AWS Amazon ECR Lifecycle Policy

This page shows how to write Terraform and CloudFormation for an Amazon ECR lifecycle policy, and how to do so securely.

aws_ecr_lifecycle_policy (Terraform)

The lifecycle policy in Amazon ECR can be configured in Terraform with the resource name aws_ecr_lifecycle_policy. The following sections describe three examples of how to use the resource and its parameters.

Example Usage from GitHub

aws_ecr_lifecycle_policy.tf#L1
resource "aws_ecr_lifecycle_policy" "fascia_last" {
  repository = aws_ecr_repository.fascia.name

  policy = file("aws_ecr_lifecycle_policy/last.json")
}

ecr.tf#L19
resource "aws_ecr_lifecycle_policy" "app" {
  repository = aws_ecr_repository.app.name

  # The source excerpt ends after "rules": [; the single rule below is a placeholder added so the heredoc closes and the policy is valid JSON.
  policy = <<EOF
  {
    "rules": [
      {"rulePriority": 1, "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed", "countUnit": "days", "countNumber": 14},
       "action": {"type": "expire"}}
    ]
  }
EOF
}
repositories.tf#L10
resource "aws_ecr_lifecycle_policy" "repo_apiserver" {
  repository = aws_ecr_repository.repo_apiserver.name
  policy     = local.repo_lifecycle_policy
}


Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Manages an ECR repository lifecycle policy.

NOTE: Only one aws_ecr_lifecycle_policy resource can be used with the same ECR repository. To apply multiple rules, they must be combined in the policy JSON.

NOTE: The AWS ECR API seems to reorder rules based on rulePriority. If you define multiple rules that are not sorted in ascending rulePriority order in the Terraform code, the resource will be flagged for recreation on every terraform plan.
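The two notes above are easiest to enforce before terraform plan ever runs. The following is an added example, not code from this page or from the repositories it links: a small pre-plan linter for the lifecycle policy JSON (the file passed to file(...) or the heredoc in the examples above). It checks the ordering rule the Terraform Registry note describes (rules listed in ascending, unique rulePriority order, so the API does not reorder them behind Terraform's back) and the structural constraints ECR documents for the policy JSON, and it can rewrite the policy into the order the API returns. The 50-rule limit and the 100 to 30720 byte text bounds are taken from the ECR service quota and the CloudFormation LifecyclePolicyText limits as documented; the sample policies are constructed for the example.

```python
"""Pre-plan checks for an Amazon ECR lifecycle policy document (added example)."""
import json

TEXT_MIN, TEXT_MAX = 100, 30720   # CloudFormation LifecyclePolicyText length bounds
MAX_RULES = 50                    # ECR quota for rules per lifecycle policy (assumed current)
TAG_STATUS = {"tagged", "untagged", "any"}
COUNT_TYPES = {"imageCountMoreThan", "sinceImagePushed"}


def validate_lifecycle_policy(text: str) -> list:
    """Return findings; an empty list means ECR should accept the policy and Terraform
    will not see a spurious diff caused by rule ordering."""
    findings = []
    size = len(text.encode())
    if not TEXT_MIN <= size <= TEXT_MAX:
        findings.append(f"policy text is {size} bytes, must be {TEXT_MIN}-{TEXT_MAX}")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return findings + [f"invalid JSON: {exc}"]
    rules = doc.get("rules") if isinstance(doc, dict) else None
    if not isinstance(rules, list) or not rules:
        return findings + ["document must be an object with a non-empty 'rules' array"]
    if len(rules) > MAX_RULES:
        findings.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")

    priorities, any_priorities = [], []
    for i, rule in enumerate(rules):
        where = f"rules[{i}]"
        if not isinstance(rule, dict):
            findings.append(f"{where}: rule must be an object")
            continue
        prio = rule.get("rulePriority")
        sel = rule.get("selection") or {}
        status = sel.get("tagStatus")
        if isinstance(prio, int) and prio >= 1:
            priorities.append(prio)
            if status == "any":
                any_priorities.append(prio)
        else:
            findings.append(f"{where}: rulePriority must be a positive integer")
        if status not in TAG_STATUS:
            findings.append(f"{where}: tagStatus must be one of {sorted(TAG_STATUS)}")
        has_filter = bool(sel.get("tagPrefixList") or sel.get("tagPatternList"))
        if status == "tagged" and not has_filter:
            findings.append(f"{where}: tagStatus 'tagged' needs tagPrefixList or tagPatternList")
        if status in ("untagged", "any") and has_filter:
            findings.append(f"{where}: tag filters are only allowed with tagStatus 'tagged'")
        ctype = sel.get("countType")
        if ctype not in COUNT_TYPES:
            findings.append(f"{where}: countType must be one of {sorted(COUNT_TYPES)}")
        if ctype == "sinceImagePushed" and sel.get("countUnit") != "days":
            findings.append(f"{where}: sinceImagePushed requires countUnit 'days'")
        if ctype == "imageCountMoreThan" and "countUnit" in sel:
            findings.append(f"{where}: countUnit is not allowed with imageCountMoreThan")
        count = sel.get("countNumber")
        if not (isinstance(count, int) and count >= 1):
            findings.append(f"{where}: countNumber must be a positive integer")
        if (rule.get("action") or {}).get("type") != "expire":
            findings.append(f"{where}: action.type must be 'expire'")

    if len(set(priorities)) != len(priorities):
        findings.append("rulePriority values must be unique")
    if priorities != sorted(priorities):
        findings.append("rules are not in ascending rulePriority order; the ECR API reorders them "
                        "and terraform plan will propose recreating the resource on every run")
    if any_priorities and priorities and max(any_priorities) != max(priorities):
        findings.append("a rule with tagStatus 'any' must carry the highest rulePriority")
    return findings


def canonicalize(text: str) -> str:
    """Rewrite the policy with rules sorted by rulePriority, the order the ECR API
    returns, so the file, the state and the API agree and no recreate is planned."""
    doc = json.loads(text)
    doc["rules"] = sorted(doc["rules"], key=lambda r: r["rulePriority"])
    return json.dumps(doc, indent=2)


# Constructed sample policy: untagged images go after 14 days, only the newest 30
# release-* images are kept, and a catch-all 'any' rule with the highest priority
# caps the repository at 100 images.
GOOD_POLICY = json.dumps({"rules": [
    {"rulePriority": 1, "description": "expire untagged after 14 days",
     "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 14},
     "action": {"type": "expire"}},
    {"rulePriority": 2, "description": "keep the newest 30 release images",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["release-"],
                   "countType": "imageCountMoreThan", "countNumber": 30},
     "action": {"type": "expire"}},
    {"rulePriority": 3, "description": "cap the repository at 100 images",
     "selection": {"tagStatus": "any", "countType": "imageCountMoreThan", "countNumber": 100},
     "action": {"type": "expire"}},
]})

# Same rules listed in descending order: the mistake the Terraform Registry note describes.
UNSORTED_POLICY = json.dumps({"rules": list(reversed(json.loads(GOOD_POLICY)["rules"]))})

# Constructed broken policy: 'tagged' without a filter, sinceImagePushed without
# countUnit, and an 'any' rule that does not carry the highest priority.
BAD_POLICY = json.dumps({"rules": [
    {"rulePriority": 1, "selection": {"tagStatus": "any", "countType": "imageCountMoreThan",
                                      "countNumber": 50}, "action": {"type": "expire"}},
    {"rulePriority": 2, "selection": {"tagStatus": "tagged", "countType": "sinceImagePushed",
                                      "countNumber": 7}, "action": {"type": "expire"}},
]})
```

Run validate_lifecycle_policy over the JSON file in CI before terraform plan; if the only finding is the ordering one, writing canonicalize(text) back to the file removes the perpetual recreate without changing what the policy does.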

Tips: Best Practices for The Other AWS Amazon ECR Resources

In addition to aws_ecr_lifecycle_policy, Amazon ECR has other resources that should be configured with security in mind. Some examples of those resources and their precautions follow.

aws_ecr_repository

Ensure that ECR image scanning is enabled

It is better to enable ECR image scanning. Amazon ECR provides a feature to scan container images and discover vulnerable software; in Terraform this is the image_scanning_configuration block of aws_ecr_repository with scan_on_push set to true.

Review your AWS Amazon ECR settings

In addition to the above, there are other security points you should be aware of; Shisho Cloud checks your .tf files for them.

AWS::ECR::Repository LifecyclePolicy (CloudFormation)

In CloudFormation, the lifecycle policy is not a resource of its own but the LifecyclePolicy property of the AWS::ECR::Repository resource. The following sections describe how to use the property and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

LifecyclePolicyText The JSON lifecycle policy text to apply to the repository.
Required: No
Type: String
Minimum: 100
Maximum: 30720
Update requires: No interruption

RegistryId The AWS account ID associated with the registry that contains the repository. If you do not specify a registry, the default registry is assumed.
Required: No
Type: String
Pattern: [0-9]{12}
Update requires: No interruption

Explanation in CloudFormation Registry

The LifecyclePolicy property type specifies a lifecycle policy. For information about lifecycle policy syntax, see Lifecycle policy template in the Amazon ECR User Guide.

Frequently asked questions

What is AWS Amazon ECR Lifecycle Policy?

AWS Amazon ECR Lifecycle Policy is a resource for Amazon ECR of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon ECR Lifecycle Policy?

For Terraform, the h3poteto/h3poteto-terraform-aws and kshina76/centos-backup source code examples are useful. See the Terraform Example section for further details.