cloudposse / terraform-aws-ecr Goto Github PK
View Code? Open in Web Editor NEWTerraform Module to manage Docker Container Registries on AWS ECR
Home Page: https://cloudposse.com/accelerate
License: Apache License 2.0
terraform-aws-ecr's Issues
Getting error from downloading module when running terraform init
I am getting this error when I run against the master branch. Currently I am skipping the latest commit and fetch from the second to last commit, it worked as expected. I am suspecting the last commit could have caused the issue
Error downloading modules: Error loading modules: module alert-engine-ecr: Error parsing .terraform/modules/612474be353f3466b76e6152fc91c0be/main.tf: At 2:42: Unknown token: 2:42 IDENT length
Make it TF 0.13 compatible
Describe the Bug
Not bug but enhancement.
Allow for using TF 0.13 which allows for for_each in modules.
Expected Behavior
A clear and concise description of what you expected to happen.
Steps to Reproduce
[et2448@Davids-Work-MacBook-Pro tf-ecr (⎈ |icp-global-context:dependency-track)]$ terraform13 init
Initializing modules...
Error: Unsupported Terraform Core version
on .terraform/modules/ecr.label/versions.tf line 2, in terraform:
2: required_version = "~> 0.12.0"
Module module.ecr.module.label (from
git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0)
does not support Terraform version 0.13.0-beta2. To proceed, either choose
another supported Terraform version or update this version constraint. Version
constraints are normally set for good reason, so updating the constraint may
lead to other errors or unexpected behavior.
Error: Unsupported Terraform Core version
on .terraform/modules/ecr/terraform-aws-ecr-0.16.0/versions.tf line 2, in terraform:
2: required_version = "~> 0.12.0"
Module module.ecr (from cloudposse/ecr/aws) does not support Terraform version
0.13.0-beta2. To proceed, either choose another supported Terraform version or
update this version constraint. Version constraints are normally set for good
reason, so updating the constraint may lead to other errors or unexpected
behavior.
Screenshots
If applicable, add screenshots or logs to help explain your problem.
Environment (please complete the following information):
Anything that will help us triage the bug will help. Here are some ideas:
- OS: [e.g. Linux, OSX, WSL, etc]
- Version [e.g. 10.15]
Additional Context
Add any other context about the problem here.
It looks like the README mentions a role functionality that is no longer available.
Based on this PR: https://github.com/cloudposse/terraform-aws-ecr/pull/21/files it seems that the usage docs may need to be updated.
Possibly instead of:
The module works in two distinct modes:
If you provide the existing IAM Role names in the roles attribute, the Roles will be granted permissions to work with the created registry.
If the roles attribute is omitted or is an empty list, a new IAM Role will be created and granted all the required permissions to work with the registry. The Role name will be assigned to the output variable role_name. In addition, an EC2 Instance Profile will be created from the new IAM Role, which might be assigned to EC2 instances granting them permissions to work with the ECR registry.
It could say something like:
The module works in two distinct modes:
If you provide the existing IAM Role names in the principals_full_access or principals_readonly_access attributes, the Roles will be granted permissions to work with the created registry.
If the principals_full_access and principals_readonly_access attributes are omitted or are an empty list no roles will be assigned to the cluster.
Happy to submit a PR, but also not sure if any variables should be required or what else is needed to update the README.
0.15 -> 0.16 transition wants to destroy and recreate all repos
Describe the Bug
When I update my configuration to use tagged version 0.16.0, from 0.15.0, terraform tries to destroy my repositories and create new ones in their places. It looks like the internal resource naming has changed. Do I need to run terraform state mv for all of my repos? I have a lot of repos.
Expected Behavior
If the new module is going to change the repositories, I expect them to be modified in place. Destroying them will delete my entire ECS infrastructure.
Steps to Reproduce
Steps to reproduce the behavior:
- Create a repository using Terraform and module source
git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.15.0 - Modify the configuration to use version 0.16.0 (or any later version up to 0.20.0), so
git diffmight output e.g.
module "ecr_dev" {
- source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.15.0"
+ source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.16.0"
name = "my-repo"
- Run
terraform plan
Screenshots
If applicable, add screenshots or logs to help explain your problem.
module.ecr_dev.aws_ecr_repository.default[0] will be destroyed
module.ecr_dev.aws_ecr_repository.name["my-repo"] will be created
Environment (please complete the following information):
Anything that will help us triage the bug will help. Here are some ideas:
terraform 0.12.25 on OS X.
