This module creates and manages ECR Docker image repositories and registry settings. It applies security best practices to each repository by default, while allowing specific values to be overridden as needed.
Rule | Notes |
---|---|
Support encryption. | KMS encryption is used by default; AES256 can be selected instead with var.ecr_encryption_type. If var.ecr_encryption_type is KMS and var.ecr_kms_key_arn is not specified, a KMS key is created and used automatically. The settings of the generated key can be overridden with var.ecr_kms_key. |
Private repository by default. | Repositories are private by default; set var.private = false for a public repository. |
Support a default policy. | A default repository policy is always applied, and additional statements can be added with var.ecr_policy_statements. By default, repository read-only access is the only permission granted. Read (pull), write (push), and copy (replication) permissions are granted to specific ARNs with var.read, var.write, and var.copy respectively. The default policy can be replaced entirely with var.policy. |
Support a default lifecycle policy. | The default lifecycle policy expires any untagged images that are older than 7 days. |
Perform automatic security scanning. | Images are scanned on push by default, i.e. every time a new or updated image is pushed to the repository. |
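The defaults above are only worth anything if they survive in the account, so a practitioner usually wants a check that reads the repository back from the ECR API and compares it with the rules. The following Python is an added example, not code from this module or from its upstream modules: it audits one repository against KMS encryption with a key ARN, immutable tags (the module's default for var.ecr_image_tag_mutability), scan on push, and a lifecycle rule that expires untagged images within 7 days. It works on plain dicts in the shape of the DescribeRepositories and GetLifecyclePolicy responses, so it can be fed boto3 output unchanged; the two sample repositories, their names, and the account id are constructed here for illustration.

```python
"""Audit an ECR repository against the module's default rules.

Added example, not part of the tf-aws-container-ecr module. Input is the plain
dict shape returned by the ECR API (DescribeRepositories / GetLifecyclePolicy),
so it runs offline on constructed sample data and on real boto3 output alike.
"""
import json

UNTAGGED_MAX_AGE_DAYS = 7  # the module's default lifecycle expiry for untagged images


def _expires_untagged(policy_text, max_age_days):
    """True if some rule expires untagged images within max_age_days of being pushed."""
    try:
        rules = json.loads(policy_text).get("rules", [])
    except (ValueError, AttributeError):
        return False  # not JSON, or not a JSON object
    for rule in rules:
        sel = rule.get("selection", {})
        act = rule.get("action", {})
        if (
            sel.get("tagStatus") == "untagged"
            and sel.get("countType") == "sinceImagePushed"
            and sel.get("countUnit") == "days"
            and isinstance(sel.get("countNumber"), int)
            and sel["countNumber"] <= max_age_days
            and act.get("type") == "expire"
        ):
            return True
    return False


def audit_repository(repo, lifecycle_policy_text=None, require_kms=True):
    """Return a list of findings for one repository; an empty list means compliant.

    repo: one element of DescribeRepositories()["repositories"]
    lifecycle_policy_text: GetLifecyclePolicy()["lifecyclePolicyText"], or None
        when the repository has no lifecycle policy
    require_kms: set False if AES256 was chosen deliberately via ecr_encryption_type
    """
    findings = []
    name = repo.get("repositoryName", "<unknown>")

    enc = repo.get("encryptionConfiguration") or {}
    enc_type = enc.get("encryptionType", "AES256")  # ECR reports AES256 when no KMS key is set
    if require_kms and enc_type != "KMS":
        findings.append(f"{name}: encryption is {enc_type}, expected KMS")
    if enc_type == "KMS" and not enc.get("kmsKey"):
        findings.append(f"{name}: KMS encryption reported without a key ARN")

    if repo.get("imageTagMutability") != "IMMUTABLE":
        findings.append(f"{name}: tags are MUTABLE, so a deployed tag can be silently replaced")

    scan = repo.get("imageScanningConfiguration") or {}
    if not scan.get("scanOnPush", False):
        findings.append(f"{name}: scanOnPush is disabled")

    if lifecycle_policy_text is None:
        findings.append(f"{name}: no lifecycle policy, untagged images will accumulate")
    elif not _expires_untagged(lifecycle_policy_text, UNTAGGED_MAX_AGE_DAYS):
        findings.append(
            f"{name}: lifecycle policy does not expire untagged images within "
            f"{UNTAGGED_MAX_AGE_DAYS} days"
        )
    return findings


# Constructed sample input (names and account id are made up), in the shape of
# `aws ecr describe-repositories` output.
COMPLIANT_REPO = {
    "repositoryName": "cs-shared-dev-app",
    "imageTagMutability": "IMMUTABLE",
    "imageScanningConfiguration": {"scanOnPush": True},
    "encryptionConfiguration": {
        "encryptionType": "KMS",
        "kmsKey": "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000",
    },
}
DRIFTED_REPO = {
    "repositoryName": "legacy-app",
    "imageTagMutability": "MUTABLE",
    "imageScanningConfiguration": {"scanOnPush": False},
    "encryptionConfiguration": {"encryptionType": "AES256"},
}
# Lifecycle policy text equivalent to the module's default (untagged > 7 days).
DEFAULT_LIFECYCLE_POLICY = json.dumps({
    "rules": [{
        "rulePriority": 1,
        "description": "Expire untagged images older than 7 days",
        "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                      "countUnit": "days", "countNumber": 7},
        "action": {"type": "expire"},
    }]
})

if __name__ == "__main__":
    for repo, policy in ((COMPLIANT_REPO, DEFAULT_LIFECYCLE_POLICY), (DRIFTED_REPO, None)):
        for finding in audit_repository(repo, policy) or [f"{repo['repositoryName']}: OK"]:
            print(finding)
```

To run it against a live account, call `describe_repositories()` and `get_lifecycle_policy(repositoryName=...)` with boto3 (the latter raises `LifecyclePolicyNotFoundException` when none is attached, which maps to passing `None`) and feed each result into `audit_repository`.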
```hcl
module "ecr" {
  source = "github.com/clearscale/tf-aws-container-ecr.git?ref=v1.0.0"

  account = {
    id = "*", name = "shared", provider = "aws", key = "current", region = "us-east-1"
  }

  prefix  = local.context.prefix
  client  = local.context.client
  project = local.context.project
  env     = local.account.name
  region  = local.region.name
  name    = local.name

  services = {
    codebuild = true
  }
}
```
```shell
terraform plan -var='name=test'
terraform apply -var='name=test'
terraform destroy -var='name=test'
```
Requirement | Version |
---|---|
terraform | >= 1.5.6 |
aws | ~> 5.0 |
Provider | Version |
---|---|
aws | 5.56.1 |
Module | Source | Version |
---|---|---|
ecr | git::https://github.com/terraform-aws-modules/terraform-aws-ecr.git | 9daab0795f9759922a0664c8eca09ade5262cb3e |
kms | github.com/clearscale/tf-aws-kms.git | v1.0.0 |
ssm | git::https://github.com/terraform-aws-modules/terraform-aws-ssm-parameter.git | b7659e8b46aa626065c60fbfa7b78c1fedf43d7c |
std | git::https://github.com/clearscale/tf-standards.git | c1ef5c7b2df858153a3e6ee90d92d70783029704 |
Resource | Type |
---|---|
aws_caller_identity.this | data source |
aws_iam_policy_document.this | data source |
aws_partition.this | data source |
Input | Description | Type | Default | Required |
---|---|---|---|---|
account | (Optional). Current cloud provider account info. | object({…}) | {…} | no |
client | (Optional). Name of the client. | string | "ClearScale" | no |
copy | (Optional). Configuration for registry replication rules, including destinations and repository filters. | list(object({…})) | [] | no |
create | (Optional). Whether to create the repository (true) or only configure the settings of an existing one (false). | bool | true | no |
ecr_encryption_type | (Optional). The encryption type for the repository. Must be one of KMS or AES256. Defaults to KMS. | string | "KMS" | no |
ecr_force_delete | (Optional). If true, the repository is deleted even if it still contains images. Defaults to false. | bool | false | no |
ecr_image_scan_on_push | (Optional). Whether images are scanned after being pushed to the repository (true) or not (false). | bool | true | no |
ecr_image_tag_mutability | (Optional). The tag mutability setting for the repository. Must be one of MUTABLE or IMMUTABLE. Defaults to IMMUTABLE. | string | "IMMUTABLE" | no |
ecr_kms_key | (Optional). Settings for the KMS key the module generates for the ECR repository. It is advised to create your own KMS key and pass its ARN in var.ecr_kms_key_arn instead. Like var.ecr_kms_key_arn, this variable is only used when var.ecr_encryption_type = "KMS". | object({…}) | {} | no |
ecr_kms_key_arn | (Optional). The ARN of the KMS key to use when ecr_encryption_type is KMS. If not specified and var.ecr_encryption_type = "KMS", the module generates a KMS key. Not used when var.ecr_encryption_type = "AES256". | string | null | no |
ecr_lifecycle_policy | (Optional). Lifecycle policy for the ECR repository. | object({…}) | {…} | no |
ecr_policy_statements | (Optional). A map of IAM policy statements to add to the repository policy. | any | {} | no |
ecr_public_repository_catalog_data | (Optional). Catalog data configuration for a public repository. | any | {} | no |
ecr_registry_manage_scanning | (Optional). Whether the registry scanning configuration is managed by this module. | bool | false | no |
ecr_registry_policy | (Optional). The registry policy document, as a JSON-formatted string. | string | null | no |
ecr_registry_pull_through_cache_rules | (Optional). Map of pull-through cache rules to create. | map(map(string)) | {} | no |
ecr_scan_rules | (Optional). The rules for the registry scan. | list(object({…})) | […] | no |
ecr_scan_type | (Optional). The type of scan to perform on the registry. | string | "ENHANCED" | no |
env | (Optional). Name of the current environment. | string | "dev" | no |
name | (Required). The name of the resource, application, or service. | string | n/a | yes |
policy | (Optional). An aws_iam_policy_document JSON-encoded string that replaces the default repository policy. | string | null | no |
prefix | (Optional). Prefix override for all generated naming conventions. | string | "cs" | no |
private | (Optional). Private (true) or public (false) repository. | bool | true | no |
project | (Optional). Name of the client project. | string | "pmod" | no |
read | (Optional). ARNs of resources or services to give read (pull) access to. Any Lambda ARNs are automatically detected and moved to repository_lambda_read_access_arns. | list(string) | [] | no |
region | (Optional). Name of the region. | string | "us-west-1" | no |
services | (Optional). Toggle AWS service access on or off. | object({…}) | {} | no |
ssm_parameter_name | (Optional). SSM parameter name in which to store the resource ARN. | string | null | no |
tags | (Optional). A map of tags to assign to the resources. | map(string) | null | no |
write | (Optional). ARNs of resources or services to give write (push) access to. Write access also includes read access. | list(string) | [] | no |
Output | Description |
---|---|
repository_arn | n/a |
repository_registry_id | n/a |
repository_url | n/a |