Amazon ECR Construct Library¶---
This package contains constructs for working with Amazon Elastic Container Registry.
Define a repository by creating a new instance of
Repository. A repository
holds multiple verions of a single container image.
repository = ecr.Repository(self, "Repository")
Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. You can manually scan container images stored in Amazon ECR, or you can configure your repositories to scan images when you push them to a repository. To create a new repository to scan on push, simply enable
imageScanOnPush in the properties
repository = ecr.Repository(self, "Repo", image_scan_on_push=True )
To create an
onImageScanCompleted event rule and trigger the event target
# repository: ecr.Repository # target: SomeTarget repository.on_image_scan_completed("ImageScanComplete").add_target(target)
Image tag immutability¶
You can set tag immutability on images in our repository using the
imageTagMutability construct prop.
ecr.Repository(self, "Repo", image_tag_mutability=ecr.TagMutability.IMMUTABLE)
By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. For more control over the encryption for your Amazon ECR repositories, you can use server-side encryption with KMS keys stored in AWS Key Management Service (AWS KMS). Read more about this feature in the ECR Developer Guide.
When you use AWS KMS to encrypt your data, you can either use the default AWS managed key, which is managed by Amazon ECR, by specifying
RepositoryEncryption.KMS in the
encryption property. Or specify your own customer managed KMS key, by specifying the
encryptionKey is set, the
encryption property must be
KMS or empty.
In the case
encryption is set to
KMS but no
encryptionKey is set, an AWS managed KMS key is used.
ecr.Repository(self, "Repo", encryption=ecr.RepositoryEncryption.KMS )
Otherwise, a customer-managed KMS key is used if
encryptionKey was set and
encryption was optionally set to
import aws_cdk.aws_kms as kms ecr.Repository(self, "Repo", encryption_key=kms.Key(self, "Key") )
Automatically clean up repositories¶
You can set life cycle rules to automatically clean up old images from your repository. The first life cycle rule that matches an image will be applied against that image. For example, the following deletes images older than 30 days, while keeping all images tagged with prod (note that the order is important here):
# repository: ecr.Repository repository.add_lifecycle_rule(tag_prefix_list=["prod"], max_image_count=9999) repository.add_lifecycle_rule(max_image_age=Duration.days(30))