This creates private container image repositories hosted in the AWS Elastic Container Registry (ECR) of your AWS Account using a Terramate project.
For equivalent examples see:
Install the dependencies:
Set the AWS Account credentials using SSO:
# set the environment variables to use a specific profile.
# e.g. use the pattern <aws-sso-session-name>-<aws-account-name>-<aws-account-role>-<aws-account-id>
export AWS_PROFILE=example-dev-AdministratorAccess-123456
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
# set the account credentials.
# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso
aws configure sso
# dump the configured profile and sso-session.
cat ~/.aws/config
# show the user, user amazon resource name (arn), and the account id, of the
# profile set in the AWS_PROFILE environment variable.
aws sts get-caller-identityOr, set the AWS Account credentials using an Access Key:
# set the account credentials.
# NB get these from your aws account iam console.
# see Managing access keys (console) at
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
export AWS_ACCESS_KEY_ID='TODO'
export AWS_SECRET_ACCESS_KEY='TODO'
unset AWS_PROFILE
# set the default region.
export AWS_DEFAULT_REGION='eu-west-1'
# show the user, user amazon resource name (arn), and the account id.
aws sts get-caller-identityReview the files:
Initialize the project:
terramate run terraform init -lockfile=readonlyLaunch the example:
terramate run terraform applyShow the terraform state:
terramate run terraform state list
terramate run terraform showLog in the container registry:
NB You are logging in at the registry level. You are not logging in at the repository level.
aws ecr get-login-password \
--region "$(terramate run -C stacks/ecr terraform output -raw registry_region)" \
| docker login \
--username AWS \
--password-stdin \
"$(terramate run -C stacks/ecr terraform output -raw registry_domain)"NB This saves the credentials in the ~/.docker/config.json local file.
Inspect the created example container image:
image="$(terramate run -C stacks/ecr terraform output -json images | jq -r .example)"
crane manifest "$image" | jq .Download the created example container image from the created container image repository, and execute it locally:
docker run --rm "$image"Delete the local copy of the created container image:
docker rmi "$image"Log out the container registry:
docker logout \
"$(terramate run -C stacks/ecr terraform output -raw registry_domain)"Delete the example image resource:
terramate run -C stacks/ecr \
terraform destroy -target='terraform_data.ecr_image["example"]'At the ECR AWS Management Console, verify that the example image no longer exists (actually, it's the image index/tag that no longer exists).
Do an terraform apply to verify that it recreates the example image:
terramate run terraform applyDestroy the example:
terramate run --reverse terraform destroyList this repository dependencies (and which have newer versions):
GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh- Its not possible to create multiple container image registries.
- A single registry is automatically created when the AWS Account is created.
- You have to create a separate repository for each of your container images.
- A repository name can include several path segments (e.g.
hello/world).
- A repository name can include several path segments (e.g.
- Terramate does not support flowing Terraform outputs into other Terraform
program input variables. Instead, Terraform programs should use Terraform
data sources to find the resources that are already created. Those resources
can normally be found by the resource tag (e.g.
stack) defined in a Terramate global.