'aws_iam_role.default' not found
I've used the default assumerole role name
OrganizationAccountAccessRole
data "aws_iam_role" "ecr" {
name = "OrganizationAccountAccessRole"
}
and got the following error planning with TF 0.11
Error: Error running plan: 1 error(s) occurred:
* module.ecr.output.role_name: Resource 'aws_iam_role.default' not found for variable 'aws_iam_role.default.name'
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
Detected dependencies
terraform
versions.tf
hashicorp/terraform >= 0.13.0aws >= 3.30.0
- Check this box to trigger a request for Renovate to run again on this repository
4.0.0 deprecated warning
Found a bug? Maybe our Slack Community can help.
Describe the Bug
When upgrading to 4.0.0, aws_iam_policy_document source_json should be replaced with source_policy_documents
│ with module.ecr.data.aws_iam_policy_document.resource,
│ on .terraform/modules/ecr/main.tf line 138, in data "aws_iam_policy_document" "resource":
│ 138: source_json = local.principals_readonly_access_non_empty ? join("", [data.aws_iam_policy_document.resource_readonly_access[0].json]) : join("", [data.aws_iam_policy_document.empty[0].json])
│
│ Use the attribute "source_policy_documents" instead.
│
│ (and one more similar warning elsewhere)
Expected Behavior
No deprecation warning
Steps to Reproduce
Steps to reproduce the behavior:
- Go to
cloudposse/terraform-aws-ecr/examples/complete - Run
terraform plan -var 'region=us-east-1'
3. Enter '....' - See
errordeprecation warning
Screenshots
If applicable, add screenshots or logs to help explain your problem.
Environment (please complete the following information):
Anything that will help us triage the bug will help. Here are some ideas:
- OS: [e.g. Linux, OSX, WSL, etc]
- Version [e.g. 10.15]
Additional Context
Add any other context about the problem here.
Module requires aws provider version 3.1.0
versions.tf requires aws = ">= 2.34"
But encryption_configuration in main.tf was introduced with aws provider version 3.1.0
module doesn't seem to work on fresh account
terraform version: 0.11.8
terraform-aws-ecr: 0.2.10 (master)
expected result:
a new ECR called cloud/databank_fe with default roles provided by the module (no roles are provided)
This ECR is created on another newly created account, the script is executed from the master account and TF will use a provider with assume role.
terraform main.tf
provider "aws" {
version = "~> 1.29"
region = "eu-west-1"
}
terraform {
backend "s3" {
bucket = "my-bucket"
key = "devops-aws/repo/terraform.tfstate"
region = "eu-west-1"
encrypt = true
dynamodb_table = "terraform-lock-table"
}
}
# read root state to retrieve account_repo.id
data "terraform_remote_state" "root" {
backend = "s3"
config {
bucket = "my-bucket"
key = "devops-aws/root/terraform.tfstate"
region = "eu-west-1"
encrypt = true
}
}
provider "aws" {
alias = "assume_repo_admin"
assume_role {
role_arn = "arn:aws:iam::${data.terraform_remote_state.root.account_repo_id}:role/OrganizationAccountAccessRole"
session_name = "setup_account_repo"
}
}
# create ECR repositories
module "ecr" {
providers = {
aws = "aws.assume_repo_admin"
}
source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=master"
name = "cloud/databank_fe"
namespace = "repo"
stage = "travis"
}
actual result:
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.terraform_remote_state.root: Refreshing state...
data.aws_iam_policy_document.login: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...
