terraform-aws-ecr

Terraform Module to manage Docker Container Registries on AWS ECR

APACHE-2.0 License


terraform-aws-ecr - 0.11.0 Add repository ARN to output

Published by aknysh almost 5 years ago

what

  • Add repository ARN to output

why

  • Useful if you are adding policies for the registry

terraform-aws-ecr - 0.10.0 Expose variable "regex_replace_chars"

Published by aknysh almost 5 years ago

what

  • Expose variable "regex_replace_chars"

why

  • Allow changing label module behavior

terraform-aws-ecr - 0.9.0 Update terraform-null-label to v0.16.0

Published by aknysh almost 5 years ago

what

  • Update terraform-null-label to v0.16.0

why

  • Since null_resource was dropped in the terraform-null-label module starting version 0.15.0 and the code was completely removed in the recent version 0.16.0, update the terraform-null-label to the latest version

terraform-aws-ecr - 0.8.0 Toggle image scanning on ECR

Published by aknysh almost 5 years ago

what

  • Toggle image scanning on ECR

why

  • As of terraform AWS provider 2.34.0 the ECR image repository now has an additional setting to enable image scanning for CVE vulnerabilities.

references

https://www.terraform.io/docs/providers/aws/r/ecr_repository.html

terraform-aws-ecr -

Published by Nuru over 5 years ago

terraform-aws-ecr - 0.7.0 Convert to TF 0.12. Add tests. Add Codefresh test pipeline

Published by aknysh over 5 years ago

what

  • Port module to Terraform 0.12
  • Pin all providers
  • Add example for testing
  • Add bats and terratest for the example
  • Add Codefresh badge to point to the test pipeline in terraform-modules project
  • Update README

why

  • Module currently does not work with 0.12. Much easier syntax
  • Better regression control
  • Automatically test the example on every commit and pull request
  • Provision resources on AWS in the test account and check the outputs for the correct values
  • terraform-modules project contains pipelines for all terraform modules

terraform-aws-ecr -

Published by goruha over 5 years ago

terraform-aws-ecr - 0.5.0 Pass tags to the ECR resource so that the repository is tagged

Published by aknysh over 5 years ago

what

  • Pass tags to the ECR resource so that the repository is tagged

why

  • Add support for tagging of ECR repositories with user provided metadata

terraform-aws-ecr -

Published by goruha over 5 years ago

terraform-aws-ecr -

Published by goruha over 5 years ago

What

  • Grant permission to access ECR using an ECR policy with the principals that have access to it. Basically, let ECR describe who can access it, rather than each user/role listing the modules they can access

Why

  • To solve IAM limit problem (more scalable strategy and probably the way we should have done it from the get go)

Breaking changes

  • Variable roles is replaced with principals_full_access or principals_readonly_access, which expect a list of role\user ARNs as the value
  • User should have permissions:
data "aws_iam_policy_document" "login" {
  statement {
    sid       = "ECRGetAuthorizationToken"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
}
  • We removed the policies that provide access to the registry (policy_login_name, policy_login_arn, policy_read_name, policy_read_arn, policy_write_name, policy_write_arn).
    So you do not need to attach the policies to an IAM role\user. Please provide the IAM role\user ARN as variable principals_full_access or principals_readonly_access, depending on what type of access you need.

Example:

module "kops_ecr" {
  source       = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.2.11"
  name         = "${var.name}"
  namespace    = "${var.namespace}"
  stage        = "${var.stage}"
  use_fullname = "${var.use_fullname}"

  roles = [
    "${module.kops_metadata.masters_role_name}",
    "${module.kops_metadata.nodes_role_name}",
  ]
}

resource "aws_iam_policy_attachment" "login" {
  count      = "${signum(length(var.users))}"
  name       = "${module.label.id}"
  users      = ["${var.users}"]
  policy_arn = "${module.kops_ecr.policy_login_arn}"
}

now should be

module "kops_ecr" {
  source       = "git::https://github.com/cloudposse/terraform-aws-ecr.git?ref=tags/0.3.0"
  name         = "${var.name}"
  namespace    = "${var.namespace}"
  stage        = "${var.stage}"
  use_fullname = "${var.use_fullname}"

  principals_readonly_access = [
    "${module.kops_metadata.masters_role_arn}",
    "${module.kops_metadata.nodes_role_arn}",
  ]

  principals_full_access =  [
    "${var.users_arns}"
  ]
}
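
The access model this release describes, sketched as an added example (not the module's own code): the repository carries a policy that names the principals, so each caller only needs the `ecr:GetAuthorizationToken` permission shown above on its own side. The resource names, the repository name and the action lists are assumptions, and the block uses Terraform 0.12+ syntax rather than the 0.11 interpolation used in the release note.

```hcl
# Added illustration, not taken from the module source.
# Resource names, repository name and action lists are hypothetical.
variable "principals_readonly_access" {
  type = list(string) # role/user ARNs; an empty list renders an invalid statement
}

variable "principals_full_access" {
  type = list(string) # role/user ARNs; an empty list renders an invalid statement
}

resource "aws_ecr_repository" "example" {
  name = "example/app"
}

# Resource-based policy: the repository lists who may use it.
# No "resources" argument is set because the policy is attached to one repository.
data "aws_iam_policy_document" "repository" {
  statement {
    sid    = "ReadonlyAccess"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]

    principals {
      type        = "AWS"
      identifiers = var.principals_readonly_access
    }
  }

  statement {
    sid     = "FullAccess"
    effect  = "Allow"
    actions = ["ecr:*"] # assumption for "full access"; narrow to push actions where possible

    principals {
      type        = "AWS"
      identifiers = var.principals_full_access
    }
  }
}

resource "aws_ecr_repository_policy" "example" {
  repository = aws_ecr_repository.example.name
  policy     = data.aws_iam_policy_document.repository.json
}
```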

terraform-aws-ecr - 0.2.13 Update readme yaml file and rebuild md

Published by solairerove almost 6 years ago

what

  • updated README.yaml file
  • add tags and categories
  • rebuild README.md file

why

  • need to add categories and tags so we can pull them into the documentation

terraform-aws-ecr -

Published by osterman about 6 years ago

terraform-aws-ecr -

Published by goruha about 6 years ago

terraform-aws-ecr -

Published by goruha about 6 years ago

terraform-aws-ecr - Regenerate README.md

Published by vadim-hleif about 6 years ago

what

  • Regenerate README.md

why

  • Previous version of build-harness has some typos

terraform-aws-ecr - Fix readme

Published by vadim-hleif over 6 years ago

What

  • Change releases badge link
  • Re-render readme

Why

  • Badge has wrong url
  • Old template has a bug so avatar links were broken

terraform-aws-ecr - 0.2.7: (Migrate to README.yaml format)

Published by vadim-hleif over 6 years ago

what

  • Add README.yaml

why

  • Standardize README

terraform-aws-ecr - Expose Policies to bind access by the module caller

Published by goruha over 6 years ago

terraform-aws-ecr - 0.2.5

Published by aknysh over 6 years ago

what

  • Changed resources of aws_iam_policy_document to wildcard

why

terraform-aws-ecr - 0.2.4

Published by aknysh over 6 years ago

Add lifecycle policy

what

  • Define aws_ecr_lifecycle_policy

why

  • To expunge old images