Terraform module which creates AWS ECR resources.
See examples
directory for working examples to reference:
module "ecr" {
source = "terraform-aws-modules/ecr/aws"
repository_name = "private-example"
repository_read_write_access_arns = ["arn:aws:iam::012345678901:role/terraform"]
repository_lifecycle_policy = jsonencode({
rules = [
{
rulePriority = 1,
description = "Keep last 30 images",
selection = {
tagStatus = "tagged",
tagPrefixList = ["v"],
countType = "imageCountMoreThan",
countNumber = 30
},
action = {
type = "expire"
}
}
]
})
tags = {
Terraform = "true"
Environment = "dev"
}
}
module "public_ecr" {
source = "terraform-aws-modules/ecr/aws"
repository_name = "public-example"
repository_type = "public"
repository_read_write_access_arns = ["arn:aws:iam::012345678901:role/terraform"]
public_repository_catalog_data = {
description = "Docker container for some things"
about_text = file("${path.module}/files/ABOUT.md")
usage_text = file("${path.module}/files/USAGE.md")
operating_systems = ["Linux"]
architectures = ["x86"]
logo_image_blob = filebase64("${path.module}/files/clowd.png")
}
tags = {
Terraform = "true"
Environment = "dev"
}
}
module "ecr_registry" {
source = "terraform-aws-modules/ecr/aws"
repository_name = "registry-example"
create_repository = false
# Registry Policy
create_registry_policy = true
registry_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Sid = "testpolicy",
Effect = "Allow",
Principal = {
"AWS" : "arn:aws:iam::012345678901:root"
},
Action = [
"ecr:ReplicateImage"
],
Resource = [
"arn:aws:ecr:us-east-1:012345678901:repository/*"
]
}, {
Sid = "dockerhub",
Effect = "Allow",
Principal = {
"AWS" : "arn:aws:iam::012345678901:root"
},
Action = [
"ecr:CreateRepository",
"ecr:BatchImportUpstreamImage"
],
Resource = [
"arn:aws:ecr:us-east-1:012345678901:repository/dockerhub/*"
]
}
]
})
# Registry Pull Through Cache Rules
registry_pull_through_cache_rules = {
pub = {
ecr_repository_prefix = "ecr-public"
upstream_registry_url = "public.ecr.aws"
}
dockerhub = {
ecr_repository_prefix = "dockerhub"
upstream_registry_url = "registry-1.docker.io"
credential_arn = "arn:aws:secretsmanager:us-east-1:123456789:secret:ecr-pullthroughcache/dockerhub"
}
}
# Registry Scanning Configuration
manage_registry_scanning_configuration = true
registry_scan_type = "ENHANCED"
registry_scan_rules = [
{
scan_frequency = "SCAN_ON_PUSH"
filter = [
{
filter = "example1"
filter_type = "WILDCARD"
},
{ filter = "example2"
filter_type = "WILDCARD"
}
]
}, {
scan_frequency = "CONTINUOUS_SCAN"
filter = [
{
filter = "example"
filter_type = "WILDCARD"
}
]
}
]
# Registry Replication Configuration
create_registry_replication_configuration = true
registry_replication_rules = [
{
destinations = [{
region = "us-west-2"
registry_id = "012345678901"
}, {
region = "eu-west-1"
registry_id = "012345678901"
}]
repository_filters = [{
filter = "prod-microservice"
filter_type = "PREFIX_MATCH"
}]
}
]
tags = {
Terraform = "true"
Environment = "dev"
}
}
Users of this Terraform module can create multiple similar resources by using for_each
meta-argument within module
block which became available in Terraform 0.13.
Users of Terragrunt can achieve similar results by using modules provided in the wrappers directory, if they prefer to reduce amount of configuration files.
Examples codified under the examples
are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 5.37 |
Name | Version |
---|---|
aws | >= 5.37 |
No modules.
Name | Type |
---|---|
aws_ecr_lifecycle_policy.this | resource |
aws_ecr_pull_through_cache_rule.this | resource |
aws_ecr_registry_policy.this | resource |
aws_ecr_registry_scanning_configuration.this | resource |
aws_ecr_replication_configuration.this | resource |
aws_ecr_repository.this | resource |
aws_ecr_repository_policy.this | resource |
aws_ecrpublic_repository.this | resource |
aws_ecrpublic_repository_policy.example | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.repository | data source |
aws_partition.current | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
attach_repository_policy | Determines whether a repository policy will be attached to the repository | bool |
true |
no |
create | Determines whether resources will be created (affects all resources) | bool |
true |
no |
create_lifecycle_policy | Determines whether a lifecycle policy will be created | bool |
true |
no |
create_registry_policy | Determines whether a registry policy will be created | bool |
false |
no |
create_registry_replication_configuration | Determines whether a registry replication configuration will be created | bool |
false |
no |
create_repository | Determines whether a repository will be created | bool |
true |
no |
create_repository_policy | Determines whether a repository policy will be created | bool |
true |
no |
manage_registry_scanning_configuration | Determines whether the registry scanning configuration will be managed | bool |
false |
no |
public_repository_catalog_data | Catalog data configuration for the repository | any |
{} |
no |
registry_policy | The policy document. This is a JSON formatted string | string |
null |
no |
registry_pull_through_cache_rules | List of pull through cache rules to create | map(map(string)) |
{} |
no |
registry_replication_rules | The replication rules for a replication configuration. A maximum of 10 are allowed | any |
[] |
no |
registry_scan_rules | One or multiple blocks specifying scanning rules to determine which repository filters are used and at what frequency scanning will occur | any |
[] |
no |
registry_scan_type | the scanning type to set for the registry. Can be either ENHANCED or BASIC |
string |
"ENHANCED" |
no |
repository_encryption_type | The encryption type for the repository. Must be one of: KMS or AES256 . Defaults to AES256 |
string |
null |
no |
repository_force_delete | If true , will delete the repository even if it contains images. Defaults to false |
bool |
null |
no |
repository_image_scan_on_push | Indicates whether images are scanned after being pushed to the repository (true ) or not scanned (false ) |
bool |
true |
no |
repository_image_tag_mutability | The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE . Defaults to IMMUTABLE |
string |
"IMMUTABLE" |
no |
repository_kms_key | The ARN of the KMS key to use when encryption_type is KMS . If not specified, uses the default AWS managed key for ECR |
string |
null |
no |
repository_lambda_read_access_arns | The ARNs of the Lambda service roles that have read access to the repository | list(string) |
[] |
no |
repository_lifecycle_policy | The policy document. This is a JSON formatted string. See more details about Policy Parameters in the official AWS docs | string |
"" |
no |
repository_name | The name of the repository | string |
"" |
no |
repository_policy | The JSON policy to apply to the repository. If not specified, uses the default policy | string |
null |
no |
repository_policy_statements | A map of IAM policy statements for custom permission usage | any |
{} |
no |
repository_read_access_arns | The ARNs of the IAM users/roles that have read access to the repository | list(string) |
[] |
no |
repository_read_write_access_arns | The ARNs of the IAM users/roles that have read/write access to the repository | list(string) |
[] |
no |
repository_type | The type of repository to create. Either public or private |
string |
"private" |
no |
tags | A map of tags to add to all resources | map(string) |
{} |
no |
Name | Description |
---|---|
repository_arn | Full ARN of the repository |
repository_name | Name of the repository |
repository_registry_id | The registry ID where the repository was created |
repository_url | The URL of the repository |
Apache-2.0 Licensed. See LICENSE.