------------------------------------------------------------------------
Error: Error running plan: 11 error(s) occurred:
* module.ecr.output.policy_write_name: Resource 'aws_iam_policy.write' not found for variable 'aws_iam_policy.write.name'
* module.ecr.output.role_arn: Resource 'aws_iam_role.default' does not have attribute 'arn' for variable 'aws_iam_role.default.*.arn'
* module.ecr.output.role_name: Resource 'aws_iam_role.default' does not have attribute 'name' for variable 'aws_iam_role.default.*.name'
* module.ecr.aws_iam_instance_profile.default: 1 error(s) occurred:
* module.ecr.aws_iam_instance_profile.default: Resource 'aws_iam_role.default' not found for variable 'aws_iam_role.default.name'
* module.ecr.output.policy_write_arn: Resource 'aws_iam_policy.write' not found for variable 'aws_iam_policy.write.arn'
* module.ecr.aws_iam_role_policy_attachment.default_ecr: 1 error(s) occurred:
* module.ecr.aws_iam_role_policy_attachment.default_ecr: Resource 'aws_iam_role.default' not found for variable 'aws_iam_role.default.name'
* module.ecr.output.policy_login_name: Resource 'aws_iam_policy.login' not found for variable 'aws_iam_policy.login.name'
* module.ecr.output.policy_read_arn: Resource 'aws_iam_policy.read' not found for variable 'aws_iam_policy.read.arn'
* module.ecr.output.policy_read_name: Resource 'aws_iam_policy.read' not found for variable 'aws_iam_policy.read.name'
* module.ecr.output.policy_login_arn: Resource 'aws_iam_policy.login' not found for variable 'aws_iam_policy.login.arn'
* module.ecr.data.aws_iam_policy_document.default_ecr: 1 error(s) occurred:
* module.ecr.data.aws_iam_policy_document.default_ecr: Resource 'aws_iam_role.default' not found for variable 'aws_iam_role.default.arn'
The problem also seems to occur if I try to create it on the same account.
ya'll ready?! public ECR! 🔥
Public ECR support is dropping later today (possibly), would be a nice addition to the module (I think) hashicorp/terraform-provider-aws#16540
Allow other principals
Describe the Feature
Allow for other principals other than AWS for access control.
Expected Behavior
Allow Service or other values in principals_readonly_access.
Use Case
For letting services like lambda pull from the repository.
Describe Ideal Solution
To specify the type of principals when the value is not AWS, you could also specify the whole access policy.
Alternatives Considered
Using other modules.
Enable lifefycle policy based on "Since imaged pushed"
Have a question? Please checkout our Slack Community or visit our Slack Archive.
Describe the Feature
Unless I missed it, the current rule available for images expiracy is based on the max number of images for a repo (max_image_count).
Adding the possibility to use the countType "sinceImagePushed" would obviously extend the capabilities of this module.
Describe Ideal Solution
Have the ability to choose between a lifecycle based on either the total number of images or the number of days since their last push.
If both options are set, obviously this should not be allowed.
Alternatives Considered
For the moment I manage the policies outside the module, directly with the resource aws_ecr_lifecycle_policy which will iterate on the list of images on which I want to apply it.
multi-repo namespacing does not appear to work
Describe the Bug
using the provided example in multi-repo, the repositories that are created are simply just redis or nginx and they are not namespaced at all like the documentation states (something like eg/reds or eg/nginx
From the README
If you provide 1 or more names in image_names then one repository will be created for each of the names you provide. Those names can include "namespaces", which are just prefixes ending with a slash (/).
Current Behavior
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "nginx"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Name" = "eg-dev-app"
+ "Namespace" = "eg"
+ "Stage" = "dev"
}
+ tags_all = {
+ "Name" = "eg-dev-app"
+ "Namespace" = "eg"
+ "Stage" = "dev"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}Expected Behavior
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "eg/nginx"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Name" = "eg-dev-app"
+ "Namespace" = "eg"
+ "Stage" = "dev"
}
+ tags_all = {
+ "Name" = "eg-dev-app"
+ "Namespace" = "eg"
+ "Stage" = "dev"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}AWS - ECR policy issue for some accounts
For certain users, AWS is not allowing restricting the ECR read for specific resource. The policy can be updated to all [*] resources only.
data "aws_iam_policy_document" "token" {
statement {
sid = "ECRGetAuthorizationToken"
effect = "Allow"
actions = ["ecr:GetAuthorizationToken"]
resources = ["*"] //it's working
//resources = ["${aws_ecr_repository.default.arn}"] --> not working
}
}
Backslash being removed from name variable when used with use_fullname
Though I think this is by design rather than a bug, it should be discussed.
