Amazon ECR Terraform module
Terraform module which creates Amazon ECR resources.
Usage
See examples directory for working examples to reference:
Private Repository
# Private ECR repository with one read/write principal and an image lifecycle policy.
# The source below carries no version constraint; add one
# (version = "<MODULE_VERSION_CONSTRAINT>") so a new registry release cannot change
# what this configuration deploys without a reviewed edit.
module "ecr" {
  source = "terraform-aws-modules/ecr/aws"

  repository_name = "private-example"

  # Principals listed here receive read AND write access to the repository, so keep
  # the list to the roles that publish images. Pull-only consumers fit
  # repository_read_access_arns instead.
  repository_read_write_access_arns = ["arn:aws:iam::012345678901:role/terraform"]

  # Expire images whose tag starts with "v" once more than 30 of them exist.
  # The rule selects tagged images only; untagged images are not covered by it.
  repository_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Keep last 30 images"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["v"]
          countType     = "imageCountMoreThan"
          countNumber   = 30
        }
        action = { type = "expire" }
      }
    ]
  })

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
Public Repository
# Public ECR repository with gallery catalog metadata.
# repository_type = "public" publishes the repository for anonymous pulls, so every
# layer pushed here should be treated as world-readable: no credentials, internal
# hostnames or private build context in the image.
# The source carries no version constraint; add one
# (version = "<MODULE_VERSION_CONSTRAINT>") to keep deployments reproducible.
module "public_ecr" {
  source = "terraform-aws-modules/ecr/aws"

  repository_name = "public-example"
  repository_type = "public"

  # Push access; pulls of a public repository do not depend on this list.
  repository_read_write_access_arns = ["arn:aws:iam::012345678901:role/terraform"]

  # Catalog data is rendered publicly. The text and logo are read from files next to
  # the calling module at plan time.
  public_repository_catalog_data = {
    description       = "Docker container for some things"
    about_text        = file("${path.module}/files/ABOUT.md")
    usage_text        = file("${path.module}/files/USAGE.md")
    operating_systems = ["Linux"]
    architectures     = ["x86"]
    logo_image_blob   = filebase64("${path.module}/files/clowd.png")
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
Registry Management
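# Registry-level settings only: create_repository = false means no repository is
# created, and the module manages the registry policy, pull-through cache rules,
# scanning configuration and replication configuration for the account's registry.
# The source carries no version constraint; add one
# (version = "<MODULE_VERSION_CONSTRAINT>") so registry-wide settings cannot change
# through an unreviewed module release.
module "ecr_registry" {
  source = "terraform-aws-modules/ecr/aws"

  repository_name   = "registry-example"
  create_repository = false

  # Registry Policy
  # Both statements name the account root as principal, which delegates the decision
  # to IAM in that account: any identity there that IAM allows may use the actions.
  # Name specific roles instead where the use case permits it.
  create_registry_policy = true
  registry_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Lets the principal replicate images into any repository of this registry.
        Sid    = "testpolicy"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::012345678901:root"
        }
        Action = [
          "ecr:ReplicateImage"
        ]
        Resource = [
          "arn:aws:ecr:us-east-1:012345678901:repository/*"
        ]
      },
      {
        # Scoped to the dockerhub/ prefix used by the pull-through cache rule below.
        Sid    = "dockerhub"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::012345678901:root"
        }
        Action = [
          "ecr:CreateRepository",
          "ecr:BatchImportUpstreamImage"
        ]
        Resource = [
          "arn:aws:ecr:us-east-1:012345678901:repository/dockerhub/*"
        ]
      }
    ]
  })

  # Registry Pull Through Cache Rules
  # Cached images are third-party content pulled from the upstream registry on demand.
  registry_pull_through_cache_rules = {
    pub = {
      ecr_repository_prefix = "ecr-public"
      upstream_registry_url = "public.ecr.aws"
    }
    dockerhub = {
      ecr_repository_prefix = "dockerhub"
      upstream_registry_url = "registry-1.docker.io"
      # Secrets Manager secret holding the Docker Hub credentials; ECR expects the
      # secret name to start with "ecr-pullthroughcache/". AWS account IDs are 12
      # digits, so the account field uses the same placeholder account as the other
      # ARNs in this example. Replace it with the full ARN of your own secret.
      credential_arn = "arn:aws:secretsmanager:us-east-1:012345678901:secret:ecr-pullthroughcache/dockerhub"
    }
  }

  # Registry Scanning Configuration
  # As written, the filters name example repositories only. Add filters for the
  # pull-through prefixes above (for instance "dockerhub/*") if cached upstream
  # images should be scanned as well.
  manage_registry_scanning_configuration = true
  registry_scan_type                     = "ENHANCED"
  registry_scan_rules = [
    {
      scan_frequency = "SCAN_ON_PUSH"
      filter = [
        {
          filter      = "example1"
          filter_type = "WILDCARD"
        },
        {
          filter      = "example2"
          filter_type = "WILDCARD"
        }
      ]
    },
    {
      scan_frequency = "CONTINUOUS_SCAN"
      filter = [
        {
          filter      = "example"
          filter_type = "WILDCARD"
        }
      ]
    }
  ]

  # Registry Replication Configuration
  # Repositories whose name starts with "prod-microservice" are replicated to
  # us-west-2 and eu-west-1 in registry 012345678901.
  create_registry_replication_configuration = true
  registry_replication_rules = [
    {
      destinations = [
        {
          region      = "us-west-2"
          registry_id = "012345678901"
        },
        {
          region      = "eu-west-1"
          registry_id = "012345678901"
        }
      ]
      repository_filters = [
        {
          filter      = "prod-microservice"
          filter_type = "PREFIX_MATCH"
        }
      ]
    }
  ]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}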
Module wrappers
Users of this Terraform module can create multiple similar resources by using the for_each meta-argument within a module block, which became available in Terraform 0.13.
Users of Terragrunt can achieve similar results by using the modules provided in the wrappers directory, if they prefer to reduce the number of configuration files.
Examples
Examples codified under the examples directory are intended to give users references for how to use the module(s), and are also used for testing and validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
License
Apache-2.0 Licensed. See LICENSE.