Amazon ECR Repositories
Overview
This service contains code to create and manage multiple Amazon Elastic Container Registry (ECR) repositories that can be used for storing and distributing container images.
(Figure: ECR architecture)
Features
- Create and manage multiple ECR repositories
- Store private Docker images for use in any container orchestration system (e.g., Kubernetes or ECS)
- Share repositories across accounts
- Fine-grained access control
- Automatically scan Docker images for security vulnerabilities
Learn
Note: This repo is part of the Gruntwork Service Catalog, a collection of reusable, battle-tested, production-ready infrastructure code. If you’ve never used the Service Catalog before, make sure to read How to use the Gruntwork Service Catalog!
- ECR documentation: Amazon’s docs for ECR that cover core concepts such as repository URLs, image scanning, and access control.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this repo out for experimenting and learning, check out the following resources:
- examples/for-learning-and-testing folder: The examples/for-learning-and-testing folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage).
Production deployment
If you want to deploy this repo in production, check out the following resources:
- examples/for-production folder: The examples/for-production folder contains sample code optimized for direct usage in production. This is code from the Gruntwork Reference Architecture, and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog.
Reference

Inputs

Required

repositories (type: any)
A map of repo names to configurations for that repository. Any types represent complex values of variable type; for details, consult `variables.tf` in the source repo. The per-repo properties named below (enable_automatic_image_scanning, encryption_config, external_account_ids_with_*_access, image_tag_mutability) override the corresponding default_* inputs for that repository only.

Optional

Image scanning default (default: true)
Whether or not to enable image scanning on all the repos. Can be overridden on a per repo basis by the enable_automatic_image_scanning property in the repositories map. Scan-on-push reports known CVEs in the pushed image layers but does not reject the push, so gate deployments on the findings separately.

default_encryption_config (type: object, see below; default: encryption_type = "AES256", kms_key = null)
The default encryption configuration to apply to the created ECR repositories. When null, no encryption configuration is set on the repository and ECR falls back to its built-in default, AES256 server-side encryption with an AWS-managed key; choose KMS when you need a customer managed key with your own key policy and a CloudTrail record of decrypts. Can be overridden on a per repo basis by the encryption_config property in the repositories map.
  object({
    # The encryption type to use for the repository. Must be AES256 or KMS.
    encryption_type = string
    # The KMS key to use for encrypting the images. Only used when encryption_type is KMS. If not specified, defaults to
    # the default AWS managed key for ECR.
    kms_key = string
  })

default_external_account_ids_with_lambda_access (type: list(string), default: [])
The default list of AWS account IDs for external AWS accounts that should be able to create Lambda functions based on container images in these ECR repos. Can be overridden on a per repo basis by the external_account_ids_with_lambda_access property in the repositories map. This is distinct from read access: Lambda fetches the image through its own service principal, so an account must be listed here to run functions from these images even if its identities can already pull them.

default_external_account_ids_with_read_access (type: list(string), default: [])
The default list of AWS account IDs for external AWS accounts that should be able to pull images from these ECR repos. Can be overridden on a per repo basis by the external_account_ids_with_read_access property in the repositories map. The repository policy is only one side of cross-account access; the pulling identity's own IAM policy in its account must allow the ECR pull actions as well.

default_external_account_ids_with_write_access (type: list(string), default: [])
The default list of AWS account IDs for external AWS accounts that should be able to pull and push images to these ECR repos. Can be overridden on a per repo basis by the external_account_ids_with_write_access property in the repositories map.

Image tag mutability default (default: "MUTABLE")
The tag mutability setting for all the repos. Must be one of: MUTABLE or IMMUTABLE. Can be overridden on a per repo basis by the image_tag_mutability property in the repositories map. With MUTABLE, a tag such as latest can be re-pushed to point at a different image digest; for repositories whose images are deployed by tag, IMMUTABLE prevents that and is the safer choice.

Lifecycle policy (type: any, default: [])
Add lifecycle policy to ECR repo. Any types represent complex values of variable type; for details, consult `variables.tf` in the source repo.

global_tags (type: map(string), default: {})
A map of tags (where the key and value correspond to tag keys and values) that should be assigned to all ECR repositories.

replication_regions (type: list(string), default: [])
List of regions (e.g., us-east-1) to replicate the ECR repository to.
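As an added example (not code from the module or the Gruntwork docs), here is one call of the module that wires up the inputs above for three repos with different postures: a production service on immutable tags, an image run as a Lambda function from a second account, and a shared base image a CI account may push to. The module source path and release tag are assumptions (look up the current path in the Service Catalog and pin a real tag), the account IDs and repo names are placeholders, and which per-repo keys the repositories map accepts is governed by `variables.tf`, not by this example.

```hcl
# Added example, not the module's own code. Source path and tag are assumed;
# account IDs are placeholders.
module "ecr_repos" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/ecr-repos?ref=v0.0.0"

  # Repo-wide defaults. Encrypt with a customer managed key so decrypts are
  # attributable in CloudTrail and the key policy is under our control.
  default_encryption_config = {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }

  # The workload account may pull from every repo unless a repo overrides this.
  default_external_account_ids_with_read_access = ["111122223333"]

  global_tags = {
    Team = "platform"
  }

  repositories = {
    # Production service image: immutable tags so a tag can never be silently
    # repointed at a different digest. Scanning stays on via the default.
    "api-server" = {
      image_tag_mutability = "IMMUTABLE"
    }

    # Image run as a Lambda function from a second account. That account needs
    # Lambda access (the Lambda service principal pulls on its behalf) on top
    # of pull access for whoever creates the function. A per-repo list
    # replaces the default list, so the workload account is repeated here.
    "report-generator" = {
      image_tag_mutability                    = "IMMUTABLE"
      external_account_ids_with_read_access   = ["111122223333", "444455556666"]
      external_account_ids_with_lambda_access = ["444455556666"]
    }

    # Shared base image the CI account may push to. Write access already
    # includes pull. Mutable tags are tolerable only because consumers pin
    # this image by digest, not by tag.
    "base-python" = {
      image_tag_mutability                   = "MUTABLE"
      enable_automatic_image_scanning        = true
      external_account_ids_with_write_access = ["777788889999"]
      # Per-repo override: ECR's default AES256 instead of our key, e.g.
      # because the CI account is not granted use of the key.
      encryption_config = {
        encryption_type = "AES256"
        kms_key         = null
      }
    }
  }
}

# Customer managed key for the KMS-encrypted repos. Cross-account pullers of a
# KMS-encrypted repo must also be allowed in this key's policy, which is why
# the shared base image above stays on AES256.
resource "aws_kms_key" "ecr" {
  description         = "ECR image encryption"
  enable_key_rotation = true
}
```

Per-repo lists replace the module-level default rather than extending it, so any account that should keep access to an overridden repo has to be repeated in that repo's own list, as done for `report-generator`.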
Outputs

- A list of IAM policy actions necessary for ECR read access.
- A map of repository name to its ECR ARN.
- A map of repository name to its URL.
- A list of IAM policy actions necessary for ECR write access.

Use the read and write action lists to build the IAM policies of the roles that pull (for example, ECS task execution roles) and push (CI runners) instead of maintaining the ecr:* action lists by hand.
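The three external-account lists in the inputs end up as a repository policy on each repo. As an added example, not the module's own code, the equivalent grants are written out by hand below with the AWS provider so you can read what each list means in IAM terms, or apply the same shape to a repo the module does not manage. Account IDs, region and the repository resource are placeholders. The Lambda statement follows the pattern AWS documents for cross-account Lambda container images: the pull is made by the Lambda service principal and is scoped with aws:SourceArn to the consuming account's functions. Do not attach this to a repo the module manages, since it would fight the policy the module writes from its lists.

```hcl
# Added example, not the module's code. Placeholders: account IDs, region,
# repository name.
resource "aws_ecr_repository" "example" {
  name                 = "example"
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}

data "aws_iam_policy_document" "cross_account" {
  # Pull: the resource-scoped actions docker pull needs. ecr:GetAuthorizationToken
  # is not resource-scoped and must come from the caller's own identity policy,
  # which must also allow these three actions: both sides have to agree.
  # A :root principal delegates to that account; its IAM policies decide which
  # identities actually get the access.
  statement {
    sid    = "ExternalReadAccess"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:root"]
    }
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
  }

  # Push: pull plus the layer upload and PutImage actions. Deliberately no
  # ecr:SetRepositoryPolicy or ecr:DeleteRepository, so a compromised CI
  # account cannot widen its own grant or destroy the repo.
  statement {
    sid    = "ExternalWriteAccess"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::777788889999:root"]
    }
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage",
    ]
  }

  # Lambda in another account: the image is fetched by the Lambda service
  # principal, not by that account's IAM identities, so it needs its own
  # statement. The aws:SourceArn condition limits it to functions in the
  # consuming account; without it every account's Lambda could use this grant.
  statement {
    sid    = "LambdaCrossAccountPull"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
    condition {
      test     = "StringLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:lambda:us-east-1:444455556666:function:*"]
    }
  }
}

resource "aws_ecr_repository_policy" "cross_account" {
  repository = aws_ecr_repository.example.name
  policy     = data.aws_iam_policy_document.cross_account.json
}
```

When the repository is KMS-encrypted, the key policy has to admit the external accounts too; the repository policy alone does not let them decrypt the layers.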