{"id":15779800,"url":"https://github.com/rgl/terramate-aws-ecr-example","last_synced_at":"2025-03-14T08:32:33.813Z","repository":{"id":225524861,"uuid":"766206129","full_name":"rgl/terramate-aws-ecr-example","owner":"rgl","description":"an example private container image repository hosted in the AWS Elastic Container Registry (ECR) of your AWS Account using terramate with terraform","archived":false,"fork":false,"pushed_at":"2024-09-01T17:11:52.000Z","size":58,"stargazers_count":8,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-31T11:06:17.095Z","etag":null,"topics":["aws","container-registry","ecr","terraform","terramate"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rgl.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-03-02T16:17:46.000Z","updated_at":"2024-12-16T15:59:43.000Z","dependencies_parsed_at":"2024-03-31T13:32:19.481Z","dependency_job_id":"0d7953ea-20c5-4251-ab99-d9baffbc84be","html_url":"https://github.com/rgl/terramate-aws-ecr-example","commit_stats":null,"previous_names":["rgl/terramate-aws-ecr-example"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fterramate-aws-ecr-example","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fterramate-aws-ecr-example/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgl%2Fterramate-aws-ecr-example/releases","manifests_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/rgl%2Fterramate-aws-ecr-example/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgl","download_url":"https://codeload.github.com/rgl/terramate-aws-ecr-example/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243547609,"owners_count":20308738,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","container-registry","ecr","terraform","terramate"],"created_at":"2024-10-04T18:21:30.896Z","updated_at":"2025-03-14T08:32:33.509Z","avatar_url":"https://github.com/rgl.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# About\n\n[![Lint](https://github.com/rgl/terramate-aws-ecr-example/actions/workflows/lint.yml/badge.svg)](https://github.com/rgl/terramate-aws-ecr-example/actions/workflows/lint.yml)\n\nThis creates private container image repositories hosted in the [AWS Elastic Container Registry (ECR)](https://aws.amazon.com/ecr/) of your AWS Account using a Terramate project.\n\nFor equivalent examples see:\n\n* [terraform](https://github.com/rgl/terraform-aws-ecr-example)\n* [pulumi (aws classic provider)](https://github.com/rgl/pulumi-typescript-aws-classic-ecr-example)\n* [pulumi (aws native provider)](https://github.com/rgl/pulumi-typescript-aws-native-ecr-example)\n\n# Usage (on an Ubuntu Desktop)\n\nInstall the dependencies:\n\n* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).\n* [Terraform](https://www.terraform.io/downloads.html).\n* 
[Terramate](https://terramate.io/docs/cli/installation).\n* [Crane](https://github.com/google/go-containerregistry/releases).\n* [Docker](https://docs.docker.com/engine/install/).\n\nSet the AWS Account credentials using SSO, e.g.:\n\n```bash\n# set the account credentials.\n# NB the aws cli stores these at ~/.aws/config.\n# NB this is equivalent to manually configuring SSO using aws configure sso.\n# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-manual\n# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso\ncat \u003esecrets-example.sh \u003c\u003c'EOF'\n# set the environment variables to use a specific profile.\n# NB use aws configure sso to configure these manually.\n# e.g. use the pattern \u003caws-sso-session\u003e-\u003caws-account-id\u003e-\u003caws-role-name\u003e\nexport aws_sso_session='example'\nexport aws_sso_start_url='https://example.awsapps.com/start'\nexport aws_sso_region='eu-west-1'\nexport aws_sso_account_id='123456'\nexport aws_sso_role_name='AdministratorAccess'\nexport AWS_PROFILE=\"$aws_sso_session-$aws_sso_account_id-$aws_sso_role_name\"\nunset AWS_ACCESS_KEY_ID\nunset AWS_SECRET_ACCESS_KEY\nunset AWS_DEFAULT_REGION\n# configure the ~/.aws/config file.\n# NB unfortunately, I did not find a way to create the [sso-session] section\n#    inside the ~/.aws/config file using the aws cli. 
so, instead, manage that\n#    file using python.\npython3 \u003c\u003c'PY_EOF'\nimport configparser\nimport os\naws_sso_session = os.getenv('aws_sso_session')\naws_sso_start_url = os.getenv('aws_sso_start_url')\naws_sso_region = os.getenv('aws_sso_region')\naws_sso_account_id = os.getenv('aws_sso_account_id')\naws_sso_role_name = os.getenv('aws_sso_role_name')\naws_profile = os.getenv('AWS_PROFILE')\nconfig = configparser.ConfigParser()\naws_config_directory_path = os.path.expanduser('~/.aws')\naws_config_path = os.path.join(aws_config_directory_path, 'config')\nif os.path.exists(aws_config_path):\n  config.read(aws_config_path)\nconfig[f'sso-session {aws_sso_session}'] = {\n  'sso_start_url': aws_sso_start_url,\n  'sso_region': aws_sso_region,\n  'sso_registration_scopes': 'sso:account:access',\n}\nconfig[f'profile {aws_profile}'] = {\n  'sso_session': aws_sso_session,\n  'sso_account_id': aws_sso_account_id,\n  'sso_role_name': aws_sso_role_name,\n  'region': aws_sso_region,\n}\nos.makedirs(aws_config_directory_path, mode=0o700, exist_ok=True)\nwith open(aws_config_path, 'w') as f:\n  config.write(f)\nPY_EOF\nunset aws_sso_start_url\nunset aws_sso_region\nunset aws_sso_session\nunset aws_sso_account_id\nunset aws_sso_role_name\n# show the user, user amazon resource name (arn), and the account id, of the\n# profile set in the AWS_PROFILE environment variable.\nif ! 
