aws_ecr_repository Resource
Use the aws_ecr_repository InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository.
This resource is available in InSpec AWS resource pack version 1.11.0 onwards.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_ecr_repository resource block declares the tests for a single AWS ECR repository by repository name.
describe aws_ecr_repository(repository_name: 'my-repo') do
it { should exist }
end
The value of the repository_name can be provided as a string.
describe aws_ecr_repository('my-repo') do
it { should exist }
end
Parameters
The repository name must be provided. The registry ID is optional.
repository_name (required)
The name of the ECR repository must satisfy the following constraints:
- Regex pattern (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*.
- Minimum 2 and maximum of 256 characters long.
This can be passed either as a string or as a repository_name: 'value' key-value entry in a hash.
registry_id (optional)
The 12-digit ID of the AWS Elastic Container Registry. If not provided, the default registry is assumed.
Properties
repository_name - The name of the repository.
image_tag_mutability - The tag mutability settings for the repository. Valid values are MUTABLE or IMMUTABLE.
registry_id - The AWS account ID associated with the registry that contains the repository.
tags - A hash with each key-value pair corresponding to a tag associated with the entity.
There are also additional properties available. For a comprehensive list, see the API reference documentation.
Examples
Test that image tags are IMMUTABLE in an ECR repository.
describe aws_ecr_repository('my-repo') do
its('image_tag_mutability') { should eq 'IMMUTABLE' }
end
Test that images are scanned for vulnerabilities at a push to repository.
describe aws_ecr_repository(repository_name: 'my-repo') do
its('image_scanning_configuration.scan_on_push') { should eq true }
end
Test that an ECR repository has a certain tag.
describe aws_ecr_repository('my-repo') do
its('tags') { should include('environment' => 'dev') }
end
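The three example checks above (immutable tags, scan-on-push, a required tag) and the repository_name constraints from the Parameters section, carried through in plain Ruby as an added example. This is not code from the page or from the InSpec AWS resource pack: it models the repository fields the resource exposes as a constructed hash so the same expectations can be exercised offline, without the InSpec DSL or an AWS account. The helper names (valid_repository_name?, valid_registry_id?, repository_findings, audit) and the sample repositories are assumptions made for illustration.

```ruby
# Added example (not part of the InSpec AWS resource pack): a plain-Ruby model of the
# checks the page's InSpec examples express, run offline against constructed data.

# Repository-name constraints as quoted on the page: the regex plus 2..256 characters.
REPOSITORY_NAME_PATTERN = %r{\A(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*\z}

def valid_repository_name?(name)
  name.is_a?(String) && name.length.between?(2, 256) && REPOSITORY_NAME_PATTERN.match?(name)
end

# registry_id is documented as the 12-digit registry (account) ID.
def valid_registry_id?(id)
  id.is_a?(String) && /\A\d{12}\z/.match?(id)
end

# Constructed sample data (hypothetical repositories) shaped like the fields the
# resource exposes: repository_name, registry_id, image_tag_mutability,
# image_scanning_configuration and tags.
SAMPLE_REPOSITORIES = [
  { repository_name: 'my-repo', registry_id: '123456789012',
    image_tag_mutability: 'IMMUTABLE',
    image_scanning_configuration: { scan_on_push: true },
    tags: { 'environment' => 'dev', 'owner' => 'platform' } },
  { repository_name: 'legacy/app', registry_id: '123456789012',
    image_tag_mutability: 'MUTABLE',
    image_scanning_configuration: { scan_on_push: false },
    tags: {} }
].freeze

# Mirrors the `its(...)` expectations from the Examples section. Returns the list of
# failed expectations for one repository; an empty list means the repository passes.
def repository_findings(repo, required_tags: { 'environment' => 'dev' })
  findings = []
  unless repo[:image_tag_mutability] == 'IMMUTABLE'
    findings << "image_tag_mutability should eq IMMUTABLE (got #{repo[:image_tag_mutability]})"
  end
  scan_on_push = repo.dig(:image_scanning_configuration, :scan_on_push)
  findings << 'image_scanning_configuration.scan_on_push should eq true' unless scan_on_push == true
  required_tags.each do |key, value|
    findings << "tags should include #{key}=#{value}" unless repo.fetch(:tags, {})[key] == value
  end
  findings
end

# Runs the checks over every repository and maps repository name to its findings,
# skipping nothing: invalid names are reported as a finding rather than dropped.
def audit(repos)
  repos.each_with_object({}) do |repo, report|
    name = repo[:repository_name]
    findings = []
    findings << 'repository_name violates the documented naming constraints' unless valid_repository_name?(name)
    findings << 'registry_id should be a 12-digit ID' unless valid_registry_id?(repo[:registry_id])
    report[name] = findings + repository_findings(repo)
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_REPOSITORIES).each do |name, findings|
    puts "#{name}: #{findings.empty? ? 'PASS' : findings.join('; ')}"
  end
end
```

Running the file prints PASS for my-repo and three findings for legacy/app (mutable tags, scanning disabled, missing environment tag), which is the same outcome the three InSpec describe blocks would report against a live repository with those settings.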
Matchers
For a full list of available matchers, see our Universal Matchers page. This resource has the following special matchers.
exist
describe aws_ecr_repository(repository_name: 'my-repo') do
it { should exist }
end
AWS Permissions
Your Principal will need the ECR:Client:DescribeRepositoriesResponse action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.