This creates private container image repositories hosted in the AWS Elastic Container Registry (ECR) of your AWS Account using a Pulumi program.
For equivalent examples see:
Install the dependencies:
Set the AWS Account credentials using SSO:
# set the account credentials.
# see https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso
aws configure sso
# dump the configured profile and sso-session.
cat ~/.aws/config
# set the environment variables to use a specific profile.
export AWS_PROFILE=my-profile
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
# show the user, user amazon resource name (arn), and the account id, of the
# profile set in the AWS_PROFILE environment variable.
aws sts get-caller-identity
Or, set the account credentials using an access key:
# set the account credentials.
# NB get these from your aws account iam console.
# see Managing access keys (console) at
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey
export AWS_ACCESS_KEY_ID='TODO'
export AWS_SECRET_ACCESS_KEY='TODO'
# set the default region.
export AWS_DEFAULT_REGION='eu-west-1'
# show the user, user amazon resource name (arn), and the account id.
aws sts get-caller-identity
Review index.ts.
Set the environment:
cat >secrets.sh <<'EOF'
export AWS_PROFILE=my-profile
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
aws sts get-caller-identity
export PULUMI_SKIP_UPDATE_CHECK='true'
export PULUMI_BACKEND_URL="file://$PWD" # NB pulumi will create the .pulumi sub-directory.
export PULUMI_CONFIG_PASSPHRASE='password' # NB example value; use a strong passphrase for a real stack.
pulumi stack select dev
EOF
Provision:
# login.
source secrets.sh
pulumi login
pulumi whoami -v
# create the dev stack.
pulumi stack init dev
pulumi stack select dev
# set the region.
pulumi config set aws-native:region eu-west-1
# provision.
pulumi up
# provision in troubleshooting mode.
# NB for more information see the troubleshooting section in this document.
#pulumi up --logtostderr --logflow -v=9 2>pulumi.log
Display the created resources and outputs:
pulumi stack
Log in to the container registry:
NB You are logging in at the registry level. You are not logging in at the repository level.
aws ecr get-login-password \
--region "$(pulumi stack output registryRegion)" \
| docker login \
--username AWS \
--password-stdin \
"$(pulumi stack output registryDomain)"
NB This saves the credentials in the ~/.docker/config.json local file.
Inspect the created example container images:
image="$(pulumi stack output --json images | jq -r .example)"
crane manifest "$image" | jq .
Download the created example container image from the created container image repository, and execute it locally:
docker run --rm "$image"
Delete the local copy of the created container image:
docker rmi "$image"
Log out of the container registry:
docker logout \
"$(pulumi stack output registryDomain)"
Delete the example image resource:
# list the stack, and grab the urn of the example Command, and use
# it in the pulumi destroy command.
pulumi stack --show-urns
pulumi destroy --target 'urn:pulumi:dev::pulumi-typescript-aws-native-ecr-example::aws-native:ecr:Repository$command:local:Command::pulumi-typescript-aws-native-ecr-example/example:v1.11.0'
At the ECR AWS Management Console, verify that the example image no longer exists (actually, it's the image index/tag that no longer exists).
Do a pulumi up to verify that it recreates the example image:
pulumi up
Destroy the example:
NB This is currently failing due to #1270. To complete this successfully, you must manually delete all the repository content, and retry the command.
pulumi destroy
pulumi stack rm dev
List this repository's dependencies (and which have newer versions):
GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh
- It's not possible to create multiple container image registries.
- A single registry is automatically created when the AWS Account is created.
- You have to create a separate repository for each of your container images.
- A repository name can include several path segments (e.g. hello/world).
- The Pulumi AWS Native Provider: