Terraform module to create AWS ECR resources 🇺🇦


Amazon ECR Terraform module

Terraform module which creates Amazon ECR resources.

Usage

See the examples directory for working examples to reference:

Private Repository

module "ecr" {
  source = "terraform-aws-modules/ecr/aws"

  repository_name = "private-example"

  repository_read_write_access_arns = ["arn:aws:iam::012345678901:role/terraform"]
  repository_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1,
        description  = "Keep last 30 images",
        selection = {
          tagStatus     = "tagged",
          tagPrefixList = ["v"],
          countType     = "imageCountMoreThan",
          countNumber   = 30
        },
        action = {
          type = "expire"
        }
      }
    ]
  })

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Public Repository

module "public_ecr" {
  source = "terraform-aws-modules/ecr/aws"

  repository_name = "public-example"
  repository_type = "public"

  repository_read_write_access_arns = ["arn:aws:iam::012345678901:role/terraform"]

  public_repository_catalog_data = {
    description       = "Docker container for some things"
    about_text        = file("${path.module}/files/ABOUT.md")
    usage_text        = file("${path.module}/files/USAGE.md")
    operating_systems = ["Linux"]
    architectures     = ["x86"]
    logo_image_blob   = filebase64("${path.module}/files/clowd.png")
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Registry Management

module "ecr_registry" {
  source = "terraform-aws-modules/ecr/aws"

  repository_name = "registry-example"

  create_repository = false

  # Registry Policy
  create_registry_policy = true
  registry_policy        = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid    = "testpolicy",
        Effect = "Allow",
        Principal = {
          "AWS" : "arn:aws:iam::012345678901:root"
        },
        Action = [
          "ecr:ReplicateImage"
        ],
        Resource = [
          "arn:aws:ecr:us-east-1:012345678901:repository/*"
        ]
      }, {
        Sid    = "dockerhub",
        Effect = "Allow",
        Principal = {
          "AWS" : "arn:aws:iam::012345678901:root"
        },
        Action = [
          "ecr:CreateRepository",
          "ecr:BatchImportUpstreamImage"
        ],
        Resource = [
          "arn:aws:ecr:us-east-1:012345678901:repository/dockerhub/*"
        ]
      }
    ]
  })

  # Registry Pull Through Cache Rules
  registry_pull_through_cache_rules = {
    pub = {
      ecr_repository_prefix = "ecr-public"
      upstream_registry_url = "public.ecr.aws"
    }
    dockerhub = {
      ecr_repository_prefix = "dockerhub"
      upstream_registry_url = "registry-1.docker.io"
      credential_arn        = "arn:aws:secretsmanager:us-east-1:123456789:secret:ecr-pullthroughcache/dockerhub"
    }
  }

  # Registry Scanning Configuration
  manage_registry_scanning_configuration = true
  registry_scan_type                     = "ENHANCED"
  registry_scan_rules = [
    {
      scan_frequency = "SCAN_ON_PUSH"
      filter = [
        {
          filter      = "example1"
          filter_type = "WILDCARD"
        },
        {
          filter      = "example2"
          filter_type = "WILDCARD"
        }
      ]
    }, {
      scan_frequency = "CONTINUOUS_SCAN"
      filter = [
        {
          filter      = "example"
          filter_type = "WILDCARD"
        }
      ]
    }
  ]

  # Registry Replication Configuration
  create_registry_replication_configuration = true
  registry_replication_rules = [
    {
      destinations = [{
        region      = "us-west-2"
        registry_id = "012345678901"
        }, {
        region      = "eu-west-1"
        registry_id = "012345678901"
      }]

      repository_filters = [{
        filter      = "prod-microservice"
        filter_type = "PREFIX_MATCH"
      }]
    }
  ]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Module wrappers

Users of this Terraform module can create multiple similar resources by using the for_each meta-argument within the module block, which became available in Terraform 0.13.

Users of Terragrunt can achieve similar results by using the modules provided in the wrappers directory, if they prefer to reduce the amount of configuration files.
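As an added example (not code from this module's README or its examples directory), the following creates several private repositories from a single module block with for_each, applying the settings documented in the Inputs section: immutable tags, scan on push, KMS encryption, a repository that refuses deletion while it still holds images, and separate read and read/write principals. The repository names, role ARNs, account id and KMS key ARN are constructed placeholder values, and the lifecycle policy goes one step beyond the Private Repository example above by also expiring untagged images.

```hcl
locals {
  # Constructed sample data: one entry per repository to create,
  # with the task roles that are allowed to pull from it.
  repositories = {
    api    = { read_arns = ["arn:aws:iam::012345678901:role/api-task"] }
    worker = { read_arns = ["arn:aws:iam::012345678901:role/worker-task"] }
  }
}

module "ecr" {
  source   = "terraform-aws-modules/ecr/aws"
  for_each = local.repositories

  repository_name = "prod/${each.key}"

  # Only the CI role may push; task roles may only pull (placeholder ARNs).
  repository_read_write_access_arns = ["arn:aws:iam::012345678901:role/ci-deploy"]
  repository_read_access_arns       = each.value.read_arns

  # A tag such as "v1.2.3" can never be re-pointed at different image content.
  repository_image_tag_mutability = "IMMUTABLE"

  # Scan every image as soon as it is pushed.
  repository_image_scan_on_push = true

  # Encrypt with a customer-managed KMS key (placeholder key ARN).
  repository_encryption_type = "KMS"
  repository_kms_key         = "arn:aws:kms:us-east-1:012345678901:key/00000000-0000-0000-0000-000000000000"

  # Refuse to destroy the repository while it still contains images.
  repository_force_delete = false

  # Expire untagged images after 14 days and keep only the last 30 release images.
  repository_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged images older than 14 days"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 14
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Keep last 30 release images"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["v"]
          countType     = "imageCountMoreThan"
          countNumber   = 30
        }
        action = { type = "expire" }
      }
    ]
  })

  tags = {
    Terraform   = "true"
    Environment = "prod"
  }
}

# Collect the repository URLs of every instance created by the for_each.
output "repository_urls" {
  value = { for name, repo in module.ecr : name => repo.repository_url }
}
```

Each instance is addressed as module.ecr["api"] or module.ecr["worker"], so adding a repository is a matter of adding one key to local.repositories; the module's repository_url output is read per instance in the output block.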

Examples

Examples codified under the examples directory are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 5.61 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.61 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_ecr_lifecycle_policy.this | resource |
| aws_ecr_pull_through_cache_rule.this | resource |
| aws_ecr_registry_policy.this | resource |
| aws_ecr_registry_scanning_configuration.this | resource |
| aws_ecr_replication_configuration.this | resource |
| aws_ecr_repository.this | resource |
| aws_ecr_repository_policy.this | resource |
| aws_ecrpublic_repository.this | resource |
| aws_ecrpublic_repository_policy.example | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.repository | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| attach_repository_policy | Determines whether a repository policy will be attached to the repository | bool | true | no |
| create | Determines whether resources will be created (affects all resources) | bool | true | no |
| create_lifecycle_policy | Determines whether a lifecycle policy will be created | bool | true | no |
| create_registry_policy | Determines whether a registry policy will be created | bool | false | no |
| create_registry_replication_configuration | Determines whether a registry replication configuration will be created | bool | false | no |
| create_repository | Determines whether a repository will be created | bool | true | no |
| create_repository_policy | Determines whether a repository policy will be created | bool | true | no |
| manage_registry_scanning_configuration | Determines whether the registry scanning configuration will be managed | bool | false | no |
| public_repository_catalog_data | Catalog data configuration for the repository | any | {} | no |
| registry_policy | The policy document. This is a JSON formatted string | string | null | no |
| registry_pull_through_cache_rules | List of pull through cache rules to create | map(map(string)) | {} | no |
| registry_replication_rules | The replication rules for a replication configuration. A maximum of 10 are allowed | any | [] | no |
| registry_scan_rules | One or multiple blocks specifying scanning rules to determine which repository filters are used and at what frequency scanning will occur | any | [] | no |
| registry_scan_type | The scanning type to set for the registry. Can be either ENHANCED or BASIC | string | "ENHANCED" | no |
| repository_encryption_type | The encryption type for the repository. Must be one of: KMS or AES256. Defaults to AES256 | string | null | no |
| repository_force_delete | If true, will delete the repository even if it contains images. Defaults to false | bool | null | no |
| repository_image_scan_on_push | Indicates whether images are scanned after being pushed to the repository (true) or not scanned (false) | bool | true | no |
| repository_image_tag_mutability | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to IMMUTABLE | string | "IMMUTABLE" | no |
| repository_kms_key | The ARN of the KMS key to use when encryption_type is KMS. If not specified, uses the default AWS managed key for ECR | string | null | no |
| repository_lambda_read_access_arns | The ARNs of the Lambda service roles that have read access to the repository | list(string) | [] | no |
| repository_lifecycle_policy | The policy document. This is a JSON formatted string. See more details about Policy Parameters in the official AWS docs | string | "" | no |
| repository_name | The name of the repository | string | "" | no |
| repository_policy | The JSON policy to apply to the repository. If not specified, uses the default policy | string | null | no |
| repository_policy_statements | A map of IAM policy statements for custom permission usage | any | {} | no |
| repository_read_access_arns | The ARNs of the IAM users/roles that have read access to the repository | list(string) | [] | no |
| repository_read_write_access_arns | The ARNs of the IAM users/roles that have read/write access to the repository | list(string) | [] | no |
| repository_type | The type of repository to create. Either public or private | string | "private" | no |
| tags | A map of tags to add to all resources | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| repository_arn | Full ARN of the repository |
| repository_name | Name of the repository |
| repository_registry_id | The registry ID where the repository was created |
| repository_url | The URL of the repository |

License

Apache-2.0 Licensed. See LICENSE.