TBD
<env>/main.tf
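locals {
  # Repositories handed to modules/ecr, one object per repo (name + scan flag).
  # scan_on_push was false for both repos, so nothing pushed here was ever
  # scanned. Basic scan-on-push checks each pushed image for known
  # vulnerabilities at the moment it lands in the registry; it is enabled for
  # every repo built here. To opt a single repo out, give it its own entry.
  ecr_repos = [
    for suffix in ["api", "autors"] : {
      name         = "${local.ci}_${suffix}"
      scan_on_push = true
    }
  ]
}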
modules/ecr/variables.tf
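variable "repos" {
  description = "A list of repository objects with 'name' and 'scan_on_push' attributes."
  type = list(object({
    name         = string
    scan_on_push = bool
  }))

  # Repo names become the for_each keys in ecr.tf, so they must be present
  # and unique. Check that here to fail at plan time with a clear message
  # rather than with a duplicate-key error inside the for expression.
  validation {
    condition     = alltrue([for r in var.repos : length(trimspace(r.name)) > 0])
    error_message = "Every entry in var.repos must have a non-empty name."
  }

  validation {
    condition     = length(distinct([for r in var.repos : r.name])) == length(var.repos)
    error_message = "Repository names in var.repos must be unique."
  }
}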
modules/ecr/ecr.tf
# One ECR repository per entry in var.repos.
# The for_each map is keyed by repo name, so each.key is the name and
# each.value is the full object from the caller.
resource "aws_ecr_repository" "repo" {
  for_each = { for r in var.repos : r.name => r }

  name = each.key

  # MUTABLE lets an existing tag (e.g. "latest") be re-pointed at a new image;
  # IMMUTABLE makes ECR reject a push that reuses a tag. IMMUTABLE is the
  # stronger supply-chain setting, but it breaks any workflow that re-pushes
  # the same tag, so the module keeps MUTABLE.
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    # Whether pushed images are scanned is decided per repo by the caller.
    scan_on_push = each.value.scan_on_push
  }
}
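# Repository policy granting the listed peer accounts access to every repo.
# NOTE(review): this is described as "pull" access, but the Action list also
# contains InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload and
# PutImage, i.e. cross-account *push*. Any principal in those accounts can
# therefore add or overwrite images in these repos (tags are MUTABLE, see
# aws_ecr_repository.repo), which puts those accounts inside the image supply
# chain's trust boundary. Confirm push from them is intended; if only pull is
# needed, drop the four write actions. The account IDs are hard-coded here; a
# module variable would make the trust list reviewable per environment.
resource "aws_ecr_repository_policy" "repo_policy" {
  for_each   = aws_ecr_repository.repo
  repository = each.value.name

  # jsonencode rather than a heredoc: the document is validated as HCL and
  # carries no stray whitespace, and it yields the same policy.
  policy = jsonencode({
    Version = "2008-10-17"
    Statement = [
      {
        Sid    = "Adds full ecr access to the repository and AllowCrossAccountPull"
        Effect = "Allow"
        Principal = {
          AWS = [
            "arn:aws:iam::279642032772:root",
            "arn:aws:iam::726690249727:root",
            "arn:aws:iam::773096172122:root",
          ]
        }
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:CompleteLayerUpload", # write: finishes a layer upload
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetLifecyclePolicy",
          "ecr:InitiateLayerUpload", # write: starts a layer upload
          "ecr:PutImage",            # write: creates/overwrites an image tag
          "ecr:UploadLayerPart",     # write: uploads layer data
        ]
      },
    ]
  })
}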
modules/ecr/variables.tf
variable "tags_common" {
  type        = map(string)
  nullable    = false
  description = "Map of common tags (env, ci, department, program) applied to the ECR repository."
}
variable "create_repo" {
  type        = bool
  nullable    = false
  description = "When true, create the ECR repository and its policy; when false, create nothing."
}
variable "ecr_name" {
  type        = string
  nullable    = false
  description = "Name of the ECR repository to create."
}
modules/ecr/ecr.tf
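# Elastic Container Registry (ecr)
# --------------------------------
# Single ECR repo, created only when var.create_repo is true (the caller
# sets it for the 'test' AWS account).
resource "aws_ecr_repository" "repo" {
  count = var.create_repo ? 1 : 0

  name = var.ecr_name

  # MUTABLE: an existing tag may be re-pointed at a new image. IMMUTABLE would
  # stop tag overwrites (a stronger supply-chain guarantee) but breaks any
  # workflow that re-pushes the same tag, so it is left unchanged here.
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    # Was hard-coded to false, so images in this repo were never scanned.
    # Basic scan-on-push checks each pushed image for known vulnerabilities
    # as it lands in the registry; the module now enables it.
    scan_on_push = true
  }

  tags = var.tags_common
}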
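# Repository policy granting the listed peer accounts access to the repo
# created in the 'test' AWS account.
# NOTE(review): this is described as "pull" access, but the Action list also
# contains InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload and
# PutImage, i.e. cross-account *push*. Any principal in those accounts can
# therefore add or overwrite images in this repo (tags are MUTABLE, see
# aws_ecr_repository.repo), which puts those accounts inside the image supply
# chain's trust boundary. Confirm push from them is intended; if only pull is
# needed, drop the four write actions. The account IDs are hard-coded here; a
# module variable would make the trust list reviewable per environment.
resource "aws_ecr_repository_policy" "repo_policy" {
  count      = var.create_repo ? 1 : 0
  repository = aws_ecr_repository.repo[0].name

  # jsonencode rather than a heredoc: the document is validated as HCL and
  # carries no stray whitespace, and it yields the same policy.
  policy = jsonencode({
    Version = "2008-10-17"
    Statement = [
      {
        Sid    = "adds full ecr access to the repository and AllowCrossAccountPull"
        Effect = "Allow"
        Principal = {
          AWS = [
            "arn:aws:iam::279642032772:root",
            "arn:aws:iam::726690249727:root",
            "arn:aws:iam::773096172122:root",
          ]
        }
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:CompleteLayerUpload", # write: finishes a layer upload
          "ecr:GetDownloadUrlForLayer",
          "ecr:GetLifecyclePolicy",
          "ecr:InitiateLayerUpload", # write: starts a layer upload
          "ecr:PutImage",            # write: creates/overwrites an image tag
          "ecr:UploadLayerPart",     # write: uploads layer data
        ]
      },
    ]
  })
}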