AWS Amazon ECR Repository Policy
This page shows how to write Terraform and CloudFormation for an Amazon ECR Repository Policy, and how to write them securely.
aws_ecr_repository_policy (Terraform)
The Repository Policy in Amazon ECR can be configured in Terraform with the resource name aws_ecr_repository_policy. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ecr_repository_policy" "ecr1" {
  repository = aws_ecr_repository.ecr1.name
  policy     = data.aws_iam_policy_document.access_policy.json
}

resource "aws_ecr_repository" "ecr3" {
  name = "ecr3"
}

resource "aws_ecr_repository_policy" "formio-enterprise" {
  repository = aws_ecr_repository.formio-enterprise.name
  policy     = var.ecr_policy
}

resource "aws_ecr_repository_policy" "ecr_allow_no_wildcard" {
  repository = "ecr-repo"
  policy     = <<EOF
{
  "Version": "2008-10-17",

resource "aws_ecr_repository_policy" "registry-policy-carts" {
  repository = aws_ecr_repository.repository_carts.name
  policy     = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [

resource "aws_ecr_repository_policy" "repo_apiserver" {
  repository = aws_ecr_repository.repo_apiserver.name
  policy     = data.aws_iam_policy_document.repo_permission_policy.json
}

resource "aws_ecr_lifecycle_policy" "repo_apiserver" {
Parameters
- id: optional, computed; string
- policy: required; string
- registry_id: optional, computed; string
- repository: required; string
Explanation in Terraform Registry
Provides an Elastic Container Registry Repository Policy. Note that currently only one policy may be applied to a repository.
Tips: Best Practices for The Other AWS Amazon ECR Resources
In addition to aws_ecr_repository_policy, Amazon ECR has other resources that should be configured with security in mind. Please check the following examples of those resources and their precautions.
aws_ecr_repository
Ensure to enable ECR image scan
It is better to enable ECR image scanning. Amazon ECR provides a feature that scans container images and reports vulnerable software found in them.
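The following Terraform is an added example that is not taken from the GitHub sources above: it combines the two points of this section, a repository with scan-on-push enabled and a single repository policy that grants pull access to one named principal instead of a wildcard. The account ID and role name are placeholders.

```hcl
# Added example (not from the page's GitHub sources). Account ID and role name are placeholders.
resource "aws_ecr_repository" "app" {
  name                 = "example-app"
  image_tag_mutability = "IMMUTABLE"   # a pushed tag cannot be silently repointed

  image_scanning_configuration {
    scan_on_push = true                 # scan every pushed image for known vulnerabilities
  }
}

# Pull-only access for one named role. Avoid a principal of "*", which would let
# any AWS account read the images in this repository.
data "aws_iam_policy_document" "pull_only" {
  statement {
    sid    = "AllowPullFromDeployRole"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:role/deploy-role"]  # placeholder ARN
    }

    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
    ]
  }
}

# Only one repository policy can be attached per repository, so all
# statements for this repository belong in this single document.
resource "aws_ecr_repository_policy" "pull_only" {
  repository = aws_ecr_repository.app.name
  policy     = data.aws_iam_policy_document.pull_only.json
}
```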
AWS::ECR::Repository (CloudFormation)
The Repository in ECR can be configured in CloudFormation with the resource name AWS::ECR::Repository. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::ECR::Repository
Properties:
  RepositoryName: almanack

Migrant:
  Type: AWS::ECR::Repository
  Properties:

Type: "AWS::ECR::Repository"
Properties:
  RepositoryName: !Join ['', [!Ref 'Environment', "/", "park/builder"]]

parkIdmDependencies:
  Type: "AWS::ECR::Repository"
  Properties:

Type: AWS::ECR::Repository
Properties:
  LifecyclePolicy:
    LifecyclePolicyText: |
      {
        "rules": [{

Type: AWS::ECR::Repository
Properties:
  RepositoryName: pm-av-webui-app

PropertyEcr:
  Type: AWS::ECR::Repository
  Properties:

Type: 'AWS::ECR::Repository'
Properties:
  RepositoryName: location-service

DEMANDSERVICE:
  Type: 'AWS::ECR::Repository'
  Properties:

"Type" : "AWS::ECR::Repository",
"Properties" : {
  "RepositoryName" : "autopilot"
}
},
"spotSigHandlerECR" : {
  "Type" : "AWS::ECR::Repository",
  "Properties" : {
    "RepositoryName" : "autopilot"
  }
},
Parameters
- LifecyclePolicy: optional; LifecyclePolicy
- RepositoryName: optional; String
- RepositoryPolicyText: optional; Json
- Tags: optional; List of Tag
- ImageTagMutability: optional; String
- ImageScanningConfiguration: optional; ImageScanningConfiguration
- EncryptionConfiguration: optional; EncryptionConfiguration
Explanation in CloudFormation Registry
The AWS::ECR::Repository resource specifies an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. For more information, see Amazon ECR private repositories in the Amazon ECR User Guide.
Frequently asked questions
What is AWS Amazon ECR Repository Policy?
AWS Amazon ECR Repository Policy is a resource for Amazon ECR of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon ECR Repository Policy?
For Terraform, the moshinde/terraform-atlantis-envs, 18F/formservice-iac-modules and ffsclyh/config-lint source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the matchVote/matchvote_ops, saiganesh12/alexa-video-skills and morphologue/CfnTemplates source code examples are useful. See the CloudFormation Example section for further details.