AWS Amazon ECR Repository
This page shows how to write Terraform and CloudFormation for Amazon ECR Repository and write them securely.
aws_ecr_repository (Terraform)
The Repository in Amazon ECR can be configured in Terraform with the resource name aws_ecr_repository. The following sections describe 5 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_ecr_repository" "update_jobs" {
  name = "test-infra/update-jobs"

  encryption_configuration {
    encryption_type = "KMS"
  }
}

resource "aws_ecr_repository" "fascia" {
  name = "h3poteto/fascia"
}

resource "aws_ecr_repository" "seiyuwatch" {
  name = "h3poteto/seiyuwatch"
}

resource "aws_ecr_repository" "nginx_services" {
  name = "uk.ac.wellcome/nginx_services"
}

resource "aws_ecr_repository" "transformer_miro" {
  name = "uk.ac.wellcome/transformer_miro"
}

resource "aws_ecr_repository" "gp-to-repo" {
  name                 = "deductions/gp-to-repo"
  image_tag_mutability = var.immutable_ecr_repositories ? "IMMUTABLE" : "MUTABLE"

  tags = {
    CreatedBy = var.repo_name
  }
}

resource "aws_ecr_repository" "devl-auth" {
  name                 = "dgp-reg/authserver"
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    # Scanning is disabled in this example; the best practices below recommend enabling it.
    scan_on_push = false
  }
}
Security Best Practices for aws_ecr_repository
There are 3 settings in aws_ecr_repository that should be taken care of for security reasons. The following sections give an overview and example code.
Ensure ECR image scanning is enabled
It is better to enable ECR image scanning. Amazon ECR can scan container images and discover vulnerable software in them.
Ensure a customer-managed key is used for ECR encryption
It is better to use a customer-managed key (CMK) for ECR encryption. You gain more control over the encryption by using a customer-managed key.
Ensure ECR image tags are immutable
It is better to make ECR image tags immutable, which prevents code injection through image mutation (overwriting an existing tag with a different image).
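The three settings above combined in one hardened configuration, as an added example that is not one of the GitHub examples on this page; the resource labels, the KMS alias and the repository name are assumptions.

```hcl
# Customer-managed KMS key for ECR encryption (second best practice).
resource "aws_kms_key" "ecr" {
  description             = "CMK for ECR repository encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "ecr" {
  name          = "alias/ecr-example" # assumed alias name
  target_key_id = aws_kms_key.ecr.key_id
}

resource "aws_ecr_repository" "hardened" {
  name = "example/hardened-app" # assumed repository name

  # Third best practice: a tag, once pushed, cannot be repointed to a
  # different image, so "latest" cannot be silently swapped out.
  image_tag_mutability = "IMMUTABLE"

  # First best practice: scan every pushed image for known vulnerabilities.
  image_scanning_configuration {
    scan_on_push = true
  }

  # Second best practice: encrypt with the CMK above instead of the
  # AWS-managed key, so the key policy and rotation are under your control.
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }
}
```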
Parameters
- arn: optional, computed - string
- id: optional, computed - string
- image_tag_mutability: optional - string
- name: required - string
- registry_id: optional, computed - string
- repository_url: optional, computed - string
- tags: optional - map from string to string
- encryption_configuration: list block
  - encryption_type: optional - string
  - kms_key: optional, computed - string
- image_scanning_configuration: list block
  - scan_on_push: required - bool
- timeouts: single block
  - delete: optional - string
Explanation in Terraform Registry
Provides an Elastic Container Registry Repository.
AWS::ECR::Repository (CloudFormation)
The Repository in ECR can be configured in CloudFormation with the resource name AWS::ECR::Repository. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
  Type: "AWS::ECR::Repository"
  Properties:
    RepositoryName: !Join ['', [!Ref 'Environment', "/", "park/builder"]]
parkIdmDependencies:
  Type: "AWS::ECR::Repository"
  Properties:

  Type: AWS::ECR::Repository
  Properties:
    RepositoryName: almanack
Migrant:
  Type: AWS::ECR::Repository
  Properties:

  Type: AWS::ECR::Repository
  Properties:
    RepositoryName: pm-av-webui-app
PropertyEcr:
  Type: AWS::ECR::Repository
  Properties:

  Type: AWS::ECR::Repository
  Properties:
    LifecyclePolicy:
      LifecyclePolicyText: |
        {
          "rules": [{

  Type: "AWS::ECR::Repository"
  Properties:
    RepositoryName: !Sub "${ProjectName}-api"
DocsRepository:
  Type: "AWS::ECR::Repository"
  Properties:

    "Type" : "AWS::ECR::Repository",
    "Properties" : {
      "RepositoryName" : "autopilot"
    }
  },
  "spotSigHandlerECR" : {
    "Type": "AWS::ECR::Repository",
    "Properties": {
      "RepositoryName": "baseball-ui"
    }
  },
  "APIRepository": {
Parameters
- LifecyclePolicy: optional - LifecyclePolicy
- RepositoryName: optional - String
- RepositoryPolicyText: optional - Json
- Tags: optional - List of Tag
- ImageTagMutability: optional - String
- ImageScanningConfiguration: optional - ImageScanningConfiguration
- EncryptionConfiguration: optional - EncryptionConfiguration
Explanation in CloudFormation Registry
The AWS::ECR::Repository resource specifies an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. For more information, see Amazon ECR private repositories in the Amazon ECR User Guide.
Frequently asked questions
What is AWS Amazon ECR Repository?
AWS Amazon ECR Repository is a resource for Amazon ECR of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon ECR Repository?
For Terraform, the falcosecurity/test-infra, h3poteto/h3poteto-terraform-aws and wellcomecollection/catalogue-pipeline source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the saiganesh12/alexa-video-skills, matchVote/matchvote_ops and okram999/ecs-fargate source code examples are useful. See the CloudFormation Example section for further details.