aws sts get-caller-identity \u003e/dev/null 2\u003e\u00261; then\n  aws sso login\nfi\naws sts get-caller-identity\nEOF\n```\n\nOr, set the AWS Account credentials using an Access Key, e.g.:\n\n```bash\n# set the account credentials.\n# NB get these from your aws account iam console.\n#    see Managing access keys (console) at\n#        https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey\ncat \u003esecrets-example.sh \u003c\u003c'EOF'\nexport AWS_ACCESS_KEY_ID='TODO'\nexport AWS_SECRET_ACCESS_KEY='TODO'\nunset AWS_PROFILE\n# set the default region.\nexport AWS_DEFAULT_REGION='eu-west-1'\n# show the user, user amazon resource name (arn), and the account id.\naws sts get-caller-identity\nEOF\n```\n\nLoad the secrets:\n\n```bash\nsource secrets-example.sh\n```\n\nReview the files:\n\n* [`config.tm.hcl`](config.tm.hcl)\n* [`stacks/ecr/main.tf`](stacks/ecr/main.tf)\n\nInitialize the project:\n\n```bash\nterramate run terraform init -lockfile=readonly\n```\n\nLaunch the example:\n\n```bash\nterramate run terraform apply\n```\n\nShow the terraform state:\n\n```bash\nterramate run terraform state list\nterramate run terraform show\n```\n\nLog in to the container registry:\n\n**NB** You are logging in at the registry level. 
You are not logging in at the\nrepository level.\n\n```bash\naws ecr get-login-password \\\n  --region \"$(terramate run -C stacks/ecr terraform output -raw registry_region)\" \\\n  | docker login \\\n      --username AWS \\\n      --password-stdin \\\n      \"$(terramate run -C stacks/ecr terraform output -raw registry_domain)\"\n```\n\n**NB** This saves the credentials in the `~/.docker/config.json` local file.\n\nInspect the created example container image:\n\n```bash\nimage=\"$(terramate run -C stacks/ecr terraform output -json images | jq -r .example)\"\ncrane manifest \"$image\" | jq .\n```\n\nDownload the created example container image from the created container image\nrepository, and execute it locally:\n\n```bash\ndocker run --rm \"$image\"\n```\n\nDelete the local copy of the created container image:\n\n```bash\ndocker rmi \"$image\"\n```\n\nLog out of the container registry:\n\n```bash\ndocker logout \\\n  \"$(terramate run -C stacks/ecr terraform output -raw registry_domain)\"\n```\n\nDelete the example image resource:\n\n```bash\nterramate run -C stacks/ecr \\\n  terraform destroy -target='terraform_data.ecr_image[\"example\"]'\n```\n\nAt the ECR AWS Management Console, verify that the example image no longer\nexists (actually, it's the image index/tag that no longer exists).\n\nDo a `terraform apply` to verify that it recreates the example image:\n\n```bash\nterramate run terraform apply\n```\n\nDestroy the example:\n\n```bash\nterramate run --reverse terraform destroy\n```\n\nList this repository's dependencies (and which have newer versions):\n\n```bash\nGITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh\n```\n\n# Notes\n\n* It's not possible to create multiple container image registries.\n  * A single registry is automatically created when the AWS Account is created.\n  * You have to create a separate repository for each of your container images.\n    * A repository name can include several path segments (e.g. 
`hello/world`).\n* Terramate does not support flowing Terraform outputs into other Terraform\n  program input variables. Instead, Terraform programs should use Terraform\n  data sources to find the resources that are already created. Those resources\n  can normally be found by the resource tag (e.g. `stack`) defined in a\n  Terramate global.\n  * See https://github.com/terramate-io/terramate/discussions/525\n  * See https://github.com/terramate-io/terramate/discussions/571#discussioncomment-3542867\n  * See https://github.com/terramate-io/terramate/discussions/1090#discussioncomment-6659130\n\n# References\n\n* [Environment variables to configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html)\n* [Token provider configuration with automatic authentication refresh for AWS IAM Identity Center](https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html) (SSO)\n* [Managing access keys (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey)\n* [AWS General Reference](https://docs.aws.amazon.com/general/latest/gr/Welcome.html)\n  * [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)\n* [Amazon ECR private registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html)\n  * [Private registry authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html)\n* [terramate-quickstart-aws](https://github.com/terramate-io/terramate-quickstart-aws)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fterramate-aws-ecr-example","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frgl%2Fterramate-aws-ecr-example","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frgl%2Fterramate-aws-ecr-example/lists"}