Describe the Bug
Slashes are removed from the name variable even when use_fullname is true
Expected Behavior
Characters valid for the service should be valid for the module. Whilst regex_replace_chars does a good job of keeping the most valid characters, another regex var is required for when name is used alongside a use_fullname=true. We should be overriding regex_replace_chars as it has a wider impact than just the name variable.
Maybe even take this a step further and use the namespace before adding a slash when use_fullname=false?
Steps to Reproduce
Apply the module with a name that contains a / and use_fullname=true, the slash will not be in the name of the ECR repository.
Allow the whole AWS Org for readonly
Describe the Feature
In scenarios where there are many AWS accounts in the AWS Org, it is often more practical to allow the whole org
to pull images than dozens individual accounts.
Expected Behavior
From each AWS account users and services can execute non-modifying actions, e.g. pulling the images, list images, etc.
Describe Ideal Solution
A pseudo-policy:
{
"Sid": "AllowOrgPull",
"Effect": "Allow",
"Principal": "*",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": ${jsonencode(data.aws_organizations_organization.current.id)}
}
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CreateRepository",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:ListTagsForResource"
]
},
Add new image scanning configuration to the ECR repository
As of terraform aws provider 2.34.0 the ECR image repository now has an additional setting to enable image scanning for CVE vulnerabilities.
https://www.terraform.io/docs/providers/aws/r/ecr_repository.html
Add variable to override image_tag_mutability default value
Resource: aws_ecr_repository
image_tag_mutability - (Optional) The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE.
Would you add a count attribute to this module
Appreciate all your efforts
image_names variable not working as expected
Describe the Bug
using the provided example in multi-repo, the repositories that are created are simply just app or worker and they are not namespaced at all like the documentation states (something like my-app/app or my-app/worker
Documentation
If you provide 1 or more names in image_names then one repository will be created for each of the names you provide. Those names can include "namespaces", which are just prefixes ending with a slash (/).
If you do not provide any names in image_names, the module will create a single ECR repo named namespace-stage-name or just name depending on the value of use_fullname.
Current Behavior
Code
module "ecr" {
source = "cloudposse/ecr/aws"
namespace = "my-app"
environment = "ca"
stage = "prod"
use_fullname = true
image_names = ["worker","app"]
}Output
# module.ecr.aws_ecr_repository.name["app"] will be created
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "app"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ tags_all = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}
# module.ecr.aws_ecr_repository.name["circleci-with-prince"] will be created
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "worker"
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ tags_all = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}Expected Behavior
# module.ecr.aws_ecr_repository.name["app"] will be created
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "my-app/app" <-- Name with namespace or full `ns-env-stage/name`
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ tags_all = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}
# module.ecr.aws_ecr_repository.name["circleci-with-prince"] will be created
+ resource "aws_ecr_repository" "name" {
+ arn = (known after apply)
+ id = (known after apply)
+ image_tag_mutability = "IMMUTABLE"
+ name = "my-app/worker" <-- Name with namespace or full `ns-env-stage/name`
+ registry_id = (known after apply)
+ repository_url = (known after apply)
+ tags = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ tags_all = {
+ "Environment" = "ca"
+ "Name" = "my-app-ca-prod" <-- Name
+ "Namespace" = "my-app"
+ "Stage" = "prod"
}
+ image_scanning_configuration {
+ scan_on_push = true
}
}Environment (please complete the following information):
Anything that will help us triage the bug will help. Here are some ideas:
- OS: MacOS Monterey 12.4
- Terraform: v1.1.5/darwin_arm64
Error: Invalid for_each argument
Describe the Bug
╷
│ Error: Invalid for_each argument
│
│ on ecr/modules/ecr/main.tf line 310, in resource "aws_ecr_repository_policy" "name":
│ 310: for_each = toset(local.ecr_need_policy && module.this.enabled ? local.image_names : [])
│ ├────────────────
│ │ local.ecr_need_policy is a bool, known only after apply
│ │ local.image_names is list of string with 2 elements
│ │ module.this.enabled is true
│
│ The "for_each" set includes values derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the full set of keys that will identify the instances of this resource.
