`
`245`	`257`	`}`
`246`	`258`	`}`
`247`	`259`	`outputRegCreds[registryName] = credentialEntry`
Original file line number	Diff line number	Diff line change
`@@ -36,9 +36,9 @@ func RegistryCredsCommand() cli.Command {`
`36`	`36`	`func upCommand() cli.Command {`
`37`	`37`	`return cli.Command{`
`38`	`38`	`Name: "up",`
`39`		`- Usage: "Generates AWS Secrets Manager secrets and an IAM Task Execution Role for use in an ECS Task Definition.",`
	`39`	`+ Usage: "Uses a YAML input file to generate AWS Secrets Manager secrets and an IAM Task Execution Role for use in an ECS Task Definition.",`
`40`	`40`	`Action: regcreds.Up,`
`41`		`- Flags: regcredsUpFlags(),`
	`41`	`+ Flags: flags.AppendFlags(flags.OptionalRegionAndProfileFlags(), regcredsUpFlags()),`
`42`	`42`	`OnUsageError: flags.UsageErrorFactory("up"),`
`43`	`43`	`}`
`44`	`44`	`}`