Panfactum LogoPanfactum
Infrastructure ModulesDirect ModulesAWSaws_ecr_repos
aws_ecr_repos
Stable
Direct
Source Code Link

AWS ECR Repositories

This module deploys image repositories in the AWS account's ECR. This allows you to push and pull images directly to AWS.

Pulling and Pushing Images Locally

We cover this in the BuildKit guide.

Pulling and Pushing Images Across Accounts

Images can be pulled or pushed by IAM users / roles set up in other AWS accounts by specifying <repo>.additional_pull_account_ids and <repo>.additional_push_account_ids respectively.

This will allow you to have a central image repository that can be used by multiple AWS accounts and allow for promoting image artifacts across environments rather than rebuilding for each environment.

IAM users and roles in other accounts must still have the appropriate permissions to interact with ECR. We provide this automatically for Kubernetes clusters deployed with the aws_eks module.

Image Immutability

By default, immutability is turned on for each repository (<repo>.is_immutable). This means that once an image with a specific tag is pushed, that tag may never be overridden with a new image.

This is a security measure to ensure that once an image is deployed in an environment it's contents can never be changed. Only disable immutability if you will never use the image in a sensitive environment.

Garbage Collecting Images

You might want to periodically remove outdated or unused images to save on storage costs. We provide three means to do so:

  1. We automatically remove untagged images as if an image loses its tag, it is assumed it will never be pulled again.

  2. If set to true, <repo>.expire_all_images will automatically remove an image 14 days after it was created. This can be helpful for images generated during local development that will not be used in production and can be easily regenerated.

  3. We provide a <repo>.expiration_rules field that will allow you to specify custom lifecycle policies for each repository based on the image's tag pattern. See the linked docs for available patterns.

Providers

The following providers are needed by this module:

Required Inputs

The following input variables are required:

ecr_repositories

Description: A mapping of names to configuration of the repositories to create.

Type:

map(object({
    is_immutable      = optional(bool, true)  # Whether immutable tags are enabled
    expire_all_images = optional(bool, false) # Whether all images should be removed after 14 days
    expiration_rules = optional(list(object({
      tag_pattern = string
      days        = number # days since pushed that the image will be removed
    })), [])
    additional_push_account_ids = optional(list(string), []) # The ids of the additional AWS accounts that have push access to the repository
    additional_pull_account_ids = optional(list(string), []) # The ids of the additional AWS accounts that have pull access to the repository
  }))

Optional Inputs

The following input variables are optional (have default values):

Outputs

The following outputs are exported:

aws_account_id

Description: n/a

aws_region

Description: n/a

registry

Description: n/a

repos

Description: n/a

Usage

No notes