clearscale/tf-aws-container-ecr

Terraform AWS/ECR Registry

This module is designed for the creation and management of ECR Docker image repositories and registries. It automatically applies best practices to configure each repository, while also providing flexibility to override specific values as needed.

Defaults

Support encryption
    If var.ecr_encryption_type is set to KMS and var.ecr_kms_key_arn is not specified, a KMS key is created and used automatically. The settings of the generated key can be overridden with var.ecr_kms_key. KMS is used by default; AES256 can be selected instead by setting var.ecr_encryption_type.

Private repository by default
    Repositories are private by default; set var.private = false to make a repository public.

Support a default policy
    A default IAM repository policy is applied. Additional statements can be added with var.ecr_policy_statements. Repository read-only access is the only permission granted by default; read, write, and copy permissions can be granted with var.read, var.write, and var.copy respectively. The default policy can be replaced entirely with var.policy.

Support a default lifecycle policy
    The default lifecycle policy expires any untagged image that is older than 7 days.

Perform automatic security scanning
    Images are scanned on push by default, every time a new or updated image is pushed to the repository.

Usage

module "ecr" {
  source = "github.com/clearscale/tf-aws-container-ecr.git?ref=v1.0.0"

  account = {
    id = "*", name = "shared", provider = "aws", key = "current", region = "us-east-1"
  }

  prefix  = local.context.prefix
  client  = local.context.client
  project = local.context.project
  env     = local.account.name
  region  = local.region.name
  name    = local.name

  services = {
    codebuild = true
  }
}
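The module call below, added here as an example rather than taken from the module's README or code, extends the Usage block to show how the defaults listed above are overridden and then verified: a customer-managed KMS key via var.ecr_kms_key_arn, pull-only access for one role and push access for another via var.read and var.write, a stricter var.ecr_lifecycle_policy, and a Terraform check block that re-reads the repository after apply and warns if encryption, tag immutability or scan-on-push differ from what the module is expected to set. All ARNs, names and the SSM parameter path are constructed placeholders; the check block relies on Terraform's check feature (available from 1.5, within this module's stated requirement) and on the attributes of the aws_ecr_repository data source in the AWS provider, not on anything the module itself exposes beyond its documented outputs.

```hcl
# Added example, not the module's own code. Every ARN below is a placeholder.
locals {
  eks_node_role_arn  = "arn:aws:iam::123456789012:role/PLACEHOLDER-eks-node"   # constructed
  codebuild_role_arn = "arn:aws:iam::123456789012:role/PLACEHOLDER-codebuild"  # constructed
  ecr_cmk_arn        = "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-key" # constructed
}

module "ecr" {
  source = "github.com/clearscale/tf-aws-container-ecr.git?ref=v1.0.0"

  account = {
    id = "*", name = "shared", provider = "aws", key = "current", region = "us-east-1"
  }

  prefix  = "cs"
  client  = "ClearScale"
  project = "pmod"
  env     = "prod"
  region  = "us-east-1"
  name    = "api"

  # Keep the KMS default but bring your own key, as the ecr_kms_key input advises.
  ecr_encryption_type = "KMS"
  ecr_kms_key_arn     = local.ecr_cmk_arn

  # Both are already the defaults; stated explicitly so a later edit cannot relax them silently.
  ecr_image_tag_mutability = "IMMUTABLE"
  ecr_image_scan_on_push   = true

  # Pull-only for the cluster nodes; push (which also implies pull) for the build role.
  read  = [local.eks_node_role_arn]
  write = [local.codebuild_role_arn]

  # Tighter than the default: untagged layers go after 3 days, and any image
  # older than 180 days is expired. The "any" rule carries the highest priority
  # because ECR evaluates it last.
  ecr_lifecycle_policy = {
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged images older than 3 days."
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 3
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Expire any image older than 180 days."
        selection = {
          tagStatus   = "any"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 180
        }
        action = { type = "expire" }
      },
    ]
  }

  ssm_parameter_name = "/cs/prod/ecr/api/arn" # constructed path
  tags               = { owner = "platform-team" }
}

# Re-read the repository by name (taken from the module's repository_arn output,
# so it works whatever naming convention the module applies) and compare the
# live settings with the posture this module is expected to enforce.
data "aws_ecr_repository" "verify" {
  name = regex("repository/(.+)$", module.ecr.repository_arn)[0]
}

check "ecr_security_posture" {
  assert {
    condition     = data.aws_ecr_repository.verify.encryption_configuration[0].encryption_type == "KMS"
    error_message = "ECR repository is not KMS-encrypted."
  }
  assert {
    condition     = data.aws_ecr_repository.verify.image_tag_mutability == "IMMUTABLE"
    error_message = "ECR repository allows tags to be overwritten; expected IMMUTABLE."
  }
  assert {
    condition     = data.aws_ecr_repository.verify.image_scanning_configuration[0].scan_on_push
    error_message = "Scan-on-push is disabled for the ECR repository."
  }
}
```

A failed assertion in a check block is reported as a warning on plan and apply rather than aborting the run, which makes it a low-risk drift detector to leave in the configuration permanently; if a hard failure is wanted, the same conditions can be moved into a postcondition on the data source.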

Plan

terraform plan -var='name=test'

Apply

terraform apply -var='name=test'

Destroy

terraform destroy -var='name=test'

Requirements

Name       Version
terraform  >= 1.5.6
aws        ~> 5.0

Providers

Name  Version
aws   5.56.1

Modules

Name  Source                                                                   Version
ecr   git::https://github.com/terraform-aws-modules/terraform-aws-ecr.git            9daab0795f9759922a0664c8eca09ade5262cb3e
kms   github.com/clearscale/tf-aws-kms.git                                           v1.0.0
ssm   git::https://github.com/terraform-aws-modules/terraform-aws-ssm-parameter.git  b7659e8b46aa626065c60fbfa7b78c1fedf43d7c
std   git::https://github.com/clearscale/tf-standards.git                            c1ef5c7b2df858153a3e6ee90d92d70783029704

Resources

Name                          Type
aws_caller_identity.this      data source
aws_iam_policy_document.this  data source
aws_partition.this            data source

Inputs

Each input is listed with its description, type, default and whether it is required.

account
    (Optional). Current cloud provider account info.
    Type:
      object({
        key      = optional(string, "current")
        provider = optional(string, "aws")
        id       = optional(string, "*")
        name     = string
        region   = optional(string, null)
      })
    Default: { "id": "*", "name": "shared" }
    Required: no

client
    (Optional). Name of the client.
    Type: string | Default: "ClearScale" | Required: no

copy
    (Optional). Configuration for registry replication rules, including destinations and repository filters.
    Type:
      list(object({
        destinations = optional(list(object({
          region      = optional(string)
          registry_id = optional(string)
        })), [])
        repository_filters = optional(list(object({
          filter      = optional(string)
          filter_type = optional(string)
        })), [])
      }))
    Default: [] | Required: no

create
    (Optional). Whether or not to create the repository, as opposed to only configuring the settings of an existing one.
    Type: bool | Default: true | Required: no

ecr_encryption_type
    (Optional). The encryption type for the repository. Must be one of: KMS or AES256. Defaults to KMS.
    Type: string | Default: "KMS" | Required: no

ecr_force_delete
    (Optional). If true, the repository is deleted even if it contains images. Defaults to false.
    Type: bool | Default: false | Required: no

ecr_image_scan_on_push
    (Optional). Indicates whether images are scanned after being pushed to the repository (true) or not scanned (false).
    Type: bool | Default: true | Required: no

ecr_image_tag_mutability
    (Optional). The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to IMMUTABLE.
    Type: string | Default: "IMMUTABLE" | Required: no

ecr_kms_key
    (Optional). KMS settings for the ECR repository. It is advised to create your own KMS key and pass its ARN to var.ecr_kms_key_arn instead. Like var.ecr_kms_key_arn, this variable is only used if var.ecr_encryption_type = 'KMS'.
    Type:
      object({
        description                            = optional(string, null)
        aliases                                = optional(list(string), null)
        computed_aliases                       = optional(any, {})
        aliases_use_name_prefix                = optional(bool, false)
        multi_region                           = optional(bool, false)
        enable_key_rotation                    = optional(bool, true)
        rotation_period_in_days                = optional(number, 365)
        deletion_window_in_days                = optional(number, 30)
        create_external                        = optional(bool, false)
        bypass_policy_lockout_safety_check     = optional(bool, false)
        custom_key_store_id                    = optional(string, null)
        customer_master_key_spec               = optional(string, "SYMMETRIC_DEFAULT")
        key_material_base64                    = optional(string, null)
        key_usage                              = optional(string, "ENCRYPT_DECRYPT")
        policy                                 = optional(string, null)
        valid_to                               = optional(string, null)
        key_owners                             = optional(list(string), [])
        key_administrators                     = optional(list(string), [])
        key_users                              = optional(list(string), [])
        key_service_users                      = optional(list(string), [])
        key_service_roles_for_autoscaling      = optional(list(string), [])
        key_symmetric_encryption_users         = optional(list(string), [])
        key_hmac_users                         = optional(list(string), [])
        key_asymmetric_public_encryption_users = optional(list(string), [])
        key_asymmetric_sign_verify_users       = optional(list(string), [])
        key_statements                         = optional(any, {})
        source_policy_documents                = optional(list(string), [])
        override_policy_documents              = optional(list(string), [])
        enable_route53_dnssec                  = optional(bool, false)
        route53_dnssec_sources                 = optional(list(any), [])
        create_replica                         = optional(bool, false)
        primary_key_arn                        = optional(string, null)
        create_replica_external                = optional(bool, false)
        primary_external_key_arn               = optional(string, null)
        grants                                 = optional(any, {})
        tags                                   = optional(map(string), null)
      })
    Default: {} | Required: no

ecr_kms_key_arn
    (Optional). The ARN of the KMS key to use when encryption_type is KMS. If not specified and var.ecr_encryption_type = 'KMS', a KMS key is generated. Otherwise, the default AWS managed key for ECR is used.
    Type: string | Default: null | Required: no

ecr_lifecycle_policy
    (Optional). Lifecycle policy for the ECR repository.
    Type:
      object({
        rules = list(object({
          rulePriority = number
          description  = string
          selection = object({
            tagStatus   = string
            countType   = string
            countUnit   = string
            countNumber = number
          })
          action = object({
            type = string
          })
        }))
      })
    Default:
      {
        "rules": [
          {
            "action": {
              "type": "expire"
            },
            "description": "Expire untagged images older than 7 days.",
            "rulePriority": 1,
            "selection": {
              "countNumber": 7,
              "countType": "sinceImagePushed",
              "countUnit": "days",
              "tagStatus": "untagged"
            }
          }
        ]
      }
    Required: no

ecr_policy_statements
    (Optional). A map of IAM policy statements for custom permission usage.
    Type: any | Default: {} | Required: no

ecr_public_repository_catalog_data
    (Optional). Catalog data configuration for the repository.
    Type: any | Default: {} | Required: no

ecr_registry_manage_scanning
    (Optional). Determines whether the registry scanning configuration will be managed.
    Type: bool | Default: false | Required: no

ecr_registry_policy
    (Optional). The registry policy document, as a JSON formatted string.
    Type: string | Default: null | Required: no

ecr_registry_pull_through_cache_rules
    (Optional). List of pull through cache rules to create.
    Type: map(map(string)) | Default: {} | Required: no

ecr_scan_rules
    (Optional). The rules for the registry scan.
    Type:
      list(object({
        scan_frequency = string
        filter = list(object({
          filter      = string
          filter_type = string
        }))
      }))
    Default:
      [
        {
          "filter": [
            {
              "filter": "*",
              "filter_type": "WILDCARD"
            }
          ],
          "scan_frequency": "SCAN_ON_PUSH"
        }
      ]
    Required: no

ecr_scan_type
    (Optional). The type of scan to perform on the registry.
    Type: string | Default: "ENHANCED" | Required: no

env
    (Optional). Name of the current environment.
    Type: string | Default: "dev" | Required: no

name
    (Optional). The name of the resource, application, or service.
    Type: string | Default: n/a | Required: yes

policy
    (Optional). An aws_iam_policy_document JSON-encoded string that overrides the default repository policy.
    Type: string | Default: null | Required: no

prefix
    (Optional). Prefix override for all generated naming conventions.
    Type: string | Default: "cs" | Required: no

private
    (Optional). Whether the repository is private (true) or public (false).
    Type: bool | Default: true | Required: no

project
    (Optional). Name of the client project.
    Type: string | Default: "pmod" | Required: no

read
    (Optional). ARNs of resources or services to give read (pull) access to. Any Lambda ARNs are automatically parsed and moved to repository_lambda_read_access_arns.
    Type: list(string) | Default: [] | Required: no

region
    (Optional). Name of the region.
    Type: string | Default: "us-west-1" | Required: no

services
    (Optional). Toggle AWS service access on or off.
    Type:
      object({
        ecr       = optional(bool, false)
        eks       = optional(bool, false)
        codebuild = optional(bool, false)
        lambda    = optional(bool, false)
        beanstalk = optional(bool, false)
        sagemaker = optional(bool, false)
        batch     = optional(bool, false)
      })
    Default: {} | Required: no

ssm_parameter_name
    (Required). SSM parameter name to store the resource ARN.
    Type: string | Default: null | Required: no

tags
    (Optional). A map of tags to assign to the resources.
    Type: map(string) | Default: null | Required: no

write
    (Optional). ARNs of resources or services to give write (push) access to. Write access also provides read access.
    Type: list(string) | Default: [] | Required: no

Outputs

Name                    Description
repository_arn          n/a
repository_registry_id  n/a
repository_url          n/a
