This module builds and configures private and public ECR registries and repositories.

This repository is a READ-ONLY sub-tree split. See https://github.com/FriendsOfTerraform/modules to create issues or submit pull requests.

This example demonstrates basic repository management:
```hcl
module "basic_usage" {
  source = "github.com/FriendsOfTerraform/aws-ecr.git?ref=v1.0.0"

  private_registry = {
    # Manages multiple ECR repositories
    # The keys of the map will be the repository's name
    repositories = {
      demo-repo = {}

      demo-repo-with-lifecycle-policy = {
        # priority is a number; lower numbers are evaluated first
        lifecycle_policy_rules = [
          {
            # No tag_filters: only untagged images are matched
            priority       = 1
            match_criteria = { days_since_image_pushed = 15 }
            description    = "expires all untagged images that were pushed more than 15 days ago"
          },
          {
            # Filters containing wildcards use wildcard match
            priority       = 2
            match_criteria = { image_count_more_than = 3 }
            tag_filters    = ["uat*", "dev*"]
            description    = "expires all images besides the latest 3 with tags matching wildcard uat* or dev*"
          },
          {
            # Filters without wildcards use prefix match
            priority       = 3
            match_criteria = { image_count_more_than = 10 }
            tag_filters    = ["prod"]
            description    = "expires all images besides the latest 10 with tags prefixed with prod"
          },
          {
            # ["*"] matches all images, including untagged ones
            priority       = 1000
            match_criteria = { image_count_more_than = 10 }
            tag_filters    = ["*"]
            description    = "expires all images besides the latest 10, regardless of tag"
          }
        ]
      }
    }
  }
}
```
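To see what the four rules above turn into on the ECR side, here is an added illustration (not the module's own code) that translates rules in the module's `lifecycle_policy_rules` shape into an ECR lifecycle policy document, applying the tag-filter semantics documented below: no filter means untagged images, `["*"]` means any image, wildcards select a pattern match and plain strings a prefix match. The input list `BASIC_USAGE_RULES` is constructed here to mirror the example.

```python
import json

# Constructed input mirroring the basic example's rules (added illustration, not module code).
BASIC_USAGE_RULES = [
    {"priority": 1, "match_criteria": {"days_since_image_pushed": 15},
     "description": "untagged images pushed more than 15 days ago"},
    {"priority": 2, "match_criteria": {"image_count_more_than": 3},
     "tag_filters": ["uat*", "dev*"], "description": "keep latest 3 uat*/dev*"},
    {"priority": 3, "match_criteria": {"image_count_more_than": 10},
     "tag_filters": ["prod"], "description": "keep latest 10 prod-prefixed"},
    {"priority": 1000, "match_criteria": {"image_count_more_than": 10},
     "tag_filters": ["*"], "description": "keep latest 10 regardless of tag"},
]

def build_selection(rule):
    """Translate one rule into the 'selection' object of an ECR lifecycle policy."""
    filters = rule.get("tag_filters")
    if filters is None:
        sel = {"tagStatus": "untagged"}  # no tag_filters: untagged images only
    elif filters == ["*"]:
        sel = {"tagStatus": "any"}  # ["*"]: every image, tagged or untagged
    elif any("*" in f for f in filters):
        sel = {"tagStatus": "tagged", "tagPatternList": filters}  # wildcard match
    else:
        sel = {"tagStatus": "tagged", "tagPrefixList": filters}  # prefix match
    days = rule["match_criteria"].get("days_since_image_pushed")
    count = rule["match_criteria"].get("image_count_more_than")
    if (days is None) == (count is None):  # exactly one count type is required
        raise ValueError("set one of days_since_image_pushed / image_count_more_than")
    if days is not None:
        sel.update(countType="sinceImagePushed", countUnit="days", countNumber=int(days))
    else:
        sel.update(countType="imageCountMoreThan", countNumber=int(count))
    return sel

def build_lifecycle_policy(rules):
    """Assemble the policy document; rule priorities must be unique."""
    priorities = [int(r["priority"]) for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    entries = []
    for rule in sorted(rules, key=lambda r: int(r["priority"])):  # lower number first
        entry = {"rulePriority": int(rule["priority"]), "selection": build_selection(rule),
                 "action": {"type": "expire"}}
        if rule.get("description"):
            entry["description"] = rule["description"]
        entries.append(entry)
    return {"rules": entries}

print(json.dumps(build_lifecycle_policy(BASIC_USAGE_RULES), indent=2))
```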
This example demonstrates how to manage multiple private registry features:

```hcl
module "private_registry_features" {
  source = "github.com/FriendsOfTerraform/aws-ecr.git?ref=v1.0.0"

  private_registry = {
    # Manages multiple pull through cache rules
    # The keys of the map will be the rule's namespace
    pull_through_cache_rules = {
      gitlab = {
        upstream_registry_url = "registry.gitlab.com"
        credential_arn        = "arn:aws:secretsmanager:us-east-1:111122223333:secret:ecr-pullthroughcache/gitlab"
      }
      ecr-public = {
        upstream_registry_url = "public.ecr.aws"
      }
    }

    # Manages multiple replication rules
    # Each object counts as one separate rule; you can have a max of 10 rules
    replication_rules = [
      {
        # You can have a max of 25 destinations per rule
        # Each destination is in "account_id/region" format
        # If account_id is omitted, the current account will be used
        destinations = [
          "us-west-2",
          "111122223333/us-west-2",
          "111122223333/us-east-2"
        ]
        filters = ["helloworld", "demo-application"]
      },
      {
        destinations = [
          "us-west-2",
          "ap-southeast-2"
        ]
      }
    ]

    scanning_configuration = {
      scan_type    = "ENHANCED"
      scan_on_push = {}
      continuous_scanning = {
        filters = ["helloworld", "foobar"]
      }
    }
  }
}
```
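The scanning filters in the example above select repositories by name using the rule described in the argument reference below: a filter without a wildcard matches every repository name that contains it, while a filter with `*` matches the whole name with the wildcard standing for zero or more characters. The following added helper (not part of the module) implements that rule so you can check which repositories a filter list will pick up before applying it; `EXAMPLE_REPOSITORIES` is a constructed list of names.

```python
import re

def scan_filter_matches(filter_: str, repository_name: str) -> bool:
    """Apply one scanning filter to a repository name.

    Plain filters match by substring; wildcard filters must match the whole
    name, with each '*' standing for zero or more characters.
    """
    if "*" not in filter_:
        return filter_ in repository_name
    pattern = ".*".join(re.escape(part) for part in filter_.split("*"))
    return re.fullmatch(pattern, repository_name) is not None

def repositories_selected(filters, repository_names):
    """Return the repository names matched by at least one filter, in input order."""
    return [name for name in repository_names
            if any(scan_filter_matches(f, name) for f in filters)]

# Constructed repository names (not from the page) to exercise the filters above.
EXAMPLE_REPOSITORIES = [
    "helloworld", "team-helloworld-api", "foobar", "foo-bar", "demo-application",
]
```

Note that the plain filter `"helloworld"` also selects `team-helloworld-api`, which is what the documented "contains" semantics imply.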
- (map(string)) **`additional_tags_all = {}`** [since v1.0.0]

    Additional tags for all resources deployed with this module

- (object) **`private_registry = null`** [since v1.0.0]

    Manages the private registry

    - (string) **`permissions = null`** [since v1.0.0]

        Specifies the JSON policy document defining the registry policy

    - (map(object)) **`pull_through_cache_rules = {}`** [since v1.0.0]

        Configures pull through cache rules. Please see the example above

        - (string) **`upstream_registry_url`** [since v1.0.0]

            The registry URL of the upstream public registry to use as the source

            | Upstream registry | URL |
            |---|---|
            | ECR Public | `public.ecr.aws` |
            | Docker Hub | `registry-1.docker.io` |
            | Kubernetes | `registry.k8s.io` |
            | Quay | `quay.io` |
            | GitHub Container Registry | `ghcr.io` |
            | Azure Container Registry | `{custom}.azurecr.io` |
            | GitLab Container Registry | `registry.gitlab.com` |

        - (string) **`credential_arn = null`** [since v1.0.0]

            ARN of the Secrets Manager secret which will be used to authenticate against the upstream registry. Required when using the following upstream registries: Docker Hub, GitHub Container Registry, Azure Container Registry, GitLab Container Registry

    - (list(object)) **`replication_rules = []`** [since v1.0.0]

        Configures ECR replication rules. Please see the example above

        - (list(string)) **`destinations`** [since v1.0.0]

            The destinations images are replicated into, in `"account_id/region"` format. If `account_id` is omitted, the current account will be used. For cross-account replication, please make sure you grant proper registry permissions

        - (list(string)) **`filters = []`** [since v1.0.0]

            Add filters for this rule to specify the repositories to replicate. Supported filters are repository name prefixes. If no filter is added, all images in the registry are replicated.

    - (map(object)) **`repositories = {}`** [since v1.0.0]

        Manages multiple private repositories. Please see the example above

        - (map(string)) **`additional_tags = {}`** [since v1.0.0]

            Additional tags to be added to the repository

        - (bool) **`enable_tag_immutability = false`** [since v1.0.0]

            When tag immutability is enabled, tags are prevented from being overwritten.

        - (object) **`encrypt_with_kms = null`** [since v1.0.0]

            Encrypts the repository with KMS. If unspecified, ECR will be encrypted with `AES-256` by default

            - (string) **`kms_key_id = null`** [since v1.0.0]

                Specify the customer managed KMS key ID to be used for encryption. If unspecified, the default AWS managed key will be used.

        - (bool) **`force_delete = false`** [since v1.0.0]

            If true, the repository can be deleted even if it contains images

        - (string) **`permissions = null`** [since v1.0.0]

            Specifies the JSON policy document defining the repository policy

        - (list(object)) **`lifecycle_policy_rules = []`** [since v1.0.0]

            Configures lifecycle policy rules to automatically clean up images

            - (object) **`match_criteria`** [since v1.0.0]

                Specify the count type to apply to the images. Must specify exactly one of the below.

                - (number) **`days_since_image_pushed = null`** [since v1.0.0]

                    Specifies how many days should pass since an image was pushed before it expires

                - (number) **`image_count_more_than = null`** [since v1.0.0]

                    Sets a limit on the number of images that exist in the repository

            - (number) **`priority`** [since v1.0.0]

                Specify a rule priority, which must be unique. Values do not need to be sequential across rules in a policy. A lower number has higher priority.

            - (string) **`description = null`** [since v1.0.0]

                Describes the purpose of a rule within a lifecycle policy

            - (list(string)) **`tag_filters = null`** [since v1.0.0]

                Specify a list of image tags to match the images the lifecycle rule applies to. If not specified, untagged images will be matched. If `["*"]`, all images, including untagged images, will be matched. Wildcard match will be used if wildcards are used in the filter; otherwise, prefix match will be used. Please see the example above

    - (object) **`scanning_configuration = null`** [since v1.0.0]

        Configures image scanning. Please see the example above

        - (string) **`scan_type = "BASIC"`** [since v1.0.0]

            Specifies the scanning type that will be used for this registry. Valid values are: `"BASIC"`, `"ENHANCED"`

        - (object) **`continuous_scanning = null`** [since v1.0.0]

            Enables continuous scanning, which continually scans images after they are pushed into a matching repository. This setting is only available if `scan_type = "ENHANCED"`

            - (list(string)) **`filters = ["*"]`** [since v1.0.0]

                Specifies which repositories will continuously have images scanned for vulnerabilities. Filters with no wildcard will match all repository names that contain the filter. Filters with wildcards (`*`) will match a repository name where the wildcard replaces zero or more characters in the repository name.

        - (object) **`scan_on_push = null`** [since v1.0.0]

            Enables scan on push, which scans images when they are pushed into a matching repository.

            - (list(string)) **`filters = ["*"]`** [since v1.0.0]

                Specifies which repositories to scan for vulnerabilities on image push. Filters with no wildcard will match all repository names that contain the filter. Filters with wildcards (`*`) will match a repository name where the wildcard replaces zero or more characters in the repository name.

- (object) **`public_registry = null`** [since v1.0.0]

    Manages the public registry

    - (map(object)) **`repositories = {}`** [since v1.0.0]

        Manages multiple public repositories

        - (string) **`about_text = null`** [since v1.0.0]

            Provide a detailed description of the repository. Identify what is included in the repository, any licensing details, or other relevant information.

        - (map(string)) **`additional_tags = {}`** [since v1.0.0]

            Additional tags to be added to the public repository

        - (list(string)) **`architectures = null`** [since v1.0.0]

            The system architectures that the images in the repository are compatible with. Valid values: `"ARM"`, `"ARM 64"`, `"x86"`, `"x86-64"`

        - (string) **`description = null`** [since v1.0.0]

            The short description is displayed in search results and on the repository detail page.

        - (string) **`logo_image_blob = null`** [since v1.0.0]

            The base64-encoded repository logo payload (only visible for verified accounts). Note that drift detection is disabled for this attribute.

        - (list(string)) **`operating_systems = null`** [since v1.0.0]

            The operating systems that the images in the repository are compatible with. Valid values: `"Linux"`, `"Windows"`

        - (string) **`usage_text = null`** [since v1.0.0]

            Provide detailed information about how to use the images in the repository. This provides context, support information, and additional usage details for users of the repository.
- (map(object)) **`private_repositories`** [since v1.0.0]

    Map of all private repositories

    - (string) **`arn`** [since v1.0.0]

        The ARN of the repository

    - (string) **`registry_id`** [since v1.0.0]

        The account ID where the repository is created

    - (string) **`repository_url`** [since v1.0.0]

        The URL of the repository, in the form `aws_account_id.dkr.ecr.region.amazonaws.com/repositoryName`