■ Introduction
This article builds an Amazon Elastic Container Registry (ECR) repository with Terraform. For ECR itself, see the following related articles.
Amazon ECR ~ Introduction ~
https://dk521123.hatenablog.com/entry/2020/05/22/165711
Amazon ECR ~ Basics ~
https://dk521123.hatenablog.com/entry/2020/05/26/142645
Table of contents
【1】Official documentation
1) Resource: aws_ecr_repository
2) Resource: aws_ecr_lifecycle_policy
3) Resource: aws_ecr_pull_through_cache_rule
4) Resource: aws_ecr_repository_policy
5) Resource: aws_ecr_registry_policy
【2】Samples
Example 1: Hello world
Example 2: ECR repository policy
Example 3: AWS ECR Public Gallery + pull through cache
【3】AWS ECR miscellany
1) Pushing a container image
【1】Official documentation
1) Resource: aws_ecr_repository
* Creates an ECR repository
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
2) Resource: aws_ecr_lifecycle_policy
* Lifecycle policy for an ECR repository
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy
3) Resource: aws_ecr_pull_through_cache_rule
* Creates pull through cache rules
* For details on pull through cache rules, see the following related article
Amazon ECR ~ pull through cache rules ~
https://dk521123.hatenablog.com/entry/2024/04/09/141310
4) Resource: aws_ecr_repository_policy
* Creates an ECR repository policy
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy
=> For ECR repository policies, see the following related article
Amazon ECR ~ Pull/Push to an ECR in another account ~
https://dk521123.hatenablog.com/entry/2024/05/14/232934
5) Resource: aws_ecr_registry_policy
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_policy
【2】Samples
Example 1: Hello world
resource "aws_ecr_repository" "demo_ecr_repository" {
  name = "demo-ecr-repository"
  # The tag mutability setting for the repository.
  # MUTABLE or IMMUTABLE
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}
Example 2: ECR repository policy
# ECR Repository
resource "aws_ecr_repository" "demo_ecr_repository" {
  name                 = "demo-ecr-repository"
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}

# For ECR repository policy
data "aws_iam_policy_document" "demo_ecr_iam_policy" {
  statement {
    sid    = "AllowPushPull"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:role/your-iam-role"]
    }
    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload"
    ]
  }
}

resource "aws_ecr_repository_policy" "demo_ecr_repository_policy" {
  repository = aws_ecr_repository.demo_ecr_repository.name
  policy     = data.aws_iam_policy_document.demo_ecr_iam_policy.json
}
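The repository in Example 2 uses MUTABLE tags and the default encryption. As an added example that is not part of the original post, here is a hardened variant together with the aws_ecr_lifecycle_policy resource listed in section 1; it assumes a customer-managed key aws_kms_key.demo_ecr_key defined elsewhere in the configuration.

```hcl
# Added example (not from the original post): hardened variant of the Example 2
# repository plus a lifecycle policy. aws_kms_key.demo_ecr_key is assumed to exist.
resource "aws_ecr_repository" "demo_ecr_repository_hardened" {
  name = "demo-ecr-repository-hardened"
  # IMMUTABLE: once a tag is pushed it cannot be overwritten, so a tag such as
  # "v1.2.3" always resolves to the same digest that was reviewed and scanned.
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
  # Encrypt image layers with a customer-managed KMS key (default is AES256).
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.demo_ecr_key.arn
  }
}

# Lifecycle policy (Resource 2 in section 1 above): untagged layers left behind
# by rebuilds expire after 7 days, and only the 30 newest "v"-prefixed tags stay.
resource "aws_ecr_lifecycle_policy" "demo_ecr_lifecycle_policy" {
  repository = aws_ecr_repository.demo_ecr_repository_hardened.name
  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged images older than 7 days"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 7
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Keep only the 30 newest v* tagged images"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["v"]
          countType     = "imageCountMoreThan"
          countNumber   = 30
        }
        action = { type = "expire" }
      }
    ]
  })
}
```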
Example 3: AWS ECR Public Gallery + pull through cache
* The following site is a useful reference
https://dev.classmethod.jp/articles/launch-ecs-task-from-public-image-through-vpce/
ecr.tf
# ECR Repository
resource "aws_ecr_repository" "demo_ecr_repository" {
  name                 = "demo-ecr-repository"
  image_tag_mutability = "MUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
}

resource "aws_ecr_pull_through_cache_rule" "ecr_public" {
  ecr_repository_prefix = "ecr-public"
  upstream_registry_url = "public.ecr.aws"
}
iam.tf
resource "aws_iam_policy" "pull_through_cache" {
  name = "PullThroughCachePermission"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ecr:BatchImportUpstreamImage",
          "ecr:CreateRepository",
        ]
        Resource = "*"
      }
    ]
  })
}

# Attach to the execution role (e.g. the EC2 role) the policy required to use the pull through cache rule
resource "aws_iam_role_policy_attachment" "pull_through_cache" {
  role       = "demo-ec2-role"
  policy_arn = aws_iam_policy.pull_through_cache.arn
}
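The iam.tf policy above allows ecr:CreateRepository on every repository in the account (Resource = "*"). As an added example that is not from the original post or the referenced article, the following scopes the same two actions to repositories created under the cache rule's prefix; it assumes the aws_ecr_pull_through_cache_rule.ecr_public resource from ecr.tf above and the role name demo-ec2-role.

```hcl
# Added example (not from the original post): same two actions as
# "PullThroughCachePermission", but limited to repositories under the
# pull through cache prefix instead of Resource = "*".
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Resolves to e.g. arn:aws:ecr:us-west-2:111111111111:repository/ecr-public/*
  # (region, account id and prefix are read from the current configuration).
  pull_through_cache_repo_arn = "arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${aws_ecr_pull_through_cache_rule.ecr_public.ecr_repository_prefix}/*"
}

resource "aws_iam_policy" "pull_through_cache_scoped" {
  name = "PullThroughCachePermissionScoped"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowCacheUnderPrefixOnly"
        Effect = "Allow"
        Action = [
          "ecr:BatchImportUpstreamImage",
          "ecr:CreateRepository",
        ]
        Resource = local.pull_through_cache_repo_arn
      }
    ]
  })
}

# The role still needs the ordinary pull permissions (ecr:GetAuthorizationToken,
# ecr:BatchGetImage, ecr:GetDownloadUrlForLayer, ...) from a separate policy;
# this policy only adds what the cache rule itself requires.
resource "aws_iam_role_policy_attachment" "pull_through_cache_scoped" {
  role       = "demo-ec2-role"
  policy_arn = aws_iam_policy.pull_through_cache_scoped.arn
}
```

With this in place the role cannot create or populate repositories outside the ecr-public/ prefix, so a cached public image cannot be written over a first-party repository name.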
【3】AWS ECR miscellany
1) Pushing a container image
The null_resource approach in the following article looks usable:
https://qiita.com/hayaosato/items/d6049cf68c84a26845d2
null_resource
https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource
# Parameters
locals {
  aws_region  = "us-west-2"
  server_name = "xxx.xxx.us-west-2.amazonaws.com"
  image_name  = "hello-world-ecr-repository"
  docker_dir  = "."
}

# Push the container image
# Provisioners run in the order they are defined.
resource "null_resource" "default" {
  # Step 1: log in to ECR
  # About "get-login-password", see https://awscli.amazonaws.com/v2/documentation/api/2.0.34/reference/ecr/get-login-password.html
  # "aws ecr get-login" exists only in AWS CLI v1 and prints a docker login command with the
  # password on the command line; get-login-password pipes the token via --password-stdin instead.
  provisioner "local-exec" {
    command = "aws ecr get-login-password --region ${local.aws_region} | docker login --username AWS --password-stdin ${local.server_name}"
  }
  # Step 2: build the Dockerfile you created
  # About "docker build", see https://docs.docker.jp/engine/reference/commandline/build.html
  provisioner "local-exec" {
    command = "docker build -t ${local.image_name} ${local.docker_dir}"
  }
  # Step 3: tag the image
  # About "docker tag", see https://docs.docker.jp/engine/reference/commandline/tag.html
  provisioner "local-exec" {
    command = "docker tag ${local.image_name}:latest ${aws_ecr_repository.demo_ecr_repository.repository_url}"
  }
  # Step 4: push to ECR
  # About "docker push", see https://docs.docker.jp/engine/reference/commandline/push.html
  provisioner "local-exec" {
    command = "docker push ${aws_ecr_repository.demo_ecr_repository.repository_url}"
  }
}
References
https://book.st-hakky.com/docs/infra-terraform-aws-ecr/
Related articles
Terraform ~ Environment setup ~
https://dk521123.hatenablog.com/entry/2023/04/05/000224
Terraform ~ Introduction ~
https://dk521123.hatenablog.com/entry/2019/12/09/222057
Terraform ~ Basics ~
https://dk521123.hatenablog.com/entry/2023/05/03/000000
Terraform ~ Basics / Module ~
https://dk521123.hatenablog.com/entry/2023/05/19/113544
Terraform ~ Terraform miscellany ~
https://dk521123.hatenablog.com/entry/2023/05/15/205352
Terraform ~ AWS S3 ~
https://dk521123.hatenablog.com/entry/2023/04/09/104204
Terraform ~ AWS IAM ~
https://dk521123.hatenablog.com/entry/2023/04/12/214311
Terraform ~ AWS Glue ~
https://dk521123.hatenablog.com/entry/2023/04/08/220411
Terraform ~ AWS Secrets Manager ~
https://dk521123.hatenablog.com/entry/2023/04/11/152801
Terraform ~ AWS CloudWatch ~
https://dk521123.hatenablog.com/entry/2023/05/17/123335
Terraform ~ AWS EC2 ~
https://dk521123.hatenablog.com/entry/2023/05/21/003048
Amazon ECR ~ Introduction ~
https://dk521123.hatenablog.com/entry/2020/05/22/165711
Amazon ECR ~ Basics ~
https://dk521123.hatenablog.com/entry/2020/05/26/142645
Amazon ECR ~ Pull/Push to an ECR in another account ~
https://dk521123.hatenablog.com/entry/2024/05/14/232934
Amazon ECR ~ pull through cache rules ~
https://dk521123.hatenablog.com/entry/2024/04/09/141310
Amazon ECR ~ AWS ECR Public Gallery ~
https://dk521123.hatenablog.com/entry/2024/04/08/184035
Troubleshooting Amazon ECR
https://dk521123.hatenablog.com/entry/2020/05/24/000000
Docker ~ Basics / Repository-related commands ~
https://dk521123.hatenablog.com/entry/2023/01/21/000000