│
│ When working with unknown values in for_each, it's better to use a map value where the keys are defined statically in your configuration and where only the values contain apply-time results.
│
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a second time to fully converge.
╵
Expected Behavior
no issues
Steps to Reproduce
fresh deployment using ecr, using
module "ecr" {
source = "cloudposse/ecr/aws"
version = "0.40.0"
}
Screenshots
No response
Environment
No response
Additional Context
No response
Issues on importing ECR repositories
Describe the Bug
Hello, I wanted to import multiple ECR repositories into one ECR module. I was able to import only first repository. The rest of them gave me output errors like below:
First import:
terraform import 'module.ecs.module.ecr.aws_ecr_repository.name["YYYYYYYYYY"]' YYYYYYYYYY
module.ecs.module.ecr.aws_ecr_repository.name["YYYYYYYYYY"]: Importing from ID "YYYYYYYYYY"...
module.ecs.module.ecr.aws_ecr_repository.name["YYYYYYYYYY"]: Import prepared!
Prepared aws_ecr_repository for import
module.ecs.module.ecr.aws_ecr_repository.name["YYYYYYYYYY"]: Refreshing state... [id=YYYYYYYYYY]
Import successful!second import:
terraform import 'module.ecs.module.ecr.aws_ecr_repository.name["XXXXXXXXXXX"]' XXXXXXXXXXX
module.ecs.module.ecr.aws_ecr_repository.name["XXXXXXXXXXX"]: Importing from ID "XXXXXXXXXXX"...
module.ecs.module.ecr.aws_ecr_repository.name["XXXXXXXXXXX"]: Import prepared!
Prepared aws_ecr_repository for import
module.ecs.module.ecr.aws_ecr_repository.name["XXXXXXXXXXX"]: Refreshing state... [id=XXXXXXXXXXX]
Error: Invalid index
on .terraform/modules/ecs.ecr/outputs.tf line 2, in output "registry_id":
2: value = module.this.enabled ? aws_ecr_repository.name[local.image_names[0]].registry_id : ""
|----------------
| aws_ecr_repository.name is object with 1 attribute "YYYYYYYYYY"
| local.image_names[0] is "XXXXXXXXXXX"
The given key does not identify an element in this collection value.
Error: Invalid index
on .terraform/modules/ecs.ecr/outputs.tf line 7, in output "repository_name":
7: value = module.this.enabled ? aws_ecr_repository.name[local.image_names[0]].name : ""
|----------------
| aws_ecr_repository.name is object with 1 attribute "YYYYYYYYYY"
| local.image_names[0] is "XXXXXXXXXXX"
The given key does not identify an element in this collection value.
Error: Invalid index
on .terraform/modules/ecs.ecr/outputs.tf line 12, in output "repository_url":
12: value = module.this.enabled ? aws_ecr_repository.name[local.image_names[0]].repository_url : ""
|----------------
| aws_ecr_repository.name is object with 1 attribute "YYYYYYYYYY"
| local.image_names[0] is "XXXXXXXXXXX"
The given key does not identify an element in this collection value.
Error: Invalid index
on .terraform/modules/ecs.ecr/outputs.tf line 17, in output "repository_arn":
17: value = module.this.enabled ? aws_ecr_repository.name[local.image_names[0]].arn : ""
|----------------
| aws_ecr_repository.name is object with 1 attribute "YYYYYYYYYY"
| local.image_names[0] is "XXXXXXXXXXX"
The given key does not identify an element in this collection value.Expected Behavior
All imports are working without issue.
Steps to Reproduce
Steps to reproduce the behavior:
- Create manually ECR repositories
- Create manifest with the same names in variable
image_names - try to import existing images into module
- See error
Environment (please complete the following information):
Anything that will help us triage the bug will help. Here are some ideas:
- OS: Linux
- Module version 0.32.2
- Terraform 0.13/0.14
Additional Context
This is our code for ecr module
module "ecr" {
source = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.32.2"
enabled = var.enabled && var.ecr_enabled
name = var.name
namespace = var.namespace
stage = var.stage
tags = module.label.tags
protected_tags = var.ecr_protected_tag_prefixes
max_image_count = var.ecr_max_image_count
image_tag_mutability = var.ecr_image_tag_mutability
image_names = ["XXXXXXXXXXX", "YYYYYYYYYY"]
}
Support for namespaced repositories
Using v0.12.0 of this module, is there support for namespaced repositories? I can manually create a repository in ECR as mycompany/niftyimage, but it looks like the null-label module munges namespace together with name into mycompany-niftyimage. Putting the namespace into the name attribute (name = mycompany/niftyimage) together with use_fullname = false, gives a computed name of mycompanyniftyimage.
