
aws.ecr-repository resource

Description

Repository manages an ECR private repository: the registry entry that container images are pushed to, plus the settings that ECR writes through their own API calls, folded in as fields. The name and the encryption configuration are fixed at create time, so a change to either replaces the repository; the tag mutability setting and its exclusion filters, the scan-on-push toggle, the two policy texts, and the tags all reconcile in place.

Source: internal/service/ecr/repository_rsrc.go:32

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.ecr-repository {
    # Set input fields here.
  }
}

Inputs

name

string

required

Name is the repository name, on its own or prefixed with a namespace, such as project-a/nginx-web-app. ECR requires 2 to 256 characters of lowercase letters, digits, and ._-/ separators, which the API enforces.

encryption-configuration

optional(
  object({
    encryption-type: string
    kms-key: optional(string)
  })
)

EncryptionConfiguration sets the at-rest encryption of the repository's contents. When the field is omitted, ECR encrypts with AES256.

scan-on-push

optional(boolean)

ScanOnPush, when true, scans each image for known vulnerabilities as it is pushed. It backs the image scanning configuration, reconciled by its own PutImageScanningConfiguration call; removing the field sets it back to false, the ECR default.

image-tag-mutability

optional(string)

ImageTagMutability sets whether image tags may be overwritten: MUTABLE, IMMUTABLE, or the MUTABLE_WITH_EXCLUSION and IMMUTABLE_WITH_EXCLUSION variants that exempt the tags the exclusion filters match. When the field is omitted, ECR defaults to MUTABLE, and a later update writes MUTABLE back.

image-tag-mutability-exclusion-filters

list(
  object({
    filter: string
    filter-type: string
  })
)

ImageTagMutabilityExclusionFilters lists up to five filters naming the image tags exempt from the mutability setting. The list is only valid with one of the WITH_EXCLUSION mutability modes, and it changes through the same PutImageTagMutability call as the setting itself.

lifecycle-policy

optional(string)

LifecyclePolicy is the JSON lifecycle policy text, which expires images by age or count. It is reconciled by its own PutLifecyclePolicy call, an upsert, so a changed policy updates in place; removing the field deletes the policy. The text is sent as given, so reformatting it reads as a change.

repository-policy

optional(string)

RepositoryPolicy is the JSON repository policy text granting other principals access to the repository. It is reconciled by its own SetRepositoryPolicy call; removing the field deletes the policy. The text is sent as given, so reformatting it reads as a change.
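Because both policy texts are sent as given, a reformatted but semantically identical policy reads as a change on the next reconcile. The following added example (not part of unobin or this page) keeps a lifecycle policy in one canonical serialization so that only real changes show up; the policy itself is constructed for the example, using ECR's documented lifecycle policy schema (rulePriority, selection, action).

```python
"""Canonical serialization for ECR policy texts, so reformatting is not a change."""
from __future__ import annotations

import copy
import json

# Constructed lifecycle policy: expire untagged images 14 days after they were pushed.
LIFECYCLE_POLICY = {
    "rules": [
        {
            "rulePriority": 1,
            "description": "expire untagged images after 14 days",
            "selection": {
                "tagStatus": "untagged",
                "countType": "sinceImagePushed",
                "countUnit": "days",
                "countNumber": 14,
            },
            "action": {"type": "expire"},
        }
    ]
}


def canonical(policy_text: str) -> str:
    """Re-serialize a JSON policy with sorted keys and no whitespace.

    Feeding this form into lifecycle-policy / repository-policy means a later
    pretty-print or key reordering of the source file produces the same bytes.
    """
    return json.dumps(json.loads(policy_text), sort_keys=True, separators=(",", ":"))


def is_semantic_change(old_text: str, new_text: str) -> bool:
    """True only when the two policy texts differ after canonicalization."""
    return canonical(old_text) != canonical(new_text)


def pretty_text() -> str:
    """The same policy as a human-edited, indented file would hold it."""
    return json.dumps(LIFECYCLE_POLICY, indent=2)


def shortened_text(days: int) -> str:
    """A copy of the policy with a different retention, i.e. a real change."""
    changed = copy.deepcopy(LIFECYCLE_POLICY)
    changed["rules"][0]["selection"]["countNumber"] = days
    return json.dumps(changed, indent=4)


if __name__ == "__main__":
    pretty = pretty_text()
    compact = canonical(pretty)
    print("bytes differ:", pretty != compact)
    print("semantic change (reformat only):", is_semantic_change(pretty, compact))
    print("semantic change (14 -> 30 days):", is_semantic_change(pretty, shortened_text(30)))
```

Store the policy as the canonical string (or canonicalize it at load time) before passing it to the resource; the field then only changes when a rule actually changes.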

tags

map(string)

Tags are the metadata tags on the repository, reconciled as a set.

force-delete

optional(boolean)

ForceDelete, when true, deletes the repository even when it still holds images. It is a delete-time switch with no presence in the cloud, so it is never sent to create or read.

Input Constraints

Image tag mutability rules

image-tag-mutability must be a valid tag mutability setting.

Rule logic
When
input.image-tag-mutability != null
Require
input.image-tag-mutability == 'MUTABLE'
|| input.image-tag-mutability == 'IMMUTABLE'
|| input.image-tag-mutability == 'MUTABLE_WITH_EXCLUSION'
|| input.image-tag-mutability == 'IMMUTABLE_WITH_EXCLUSION'

Image tag mutability exclusion filters rules

Exclusion filters require a WITH_EXCLUSION image-tag-mutability.

Rule logic
When
input.image-tag-mutability-exclusion-filters != null
&& @core.length(input.image-tag-mutability-exclusion-filters) >= 1
Require
input.image-tag-mutability == 'MUTABLE_WITH_EXCLUSION'
|| input.image-tag-mutability == 'IMMUTABLE_WITH_EXCLUSION'

image-tag-mutability-exclusion-filters holds at most 5 filters.

Rule logic
Require
input.image-tag-mutability-exclusion-filters == null
|| @core.length(input.image-tag-mutability-exclusion-filters) <= 5

Each filter type must be WILDCARD.

Rule logic
For each
input.image-tag-mutability-exclusion-filters
Require
@each.value.filter-type == 'WILDCARD'

Encryption configuration rules

encryption-type must be AES256, KMS, or KMS_DSSE.

Rule logic
When
input.encryption-configuration.encryption-type != null
Require
input.encryption-configuration.encryption-type == 'AES256'
|| input.encryption-configuration.encryption-type == 'KMS'
|| input.encryption-configuration.encryption-type == 'KMS_DSSE'
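The rules above, implemented as an added stand-alone checker in Python (example code, not part of unobin or this page) that can be run over an input block before it reaches the resource. The sample inputs are constructed; the name regex is an approximation of the length-and-character rule the page states for name, not ECR's exact pattern; the kms-key value is a placeholder. It also reports which security-relevant settings fall back to ECR defaults when a field is omitted (MUTABLE tags, no scan on push, AES256), which the field descriptions state but which are easy to miss in a minimal block.

```python
"""Stand-alone checker mirroring the aws.ecr-repository input constraints."""
from __future__ import annotations

import re
from typing import Any

# Allowed values as listed on the page.
MUTABILITY_MODES = {"MUTABLE", "IMMUTABLE", "MUTABLE_WITH_EXCLUSION", "IMMUTABLE_WITH_EXCLUSION"}
EXCLUSION_MODES = {"MUTABLE_WITH_EXCLUSION", "IMMUTABLE_WITH_EXCLUSION"}
ENCRYPTION_TYPES = {"AES256", "KMS", "KMS_DSSE"}
MAX_EXCLUSION_FILTERS = 5

# Approximation of the name rule the page describes (2-256 characters of lowercase
# letters, digits and ._-/ separators); ECR's own pattern is stricter about separator placement.
NAME_RE = re.compile(r"^[a-z0-9._/-]{2,256}$")


def validate(inp: dict[str, Any]) -> list[str]:
    """Return the rule violations for one input block; an empty list means it passes."""
    errors: list[str] = []

    name = inp.get("name")
    if not isinstance(name, str) or not NAME_RE.match(name):
        errors.append("name must be 2-256 characters of lowercase letters, digits and ._-/")

    mut = inp.get("image-tag-mutability")
    if mut is not None and mut not in MUTABILITY_MODES:
        errors.append("image-tag-mutability must be a valid tag mutability setting")

    filters = inp.get("image-tag-mutability-exclusion-filters")
    if filters is not None:
        if len(filters) >= 1 and mut not in EXCLUSION_MODES:
            errors.append("exclusion filters require a WITH_EXCLUSION image-tag-mutability")
        if len(filters) > MAX_EXCLUSION_FILTERS:
            errors.append("image-tag-mutability-exclusion-filters holds at most 5 filters")
        for f in filters:
            if f.get("filter-type") != "WILDCARD":
                errors.append("a filter type must be WILDCARD")

    enc = inp.get("encryption-configuration")
    if enc is not None and enc.get("encryption-type") is not None:
        if enc["encryption-type"] not in ENCRYPTION_TYPES:
            errors.append("encryption-type must be AES256, KMS, or KMS_DSSE")

    return errors


def effective_settings(inp: dict[str, Any]) -> dict[str, Any]:
    """What ECR applies for the omitted fields, per the defaults the page states."""
    enc = inp.get("encryption-configuration") or {}
    return {
        "image-tag-mutability": inp.get("image-tag-mutability") or "MUTABLE",
        "scan-on-push": bool(inp.get("scan-on-push", False)),
        "encryption-type": enc.get("encryption-type") or "AES256",
    }


# Constructed sample inputs, shaped like the fields of the example usage block.
HARDENED = {
    "name": "project-a/nginx-web-app",
    "image-tag-mutability": "IMMUTABLE_WITH_EXCLUSION",
    "image-tag-mutability-exclusion-filters": [{"filter": "dev-*", "filter-type": "WILDCARD"}],
    "scan-on-push": True,
    "encryption-configuration": {"encryption-type": "KMS", "kms-key": "<kms-key-placeholder>"},
}
MINIMAL = {"name": "project-a/nginx-web-app"}
BROKEN = {
    "name": "Project-A",  # uppercase letters are not allowed
    "image-tag-mutability": "IMMUTABLE",  # filters present, but not a WITH_EXCLUSION mode
    "image-tag-mutability-exclusion-filters": [{"filter": "dev-*", "filter-type": "GLOB"}],
    "encryption-configuration": {"encryption-type": "SSE-S3"},  # not an ECR encryption type
}


def too_many_filters() -> dict[str, Any]:
    """HARDENED with six wildcard filters, one over the limit."""
    return {
        **HARDENED,
        "image-tag-mutability-exclusion-filters": [
            {"filter": f"team{i}-*", "filter-type": "WILDCARD"} for i in range(6)
        ],
    }


if __name__ == "__main__":
    for label, block in (("hardened", HARDENED), ("minimal", MINIMAL), ("broken", BROKEN)):
        print(label, "->", validate(block) or "ok", "| effective:", effective_settings(block))
```

The minimal block passes every rule yet ends up with mutable tags, no push-time scanning and AES256 at rest; setting image-tag-mutability and scan-on-push explicitly keeps those choices visible in the resource rather than inherited from ECR's defaults.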

Outputs

arn

string

name

string

registry-id

string

repository-uri

string