AWS Amazon ECR Repository

This page shows how to define an Amazon ECR Repository in Terraform and CloudFormation, and how to write those definitions securely.

aws_ecrpublic_repository (Terraform)

The Repository in Amazon ECR can be configured in Terraform with the resource name aws_ecrpublic_repository. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

containers.tf#L5
resource "aws_ecrpublic_repository" "falcosidekick" {
  provider = aws.us

  repository_name = "falcosidekick"

  catalog_data {

ecr.tf#L1
resource "aws_ecrpublic_repository" "app" {
  repository_name = "somleng-switch"
  provider = aws.us-east-1

  catalog_data {
    about_text        = "Somleng Switch"

main.tf#L7
resource "aws_ecrpublic_repository" "ecr_payment_cash" {
  provider        = aws.us_east_1
  repository_name = "nautible-app-payment-cash"
}

resource "aws_ecrpublic_repository" "ecr_payment_convenience" {

ecr.tf#L1
resource "aws_ecrpublic_repository" "app" {
  repository_name = "scfm"
  provider = aws.us-east-1

  catalog_data {
    about_text        = "Somleng Simple Call Flow Manager (Somleng SCFM)"

ecr.tf#L1
resource "aws_ecrpublic_repository" "app" {
  repository_name = "somleng"
  provider = aws.us-east-1

  catalog_data {
    about_text        = "Somleng"

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides a Public Elastic Container Registry Repository.

NOTE: This resource can only be used with us-east-1 region.

Tips: Best Practices for The Other AWS Amazon ECR Resources

In addition to aws_ecr_repository, Amazon ECR has other resources that should be configured with security in mind. The examples below show some of those resources and the precautions to take.

aws_ecr_repository

Ensure ECR image scanning is enabled

It is better to enable ECR image scanning. AWS ECR provides a feature that scans container images and discovers vulnerable software.
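
The tip above as Terraform, with the weak form beside the corrected one. This is an added example, not code from the repositories quoted on this page; the resource labels and repository names are hypothetical, and it applies to the private aws_ecr_repository resource.

```hcl
# Added example; resource labels and repository names are hypothetical.

# Weak: no image_scanning_configuration block, so images are not
# scanned when they are pushed.
resource "aws_ecr_repository" "app_unscanned" {
  name = "example-app-unscanned"
}

# Hardened: every pushed image is scanned for known vulnerabilities.
resource "aws_ecr_repository" "app" {
  name = "example-app"

  image_scanning_configuration {
    scan_on_push = true
  }
}

# Regression guard (requires Terraform 1.5 or later). If a later edit sets
# scan_on_push to false or removes the block, Terraform reports the failed
# assertion as a warning during plan and apply.
check "ecr_scan_on_push" {
  assert {
    # anytrue() of an empty list is false, so a missing block also fails.
    condition     = anytrue(aws_ecr_repository.app.image_scanning_configuration[*].scan_on_push)
    error_message = "aws_ecr_repository.app must keep scan_on_push = true."
  }
}
```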

Review your AWS Amazon ECR settings

In addition to the above, there are other security points to be aware of; you can check your .tf files against them in Shisho Cloud.

AWS::ECR::PublicRepository (CloudFormation)

The PublicRepository in ECR can be configured in CloudFormation with the resource name AWS::ECR::PublicRepository. The following sections describe 8 examples of how to use the resource and its parameters.

Example Usage from GitHub

JenkinsImagesECR.yml#L9
    Type: AWS::ECR::PublicRepository
    Properties:
      RepositoryName: "ps-build"
      RepositoryCatalogData:
        UsageText: "This image used exclusively for Percona Jenkins pipelines"
        AboutText: "This image contains all build utilities to create proper builds and execute tests"

ecr.yml#L8
    Type: AWS::ECR::PublicRepository
    Properties:
      RepositoryName: mecab
      RepositoryCatalogData:
        OperatingSystems: [ Linux ]
        Architectures: [ x86-64, "ARM 64" ]

public-repos.yml#L5
    Type: AWS::ECR::PublicRepository
    Properties:
      RepositoryName: "cdn-ops"
      RepositoryCatalogData:
        OperatingSystems:
          - "Linux"

cicd.template.yml#L30
    Type: AWS::ECR::PublicRepository
    Properties:
      RepositoryName: brighid/base
      RepositoryPolicyText:
        Version: 2012-10-17
        Statement:

cicd.template.yml#L30
    Type: AWS::ECR::PublicRepository
    Properties:
      RepositoryName: decrs
      RepositoryPolicyText:
        Version: 2012-10-17
        Statement:

template.json#L50
      "Type": "AWS::ECR::PublicRepository",
      "Properties": {},
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "03695c64-0d50-4216-b237-c0f3fd418239"
        }

awsResouceIconMatches.json#L2928
        "resourceType": "AWS::ECR::PublicRepository",
        "filePath": null
      }
    ]
  },
  {

template.json#L1875
    "AWS::ECR::PublicRepository": {
      "Type": "AWS::ECR::PublicRepository",
      "Properties": {}
    },
    "AWS::MediaConvert::Preset": {
      "Type": "AWS::MediaConvert::Preset",

Parameters

RepositoryCatalogData
The details about the repository that are publicly visible in the Amazon ECR Public Gallery. For more information, see Amazon ECR Public repository catalog data in the Amazon ECR Public User Guide.
Required: No
Type: Json
Update requires: No interruption

RepositoryName
The name to use for the public repository. The repository name may be specified on its own (such as nginx-web-app) or it can be prepended with a namespace to group the repository into a category (such as project-a/nginx-web-app). If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the repository name. For more information, see Name Type.
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
Required: No
Type: String
Update requires: Replacement

RepositoryPolicyText
The JSON repository policy text to apply to the public repository. For more information, see Amazon ECR Public repository policies in the Amazon ECR Public User Guide.
Required: No
Type: Json
Update requires: No interruption

Tags
An array of key-value pairs to apply to this resource.
Required: No
Type: List of Tag
Update requires: No interruption

Explanation in CloudFormation Registry

The AWS::ECR::PublicRepository resource specifies an Amazon Elastic Container Registry Public (Amazon ECR Public) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. For more information, see Amazon ECR public repositories in the Amazon ECR Public User Guide.

Frequently asked questions

What is AWS Amazon ECR Repository?

AWS Amazon ECR Repository is a resource for Amazon ECR of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon ECR Repository?

For Terraform, the falcosecurity/test-infra, somleng/somleng-switch and nautible/nautible-infra source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the Percona-Lab/jenkins-pipelines, shogo82148/mecab-docker and matsoo5g/aws-cloudformation source code examples are useful. See the CloudFormation Example section for further details.