Fixit Cloud ☁️ Module: AWS ECR

Terraform module for managing an AWS ECR Registry and its Repositories.


⚙️ Module Usage

Usage Examples

Requirements

Name Version
terraform 1.3.2
aws ~> 4.34.0

Providers

Name Version
aws ~> 4.34.0

Modules

No modules.

Resources

Name Type
aws_ecr_registry_policy.list resource
aws_ecr_registry_scanning_configuration.this resource
aws_ecr_repository.map resource
aws_ecr_repository_policy.map resource
aws_iam_policy_document.Repo_Policies_Map data source

Inputs

Name: registry_policy_json
Description: (Optional) A JSON-encoded ECR Registry Policy. Registry policies set permissions at the registry level for "ecr:ReplicateImage", "ecr:BatchImportUpstreamImage", and "ecr:CreateRepository".
Type: string
Default: null
Required: no

Name: registry_scanning_config
Description: (Optional) Config object for Enhanced image scanning. By default, all repos will be configured with Basic scanning. If "scan_type" is set to "ENHANCED", you can provide a map of "repo_scan_rules", in which regex strings can be supplied as keys to target one or more repos with a scan-frequency setting, which can be one of "MANUAL", "SCAN_ON_PUSH", or "CONTINUOUS_SCAN".
Type:

    object({
      scan_type       = string
      repo_scan_rules = optional(map(string))
    })

Default:

    {
      "repo_scan_rules": null,
      "scan_type": "BASIC"
    }

Required: no

Name: repositories
Description: Map of ECR Repository names to config objects. For more fine-grained control over a repo's SSE, an AWS KMS key can be provided; otherwise the ECR default AES256 encryption will be used. "should_image_tags_be_immutabile" defaults to false if not provided. Use any of the provided "policy_config" properties to set commonly-used sets of permissions; for example, principals you provide in "allow_push_and_pull_images" will be granted all the Allow-permissions necessary to push and pull images to and from the repo. Alternatively/additionally, any valid IAM policy statements can be provided as a JSON array in "custom_statements_json", and the provided statements will be merged into any others you've configured.
Type:

    map(
      # map keys: ECR repo names
      object({
        should_image_tags_be_immutabile = optional(bool)
        sse_config = optional(object({
          type        = string
          kms_key_arn = optional(string)
        }))
        tags = optional(map(string))
        policy_config = object({
          allow_push_and_pull_images = optional(object({
            principals = object({
              type        = string
              identifiers = list(string)
            })
            conditions = optional(map(
              # map keys: IAM condition operators (e.g., "StringEquals", "ArnLike")
              object({
                key    = string
                values = list(string)
              })
            ))
          }))
          allow_codebuild_access = optional(object({
            codebuild_project_source_arns = list(string)
            codebuild_account_ids         = list(string)
            custom_conditions = optional(map(
              # map keys: IAM condition operators (e.g., "StringEquals", "ArnLike")
              object({
                key    = string
                values = list(string)
              })
            ))
          }))
          custom_statements_json = optional(string)
        })
      })
    )

Default: n/a
Required: yes
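
As an added example (not taken from the module's own documentation), the call below wires the inputs described above into a hardened repository: immutable tags, KMS encryption, enhanced scanning, and a push/pull grant narrowed by an IAM condition. The module source, account IDs, ARNs, repo name and filter pattern are constructed placeholders, and the "KMS" and "AWS" type values are assumed to be passed through to the underlying AWS resources.

```hcl
module "ecr" {
  source = "<path-or-registry-address-of-this-module>" # placeholder

  # Opt in to Enhanced scanning; without this block every repo gets BASIC.
  registry_scanning_config = {
    scan_type = "ENHANCED"
    repo_scan_rules = {
      # key selects repos, value is the scan frequency (pattern is an assumption)
      "prod-*" = "CONTINUOUS_SCAN"
    }
  }

  repositories = {
    "prod-api" = { # constructed repo name
      # Defaults to false; set true so a pushed tag cannot be overwritten.
      # The attribute name is spelled as the module declares it.
      should_image_tags_be_immutabile = true

      # Omit sse_config to fall back to the ECR default AES256 encryption.
      sse_config = {
        type        = "KMS" # assumed value
        kms_key_arn = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"
      }

      tags = { env = "prod" }

      policy_config = {
        allow_push_and_pull_images = {
          principals = {
            type        = "AWS" # assumed value (IAM principal type)
            identifiers = ["arn:aws:iam::111111111111:role/ci-publisher"]
          }
          # map key is the IAM condition operator; limits the grant to one org
          conditions = {
            StringEquals = {
              key    = "aws:PrincipalOrgID"
              values = ["o-exampleorgid"]
            }
          }
        }
        allow_codebuild_access = {
          codebuild_project_source_arns = ["arn:aws:codebuild:us-east-1:111111111111:project/build-api"]
          codebuild_account_ids         = ["111111111111"]
        }
      }
    }
  }
}
```

Running `terraform plan` against this and reading the rendered `aws_ecr_repository_policy` document is the quickest way to confirm which actions each principal actually receives before applying.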

Outputs

Name Description
Registry_Policy The ECR Registry Policy resource object.
Registry_Scanning_Config The ECR Registry Scanning Config resource object.
Repositories Map of ECR Repository resource objects.
Repository_Policies Map of ECR Repo Policy resource objects.

📝 License

All scripts and source code contained herein are for commercial use only by Nerdware, LLC.

See LICENSE for more information.

💬 Contact

Trevor Anderson - @TeeRevTweets - Trevor@Nerdware.cloud

Dare Mighty Things.