I don't see a way to get a Docker-standard repository/namespace/image structure using the module at the moment. Any thoughts?
Thanks for the work on this module!
How to get basic auth username / password?
Apologies in advance for this possibly naive question, but...
We have existing code that wants to push to an azure container registry via basic auth username / password. To use ecr, looking to replicate the same thing here.
The $ aws ecr get-login command returns -u AWS and -p {STS_TOKEN_REALLY_LONG_STRING_HERE}.
Is it possible to fetch this information via the outputs of this terraform module? If not, what is the recommended approach to that? (getting the STS token)
Malformed policy document when principal and multiple images supplied
Found a bug? Maybe our Slack Community can help.
Describe the Bug
I invoke the module as follows:
module "ecr" {
#source = "git::[email protected]:cloudposse/terraform-aws-ecr?ref=tags/0.15.0"
#source = "git::[email protected]:carnegierobotics/terraform-aws-ecr?ref=fix/policy"
source = "/home/jhosteny/src/github/crl/terraform-aws-ecr"
name = var.name
namespace = var.namespace
stage = var.stage
tags = var.tags
attributes = var.attributes
delimiter = var.delimiter
image_names = var.image_names
principals_full_access = [var.sidecred_ecr_writer_role_arn]
}
This produces the following plan:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.ecr.aws_ecr_repository_policy.default[0] will be created
+ resource "aws_ecr_repository_policy" "default" {
+ id = (known after apply)
+ policy = "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:UploadLayerPart\",\n \"ecr:StartImageScan\",\n \"ecr:SetRepositoryPolicy\",\n \"ecr:PutImage\",\n \"ecr:ListImages\",\n \"ecr:InitiateLayerUpload\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:DescribeRepositories\",\n \"ecr:DescribeImages\",\n \"ecr:DescribeImageScanFindings\",\n \"ecr:DeleteRepositoryPolicy\",\n \"ecr:DeleteRepository\",\n \"ecr:CompleteLayerUpload\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchDeleteImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer\"\n }\n }\n ]\n}{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:UploadLayerPart\",\n \"ecr:StartImageScan\",\n \"ecr:SetRepositoryPolicy\",\n \"ecr:PutImage\",\n \"ecr:ListImages\",\n \"ecr:InitiateLayerUpload\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:DescribeRepositories\",\n \"ecr:DescribeImages\",\n \"ecr:DescribeImageScanFindings\",\n \"ecr:DeleteRepositoryPolicy\",\n \"ecr:DeleteRepository\",\n \"ecr:CompleteLayerUpload\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchDeleteImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer\"\n }\n }\n ]\n}"
+ registry_id = (known after apply)
+ repository = "knightbase-ubuntu18"
}
# module.ecr.aws_ecr_repository_policy.default[1] will be created
+ resource "aws_ecr_repository_policy" "default" {
+ id = (known after apply)
+ policy = "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:UploadLayerPart\",\n \"ecr:StartImageScan\",\n \"ecr:SetRepositoryPolicy\",\n \"ecr:PutImage\",\n \"ecr:ListImages\",\n \"ecr:InitiateLayerUpload\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:DescribeRepositories\",\n \"ecr:DescribeImages\",\n \"ecr:DescribeImageScanFindings\",\n \"ecr:DeleteRepositoryPolicy\",\n \"ecr:DeleteRepository\",\n \"ecr:CompleteLayerUpload\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchDeleteImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer\"\n }\n }\n ]\n}{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"FullAccess\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ecr:UploadLayerPart\",\n \"ecr:StartImageScan\",\n \"ecr:SetRepositoryPolicy\",\n \"ecr:PutImage\",\n \"ecr:ListImages\",\n \"ecr:InitiateLayerUpload\",\n \"ecr:GetRepositoryPolicy\",\n \"ecr:GetDownloadUrlForLayer\",\n \"ecr:GetAuthorizationToken\",\n \"ecr:DescribeRepositories\",\n \"ecr:DescribeImages\",\n \"ecr:DescribeImageScanFindings\",\n \"ecr:DeleteRepositoryPolicy\",\n \"ecr:DeleteRepository\",\n \"ecr:CompleteLayerUpload\",\n \"ecr:BatchGetImage\",\n \"ecr:BatchDeleteImage\",\n \"ecr:BatchCheckLayerAvailability\"\n ],\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer\"\n }\n }\n ]\n}"
+ registry_id = (known after apply)
+ repository = "test"
}
Plan: 2 to add, 0 to change, 0 to destroy.
