https://github.com/terraform-aws-modules/terraform-aws-ecr
Terraform module to create AWS ECR resources 🇺🇦
- Host: GitHub
- URL: https://github.com/terraform-aws-modules/terraform-aws-ecr
- Owner: terraform-aws-modules
- License: apache-2.0
- Created: 2022-04-16T12:47:34.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2025-03-30T13:36:00.000Z (3 months ago)
- Last Synced: 2025-06-05T08:45:33.833Z (21 days ago)
- Topics: aws, aws-ecr, ecr, ecr-repositories, terraform, terraform-module
- Language: HCL
- Homepage: https://registry.terraform.io/modules/terraform-aws-modules/ecr/aws
- Size: 88.9 KB
- Stars: 60
- Watchers: 4
- Forks: 115
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README
# Amazon ECR Terraform module
Terraform module which creates Amazon ECR resources.
## Usage
See [`examples`](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/examples) directory for working examples to reference:
### Private Repository
```hcl
module "ecr" {
  source = "terraform-aws-modules/ecr/aws"

  repository_name = "private-example"

  repository_read_write_access_arns = ["arn:aws:iam::012345678901:role/terraform"]
  repository_lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1,
        description  = "Keep last 30 images",
        selection = {
          tagStatus     = "tagged",
          tagPrefixList = ["v"],
          countType     = "imageCountMoreThan",
          countNumber   = 30
        },
        action = {
          type = "expire"
        }
      }
    ]
  })

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
### Public Repository
```hcl
module "public_ecr" {
  source = "terraform-aws-modules/ecr/aws"

  repository_name = "public-example"
  repository_type = "public"

  repository_read_write_access_arns = ["arn:aws:iam::012345678901:role/terraform"]

  public_repository_catalog_data = {
    description       = "Docker container for some things"
    about_text        = file("${path.module}/files/ABOUT.md")
    usage_text        = file("${path.module}/files/USAGE.md")
    operating_systems = ["Linux"]
    architectures     = ["x86"]
    logo_image_blob   = filebase64("${path.module}/files/clowd.png")
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
### Registry Management
```hcl
module "ecr_registry" {
  source = "terraform-aws-modules/ecr/aws"

  repository_name = "registry-example"

  create_repository = false

  # Registry Policy
  create_registry_policy = true
  registry_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Sid    = "testpolicy",
        Effect = "Allow",
        Principal = {
          "AWS" : "arn:aws:iam::012345678901:root"
        },
        Action = [
          "ecr:ReplicateImage"
        ],
        Resource = [
          "arn:aws:ecr:us-east-1:012345678901:repository/*"
        ]
      }, {
        Sid    = "dockerhub",
        Effect = "Allow",
        Principal = {
          "AWS" : "arn:aws:iam::012345678901:root"
        },
        Action = [
          "ecr:CreateRepository",
          "ecr:BatchImportUpstreamImage"
        ],
        Resource = [
          "arn:aws:ecr:us-east-1:012345678901:repository/dockerhub/*"
        ]
      }
    ]
  })

  # Registry Pull Through Cache Rules
  registry_pull_through_cache_rules = {
    pub = {
      ecr_repository_prefix = "ecr-public"
      upstream_registry_url = "public.ecr.aws"
    }
    dockerhub = {
      ecr_repository_prefix = "dockerhub"
      upstream_registry_url = "registry-1.docker.io"
      credential_arn        = "arn:aws:secretsmanager:us-east-1:123456789:secret:ecr-pullthroughcache/dockerhub"
    }
  }

  # Registry Scanning Configuration
  manage_registry_scanning_configuration = true
  registry_scan_type                     = "ENHANCED"
  registry_scan_rules = [
    {
      scan_frequency = "SCAN_ON_PUSH"
      filter = [
        {
          filter      = "example1"
          filter_type = "WILDCARD"
        },
        {
          filter      = "example2"
          filter_type = "WILDCARD"
        }
      ]
    }, {
      scan_frequency = "CONTINUOUS_SCAN"
      filter = [
        {
          filter      = "example"
          filter_type = "WILDCARD"
        }
      ]
    }
  ]

  # Registry Replication Configuration
  create_registry_replication_configuration = true
  registry_replication_rules = [
    {
      destinations = [{
        region      = "us-west-2"
        registry_id = "012345678901"
        }, {
        region      = "eu-west-1"
        registry_id = "012345678901"
      }]

      repository_filters = [{
        filter      = "prod-microservice"
        filter_type = "PREFIX_MATCH"
      }]
    }
  ]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
## Module wrappers
Users of this Terraform module can create multiple similar resources by using [`for_each` meta-argument within `module` block](https://www.terraform.io/language/meta-arguments/for_each) which became available in Terraform 0.13.
Users of Terragrunt can achieve similar results by using the modules provided in the [wrappers](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/wrappers) directory, if they prefer to reduce the number of configuration files.
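The `for_each` approach described above, shown as an added example that is not part of the module's own README: one `module` block creates several private repositories and sets the security-relevant inputs from the Inputs table explicitly. The repository names, role ARNs, the `local` names and the KMS key ARN are constructed placeholders.

```hcl
# Added example, not from the module's repository.
# Repository names, role ARNs and the KMS key ARN below are placeholders.
locals {
  push_role = "arn:aws:iam::012345678901:role/ci-push"
  repositories = {
    "payments/api"    = { keep = 30, pull = ["arn:aws:iam::012345678901:role/api-runtime"] }
    "payments/worker" = { keep = 10, pull = ["arn:aws:iam::012345678901:role/worker-runtime"] }
  }
}

module "ecr" {
  source   = "terraform-aws-modules/ecr/aws"
  for_each = local.repositories

  repository_name = each.key

  # Runtime roles only pull; the CI role is the single principal allowed to push.
  repository_read_access_arns       = each.value.pull
  repository_read_write_access_arns = [local.push_role]

  # Security-relevant inputs, pinned explicitly instead of relying on defaults.
  repository_image_tag_mutability = "IMMUTABLE"
  repository_image_scan_on_push   = true
  repository_force_delete         = false
  repository_encryption_type      = "KMS"
  repository_kms_key              = "arn:aws:kms:us-east-1:012345678901:key/EXAMPLE-KEY-ID"

  repository_lifecycle_policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "Keep last ${each.value.keep} images"
      selection = {
        tagStatus     = "tagged"
        tagPrefixList = ["v"]
        countType     = "imageCountMoreThan"
        countNumber   = each.value.keep
      }
      action = { type = "expire" }
    }]
  })

  tags = { Terraform = "true", Environment = "dev" }
}

output "repository_urls" {
  value = { for name, repo in module.ecr : name => repo.repository_url }
}
```

Each instance is addressed by its map key, for example `module.ecr["payments/api"]`, so removing a key from `local.repositories` plans the destruction of that repository only. With `repository_force_delete = false`, that destroy fails while the repository still contains images.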
## Examples
Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
- [Complete](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/examples/complete)
- [Repository Template](https://github.com/terraform-aws-modules/terraform-aws-ecr/tree/master/examples/repository-template)
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 5.93 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5.93 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_ecr_lifecycle_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
| [aws_ecr_pull_through_cache_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_pull_through_cache_rule) | resource |
| [aws_ecr_registry_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_policy) | resource |
| [aws_ecr_registry_scanning_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_scanning_configuration) | resource |
| [aws_ecr_replication_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_replication_configuration) | resource |
| [aws_ecr_repository.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_ecr_repository_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource |
| [aws_ecrpublic_repository.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecrpublic_repository) | resource |
| [aws_ecrpublic_repository_policy.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecrpublic_repository_policy) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.repository](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [attach\_repository\_policy](#input\_attach\_repository\_policy) | Determines whether a repository policy will be attached to the repository | `bool` | `true` | no |
| [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
| [create\_lifecycle\_policy](#input\_create\_lifecycle\_policy) | Determines whether a lifecycle policy will be created | `bool` | `true` | no |
| [create\_registry\_policy](#input\_create\_registry\_policy) | Determines whether a registry policy will be created | `bool` | `false` | no |
| [create\_registry\_replication\_configuration](#input\_create\_registry\_replication\_configuration) | Determines whether a registry replication configuration will be created | `bool` | `false` | no |
| [create\_repository](#input\_create\_repository) | Determines whether a repository will be created | `bool` | `true` | no |
| [create\_repository\_policy](#input\_create\_repository\_policy) | Determines whether a repository policy will be created | `bool` | `true` | no |
| [manage\_registry\_scanning\_configuration](#input\_manage\_registry\_scanning\_configuration) | Determines whether the registry scanning configuration will be managed | `bool` | `false` | no |
| [public\_repository\_catalog\_data](#input\_public\_repository\_catalog\_data) | Catalog data configuration for the repository | `any` | `{}` | no |
| [registry\_policy](#input\_registry\_policy) | The policy document. This is a JSON formatted string | `string` | `null` | no |
| [registry\_pull\_through\_cache\_rules](#input\_registry\_pull\_through\_cache\_rules) | List of pull through cache rules to create | `map(map(string))` | `{}` | no |
| [registry\_replication\_rules](#input\_registry\_replication\_rules) | The replication rules for a replication configuration. A maximum of 10 are allowed | `any` | `[]` | no |
| [registry\_scan\_rules](#input\_registry\_scan\_rules) | One or multiple blocks specifying scanning rules to determine which repository filters are used and at what frequency scanning will occur | `any` | `[]` | no |
| [registry\_scan\_type](#input\_registry\_scan\_type) | The scanning type to set for the registry. Can be either `ENHANCED` or `BASIC` | `string` | `"ENHANCED"` | no |
| [repository\_encryption\_type](#input\_repository\_encryption\_type) | The encryption type for the repository. Must be one of: `KMS` or `AES256`. Defaults to `AES256` | `string` | `null` | no |
| [repository\_force\_delete](#input\_repository\_force\_delete) | If `true`, will delete the repository even if it contains images. Defaults to `false` | `bool` | `null` | no |
| [repository\_image\_scan\_on\_push](#input\_repository\_image\_scan\_on\_push) | Indicates whether images are scanned after being pushed to the repository (`true`) or not scanned (`false`) | `bool` | `true` | no |
| [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
| [repository\_kms\_key](#input\_repository\_kms\_key) | The ARN of the KMS key to use when encryption\_type is `KMS`. If not specified, uses the default AWS managed key for ECR | `string` | `null` | no |
| [repository\_lambda\_read\_access\_arns](#input\_repository\_lambda\_read\_access\_arns) | The ARNs of the Lambda service roles that have read access to the repository | `list(string)` | `[]` | no |
| [repository\_lifecycle\_policy](#input\_repository\_lifecycle\_policy) | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs | `string` | `""` | no |
| [repository\_name](#input\_repository\_name) | The name of the repository | `string` | `""` | no |
| [repository\_policy](#input\_repository\_policy) | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no |
| [repository\_policy\_statements](#input\_repository\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no |
| [repository\_read\_access\_arns](#input\_repository\_read\_access\_arns) | The ARNs of the IAM users/roles that have read access to the repository | `list(string)` | `[]` | no |
| [repository\_read\_write\_access\_arns](#input\_repository\_read\_write\_access\_arns) | The ARNs of the IAM users/roles that have read/write access to the repository | `list(string)` | `[]` | no |
| [repository\_type](#input\_repository\_type) | The type of repository to create. Either `public` or `private` | `string` | `"private"` | no |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| [repository\_arn](#output\_repository\_arn) | Full ARN of the repository |
| [repository\_name](#output\_repository\_name) | Name of the repository |
| [repository\_registry\_id](#output\_repository\_registry\_id) | The registry ID where the repository was created |
| [repository\_url](#output\_repository\_url) | The URL of the repository |
## License
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-ecr/blob/master/LICENSE).