Service Catalog Version 0.78.1
Amazon ECR Repositories
Overview
This service contains code to create and manage multiple Amazon Elastic Container Registry (ECR) repositories that can be used for storing and distributing container images.
ECR architecture
Features
- Create and manage multiple ECR repositories
- Store private Docker images for use in any Docker orchestration system (e.g., Kubernetes, ECS)
- Share repositories across accounts
- Fine-grained access control
- Automatically scan Docker images for security vulnerabilities
Learn
Note: This repo is part of the Gruntwork Service Catalog, a collection of reusable, battle-tested, production-ready infrastructure code. If you’ve never used the Service Catalog before, make sure to read How to use the Gruntwork Service Catalog!
- ECR documentation: Amazon’s docs for ECR that cover core concepts such as repository URLs, image scanning, and access control.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this repo out for experimenting and learning, check out the following resources:
- examples/for-learning-and-testing folder: The examples/for-learning-and-testing folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage).
Production deployment
If you want to deploy this repo in production, check out the following resources:
- examples/for-production folder: The examples/for-production folder contains sample code optimized for direct usage in production. This is code from the Gruntwork Reference Architecture, and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog.
Reference
Inputs
- default_automatic_image_scanning — Whether or not to enable image scanning on all the repos. Can be overridden on a per repo basis by the enable_automatic_image_scanning property in the repositories map.
- default_encryption_config — The default encryption configuration to apply to the created ECR repository. When null, the images in the ECR repo will not be encrypted at rest. Can be overridden on a per repo basis by the encryption_config property in the repositories map.
- default_external_account_ids_with_read_access — The default list of AWS account IDs for external AWS accounts that should be able to pull images from these ECR repos. Can be overridden on a per repo basis by the external_account_ids_with_read_access property in the repositories map.
- default_external_account_ids_with_write_access — The default list of AWS account IDs for external AWS accounts that should be able to pull and push images to these ECR repos. Can be overridden on a per repo basis by the external_account_ids_with_write_access property in the repositories map.
- default_image_tag_mutability — The tag mutability setting for all the repos. Must be one of: MUTABLE or IMMUTABLE. Can be overridden on a per repo basis by the image_tag_mutability property in the repositories map.
- default_lifecycle_policy_rules — Add lifecycle policy to ECR repo.
- global_tags — A map of tags (where the key and value correspond to tag keys and values) that should be assigned to all ECR repositories.
- replication_regions — List of regions (e.g., us-east-1) to replicate the ECR repository to.
- repositories — A map of repo names to configurations for that repository.
Outputs
- ecr_read_policy_actions — A list of IAM policy actions necessary for ECR read access.
- ecr_repo_arns — A map of repository name to its ECR ARN.
- ecr_repo_urls — A map of repository name to its URL.
- ecr_write_policy_actions — A list of IAM policy actions necessary for ECR write access.
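The default_* inputs and their per-repo overrides decide each repository's effective security settings. The following added example (not code from the Service Catalog) resolves those settings for a dict shaped like the inputs above and lists the repositories left weaker than the defaults. The function names, sample account IDs, and the contents of encryption_config are assumptions made for illustration.

```python
# Assumption: a key present in a repository's entry overrides the matching default_* input.
# Per-repo property -> default_* input, both as named in the Inputs list.
OVERRIDES = {
    "enable_automatic_image_scanning": "default_automatic_image_scanning",
    "encryption_config": "default_encryption_config",
    "external_account_ids_with_read_access": "default_external_account_ids_with_read_access",
    "external_account_ids_with_write_access": "default_external_account_ids_with_write_access",
    "image_tag_mutability": "default_image_tag_mutability",
}

def effective_settings(inputs):
    """Return {repo_name: resolved settings} for a dict shaped like the module inputs."""
    resolved = {}
    for name, repo in inputs.get("repositories", {}).items():
        resolved[name] = {
            prop: repo[prop] if prop in repo else inputs.get(default)
            for prop, default in OVERRIDES.items()
        }
    return resolved

def audit(inputs):
    """Return sorted (repo, finding) tuples for settings that weaken a repository."""
    findings = []
    for name, cfg in effective_settings(inputs).items():
        if not cfg["enable_automatic_image_scanning"]:
            findings.append((name, "image scanning disabled"))
        if cfg["encryption_config"] is None:
            findings.append((name, "no encryption at rest"))
        if cfg["image_tag_mutability"] != "IMMUTABLE":
            findings.append((name, "tags can be overwritten"))
        for account in cfg["external_account_ids_with_write_access"] or []:
            findings.append((name, f"external account {account} can push"))
    return sorted(findings)

# Constructed sample input; account IDs and the encryption_config contents are placeholders.
SAMPLE = {
    "default_automatic_image_scanning": True,
    "default_encryption_config": {"placeholder": "non-null config"},
    "default_external_account_ids_with_read_access": ["111111111111"],
    "default_external_account_ids_with_write_access": [],
    "default_image_tag_mutability": "IMMUTABLE",
    "repositories": {
        "backend": {},
        "scratch": {"image_tag_mutability": "MUTABLE", "encryption_config": None},
        "ci-cache": {"enable_automatic_image_scanning": False,
                     "external_account_ids_with_write_access": ["222222222222"]},
    },
}
```

Calling audit(SAMPLE) reports only the two repositories whose overrides loosen the defaults; backend inherits every default and produces no finding.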