For clarity, here is what the proposed document for one of the repositories looks like when pretty printed:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullAccess",
"Effect": "Allow",
"Action": [
"ecr:UploadLayerPart",
"ecr:StartImageScan",
"ecr:SetRepositoryPolicy",
"ecr:PutImage",
"ecr:ListImages",
"ecr:InitiateLayerUpload",
"ecr:GetRepositoryPolicy",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken",
"ecr:DescribeRepositories",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:CompleteLayerUpload",
"ecr:BatchGetImage",
"ecr:BatchDeleteImage",
"ecr:BatchCheckLayerAvailability"
],
"Principal": {
"AWS": "arn:aws:iam::919264070010:role/tai-prod-sidecred-core"
}
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullAccess",
"Effect": "Allow",
"Action": [
"ecr:UploadLayerPart",
"ecr:StartImageScan",
"ecr:SetRepositoryPolicy",
"ecr:PutImage",
"ecr:ListImages",
"ecr:InitiateLayerUpload",
"ecr:GetRepositoryPolicy",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken",
"ecr:DescribeRepositories",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:CompleteLayerUpload",
"ecr:BatchGetImage",
"ecr:BatchDeleteImage",
"ecr:BatchCheckLayerAvailability"
],
"Principal": {
"AWS": "arn:aws:iam::919264070010:role/tai-prod-sidecred-core"
}
}
]
}
You can see that the document is concatenated twice. This is due to this join. I will have a PR shortly.
Expected Behavior
The plan should have been:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# module.ecr.aws_ecr_repository_policy.default[0] will be created
+ resource "aws_ecr_repository_policy" "default" {
+ id = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "ecr:UploadLayerPart",
+ "ecr:StartImageScan",
+ "ecr:SetRepositoryPolicy",
+ "ecr:PutImage",
+ "ecr:ListImages",
+ "ecr:InitiateLayerUpload",
+ "ecr:GetRepositoryPolicy",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetAuthorizationToken",
+ "ecr:DescribeRepositories",
+ "ecr:DescribeImages",
+ "ecr:DescribeImageScanFindings",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:CompleteLayerUpload",
+ "ecr:BatchGetImage",
+ "ecr:BatchDeleteImage",
+ "ecr:BatchCheckLayerAvailability",
]
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer"
}
+ Sid = "FullAccess"
},
]
+ Version = "2012-10-17"
}
)
+ registry_id = (known after apply)
+ repository = "knightbase-ubuntu18"
}
# module.ecr.aws_ecr_repository_policy.default[1] will be created
+ resource "aws_ecr_repository_policy" "default" {
+ id = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "ecr:UploadLayerPart",
+ "ecr:StartImageScan",
+ "ecr:SetRepositoryPolicy",
+ "ecr:PutImage",
+ "ecr:ListImages",
+ "ecr:InitiateLayerUpload",
+ "ecr:GetRepositoryPolicy",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:GetAuthorizationToken",
+ "ecr:DescribeRepositories",
+ "ecr:DescribeImages",
+ "ecr:DescribeImageScanFindings",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:CompleteLayerUpload",
+ "ecr:BatchGetImage",
+ "ecr:BatchDeleteImage",
+ "ecr:BatchCheckLayerAvailability",
]
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::919264070010:role/tai-prod-sidecred-ecr-writer"
}
+ Sid = "FullAccess"
},
]
+ Version = "2012-10-17"
}
)
+ registry_id = (known after apply)
+ repository = "test"
}
Plan: 2 to add, 0 to change, 0 to destroy.
