aws_ecr_repository resource


Use the aws_ecr_repository InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository. This resource is available in InSpec AWS resource pack version 1.11.0 onwards.

Syntax

An aws_ecr_repository resource block declares the tests for a single AWS ECR repository by repository name.

describe aws_ecr_repository(repository_name: 'my-repo') do
  it { should exist }
end

The repository_name can also be passed directly as a string, without the hash key.

describe aws_ecr_repository('my-repo') do
  it { should exist }
end

Parameters

The repository name must be provided. The registry id is optional.

repository_name (required)

The name of the ECR repository must satisfy the following constraints:

  • It must match the regex pattern (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*.
  • It must be between 2 and 256 characters long.

This can be passed either as a string or as a repository_name: 'value' key-value entry in a hash.

registry_id (optional)

The 12-digit ID of the AWS Elastic Container Registry. If not provided, the default registry is assumed.

Properties

Property                Description
repository_name         The name of the repository.
image_tag_mutability    The tag mutability setting for the repository. Valid values are MUTABLE or IMMUTABLE.
registry_id             The AWS account ID associated with the registry that contains the repository.
tags                    A hash with each key-value pair corresponding to a tag associated with the entity.

Additional properties are also available. For a comprehensive list, see the API reference documentation for the DescribeRepositories response.

Examples

Test that image tags are IMMUTABLE in an ECR repository

describe aws_ecr_repository('my-repo') do
  its('image_tag_mutability') { should eq 'IMMUTABLE' }
end

Test that images are scanned for vulnerabilities when pushed to the repository

describe aws_ecr_repository(repository_name: 'my-repo') do
  its('image_scanning_configuration.scan_on_push') { should eq true }
end

Test that an ECR repository has a certain tag

describe aws_ecr_repository('my-repo') do
  its('tags') { should include('environment' => 'dev') }
end
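The three example checks above, together with the repository_name constraints from the Parameters section, as an added plain-Ruby example (not InSpec DSL and not code from the Chef docs) that runs offline: the hash shape with symbol keys and the sample repository descriptions are constructed assumptions that mirror the property names the page uses.

```ruby
# Added example: applies the documented repository_name constraints and evaluates a
# constructed DescribeRepositories-style hash against the checks the page's examples make.

# Same pattern as the documented repository_name constraint, anchored to the whole string.
REPO_NAME_RE = %r{\A(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*\z}

# True when the name satisfies both the regex and the 2..256 length bound.
def valid_repository_name?(name)
  name.is_a?(String) && name.length.between?(2, 256) && REPO_NAME_RE.match?(name)
end

# Evaluates one repository description and returns the list of failing checks.
# Keys mirror the properties used in the page's examples (image_tag_mutability,
# image_scanning_configuration.scan_on_push, tags); the symbol-key hash shape is an assumption.
def ecr_repository_findings(repo, required_tags: {})
  findings = []
  findings << 'image_tag_mutability is not IMMUTABLE' unless repo[:image_tag_mutability] == 'IMMUTABLE'
  scan_cfg = repo[:image_scanning_configuration] || {}
  findings << 'scan_on_push is not enabled' unless scan_cfg[:scan_on_push] == true
  required_tags.each do |key, value|
    findings << "missing tag #{key}=#{value}" unless (repo[:tags] || {})[key] == value
  end
  findings
end

# Constructed sample inputs, not real AWS output.
COMPLIANT_REPO = {
  repository_name: 'team/my-repo',
  registry_id: '123456789012',
  image_tag_mutability: 'IMMUTABLE',
  image_scanning_configuration: { scan_on_push: true },
  tags: { 'environment' => 'dev' }
}.freeze

# Same repository after drifting away from the desired settings.
DRIFTED_REPO = COMPLIANT_REPO.merge(
  image_tag_mutability: 'MUTABLE',
  image_scanning_configuration: { scan_on_push: false },
  tags: {}
).freeze

if __FILE__ == $PROGRAM_NAME
  p ecr_repository_findings(DRIFTED_REPO, required_tags: { 'environment' => 'dev' })
end
```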

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

describe aws_ecr_repository(repository_name: 'my-repo') do
  it { should exist }
end

AWS Permissions

Your Principal will need the ecr:DescribeRepositories action set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.

© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
https://docs.chef.io/inspec/resources/aws_ecr_repository/