tessl/npm-pulumi--aws
A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources with infrastructure-as-code.
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
ecr.mddocs/compute/
Amazon ECR (Elastic Container Registry)
Amazon Elastic Container Registry is a fully managed Docker container registry that makes it easy to store, manage, and deploy Docker container images.
Package
import * as aws from "@pulumi/aws";
import * as ecr from "@pulumi/aws/ecr";Key Resources
Repository
Container image repository.
const repository = new aws.ecr.Repository("app-repo", {
name: "my-application",
imageTagMutability: "MUTABLE",
imageScanningConfiguration: {
scanOnPush: true,
},
encryptionConfigurations: [{
encryptionType: "AES256",
}],
tags: {
Application: "my-app",
},
});Repository Policy
Resource-based policy for repository access.
const repositoryPolicy = new aws.ecr.RepositoryPolicy("repo-policy", {
repository: repository.name,
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Sid: "AllowPull",
Effect: "Allow",
Principal: {
AWS: `arn:aws:iam::${accountId}:role/ECSTaskExecutionRole`,
},
Action: [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
],
}],
}),
});Lifecycle Policy
Automatically clean up old images.
const lifecyclePolicy = new aws.ecr.LifecyclePolicy("lifecycle", {
repository: repository.name,
policy: JSON.stringify({
rules: [{
rulePriority: 1,
description: "Keep last 10 images",
selection: {
tagStatus: "any",
countType: "imageCountMoreThan",
countNumber: 10,
},
action: {
type: "expire",
},
}],
}),
});Common Patterns
Cross-Account Access
const crossAccountPolicy = new aws.ecr.RepositoryPolicy("cross-account", {
repository: repository.name,
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Sid: "AllowCrossAccountPull",
Effect: "Allow",
Principal: {
AWS: `arn:aws:iam::${otherAccountId}:root`,
},
Action: [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
],
}],
}),
});KMS Encryption
const kmsKey = new aws.kms.Key("ecr-key", {
description: "ECR repository encryption key",
});
const encryptedRepo = new aws.ecr.Repository("encrypted-repo", {
name: "encrypted-images",
encryptionConfigurations: [{
encryptionType: "KMS",
kmsKey: kmsKey.arn,
}],
});Tag-Based Lifecycle Policy
const tagLifecycle = new aws.ecr.LifecyclePolicy("tag-lifecycle", {
repository: repository.name,
policy: JSON.stringify({
rules: [
{
rulePriority: 1,
description: "Keep production images",
selection: {
tagStatus: "tagged",
tagPrefixList: ["prod"],
countType: "imageCountMoreThan",
countNumber: 50,
},
action: {
type: "expire",
},
},
{
rulePriority: 2,
description: "Expire untagged after 7 days",
selection: {
tagStatus: "untagged",
countType: "sinceImagePushed",
countUnit: "days",
countNumber: 7,
},
action: {
type: "expire",
},
},
],
}),
});Replication Configuration
const replication = new aws.ecr.ReplicationConfiguration("replication", {
replicationConfiguration: {
rules: [{
destinations: [{
region: "us-east-1",
registryId: accountId,
}],
repositoryFilters: [{
filter: "prod-*",
filterType: "PREFIX_MATCH",
}],
}],
},
});Key Properties
Repository Properties
name- Repository nameimageTagMutability- Tag mutability (MUTABLE or IMMUTABLE)imageScanningConfiguration- Image scanning settingsencryptionConfigurations- Encryption configurationtags- Resource tags
Lifecycle Policy Properties
repository- Repository namepolicy- Lifecycle rules JSON
Output Properties
repositoryUrl- Repository URL for docker push/pullarn- Repository ARNregistryId- Registry ID
Use Cases
- Container Storage: Store Docker and OCI images
- CI/CD Pipelines: Integrate with build pipelines
- ECS/EKS Deployments: Container orchestration
- Image Scanning: Security vulnerability scanning
- Multi-Region Replication: Distribute images globally
Related Services
Install with Tessl CLI
npx tessl i tessl/npm-pulumi--aws@7.16.0