Steps to Reproduce
Steps to reproduce the behavior:
Create an ECR module with multiple images and a principal.
Requesting to add `scan_type ` to `aws_ecr_registry_scanning_configuration`
Describe the Feature
With version 3.70 of the Terraform AWS provider it is now possible to make use of scan_types to enable enhanced scanning.
Currently there is no such feature implemented in the code.
Enhanced scanning—
Amazon ECR integrates with Amazon Inspector to provide automated, continuous scanning of your repositories. Your container images are scanned for both operating systems and programing language package vulnerabilities. As new vulnerabilities appear, the scan results are updated and Amazon Inspector emits an event to EventBridge to notify you.
Expected Behavior
Being able to set options on what scanning type is/will be used for ECR images. As per:
Use Case
Added value will come from being in line with what the Terraform provider is able to, well, provide. Allowing users of the module to make use of new capabilities provided by Terraform and AWS.
Describe Ideal Solution
Using the scan_type flag in the terraform module to set this to ENHANCED instead of perhaps a default BASIC. This way the images will be continually scanned, which leads to a better security posture overall.
resource_full_access iam document is missing a few permissions
Describe the Bug
If the data source resource_full_access is truly for full access, then https://github.com/cloudposse/terraform-aws-ecr/blob/master/main.tf#L116 is missing the following permissions
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
Expected Behavior
Have those permissions above
Additional Context
There are a few ways we can solve this and my preference is the first.
- Add the above perms to the
resource_full_accessdocument - Create a variable to override all those permissions or append those perms
- Give
resource_full_accessall the ecr perms usingecr:*
multi region ECR with replication support
Have a question? Please checkout our Slack Community or visit our Slack Archive.
Describe the Feature
Is it good to have multi region(s) ECR creation and replication so that same can be used for DR strategy.
Expected Behavior
Multi Region with replication support
Use Case
If team want to setup full DR it would be nice to have ECR replication feature which will automatically push new ECR changes to DR or other regions. and can be used by local resources reduce the data transfer as well.
Principal ARNs input for ECR Power User
Describe the Feature
Create an input variable for Principal ARNs to provide power user access to ECR.
Expected Behavior
Principal ARNs will be provided with actions that match the policy AmazonEC2ContainerRegistryPowerUser which provides full access to Amazon EC2 Container Registry repositories, but does not allow repository deletion or policy changes.
Use Case
A centrally managed environment where Principal ARNs are allowed to update images in ECR repos but not alter policies or delete repos. This will add a guardrail to prevent unintentional/intentional deletion of repos containing nonrecoverable container images.
Alternatives Considered
Grant the ability create custom policies to attach to either current Principal ARN input.
Add Example Usage
what
- Add example invocation
why
- We need this so we can soon enable automated continuous integration testing of module
Reduce permission to functions only
Found a bug? Maybe our Slack Community can help.
Describe the Bug
Currently CrossAccountPermission permission also being added to the ECR policy when principle_lambda variable is added. which will allow members form other account to use image apart from lambda also. and it is also working without adding that CrossAccountPermission as well
Expected Behavior
- should not allow permission other then lambda functions
- Write only permission feature should be there which will allow user to write image only to the ecr repo. not other features.
{
"Sid": "WriteOnlyAccess",
"Effect": "Allow",
"Principal": {
"AWS": "priniciple_arn"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
Specifying Encryption type "KMS" with a custom KMS key specifies a destroy/create for each new plan
Found a bug? Maybe our Slack Community can help.
Describe the Bug
Specifying Encryption type "KMS" with a custom KMS key specifies a destroy/create of all defined registries for each new Terraform plan
Expected Behavior
No changes should be identified. Works as expected when not configuring a custom KMS key.
Steps to Reproduce
Steps to reproduce the behavior:
See above
Screenshots
Environment (please complete the following information):
- OSX: 11.5.2
- Terraform: v1.0.4
- This module: ~> 0.32
- AWS Provider hashicorp/aws: ~> 3.49
Additional Context
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.