Terraform module which creates Amazon ECR repository template resources.
See the `examples` directory for working examples to reference:
```hcl
module "ecr-repository-template" {
  source = "terraform-aws-modules/ecr/aws//modules/repository-template"

  # Template
  description              = "Pull through cache repository template for Karpenter public ECR artifacts"
  prefix                   = "ecr-public"
  create_repository_policy = true

  # Pull through cache rule
  create_pull_through_cache_rule = true # defaults to false; no rule is created without it
  upstream_registry_url          = "public.ecr.aws"

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
```hcl
module "ecr-repository-template" {
  source = "terraform-aws-modules/ecr/aws//modules/repository-template"

  # Template
  description = "Pull through cache repository template for NGINX Dockerhub artifacts"
  prefix      = "docker-hub"

  # Pull through cache rule
  create_pull_through_cache_rule = true # defaults to false; no rule is created without it
  upstream_registry_url          = "registry-1.docker.io"
  # The secret is defined outside this module; ECR requires its name to start with "ecr-pullthroughcache/"
  credential_arn = aws_secretsmanager_secret.ecr_pull_through_cache.arn

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
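The Docker Hub example above references `aws_secretsmanager_secret.ecr_pull_through_cache` without defining it. The following is an added example, not part of the module's own documentation, of one way to define that secret; the variable names `dockerhub_username` and `dockerhub_access_token` and the secret name suffix are assumptions, while the `ecr-pullthroughcache/` name prefix and the `username`/`accessToken` keys are what ECR requires for pull through cache credentials.

```hcl
# Added example: credentials for the Docker Hub pull through cache rule.
# Variable names are hypothetical; supply the values via TF_VAR_* or a
# secrets-aware pipeline, never as literals committed to the repository.
variable "dockerhub_username" {
  description = "Docker Hub account used by ECR to pull upstream images"
  type        = string
}

variable "dockerhub_access_token" {
  description = "Docker Hub access token; a read-only token is enough for pulls"
  type        = string
  sensitive   = true # keeps the value out of plan/apply output
}

resource "aws_secretsmanager_secret" "ecr_pull_through_cache" {
  # ECR only accepts secrets whose name starts with "ecr-pullthroughcache/"
  name        = "ecr-pullthroughcache/docker-hub"
  description = "Docker Hub credentials for the ECR pull through cache rule"
}

resource "aws_secretsmanager_secret_version" "ecr_pull_through_cache" {
  secret_id = aws_secretsmanager_secret.ecr_pull_through_cache.id

  # ECR expects exactly these two keys in the secret value
  secret_string = jsonencode({
    username    = var.dockerhub_username
    accessToken = var.dockerhub_access_token
  })
}
```

The token is still written to Terraform state, so the state backend needs encryption at rest and restricted access.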
```hcl
module "ecr" {
  source = "terraform-aws-modules/ecr/aws//modules/repository-template"

  # Template
  description              = "Replication repository template for production ECR artifacts"
  prefix                   = "prod"
  applied_for              = ["REPLICATION"] # defaults to PULL_THROUGH_CACHE
  create_repository_policy = true

  # Expire tagged images beyond the 30 most recent with a "v" tag prefix
  lifecycle_policy = jsonencode({
    rules = [
      {
        rulePriority = 1,
        description  = "Keep last 30 images",
        selection = {
          tagStatus     = "tagged",
          tagPrefixList = ["v"],
          countType     = "imageCountMoreThan",
          countNumber   = 30
        },
        action = {
          type = "expire"
        }
      }
    ]
  })

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
Examples codified under the `examples` directory are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 5.61 |
Name | Version |
---|---|
aws | >= 5.61 |
No modules.
Name | Type |
---|---|
aws_ecr_pull_through_cache_rule.this | resource |
aws_ecr_repository_creation_template.this | resource |
aws_iam_policy.this | resource |
aws_iam_role.this | resource |
aws_iam_role_policy_attachment.this | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.assume | data source |
aws_iam_policy_document.repository | data source |
aws_iam_policy_document.this | data source |
aws_partition.current | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
applied_for | Which features this template applies to. Must contain one or more of `PULL_THROUGH_CACHE` or `REPLICATION`. Defaults to `PULL_THROUGH_CACHE` | `list(string)` | `["PULL_THROUGH_CACHE"]` | no |
create | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
create_iam_role | Determines whether the ECR service IAM role should be created | `bool` | `true` | no |
create_pull_through_cache_rule | Determines whether a pull through cache rule will be created | `bool` | `false` | no |
create_repository_policy | Determines whether a repository policy will be created | `bool` | `true` | no |
credential_arn | ARN of the Secret which will be used to authenticate against the registry to use for the pull through cache rule | `string` | `null` | no |
custom_role_arn | A custom IAM role to use for repository creation. Required if using repository tags or KMS encryption | `string` | `null` | no |
description | The description for this template | `string` | `null` | no |
encryption_type | The type of encryption to use for any created repositories. Must be one of: `AES256` or `KMS`. Defaults to `AES256` | `string` | `"AES256"` | no |
iam_role_description | Description of the role | `string` | `null` | no |
iam_role_name | Name to use on IAM role created | `string` | `null` | no |
iam_role_path | IAM role path | `string` | `null` | no |
iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the IAM role | `string` | `null` | no |
iam_role_tags | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
iam_role_use_name_prefix | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
image_tag_mutability | The tag mutability setting for any created repositories. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
kms_key_arn | The ARN of the KMS key used to encrypt the repositories created | `string` | `null` | no |
lifecycle_policy | The lifecycle policy document to apply to any created repositories | `string` | `null` | no |
prefix | (Required) The repository name prefix to match against. Use `ROOT` to match any prefix that doesn't explicitly match another template | `string` | `""` | no |
repository_lambda_read_access_arns | The ARNs of the Lambda service roles that have read access to the repository | `list(string)` | `[]` | no |
repository_policy | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no |
repository_policy_statements | A map of IAM policy statements for custom permission usage | `any` | `{}` | no |
repository_read_access_arns | The ARNs of the IAM users/roles that have read access to the repository | `list(string)` | `[]` | no |
repository_read_write_access_arns | The ARNs of the IAM users/roles that have read/write access to the repository | `list(string)` | `[]` | no |
resource_tags | A map of tags to assign to any created repositories | `map(string)` | `{}` | no |
tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
upstream_registry_url | The registry URL of the upstream public registry to use as the source for the pull through cache rule | `string` | `null` | no |
Name | Description |
---|---|
iam_role_arn | IAM role ARN |
iam_role_name | IAM role name |
iam_role_unique_id | Stable and unique string identifying the IAM role |
Apache-2.0 Licensed. See LICENSE.