https://github.com/lgallard/terraform-aws-ecr
Terraform module to create AWS ECR (Elastic Container Registry)
- Host: GitHub
- URL: https://github.com/lgallard/terraform-aws-ecr
- Owner: lgallard
- License: apache-2.0
- Created: 2020-04-30T19:59:34.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2025-04-19T00:45:57.000Z (3 months ago)
- Last Synced: 2025-05-05T14:05:40.505Z (2 months ago)
- Topics: aws, aws-ecr, aws-ecr-terraform, ecr-registry, terraform, terraform-module, terraform-modules
- Language: HCL
- Homepage:
- Size: 81.1 KB
- Stars: 11
- Watchers: 2
- Forks: 20
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README

# terraform-aws-ecr
Terraform module to create an [AWS ECR](https://aws.amazon.com/ecr/) (Elastic Container Registry) repository. ECR is a fully managed container image registry.

## Usage

You can use this module to create an ECR repository with a few parameters (simple example) or to define every aspect of the repository in detail (complete example). Check the [examples](examples/) directory for the **simple** and the **complete** snippets.
### Simple example
This example creates an ECR repository using only a few parameters:

```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "ecr-repo-dev"

  # Tags
  tags = {
    Owner       = "DevOps team"
    Environment = "dev"
    Terraform   = true
  }
}
```

### Complete example with logging

In this example, the repository is defined in detail, including CloudWatch logging:

```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "ecr-repo-dev"

  scan_on_push         = true
  timeouts             = { delete = "60m" } # replaces the deprecated timeouts_delete input
  image_tag_mutability = "IMMUTABLE"
  encryption_type      = "KMS"

  # Enable CloudWatch logging
  enable_logging     = true
  log_retention_days = 14

  # ...rest of configuration...
}
```

### CloudWatch Logging

The module supports sending ECR API actions and image push/pull events to CloudWatch Logs. When enabled, it:

- Creates a CloudWatch Log Group `/aws/ecr/{repository-name}`
- Sets up the IAM role and policies ECR needs to write logs
- Lets you configure the log retention period (default: 30 days)

ECR itself does not write to CloudWatch Logs: its API calls, including image pushes and pulls, are recorded by AWS CloudTrail, and the Resources table below lists no CloudWatch Log Group or IAM role. Before relying on this feature for audit logging, run `terraform plan` against the module version you pin and confirm the log group and role are actually created.

To enable logging:
```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "ecr-repo-dev"

  enable_logging = true

  # Optional: customize retention period (in days)
  # Valid values: 0,1,3,5,7,14,30,60,90,120,150,180,365,400,545,731,1827,3653
  log_retention_days = 14
}
```

The module outputs logging-related ARNs:

- `cloudwatch_log_group_arn` - The ARN of the CloudWatch Log Group
- `logging_role_arn` - The ARN of the IAM role used for logging

### Complete example
In this example the repository is defined in detail, including a repository policy.

```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "ecr-repo-dev"

  scan_on_push         = true
  timeouts             = { delete = "60m" } # replaces the deprecated timeouts_delete input
  image_tag_mutability = "MUTABLE"
  prevent_destroy      = true # Protect repository from accidental deletion

  # Note that currently only one policy may be applied to a repository.
  policy = <<EOF
  ...
EOF
}
```
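The following is an added example, not code from the lgallard/terraform-aws-ecr project or its README. It shows how the inputs documented in the Inputs table (`scan_on_push`, `image_tag_mutability`, `encryption_type`, `prevent_destroy`, `timeouts`, `policy`, `lifecycle_policy`, `tags`) combine into a hardened production repository: immutable tags, scan on push, a module-managed KMS key, a repository policy that separates the push and pull principals, and a lifecycle policy that expires untagged layers. The region, repository name and the two IAM role names are assumptions; both policies are built with `jsonencode` instead of a heredoc so Terraform validates their structure.

```hcl
# Added example (not from the lgallard/terraform-aws-ecr project). Region,
# repository name and the two IAM role names below are assumptions.

provider "aws" {
  region = "us-east-1" # assumption
}

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  # Assumed principals: a CI role allowed to push, a runtime role allowed only to pull.
  ci_push_role_arn  = "arn:aws:iam::${local.account_id}:role/ci-image-publisher"
  runtime_pull_role = "arn:aws:iam::${local.account_id}:role/eks-node-role"
}

module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "payments-api"

  # Scan every pushed image; forbid re-pointing an existing tag at a new digest,
  # so the image deployed as "v1.2.3" is always the one that was reviewed.
  scan_on_push         = true
  image_tag_mutability = "IMMUTABLE"

  # Let the module create a customer-managed KMS key for the repository.
  encryption_type = "KMS"

  # Block accidental `terraform destroy` and allow slow deletes to finish.
  prevent_destroy = true
  timeouts        = { delete = "60m" }

  # Repository policy: CI may push, the runtime role may pull, nobody else.
  # Only one repository policy can be attached to a repository.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowPushFromCI"
        Effect    = "Allow"
        Principal = { AWS = local.ci_push_role_arn }
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:CompleteLayerUpload",
          "ecr:InitiateLayerUpload",
          "ecr:PutImage",
          "ecr:UploadLayerPart",
        ]
      },
      {
        Sid       = "AllowPullFromRuntime"
        Effect    = "Allow"
        Principal = { AWS = local.runtime_pull_role }
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:GetDownloadUrlForLayer",
        ]
      },
    ]
  })

  # Lifecycle policy: expire untagged layers after 7 days and keep only the
  # 30 newest "v*" release tags. Lower rulePriority values are evaluated first.
  lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged images after 7 days"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 7
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Keep only the 30 most recent release tags"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["v"]
          countType     = "imageCountMoreThan"
          countNumber   = 30
        }
        action = { type = "expire" }
      },
    ]
  })

  tags = {
    Owner       = "Payments team"
    Environment = "prod"
    Terraform   = "true"
  }
}
```

The repository policy restricts who may push and pull to this repository, but `ecr:GetAuthorizationToken` is a registry-level action that a repository policy cannot grant, so both roles still need it in their own IAM policies. Run `terraform plan` and confirm the `aws_ecr_repository_policy` and `aws_ecr_lifecycle_policy` resources appear before applying.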
## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0.0 |
| [aws](#requirement\_aws) | >= 4.0.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 4.0.0 |

## Modules

No modules.
## Resources
| Name | Type |
|------|------|
| [aws_ecr_lifecycle_policy.lifecycle_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
| [aws_ecr_repository.repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_ecr_repository.repo_protected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_ecr_repository_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource |
| [aws_kms_alias.kms_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_key.kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [encryption\_type](#input\_encryption\_type) | The encryption type for the repository. Valid values are "KMS" or "AES256". | `string` | `"AES256"` | no |
| [force\_delete](#input\_force\_delete) | Whether to delete the repository even if it contains images.<br>Setting this to true will delete all images in the repository when the repository is deleted.<br>Use with caution as this operation cannot be undone.<br>Defaults to false for safety. | `bool` | `false` | no |
| [image\_scanning\_configuration](#input\_image\_scanning\_configuration) | Configuration block that defines image scanning configuration for the repository.<br>Set to null to use the scan\_on\_push variable setting.<br>Example: { scan\_on\_push = true } | `object({ scan_on_push = bool })` | `null` | no |
| [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for the repository.<br>- MUTABLE: Image tags can be overwritten<br>- IMMUTABLE: Image tags cannot be overwritten (recommended for production)<br>Defaults to MUTABLE to maintain backwards compatibility. | `string` | `"MUTABLE"` | no |
| [kms\_key](#input\_kms\_key) | The ARN of an existing KMS key to use for repository encryption.<br>Only applicable when encryption\_type is set to 'KMS'.<br>If not specified when using KMS encryption, a new KMS key will be created. | `string` | `null` | no |
| [lifecycle\_policy](#input\_lifecycle\_policy) | JSON string representing the lifecycle policy.<br>If null (default), no lifecycle policy will be created.<br>See: https://docs.aws.amazon.com/AmazonECR/latest/userguide/lifecycle_policy_examples.html | `string` | `null` | no |
| [name](#input\_name) | Name of the ECR repository. This name must be unique within the AWS account and region. | `string` | n/a | yes |
| [policy](#input\_policy) | JSON string representing the repository policy.<br>If null (default), no repository policy will be created.<br>See: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html | `string` | `null` | no |
| [prevent\_destroy](#input\_prevent\_destroy) | Whether to protect the repository from being destroyed.<br>When set to true, the repository will have the lifecycle block with prevent\_destroy = true.<br>When set to false, the repository can be destroyed.<br>This provides a way to dynamically control protection against accidental deletion.<br>Defaults to false to allow repository deletion.<br>The Resources table lists two repository resources (`repo` and `repo_protected`); toggling this flag on an existing repository may move it between those addresses, so check `terraform plan` for an unintended destroy/create before applying. | `bool` | `false` | no |
| [scan\_on\_push](#input\_scan\_on\_push) | Indicates whether images should be scanned for vulnerabilities after being pushed to the repository.<br>- true: Images will be automatically scanned after each push<br>- false: Images must be scanned manually<br>Only used if image\_scanning\_configuration is null. | `bool` | `true` | no |
| [tags](#input\_tags) | A map of tags to assign to all resources created by this module.<br>Tags are key-value pairs that help you manage, identify, organize, search for and filter resources.<br>Example: { Environment = "Production", Owner = "Team" } | `map(string)` | `{}` | no |
| [timeouts](#input\_timeouts) | Timeout configuration for repository operations.<br>Specify as an object with a 'delete' key containing a duration string (e.g. "20m").<br>Example: { delete = "20m" } | `object({ delete = optional(string) })` | `{}` | no |
| [timeouts\_delete](#input\_timeouts\_delete) | Deprecated: Use timeouts = { delete = "duration" } instead.<br>How long to wait for a repository to be deleted.<br>Specify as a duration string, e.g. "20m" for 20 minutes. | `string` | `null` | no |
| [enable\_logging](#input\_enable\_logging) | Whether to enable CloudWatch logging for the repository.<br>When set to true, logs for ECR API actions and image push/pull events will be sent to CloudWatch Logs.<br>Defaults to false to disable logging. | `bool` | `false` | no |
| [log\_retention\_days](#input\_log\_retention\_days) | The number of days to retain logs in the CloudWatch Log Group.<br>Valid values: 0,1,3,5,7,14,30,60,90,120,150,180,365,400,545,731,1827,3653.<br>Defaults to 30 days. | `number` | `30` | no |

## Outputs

| Name | Description |
|------|-------------|
| [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the KMS key used for repository encryption. |
| [registry\_id](#output\_registry\_id) | ID of the ECR registry |
| [repository\_arn](#output\_repository\_arn) | ARN of the ECR repository |
| [repository\_name](#output\_repository\_name) | Name of the ECR repository |
| [repository\_url](#output\_repository\_url) | URL of the ECR repository |
| [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | The ARN of the CloudWatch Log Group created for logging. |
| [logging\_role\_arn](#output\_logging\_role\_arn) | The ARN of the IAM role used for logging. |