AWS Amazon ECR Repository

This page shows how to configure an Amazon ECR Repository in Terraform and CloudFormation, and how to do so securely.

aws_ecr_repository (Terraform)

The Repository in Amazon ECR can be configured in Terraform with the resource name aws_ecr_repository. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

ecr.tf#L1
resource "aws_ecr_repository" "update_jobs" {
  name = "test-infra/update-jobs"
  encryption_configuration {
    encryption_type = "KMS"
  }
}
aws_ecr_repository.tf#L1
resource "aws_ecr_repository" "fascia" {
  name = "h3poteto/fascia"
}

resource "aws_ecr_repository" "seiyuwatch" {
  name = "h3poteto/seiyuwatch"
}
ecr.tf#L1
resource "aws_ecr_repository" "nginx_services" {
  name = "uk.ac.wellcome/nginx_services"
}

resource "aws_ecr_repository" "transformer_miro" {
  name = "uk.ac.wellcome/transformer_miro"
}
ecr.tf#L1
resource "aws_ecr_repository" "gp-to-repo" {
  name = "deductions/gp-to-repo"
  # Tag immutability is switched by a variable; "IMMUTABLE" is the safe value.
  image_tag_mutability = var.immutable_ecr_repositories ? "IMMUTABLE" : "MUTABLE"
  tags = {
    CreatedBy = var.repo_name
  }
}
ecr.tf#L16
resource "aws_ecr_repository" "devl-auth" {
  name                 = "dgp-reg/authserver"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    # This example leaves scan-on-push disabled.
    scan_on_push = false
  }
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_ecr_repository

There are 3 settings in aws_ecr_repository that should be taken care of for security reasons. The following sections explain each of them with an overview and example code.


Ensure to enable ECR image scan

Enable ECR image scanning. Amazon ECR can scan a container image when it is pushed and report the known vulnerabilities (CVEs) in the software it contains, so a vulnerable base image is caught before it is deployed. Scanning only reports findings; it does not block a push or a pull on its own, so the results (visible in the console and API, and published as EventBridge events) need to feed a process that acts on them.


Ensure to use a customer-managed key for the encryption of ECR

Use a customer-managed key (CMK) to encrypt ECR images. By default ECR encrypts images with an AWS-managed key; with a CMK you own the key policy, decide which principals may use the key, control rotation, and can audit its use through CloudTrail. The encryption configuration is fixed when the repository is created and cannot be changed afterwards, so this decision has to be made up front.


Ensure to force ECR image tags immutable

Force ECR image tags to be immutable. With mutable tags, anyone with push access can overwrite an existing tag such as v1.2.3, so a consumer pulling that tag can be served a different, possibly tampered, image without any change on its side. Immutable tags make a second push to an existing tag fail, which also means build pipelines must use a unique tag per build instead of re-pushing "latest". Immutability protects the tag-to-image binding in the registry; pinning deployments to the image digest gives the same guarantee on the consumer side.
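As an added example (not code from any of the repositories quoted above), the following Terraform shows a repository left at provider defaults beside one that applies all three settings from this section. The resource names app_weak, app and ecr_cmk, the repository names under example/, and the alias alias/ecr-example are placeholders.

```hcl
# Added example, not from the page's source repositories. Resource and
# repository names are placeholders.

# Weak: provider defaults. Scan-on-push is off, tags are MUTABLE (a push can
# silently replace "v1.2.3"), and images use the AWS-managed ECR key.
resource "aws_ecr_repository" "app_weak" {
  name = "example/app-weak"
}

# Customer-managed KMS key for the hardened repository. Rotation is on and
# the key is kept for 30 days after deletion is scheduled, so images are not
# rendered unreadable by an accidental delete.
resource "aws_kms_key" "ecr_cmk" {
  description             = "CMK for ECR image encryption (example)"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "ecr_cmk" {
  name          = "alias/ecr-example"
  target_key_id = aws_kms_key.ecr_cmk.key_id
}

# Hardened: immutable tags, scan on push, encryption with the CMK above.
resource "aws_ecr_repository" "app" {
  name                 = "example/app"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }

  # Fixed at creation time; changing it later forces a new repository.
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr_cmk.arn
  }

  tags = {
    ManagedBy = "terraform"
  }
}
```

Two points worth checking in review. Choosing encryption_type = "KMS" without a kms_key, as the first GitHub example on this page does, encrypts with the AWS-managed aws/ecr key rather than a customer-managed one, so that example does not satisfy the CMK recommendation. And scan_on_push here configures repository-level (basic) scanning; if the registry has an aws_ecr_registry_scanning_configuration, its rules decide which repositories are scanned, so check both places.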

Review your AWS Amazon ECR settings

You can check if the aws_ecr_repository setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Provides an Elastic Container Registry Repository.

AWS::ECR::Repository (CloudFormation)

The Repository in ECR can be configured in CloudFormation with the resource name AWS::ECR::Repository. The following sections show examples of how to use the resource and its parameters.

Example Usage from GitHub

repositary.yml#L8
    Type: "AWS::ECR::Repository"
    Properties:
      RepositoryName: !Join ['', [!Ref 'Environment', "/", "park/builder"]]
  parkIdmDependencies:
    Type: "AWS::ECR::Repository"
    Properties:
matchvote.yml#L8
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: almanack
  Migrant:
    Type: AWS::ECR::Repository
    Properties:
dev.ecr.yml#L5
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: pm-av-webui-app
  PropertyEcr:
    Type: AWS::ECR::Repository
    Properties:
ecr.yml#L5
    Type: AWS::ECR::Repository
    Properties:
      LifecyclePolicy:
        LifecyclePolicyText: |
          {
            "rules": [{
docker.yml#L18
    Type: "AWS::ECR::Repository"
    Properties:
      RepositoryName: !Sub "${ProjectName}-api"
  DocsRepository:
    Type: "AWS::ECR::Repository"
    Properties:
ecr-repos.json#L5
        "Type" : "AWS::ECR::Repository",
        "Properties" : {
            "RepositoryName" : "autopilot"
        }
    },
    "spotSigHandlerECR" : {
base.json#L11
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "baseball-ui"
      }
    },
    "APIRepository": {

Parameters

Explanation in CloudFormation Registry

The AWS::ECR::Repository resource specifies an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. For more information, see Amazon ECR private repositories in the Amazon ECR User Guide.

Frequently asked questions

What is AWS Amazon ECR Repository?

AWS Amazon ECR Repository is a resource for Amazon ECR of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon ECR Repository?

For Terraform, the falcosecurity/test-infra, h3poteto/h3poteto-terraform-aws and wellcomecollection/catalogue-pipeline source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the saiganesh12/alexa-video-skills, matchVote/matchvote_ops and okram999/ecs-fargate source code examples are useful. See the CloudFormation Example section for further details.