{"id":25869458,"url":"https://github.com/sparkfabrik/terraform-aws-ecr-pull-through-cache","last_synced_at":"2026-06-11T05:31:24.287Z","repository":{"id":279455224,"uuid":"938682604","full_name":"sparkfabrik/terraform-aws-ecr-pull-through-cache","owner":"sparkfabrik","description":"This module creates all the needed resources to deploy an ECR pull through cache rule.","archived":false,"fork":false,"pushed_at":"2025-05-16T09:57:30.000Z","size":71,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-05-16T10:42:33.223Z","etag":null,"topics":["aws","aws-ecr","ecr","ecr-pull-through-cache"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sparkfabrik.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-25T10:38:12.000Z","updated_at":"2025-04-22T15:43:48.000Z","dependencies_parsed_at":"2025-04-22T16:36:26.096Z","dependency_job_id":"b7afa69d-6a1f-4938-833a-a9b4e95030c2","html_url":"https://github.com/sparkfabrik/terraform-aws-ecr-pull-through-cache","commit_stats":null,"previous_names":["sparkfabrik/terraform-aws-ecr-pull-through-cache"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/sparkfabrik/terraform-aws-ecr-pull-through-cache","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sparkfabrik%2Fterraform-aws-ecr-pull-through-cache","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sparkfabrik%2Fterraform-aws-ecr-pull-through-cache/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sparkfabrik%2Fterraform-aws-ecr-pull-through-cache/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sparkfabrik%2Fterraform-aws-ecr-pull-through-cache/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sparkfabrik","download_url":"https://codeload.github.com/sparkfabrik/terraform-aws-ecr-pull-through-cache/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sparkfabrik%2Fterraform-aws-ecr-pull-through-cache/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34184779,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-11T02:00:06.485Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-ecr","ecr","ecr-pull-through-cache"],"created_at":"2025-03-02T05:17:30.930Z","updated_at":"2026-06-11T05:31:24.282Z","avatar_url":"https://github.com/sparkfabrik.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS ECR Pull Through cache module\n\nThis module creates an ECR (Elastic Container Registry) [pull through cache role](https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache-creating-rule.html) resource and the IAM policy to use it.\n\nThe pull through cache allows you to cache images from an upstream registry in your ECR repository. This is useful for:\n- Reducing the number of requests to the upstream registry\n- Improving the performance of image pulls\n- Avoiding rate limits\n\n\u003e **Note**: This module **DOES NOT** manage the secret in AWS Secrets Manager, the secret must be created and updated manually.\n\n## Prerequisites\n\n- AWS Secrets Manager secret containing upstream registry credentials\n\n### Quick Start\n\n```hcl\nmodule \"ecr_pull_through_cache\" {\n  source = \"github.com/terraform-aws-ecr-pull-through-cache?ref=0.3.0\"\n\n  aws_region             = \"eu-west-1\"\n  upstream_registry_name = \"docker-hub\"\n  upstream_registry_url  = \"registry-1.docker.io\"\n}\n```\n\n### Upstream credentials\n\nThe upstream repository credentials must be created (and managed) manually in AWS Secrets Manager. According to the [AWS documentation](https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache-creating-rule.html#pull-through-cache-creating-rule-secretsmanager):\n- The secret must be created in the same AWS account and region as the ECR pull through cache\n- The secret name must follow the AWS required naming convention\n\n### IAM Policy\n\nAn IAM policy, with the minimum permissions to pull images, is created by the module. You need to attach this IAM policy to the resources that will use the pull through cache.\n\n### Usage Examples\n\nIn the following examples you can see how to pull Docker images using the pull through cache using the right image format for the URL:\n\n- for Docker Hub official images: `docker pull AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION.amazonaws.com/docker-hub/library/image_name:tag`.