Skip to main content

aws_ecr_repository resource

[edit on GitHub]

Use the aws_ecr_repository InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository. This resource is available in InSpec AWS resource pack version 1.11.0 onwards.

Syntax

An aws_ecr_repository resource block declares the tests for a single AWS ECR repository by repository name.

describe aws_ecr_repository(repository_name: 'my-repo') do
  it { should exist }
end

The value of the repository_name can be provided as a string.

describe aws_ecr_repository('my-repo') do
  it { should exist }
end

Parameters

The repository name must be provided. The registry id is optional.

repository_name (required)

The name of the ECR repository must satisfy the following constraints:

  • Regex pattern (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*.
  • Minimum 2 and maximum of 256 characters long.

This can be passed either as a string or as a repository_name: 'value' key-value entry in a hash.

registry_id (optional)

The 12-digit ID of the AWS Elastic Container Registry. If not provided, the default registry is assumed.

Properties

PropertyDescription
repository_nameThe name of the repository.
image_tag_mutabilityThe tag mutability settings for the repository. Valid values are MUTABLE or IMMUTABLE.
registry_idThe AWS account ID associated with the registry that contains the repository.
tagsAn hash with each key-value pair corresponding to a tag associated with the entity.

There are also additional properties available. For a comprehensive list, see the API reference documentation

Examples

Test that image tags are IMMUTABLE in an ECR repository

describe aws_ecr_repository('my-repo') do
  its('image_tag_mutability') { should eq 'IMMUTABLE' }
end

Test that images are scanned for vulnerabilities at a push to repository

describe aws_ecr_repository(repository_name: 'my-repo') do
  its('image_scanning_configuration.scan_on_push') { should eq true}
end

Test that an ECR repository has a certain tag

describe aws_ecr_repository('my-repo') do
  its('tags') { should include('environment' => 'dev') }
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

describe aws_ecr_repository(repository_name: 'my-repo') do
    it { should exist }
end

AWS Permissions

Your Principal will need the ecr:DescribeRepositories action set to allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.

Was this page helpful?