cloudposse / terraform-aws-ecr
Terraform Module to manage Docker Container Registries on AWS ECR
Home Page: https://cloudposse.com/accelerate
License: Apache License 2.0
I am getting this error when I run against the master branch. Currently I am skipping the latest commit and fetching from the second-to-last commit, which worked as expected. I suspect the last commit could have caused the issue.
Error downloading modules: Error loading modules: module alert-engine-ecr: Error parsing .terraform/modules/612474be353f3466b76e6152fc91c0be/main.tf: At 2:42: Unknown token: 2:42 IDENT length
Not bug but enhancement.
Allow for using TF 0.13 which allows for for_each in modules.
[et2448@Davids-Work-MacBook-Pro tf-ecr (⎈ |icp-global-context:dependency-track)]$ terraform13 init
Initializing modules...
Error: Unsupported Terraform Core version
on .terraform/modules/ecr.label/versions.tf line 2, in terraform:
2: required_version = "~> 0.12.0"
Module module.ecr.module.label (from
git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0)
does not support Terraform version 0.13.0-beta2. To proceed, either choose
another supported Terraform version or update this version constraint. Version
constraints are normally set for good reason, so updating the constraint may
lead to other errors or unexpected behavior.
Error: Unsupported Terraform Core version
on .terraform/modules/ecr/terraform-aws-ecr-0.16.0/versions.tf line 2, in terraform:
2: required_version = "~> 0.12.0"
Module module.ecr (from cloudposse/ecr/aws) does not support Terraform version
0.13.0-beta2. To proceed, either choose another supported Terraform version or
update this version constraint. Version constraints are normally set for good
reason, so updating the constraint may lead to other errors or unexpected
behavior.
Based on this PR: https://github.com/cloudposse/terraform-aws-ecr/pull/21/files it seems that the usage docs may need to be updated.
Possibly instead of:
The module works in two distinct modes:
If you provide the existing IAM Role names in the roles attribute, the Roles will be granted permissions to work with the created registry.
If the roles attribute is omitted or is an empty list, a new IAM Role will be created and granted all the required permissions to work with the registry. The Role name will be assigned to the output variable role_name. In addition, an EC2 Instance Profile will be created from the new IAM Role, which might be assigned to EC2 instances granting them permissions to work with the ECR registry.
It could say something like:
The module works in two distinct modes:
If you provide the existing IAM Role names in the principals_full_access or principals_readonly_access attributes, the Roles will be granted permissions to work with the created registry.
If the principals_full_access and principals_readonly_access attributes are omitted or are an empty list no roles will be assigned to the cluster.
Happy to submit a PR, but also not sure if any variables should be required or what else is needed to update the README.
When I update my configuration to use tagged version 0.16.0, from 0.15.0, terraform tries to destroy my repositories and create new ones in their places. It looks like the internal resource naming has changed. Do I need to run terraform state mv for all of my repos? I have a lot of repos.
If the new module is going to change the repositories, I expect them to be modified in place. Destroying them will delete my entire ECS infrastructure.
Steps to reproduce the behavior:
1. Start from source git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.15.0
2. Bump the tag; git diff might output e.g.
module "ecr_dev" {
-  source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.15.0"
+  source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.16.0"
   name   = "my-repo"
3. terraform plan
module.ecr_dev.aws_ecr_repository.default[0] will be destroyed
module.ecr_dev.aws_ecr_repository.name["my-repo"] will be created
terraform 0.12.25 on OS X.
I've used the default assumerole role name
OrganizationAccountAccessRole
data "aws_iam_role" "ecr" {
  name = "OrganizationAccountAccessRole"
}
and got the following error planning with TF 0.11
Error: Error running plan: 1 error(s) occurred:
* module.ecr.output.role_name: Resource 'aws_iam_role.default' not found for variable 'aws_iam_role.default.name'
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
versions.tf
hashicorp/terraform >= 0.13.0
aws >= 3.30.0
When upgrading to 4.0.0, the aws_iam_policy_document attribute source_json should be replaced with source_policy_documents:
│ with module.ecr.data.aws_iam_policy_document.resource,
│ on .terraform/modules/ecr/main.tf line 138, in data "aws_iam_policy_document" "resource":
│ 138: source_json = local.principals_readonly_access_non_empty ? join("", [data.aws_iam_policy_document.resource_readonly_access[0].json]) : join("", [data.aws_iam_policy_document.empty[0].json])
│
│ Use the attribute "source_policy_documents" instead.
│
│ (and one more similar warning elsewhere)
No deprecation warning
Steps to reproduce the behavior:
cloudposse/terraform-aws-ecr/examples/complete
terraform plan -var 'region=us-east-1'
versions.tf requires aws = ">= 2.34"
But encryption_configuration in main.tf was introduced with aws provider version 3.1.0
terraform version: 0.11.8
terraform-aws-ecr: 0.2.10 (master)
expected result:
a new ECR called cloud/databank_fe with default roles provided by the module (no roles are provided)
This ECR is created on another newly created account, the script is executed from the master account and TF will use a provider with assume role.
terraform main.tf
provider "aws" {
  version = "~> 1.29"
  region  = "eu-west-1"
}

terraform {
  backend "s3" {
    bucket         = "my-bucket"
    key            = "devops-aws/repo/terraform.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "terraform-lock-table"
  }
}

# read root state to retrieve account_repo.id
data "terraform_remote_state" "root" {
  backend = "s3"
  config {
    bucket  = "my-bucket"
    key     = "devops-aws/root/terraform.tfstate"
    region  = "eu-west-1"
    encrypt = true
  }
}

provider "aws" {
  alias = "assume_repo_admin"
  assume_role {
    role_arn     = "arn:aws:iam::${data.terraform_remote_state.root.account_repo_id}:role/OrganizationAccountAccessRole"
    session_name = "setup_account_repo"
  }
}

# create ECR repositories
module "ecr" {
  providers = {
    aws = "aws.assume_repo_admin"
  }
  source    = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=master"
  name      = "cloud/databank_fe"
  namespace = "repo"
  stage     = "travis"
}
actual result:
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.terraform_remote_state.root: Refreshing state...
data.aws_iam_policy_document.login: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...
------------------------------------------------------------------------
Error: Error running plan: 11 error(s) occurred:
* module.ecr.output.policy_write_name: Resource 'aws_iam_policy.write' not found for variable 'aws_iam_policy.write.name'
* module.ecr.output.role_arn: Resource 'aws_iam_role.default' does not have attribute 'arn' for variable 'aws_iam_role.default.*.arn'
* module.ecr.output.role_name: Resource 'aws_iam_role.default' does not have attribute 'name' for variable 'aws_iam_role.default.*.name'
* module.ecr.aws_iam_instance_profile.default: 1 error(s) occurred:
* module.ecr.aws_iam_instance_profile.default: Resource 'aws_iam_role.default' not found for variable 'aws_iam_role.default.name'
* module.ecr.output.policy_write_arn: Resource 'aws_iam_policy.write' not found for variable 'aws_iam_policy.write.arn'
* module.ecr.aws_iam_role_policy_attachment.default_ecr: 1 error(s) occurred:
* module.ecr.aws_iam_role_policy_attachment.default_ecr: Resource 'aws_iam_role.default' not found for variable 'aws_iam_role.default.name'
* module.ecr.output.policy_login_name: Resource 'aws_iam_policy.login' not found for variable 'aws_iam_policy.login.name'
* module.ecr.output.policy_read_arn: Resource 'aws_iam_policy.read' not found for variable 'aws_iam_policy.read.arn'
* module.ecr.output.policy_read_name: Resource 'aws_iam_policy.read' not found for variable 'aws_iam_policy.read.name'
* module.ecr.output.policy_login_arn: Resource 'aws_iam_policy.login' not found for variable 'aws_iam_policy.login.arn'
* module.ecr.data.aws_iam_policy_document.default_ecr: 1 error(s) occurred:
* module.ecr.data.aws_iam_policy_document.default_ecr: Resource 'aws_iam_role.default' not found for variable 'aws_iam_role.default.arn'
The problem also seems to occur if I try to create it on the same account.
Public ECR support is dropping later today (possibly), would be a nice addition to the module (I think) hashicorp/terraform-provider-aws#16540
Allow for other principals other than AWS for access control.
Allow Service or other values in principals_readonly_access.
For letting services like lambda pull from the repository.
To specify the type of principals when the value is not AWS, you could also specify the whole access policy.
Using other modules.
Unless I missed it, the current rule available for image expiry is based on the max number of images for a repo (max_image_count).
Adding the possibility to use the countType "sinceImagePushed" would obviously extend the capabilities of this module.
Have the ability to choose between a lifecycle based on either the total number of images or the number of days since their last push.
If both options are set, obviously this should not be allowed.
For the moment I manage the policies outside the module, directly with the resource aws_ecr_lifecycle_policy, which iterates over the list of images on which I want to apply it.
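The count-or-age lifecycle rule requested above, written as an added stand-alone example rather than module code: it takes either max_image_count or max_image_age_days (both variable names are assumptions), builds the matching ECR selection, and refuses a configuration that sets both or neither via a resource precondition (Terraform 1.2+).

```hcl
# Added example (not the module's code): one lifecycle policy per repository that
# expires images either by count (imageCountMoreThan) or by age (sinceImagePushed).
# Variable names and the repository list are assumptions for this illustration.
variable "image_names" {
  type    = list(string)
  default = ["app", "worker"] # constructed sample repositories
}

variable "max_image_count" {
  type    = number
  default = null # e.g. 100 keeps only the 100 most recent images
}

variable "max_image_age_days" {
  type    = number
  default = null # e.g. 30 expires images not pushed for 30 days
}

locals {
  by_count = var.max_image_count != null

  # Build the rule's selection block, dropping attributes that do not apply:
  # countUnit is only valid (and required) for sinceImagePushed.
  selection = { for k, v in {
    tagStatus   = "any"
    countType   = local.by_count ? "imageCountMoreThan" : "sinceImagePushed"
    countUnit   = local.by_count ? null : "days"
    countNumber = local.by_count ? var.max_image_count : var.max_image_age_days
  } : k => v if v != null }
}

resource "aws_ecr_lifecycle_policy" "this" {
  for_each   = toset(var.image_names)
  repository = each.key

  policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = local.by_count ? "Keep only the newest images" : "Expire images not pushed recently"
      selection    = local.selection
      action       = { type = "expire" }
    }]
  })

  lifecycle {
    # Exactly one of the two limits must be set; both (or neither) is rejected at plan time.
    precondition {
      condition     = (var.max_image_count == null) != (var.max_image_age_days == null)
      error_message = "Set exactly one of max_image_count or max_image_age_days."
    }
  }
}
```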
Using the provided example in multi-repo, the repositories that are created are simply just redis or nginx, and they are not namespaced at all like the documentation states (something like eg/redis or eg/nginx).
From the README
If you provide 1 or more names in image_names then one repository will be created for each of the names you provide. Those names can include "namespaces", which are just prefixes ending with a slash (/).
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "nginx"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Name" = "eg-dev-app"
+ "Namespace" = "eg"
+ "Stage" = "dev"
}
+ tags_all = {
+ "Name" = "eg-dev-app"
+ "Namespace" = "eg"
+ "Stage" = "dev"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "eg/nginx"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Name" = "eg-dev-app"
+ "Namespace" = "eg"
+ "Stage" = "dev"
}
+ tags_all = {
+ "Name" = "eg-dev-app"
+ "Namespace" = "eg"
+ "Stage" = "dev"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}
For certain users, AWS is not allowing restricting the ECR read for a specific resource. The policy can be updated to all [*] resources only.
data "aws_iam_policy_document" "token" {
  statement {
    sid       = "ECRGetAuthorizationToken"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"] // it's working
    // resources = ["${aws_ecr_repository.default.arn}"] --> not working
  }
}
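The behaviour above is by design: ecr:GetAuthorizationToken is a registry-level action with no resource-level permissions, so its statement must use "*". The least-privilege shape is to isolate that one statement and keep every repository-level action pinned to the repository ARN. Added example, not module code; the repository and policy names are assumptions.

```hcl
# Added example (not the module's code): an identity policy for a pull-only
# principal. ecr:GetAuthorizationToken does not accept a repository ARN, so it
# gets its own "*" statement; the pull actions stay scoped to one repository.
resource "aws_ecr_repository" "default" {
  name                 = "eg/app" # constructed sample repository
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

data "aws_iam_policy_document" "pull" {
  # Registry-level action: only "*" works here, as observed in the issue.
  statement {
    sid       = "ECRGetAuthorizationToken"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Repository-level actions: these do accept the repository ARN, so keep them scoped
  # instead of widening the whole policy to "*".
  statement {
    sid    = "ECRPullFromRepository"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
    resources = [aws_ecr_repository.default.arn]
  }
}

resource "aws_iam_policy" "pull" {
  name   = "eg-app-ecr-pull" # constructed sample name
  policy = data.aws_iam_policy_document.pull.json
}
```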
Though I think this is by design rather than a bug, it should be discussed.
Slashes are removed from the name variable even when use_fullname is true.
Characters valid for the service should be valid for the module. Whilst regex_replace_chars does a good job of keeping the most valid characters, another regex var is required for when name is used alongside use_fullname=true. We should be overriding regex_replace_chars as it has a wider impact than just the name variable.
Maybe even take this a step further and use the namespace before adding a slash when use_fullname=false?
Apply the module with a name that contains a / and use_fullname=true; the slash will not be in the name of the ECR repository.
In scenarios where there are many AWS accounts in the AWS Org, it is often more practical to allow the whole org to pull images than dozens of individual accounts.
From each AWS account, users and services can execute non-modifying actions, e.g. pulling images, listing images, etc.
A pseudo-policy:
{
  "Sid": "AllowOrgPull",
  "Effect": "Allow",
  "Principal": "*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalOrgID": ${jsonencode(data.aws_organizations_organization.current.id)}
    }
  },
  "Action": [
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
    "ecr:CreateRepository",
    "ecr:DescribeImages",
    "ecr:DescribeImageScanFindings",
    "ecr:DescribeRepositories",
    "ecr:GetAuthorizationToken",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetLifecyclePolicy",
    "ecr:GetLifecyclePolicyPreview",
    "ecr:GetRepositoryPolicy",
    "ecr:ListImages",
    "ecr:ListTagsForResource"
  ]
},
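The org-wide pull grant as a working repository policy, added here as an example rather than module code. Principal "*" is acceptable only because the aws:PrincipalOrgID condition confines it to the organization, and the action list is held to read-only pulls; the variable and resource names are assumptions.

```hcl
# Added example (not the module's code): let every principal in the AWS
# Organization pull from a set of repositories without enumerating accounts.
variable "repository_names" {
  type    = list(string)
  default = ["eg/app", "eg/worker"] # constructed sample repositories
}

# Works from a member account as well as the management account.
data "aws_organizations_organization" "current" {}

data "aws_iam_policy_document" "org_pull" {
  statement {
    sid    = "AllowOrgPull"
    effect = "Allow"

    # "*" on its own would be public; the condition below narrows it to the org.
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    # Read-only actions only: no push, no repository or policy changes.
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:DescribeImages",
      "ecr:DescribeRepositories",
      "ecr:GetDownloadUrlForLayer",
      "ecr:ListImages",
    ]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [data.aws_organizations_organization.current.id]
    }
  }
}

# One repository policy per repository; repository policies are keyed by name.
resource "aws_ecr_repository_policy" "org_pull" {
  for_each   = toset(var.repository_names)
  repository = each.key
  policy     = data.aws_iam_policy_document.org_pull.json
}
```

Callers still need ecr:GetAuthorizationToken in their own account's identity policy; a repository policy cannot grant that registry-level action.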
As of terraform aws provider 2.34.0 the ECR image repository now has an additional setting to enable image scanning for CVE vulnerabilities.
https://www.terraform.io/docs/providers/aws/r/ecr_repository.html
Resource: aws_ecr_repository
image_tag_mutability - (Optional) The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE.
Appreciate all your efforts
Using the provided example in multi-repo, the repositories that are created are simply just app or worker, and they are not namespaced at all like the documentation states (something like my-app/app or my-app/worker).
If you provide 1 or more names in image_names then one repository will be created for each of the names you provide. Those names can include "namespaces", which are just prefixes ending with a slash (/).
If you do not provide any names in image_names, the module will create a single ECR repo named namespace-stage-name or just name depending on the value of use_fullname.
module "ecr" {
  source       = "cloudposse/ecr/aws"
  namespace    = "my-app"
  environment  = "ca"
  stage        = "prod"
  use_fullname = true
  image_names  = ["worker", "app"]
}
# module.ecr.aws_ecr_repository.name["app"] will be created
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "app"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ tags_all = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}
# module.ecr.aws_ecr_repository.name["circleci-with-prince"] will be created
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "worker"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ tags_all = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}
# module.ecr.aws_ecr_repository.name["app"] will be created
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "my-app/app" <-- Name with namespace or full `ns-env-stage/name`
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ tags_all = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}
# module.ecr.aws_ecr_repository.name["circleci-with-prince"] will be created
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "my-app/worker" <-- Name with namespace or full `ns-env-stage/name`
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ tags_all = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}
╷
│ Error: Invalid for_each argument
│
│ on ecr/modules/ecr/main.tf line 310, in resource "aws_ecr_repository_policy" "name":
│ 310: for_each = toset(local.ecr_need_policy && module.this.enabled ? local.image_names : [])
│ ├────────────────
│ │ local.ecr_need_policy is a bool, known only after apply
│ │ local.image_names is list of string with 2 elements
│ │ module.this.enabled is true
│
│ The "for_each" set includes values derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to use a map value where the keys are defined statically in your configuration and where only the values contain apply-time results.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.
╵
no issues
fresh deployment using ecr, using
module "ecr" {
  source  = "cloudposse/ecr/aws"
  version = "0.40.0"
}
Hello, I wanted to import multiple ECR repositories into one ECR module. I was able to import only first repository. The rest of them gave me output errors like below:
First import:
terraform import 'module.ecs.module.ecr.aws_ecr_repository.name["YYYYYYYYYY"]' YYYYYYYYYY
module.ecs.module.ecr.aws_ecr_repository.name["YYYYYYYYYY"]: Importing from ID "YYYYYYYYYY"...
module.ecs.module.ecr.aws_ecr_repository.name["YYYYYYYYYY"]: Import prepared!
Prepared aws_ecr_repository for import
module.ecs.module.ecr.aws_ecr_repository.name["YYYYYYYYYY"]: Refreshing state... [id=YYYYYYYYYY]
Import successful!
second import:
terraform import 'module.ecs.module.ecr.aws_ecr_repository.name["XXXXXXXXXXX"]' XXXXXXXXXXX
module.ecs.module.ecr.aws_ecr_repository.name["XXXXXXXXXXX"]: Importing from ID "XXXXXXXXXXX"...
module.ecs.module.ecr.aws_ecr_repository.name["XXXXXXXXXXX"]: Import prepared!
Prepared aws_ecr_repository for import
module.ecs.module.ecr.aws_ecr_repository.name["XXXXXXXXXXX"]: Refreshing state... [id=XXXXXXXXXXX]
Error: Invalid index
on .terraform/modules/ecs.ecr/outputs.tf line 2, in output "registry_id":
2: value = module.this.enabled ? aws_ecr_repository.name[local.image_names[0]].registry_id : ""
|----------------
| aws_ecr_repository.name is object with 1 attribute "YYYYYYYYYY"
| local.image_names[0] is "XXXXXXXXXXX"
The given key does not identify an element in this collection value.
Error: Invalid index
on .terraform/modules/ecs.ecr/outputs.tf line 7, in output "repository_name":
7: value = module.this.enabled ? aws_ecr_repository.name[local.image_names[0]].name : ""
|----------------
| aws_ecr_repository.name is object with 1 attribute "YYYYYYYYYY"
| local.image_names[0] is "XXXXXXXXXXX"
The given key does not identify an element in this collection value.
Error: Invalid index
on .terraform/modules/ecs.ecr/outputs.tf line 12, in output "repository_url":
12: value = module.this.enabled ? aws_ecr_repository.name[local.image_names[0]].repository_url : ""
|----------------
| aws_ecr_repository.name is object with 1 attribute "YYYYYYYYYY"
| local.image_names[0] is "XXXXXXXXXXX"
The given key does not identify an element in this collection value.
Error: Invalid index
on .terraform/modules/ecs.ecr/outputs.tf line 17, in output "repository_arn":
17: value = module.this.enabled ? aws_ecr_repository.name[local.image_names[0]].arn : ""
|----------------
| aws_ecr_repository.name is object with 1 attribute "YYYYYYYYYY"
| local.image_names[0] is "XXXXXXXXXXX"
The given key does not identify an element in this collection value.
All imports are working without issue.
Steps to reproduce the behavior:
image_names
This is our code for ecr module
module "ecr" {
  source               = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.32.2"
  enabled              = var.enabled && var.ecr_enabled
  name                 = var.name
  namespace            = var.namespace
  stage                = var.stage
  tags                 = module.label.tags
  protected_tags       = var.ecr_protected_tag_prefixes
  max_image_count      = var.ecr_max_image_count
  image_tag_mutability = var.ecr_image_tag_mutability
  image_names          = ["XXXXXXXXXXX", "YYYYYYYYYY"]
}
Using v0.12.0 of this module, is there support for namespaced repositories? I can manually create a repository in ECR as mycompany/niftyimage, but it looks like the null-label module munges namespace together with name into mycompany-niftyimage. Putting the namespace into the name attribute (name = mycompany/niftyimage) together with use_fullname = false gives a computed name of mycompanyniftyimage.
I don't see a way to get a Docker-standard repository/namespace/image structure using the module at the moment. Any thoughts?
Thanks for the work on this module!
Apologies in advance for this possibly naive question, but...
We have existing code that wants to push to an azure container registry via basic auth username / password. To use ecr, looking to replicate the same thing here.
The $ aws ecr get-login command returns -u AWS and -p {STS_TOKEN_REALLY_LONG_STRING_HERE}.
Is it possible to fetch this information via the outputs of this terraform module? If not, what is the recommended approach to that? (getting the STS token)
I invoke the module as follows:
module "ecr" {
  #source = "git::git@github.com:cloudposse/terraform-aws-ecr?ref=tags/0.15.0"
  #source = "git::git@github.com:carnegierobotics/terraform-aws-ecr?ref=fix/policy"
  source                 = "/home/jhosteny/src/github/crl/terraform-aws-ecr"
  name                   = var.name
  namespace              = var.namespace
  stage                  = var.stage
  tags                   = var.tags
  attributes             = var.attributes
  delimiter              = var.delimiter
  image_names            = var.image_names
  principals_full_access = [var.sidecred_ecr_writer_role_arn]
}
This produces the following plan:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.ecr.aws_ecr_repository_policy.default[0] will be created
+ resource "aws_ecr_repository_policy" "default" {
+ id = (known after apply)
+ policy = "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:UploadLayerPart\",\n \"ecr:StartImageScan\",\n \"ecr:SetRepositoryPolicy\",\n \"ecr:PutImage\",\n \"ecr:ListImages\",\n \"ecr:InitiateLayerUpload\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:DescribeRepositories\",\n \"ecr:DescribeImages\",\n \"ecr:DescribeImageScanFindings\",\n \"ecr:DeleteRepositoryPolicy\",\n \"ecr:DeleteRepository\",\n \"ecr:CompleteLayerUpload\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchDeleteImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer\"\n }\n }\n ]\n}{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:UploadLayerPart\",\n \"ecr:StartImageScan\",\n \"ecr:SetRepositoryPolicy\",\n \"ecr:PutImage\",\n \"ecr:ListImages\",\n \"ecr:InitiateLayerUpload\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:DescribeRepositories\",\n \"ecr:DescribeImages\",\n \"ecr:DescribeImageScanFindings\",\n \"ecr:DeleteRepositoryPolicy\",\n \"ecr:DeleteRepository\",\n \"ecr:CompleteLayerUpload\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchDeleteImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer\"\n }\n }\n ]\n}"
+ registry_id = (known after apply)
+ repository = "knightbase-ubuntu18"
}
# module.ecr.aws_ecr_repository_policy.default[1] will be created
+ resource "aws_ecr_repository_policy" "default" {
+ id = (known after apply)
+ policy = "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:UploadLayerPart\",\n \"ecr:StartImageScan\",\n \"ecr:SetRepositoryPolicy\",\n \"ecr:PutImage\",\n \"ecr:ListImages\",\n \"ecr:InitiateLayerUpload\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:DescribeRepositories\",\n \"ecr:DescribeImages\",\n \"ecr:DescribeImageScanFindings\",\n \"ecr:DeleteRepositoryPolicy\",\n \"ecr:DeleteRepository\",\n \"ecr:CompleteLayerUpload\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchDeleteImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer\"\n }\n }\n ]\n}{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:UploadLayerPart\",\n \"ecr:StartImageScan\",\n \"ecr:SetRepositoryPolicy\",\n \"ecr:PutImage\",\n \"ecr:ListImages\",\n \"ecr:InitiateLayerUpload\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:DescribeRepositories\",\n \"ecr:DescribeImages\",\n \"ecr:DescribeImageScanFindings\",\n \"ecr:DeleteRepositoryPolicy\",\n \"ecr:DeleteRepository\",\n \"ecr:CompleteLayerUpload\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchDeleteImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer\"\n }\n }\n ]\n}"
+ registry_id = (known after apply)
+ repository = "test"
}
Plan: 2 to add, 0 to change, 0 to destroy.
For clarity, here is what the proposed document for one of the repositories looks like when pretty printed:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullAccess",
"Effect": "Allow",
"Action": [
"ecr:UploadLayerPart",
"ecr:StartImageScan",
"ecr:SetRepositoryPolicy",
"ecr:PutImage",
"ecr:ListImages",
"ecr:InitiateLayerUpload",
"ecr:GetRepositoryPolicy",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken",
"ecr:DescribeRepositories",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:CompleteLayerUpload",
"ecr:BatchGetImage",
"ecr:BatchDeleteImage",
"ecr:BatchCheckLayerAvailability"
],
"Principal": {
"AWS": "arn:aws:iam::919264070010:role/tai-prod-sidecred-core"
}
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullAccess",
"Effect": "Allow",
"Action": [
"ecr:UploadLayerPart",
"ecr:StartImageScan",
"ecr:SetRepositoryPolicy",
"ecr:PutImage",
"ecr:ListImages",
"ecr:InitiateLayerUpload",
"ecr:GetRepositoryPolicy",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken",
"ecr:DescribeRepositories",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:CompleteLayerUpload",
"ecr:BatchGetImage",
"ecr:BatchDeleteImage",
"ecr:BatchCheckLayerAvailability"
],
"Principal": {
"AWS": "arn:aws:iam::919264070010:role/tai-prod-sidecred-core"
}
}
]
}
You can see that the document is concatenated twice. This is due to this join. I will have a PR shortly.
The plan should have been:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.ecr.aws_ecr_repository_policy.default[0] will be created
+ resource "aws_ecr_repository_policy" "default" {
+ id = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "ecr:UploadLayerPart",
+ "ecr:StartImageScan",
+ "ecr:SetRepositoryPolicy",
+ "ecr:PutImage",
+ "ecr:ListImages",
+ "ecr:InitiateLayerUpload",
+ "ecr:GetRepositoryPolicy",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetAuthorizationToken",
+ "ecr:DescribeRepositories",
+ "ecr:DescribeImages",
+ "ecr:DescribeImageScanFindings",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:CompleteLayerUpload",
+ "ecr:BatchGetImage",
+ "ecr:BatchDeleteImage",
+ "ecr:BatchCheckLayerAvailability",
]
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer"
}
+ Sid = "FullAccess"
},
]
+ Version = "2012-10-17"
}
)
+ registry_id = (known after apply)
+ repository = "knightbase-ubuntu18"
}
# module.ecr.aws_ecr_repository_policy.default[1] will be created
+ resource "aws_ecr_repository_policy" "default" {
+ id = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "ecr:UploadLayerPart",
+ "ecr:StartImageScan",
+ "ecr:SetRepositoryPolicy",
+ "ecr:PutImage",
+ "ecr:ListImages",
+ "ecr:InitiateLayerUpload",
+ "ecr:GetRepositoryPolicy",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetAuthorizationToken",
+ "ecr:DescribeRepositories",
+ "ecr:DescribeImages",
+ "ecr:DescribeImageScanFindings",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:CompleteLayerUpload",
+ "ecr:BatchGetImage",
+ "ecr:BatchDeleteImage",
+ "ecr:BatchCheckLayerAvailability",
]
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer"
}
+ Sid = "FullAccess"
},
]
+ Version = "2012-10-17"
}
)
+ registry_id = (known after apply)
+ repository = "test"
}
Plan: 2 to add, 0 to change, 0 to destroy.
Steps to reproduce the behavior:
Create an ECR module with multiple images and a principal.
With version 3.70 of the Terraform AWS provider it is now possible to make use of scan_types to enable enhanced scanning.
Currently there is no such feature implemented in the code.
Enhanced scanning—
Amazon ECR integrates with Amazon Inspector to provide automated, continuous scanning of your repositories. Your container images are scanned for both operating system and programming language package vulnerabilities. As new vulnerabilities appear, the scan results are updated and Amazon Inspector emits an event to EventBridge to notify you.
Being able to set options on what scanning type is/will be used for ECR images. As per:
Added value will come from being in line with what the Terraform provider is able to, well, provide. Allowing users of the module to make use of new capabilities provided by Terraform and AWS.
Using the scan_type flag in the terraform module to set this to ENHANCED instead of perhaps a default BASIC. This way the images will be continually scanned, which leads to a better security posture overall.
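How the provider exposes this today, as an added example that is not part of the module: enhanced scanning is configured once per registry (account and region) with aws_ecr_registry_scanning_configuration, and its rules decide which repositories are scanned and how often. The repository filter is a constructed sample.

```hcl
# Added example (not the module's code): switch the registry from BASIC to
# ENHANCED (Amazon Inspector) scanning. This is an account/region-wide setting,
# so there is exactly one of these resources per registry.
resource "aws_ecr_registry_scanning_configuration" "this" {
  scan_type = "ENHANCED" # BASIC is the default; ENHANCED enables Inspector

  # CONTINUOUS_SCAN rescans stored images as new CVEs are published, which is
  # what gives the ongoing visibility the issue asks for. SCAN_ON_PUSH and
  # MANUAL are the other frequencies.
  rule {
    scan_frequency = "CONTINUOUS_SCAN"

    repository_filter {
      filter      = "*" # constructed sample: every repository in the registry
      filter_type = "WILDCARD"
    }
  }
}
```

With ENHANCED in effect, the per-repository image_scanning_configuration { scan_on_push } setting that the module manages no longer decides anything; the registry rules above do.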
If the data source resource_full_access is truly for full access, then https://github.com/cloudposse/terraform-aws-ecr/blob/master/main.tf#L116 is missing the following permissions:
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
Have those permissions above
There are a few ways we can solve this and my preference is the first.
- add those permissions to the resource_full_access document
- give resource_full_access all the ecr perms using ecr:*
Is it good to have multi-region ECR creation and replication so that the same can be used for a DR strategy?
Multi Region with replication support
If a team wants to set up full DR it would be nice to have the ECR replication feature, which will automatically push new ECR changes to DR or other regions, and can be used by local resources to reduce data transfer as well.
Create an input variable for Principal ARNs to provide power user access to ECR.
Principal ARNs will be provided with actions that match the policy AmazonEC2ContainerRegistryPowerUser which provides full access to Amazon EC2 Container Registry repositories, but does not allow repository deletion or policy changes.
A centrally managed environment where Principal ARNs are allowed to update images in ECR repos but not alter policies or delete repos. This will add a guardrail to prevent unintentional/intentional deletion of repos containing nonrecoverable container images.
Grant the ability create custom policies to attach to either current Principal ARN input.
Currently the CrossAccountPermission permission is also being added to the ECR policy when the principle_lambda variable is added, which will allow members from other accounts to use the image apart from lambda as well. It is also working without adding that CrossAccountPermission.
{
  "Sid": "WriteOnlyAccess",
  "Effect": "Allow",
  "Principal": {
    "AWS": "priniciple_arn"
  },
  "Action": [
    "ecr:BatchCheckLayerAvailability",
    "ecr:CompleteLayerUpload",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart"
  ]
}
Specifying Encryption type "KMS" with a custom KMS key specifies a destroy/create of all defined registries for each new Terraform plan
No changes should be identified. Works as expected when not configuring a custom KMS key.
Steps to reproduce the behavior:
See above