\n- For all other Docker Hub images: `docker pull AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION.amazonaws.com/docker-hub/repository_name/image_name:tag`.\n\nFor details about other upstream repositories (like Kubernetes, Quay, GitHub, GitLab, etc.), see the [AWS references](https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache-working-pulling.html).\n\n\n### Fallback strategy\n\nThis module gives you the option to use a fallback strategy, the upstream credentials (stored in AWS Secret Manager) could be used to populate secrets in the needed namespaces, so you can use it in the ImagePullSecrets of your Kubernetes resources.\n\n### Cache expiration\n\nThe module allows you to enable a cache expiration policy, default is false. The default policy is to keep only the last image pulled.\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 5.0 |\n| \u003ca name=\"provider_kubernetes\"\u003e\u003c/a\u003e [kubernetes](#provider\\_kubernetes) | \u003e= 2.23 |\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.5 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 5.0 |\n| \u003ca name=\"requirement_kubernetes\"\u003e\u003c/a\u003e [kubernetes](#requirement\\_kubernetes) | \u003e= 2.23 |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_aws_region\"\u003e\u003c/a\u003e [aws\\_region](#input\\_aws\\_region) | The AWS region to deploy the ECR pull through cache | `string` | `\"eu-west-1\"` | no |\n| \u003ca name=\"input_enable_cache_lifecycle\"\u003e\u003c/a\u003e [enable\\_cache\\_lifecycle](#input\\_enable\\_cache\\_lifecycle) | Enable cache lifecycle. | `bool` | `false` | no |\n| \u003ca name=\"input_fallback_namespaces\"\u003e\u003c/a\u003e [fallback\\_namespaces](#input\\_fallback\\_namespaces) | The list of namespaces to create the regcred secret in | `list(string)` | `[]` | no |\n| \u003ca name=\"input_fallback_secret_name\"\u003e\u003c/a\u003e [fallback\\_secret\\_name](#input\\_fallback\\_secret\\_name) | The name of the secrets to create | `string` | `\"regcred\"` | no |\n| \u003ca name=\"input_upstream_registry_name\"\u003e\u003c/a\u003e [upstream\\_registry\\_name](#input\\_upstream\\_registry\\_name) | The upstream registry name | `string` | `\"docker-hub\"` | no |\n| \u003ca name=\"input_upstream_registry_url\"\u003e\u003c/a\u003e [upstream\\_registry\\_url](#input\\_upstream\\_registry\\_url) | The upstream registry URL | `string` | `\"registry-1.docker.io\"` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_ecr_pullthroughcache_policy_arn\"\u003e\u003c/a\u003e [ecr\\_pullthroughcache\\_policy\\_arn](#output\\_ecr\\_pullthroughcache\\_policy\\_arn) | The ARN of the ECR pull-through cache policy. |\n| \u003ca name=\"output_ecr_pullthroughcache_policy_name\"\u003e\u003c/a\u003e [ecr\\_pullthroughcache\\_policy\\_name](#output\\_ecr\\_pullthroughcache\\_policy\\_name) | The name of the ECR pull-through cache policy. |\n| \u003ca name=\"output_ecr_pullthroughcache_repository_uri\"\u003e\u003c/a\u003e [ecr\\_pullthroughcache\\_repository\\_uri](#output\\_ecr\\_pullthroughcache\\_repository\\_uri) | The URI of the ECR pull throught cache repository URI. |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_ecr_pull_through_cache_rule.ecr_pullthroughcache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_pull_through_cache_rule) | resource |\n| [aws_ecr_repository_creation_template.pullthroughcache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_creation_template) | resource |\n| [aws_iam_policy.ecr_pullthroughcache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |\n| [kubernetes_secret_v1.secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_secretsmanager_secret.ecr_pullthroughcache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source |\n| [aws_secretsmanager_secret_version.ecr_pullthroughcache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source |\n\n## Modules\n\nNo modules.\n\n\u003c!-- END_TF_DOCS --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsparkfabrik%2Fterraform-aws-ecr-pull-through-cache","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsparkfabrik%2Fterraform-aws-ecr-pull-through-cache","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsparkfabrik%2Fterraform-aws-ecr-pull-through-cache/lists"}