【Terraform】Terraform ~ AWS ECR ~

■ Introduction

Create an Amazon Elastic Container Registry (ECR) with Terraform.

For ECR itself, see the related articles below.

Amazon ECR ~ Getting Started ~
https://dk521123.hatenablog.com/entry/2020/05/22/165711
Amazon ECR ~ Basics ~
https://dk521123.hatenablog.com/entry/2020/05/26/142645

Table of Contents

【1】Official documentation
 1)Resource: aws_ecr_repository
 2)Resource: aws_ecr_lifecycle_policy
 3)Resource: aws_ecr_pull_through_cache_rule
 4)Resource: aws_ecr_repository_policy
 5)Resource: aws_ecr_registry_policy
【2】Samples
 Example 1: Hello world
 Example 2: ECR repository policy
 Example 3: AWS ECR Public Gallery + pull through cache
【3】AWS ECR Odds and Ends
 1) Pushing a container image

【1】Official documentation

1)Resource: aws_ecr_repository

* Creates an ECR repository

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository

2)Resource: aws_ecr_lifecycle_policy

* Lifecycle policy for an ECR repository

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy

3)Resource: aws_ecr_pull_through_cache_rule

* Creates pull through cache rules

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_pull_through_cache_rule

* For details on pull through cache rules, see the related article below

Amazon ECR ~ pull through cache rules ~
https://dk521123.hatenablog.com/entry/2024/04/09/141310

4)Resource: aws_ecr_repository_policy

* Creates an ECR repository policy

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy

 => For ECR repository policies, see the related article below

Amazon ECR ~ Pull/Push to an ECR in Another Account ~
https://dk521123.hatenablog.com/entry/2024/05/14/232934

5)Resource: aws_ecr_registry_policy

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_policy

【2】Samples

Example 1: Hello world

resource "aws_ecr_repository" "demo_ecr_repository" {
  name = "demo-ecr-repository"
  # The tag mutability setting for the repository. 
  # MUTABLE or IMMUTABLE
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}
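As an added example (not from the original article), the same repository hardened with the settings a production registry usually wants: immutable tags, a customer-managed KMS key, and an aws_ecr_lifecycle_policy (the resource listed in section 【1】 but not shown above) that expires untagged layers and caps the number of release images. The KMS alias "alias/ecr-demo" and the retention numbers are assumptions.

```hcl
# Added example (not from the original article): hardened variant of the hello-world repository.
# Assumption: a KMS key with alias "alias/ecr-demo" already exists; retention numbers are illustrative.
data "aws_kms_alias" "ecr" {
  name = "alias/ecr-demo"
}

resource "aws_ecr_repository" "hardened_ecr_repository" {
  name = "hardened-ecr-repository"
  # IMMUTABLE: once "v1.2.3" is pushed, that tag cannot be re-pointed at a different image
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }

  # Customer-managed KMS key instead of the default AES256 setting
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = data.aws_kms_alias.ecr.target_key_arn
  }
}

# Lifecycle policy (aws_ecr_lifecycle_policy from section 【1】): expire untagged layers, cap release images
resource "aws_ecr_lifecycle_policy" "hardened_ecr_lifecycle_policy" {
  repository = aws_ecr_repository.hardened_ecr_repository.name
  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged images 7 days after push"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 7
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Keep only the 30 most recent v* images"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["v"]
          countType     = "imageCountMoreThan"
          countNumber   = 30
        }
        action = { type = "expire" }
      }
    ]
  })
}
```

With IMMUTABLE tags a second `docker push` of an existing tag is rejected by ECR, so a pipeline has to push a new tag (or a digest) each time rather than overwriting `latest`.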

Example 2: ECR repository policy

# ECR Repository
resource "aws_ecr_repository" "demo_ecr_repository" {
  name = "demo-ecr-repository"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

# For ECR repository policy
data "aws_iam_policy_document" "demo_ecr_iam_policy" {
  statement {
    sid    = "AllowPushPull"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:role/your-iam-role"]
    }

    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload"
    ]
  }
}

resource "aws_ecr_repository_policy" "demo_ecr_repository_policy" {
  repository = aws_ecr_repository.demo_ecr_repository.name
  policy     = data.aws_iam_policy_document.demo_ecr_iam_policy.json
}

Example 3: AWS ECR Public Gallery + pull through cache

* The following article is a useful reference

https://dev.classmethod.jp/articles/launch-ecs-task-from-public-image-through-vpce/
ecr.tf

# ECR Repository
resource "aws_ecr_repository" "demo_ecr_repository" {
  name = "demo-ecr-repository"
  image_tag_mutability = "MUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_pull_through_cache_rule" "ecr_public" {
  ecr_repository_prefix = "ecr-public"
  upstream_registry_url = "public.ecr.aws"
}

iam.tf

resource "aws_iam_policy" "pull_through_cache" {
  name = "PullThroughCachePermission"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ecr:BatchImportUpstreamImage",
          "ecr:CreateRepository",
        ]
        Resource = "*"
      }
    ]
  })
}

# Attach the policy required to use the pull through cache rule to the execution role (e.g. an EC2 role)
resource "aws_iam_role_policy_attachment" "pull_through_cache" {
  role = "demo-ec2-role"
  policy_arn = aws_iam_policy.pull_through_cache.arn
}
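As an added example (not from the referenced article or this post), the same attachment with the policy scoped to repositories under the cache rule's prefix instead of Resource = "*", which is the form the AWS pull through cache documentation uses; pull actions on the cached repositories are added, and only ecr:GetAuthorizationToken, which is not repository-scoped, stays on "*". The role name is the post's demo-ec2-role; the data sources and policy names are assumptions.

```hcl
# Added example (not from the referenced article or this post): grant pull through cache permissions
# only on repositories under the cache rule's prefix, not on Resource = "*".
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # e.g. arn:aws:ecr:us-west-2:111111111111:repository/ecr-public/*
  # (data.aws_region.current.name is deprecated in favour of .region from AWS provider v6)
  cache_repository_arn = "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${aws_ecr_pull_through_cache_rule.ecr_public.ecr_repository_prefix}/*"
}

resource "aws_iam_policy" "pull_through_cache_scoped" {
  name = "PullThroughCachePermissionScoped"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Needed to create and fill the cached repository on first pull; limited to the prefix
        Sid      = "AllowPullThroughCache"
        Effect   = "Allow"
        Action   = ["ecr:BatchImportUpstreamImage", "ecr:CreateRepository"]
        Resource = local.cache_repository_arn
      },
      {
        # Ordinary pull from the cached repositories
        Sid    = "AllowPullFromCache"
        Effect = "Allow"
        Action = [
          "ecr:BatchGetImage",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchCheckLayerAvailability",
        ]
        Resource = local.cache_repository_arn
      },
      {
        # GetAuthorizationToken is not repository-scoped and must stay on "*"
        Sid      = "AllowEcrLogin"
        Effect   = "Allow"
        Action   = "ecr:GetAuthorizationToken"
        Resource = "*"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "pull_through_cache_scoped" {
  role       = "demo-ec2-role"
  policy_arn = aws_iam_policy.pull_through_cache_scoped.arn
}
```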

【3】AWS ECR Odds and Ends

1) Pushing a container image

The null_resource used in the following article looks usable:

https://qiita.com/hayaosato/items/d6049cf68c84a26845d2

null_resource
https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource

# Parameters
locals {
  aws_region  = "us-west-2"
  server_name = "xxx.xxx.us-west-2.amazonaws.com"
  image_name  = "hello-world-ecr-repository"
  docker_dir  = "."
}

# Push the container image
# Note: a null_resource without "triggers" runs its provisioners only when it is first created
resource "null_resource" "default" {

  # Step1: Log in to ECR
  # About "get-login-password", see https://awscli.amazonaws.com/v2/documentation/api/2.0.34/reference/ecr/get-login-password.html
  # ("aws ecr get-login" was removed in AWS CLI v2; the password is piped straight into "docker login --password-stdin")
  provisioner "local-exec" {
    command = "aws ecr get-login-password --region ${local.aws_region} | docker login --username AWS --password-stdin ${local.server_name}"
  }

  # Step2: Build the Dockerfile
  # About "docker build", see https://docs.docker.jp/engine/reference/commandline/build.html
  provisioner "local-exec" {
    command = "docker build -t ${local.image_name} ${local.docker_dir}"
  }

  # Step3: Tag the image
  # About "docker tag", see https://docs.docker.jp/engine/reference/commandline/tag.html
  provisioner "local-exec" {
    command = "docker tag ${local.image_name}:latest ${aws_ecr_repository.demo_ecr_repository.repository_url}"
  }

  # Step4: Push to ECR
  # About "docker push", see https://docs.docker.jp/engine/reference/commandline/push.html
  provisioner "local-exec" {
    command = "docker push ${aws_ecr_repository.demo_ecr_repository.repository_url}"
  }
}
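As an added example (not from the original post or the referenced Qiita article), the same four steps on Terraform 1.4+'s built-in terraform_data resource: it re-runs whenever the Dockerfile or the tag changes, fails fast if login or build fails, and pushes a versioned tag instead of an implicit latest, which is what an IMMUTABLE repository requires. It reuses the post's locals and demo_ecr_repository; the image_tag value is an assumption.

```hcl
# Added example (not from the original post): terraform_data (Terraform 1.4+) instead of null_resource,
# re-run when the Dockerfile changes, pushing a versioned tag. Reuses local.aws_region, local.server_name,
# local.image_name and local.docker_dir from the block above.
locals {
  image_tag = "v1.0.0" # assumption: the release tag, normally supplied by CI
}

resource "terraform_data" "push_image" {
  # Replacing the resource re-runs the provisioner: triggered by a Dockerfile change or a new tag
  triggers_replace = [
    filesha256("${local.docker_dir}/Dockerfile"),
    local.image_tag,
  ]

  provisioner "local-exec" {
    interpreter = ["bash", "-c"]
    # set -euo pipefail: a failed login or build aborts instead of pushing a stale image
    command = <<-EOT
      set -euo pipefail
      aws ecr get-login-password --region ${local.aws_region} \
        | docker login --username AWS --password-stdin ${local.server_name}
      docker build -t ${local.image_name}:${local.image_tag} ${local.docker_dir}
      docker tag ${local.image_name}:${local.image_tag} \
        ${aws_ecr_repository.demo_ecr_repository.repository_url}:${local.image_tag}
      docker push ${aws_ecr_repository.demo_ecr_repository.repository_url}:${local.image_tag}
    EOT
  }
}
```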

References

https://book.st-hakky.com/docs/infra-terraform-aws-ecr/

Related articles

Terraform ~ Environment Setup ~
https://dk521123.hatenablog.com/entry/2023/04/05/000224
Terraform ~ Getting Started ~
https://dk521123.hatenablog.com/entry/2019/12/09/222057
Terraform ~ Basics ~
https://dk521123.hatenablog.com/entry/2023/05/03/000000
Terraform ~ Basics / Module ~
https://dk521123.hatenablog.com/entry/2023/05/19/113544
Terraform ~ Terraform Odds and Ends ~
https://dk521123.hatenablog.com/entry/2023/05/15/205352
Terraform ~ AWS S3 ~
https://dk521123.hatenablog.com/entry/2023/04/09/104204
Terraform ~ AWS IAM ~
https://dk521123.hatenablog.com/entry/2023/04/12/214311
Terraform ~ AWS Glue ~
https://dk521123.hatenablog.com/entry/2023/04/08/220411
Terraform ~ AWS Secrets Manager ~
https://dk521123.hatenablog.com/entry/2023/04/11/152801
Terraform ~ AWS CloudWatch ~
https://dk521123.hatenablog.com/entry/2023/05/17/123335
Terraform ~ AWS EC2 ~
https://dk521123.hatenablog.com/entry/2023/05/21/003048
Amazon ECR ~ Getting Started ~
https://dk521123.hatenablog.com/entry/2020/05/22/165711
Amazon ECR ~ Basics ~
https://dk521123.hatenablog.com/entry/2020/05/26/142645
Amazon ECR ~ Pull/Push to an ECR in Another Account ~
https://dk521123.hatenablog.com/entry/2024/05/14/232934
Amazon ECR ~ pull through cache rules ~
https://dk521123.hatenablog.com/entry/2024/04/09/141310
Amazon ECR ~ AWS ECR Public Gallery ~
https://dk521123.hatenablog.com/entry/2024/04/08/184035
Troubleshooting Amazon ECR
https://dk521123.hatenablog.com/entry/2020/05/24/000000
Docker ~ Basics / Repository Commands ~
https://dk521123.hatenablog.com/entry/2023/01/21/000000