AWS::ECR::PullThroughCacheRule - AWS CloudFormation

AWS::ECR::PullThroughCacheRule

The AWS::ECR::PullThroughCacheRule resource creates or updates a pull through cache rule. A pull through cache rule provides a way to cache images from an upstream registry in your Amazon ECR private registry.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::ECR::PullThroughCacheRule", "Properties" : { "CredentialArn" : String, "EcrRepositoryPrefix" : String, "UpstreamRegistry" : String, "UpstreamRegistryUrl" : String } }

YAML

Type: AWS::ECR::PullThroughCacheRule Properties: CredentialArn: String EcrRepositoryPrefix: String UpstreamRegistry: String UpstreamRegistryUrl: String

Properties

CredentialArn

The ARN of the Secrets Manager secret associated with the pull through cache rule.

Required: No

Type: String

Pattern: ^arn:aws:secretsmanager:[a-zA-Z0-9-:]+:secret:ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$

Minimum: 50

Maximum: 612

Update requires: Replacement

EcrRepositoryPrefix

The Amazon ECR repository prefix associated with the pull through cache rule.

Required: No

Type: String

Pattern: (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*

Minimum: 2

Maximum: 30

Update requires: Replacement

UpstreamRegistry

The name of the upstream source registry associated with the pull through cache rule.

Required: No

Type: String

Allowed values: ecr-public | quay | k8s | docker-hub | github-container-registry | azure-container-registry | gitlab-container-registry

Update requires: Replacement

UpstreamRegistryUrl

The upstream registry URL associated with the pull through cache rule.

Required: No

Type: String

Update requires: Replacement

Examples

The following resource examples show how to create a pull through cache rule for a private registry.

Create a pull through cache rule for an upstream registry that requires authentication

The following example creates a pull through cache rule for the upstream registry Docker Hub, which requires authentication. The authentication credentials for the upstream registry must be stored in a Secrets Manager secret with a secret name with a ecr-pullthroughcache/ prefix. You specify the full Amazon Resource Name (ARN) of the secret. When the pull through cache rule is used to pull images from the upstream registry, Amazon ECR will create repositories in your private registry on your behalf with the docker-hub prefix.

JSON

{ "Resources": { "MyECRPullThroughCacheRule": { "Type": "AWS::ECR::PullThroughCacheRule", "Properties": { "EcrRepositoryPrefix": "docker-hub", "UpstreamRegistryUrl": "registry-1.docker.io", "CredentialArn": "arn:aws:secretsmanager:us-east-2:111122223333:secret:ecr-pullthroughcache/example1234" } } } }

YAML

Resources: MyECRPullThroughCacheRule: Type: 'AWS::ECR::PullThroughCacheRule' Properties: EcrRepositoryPrefix: 'docker-hub' UpstreamRegistryUrl: 'registry-1.docker.io' CredentialArn: 'arn:aws:secretsmanager:us-east-2:111122223333:secret:ecr-pullthroughcache/example1234' UpstreamRegistry: 'docker-hub'

Create a pull through cache rule for an upstream registry that does not require authentication

The following example creates a pull through cache rule that caches repositories with the name prefix ecr-public from the Amazon ECR Public registry into your private registry.

JSON

{ "Resources": { "MyECRPullThroughCacheRule": { "Type": "AWS::ECR::PullThroughCacheRule", "Properties": { "EcrRepositoryPrefix": "ecr-public", "UpstreamRegistryUrl": "public.ecr.aws" } } } }

YAML

Resources: MyECRPullThroughCacheRule: Type: 'AWS::ECR::PullThroughCacheRule' Properties: EcrRepositoryPrefix: 'ecr-public' UpstreamRegistryUrl: 'public.ecr.aws' UpstreamRegistry: 'ecr-public'