aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[ECR] [request]: Repository configuration defaults #799

Open anupwarrier opened 4 years ago

anupwarrier commented 4 years ago

Tell us about your request

Repository configuration defaults (e.g. Turn on scan-on-push by default)

Which service(s) is this request for? ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

Since ECR scan on push was announced, customers have been asking their internal teams to enable this feature for new and existing repos, and realizing there are hundreds of opportunities to turn this on, but lacking a good way to guide teams to do this automatically going forward. Could this be an option, to turn on scan-on-push by default?

Are you currently working around this issue?

Can think of a periodic lambda, but not an ideal solution.

rpnguyen commented 4 years ago

Hi all. We're looking for input on this proposal.

Our current thinking is something similar to ECS Account Settings. ECR repository configuration defaults can be specified for one or all IAM principals. When a repository is created, the configuration default (e.g. scanOnPush=true or repositoryPolicy="{foobar}") is used if not explicitly specified by the customer.

jwenz723 commented 3 years ago

It would be useful to be able to have multiple 'defaults' defined and applied to repositories that match a regex or some sort of pattern. This way you could define a repository naming standard per team (like teama-* and teamb-*) and apply a different set of defaults per team.

soapergem commented 2 years ago

Our team would have loved this feature to already be implemented and I'm pretty disappointed that it's been sitting out here as an open GitHub issue for over a year. We're using one central ECR registry within one AWS account, while we have many applications built and running in multiple other AWS accounts who publish to (and then pull from) this central registry.

I had hoped we could simply codify the cross-account access in Terraform but this is only partially true. We can configure a policy on the registry to allow other AWS account principals to create new repositories, but we can't codify a default repository policy for those newly created ECR repos (to say, pull the images back down that they just published). This is a feature that is sorely missing right now.

So instead, we've built custom tooling into our CI/CD system to apply a policy template any time a new repository is created. But it doesn't feel great having to essentially hard-code policies within CI/CD build tools. It would be much more aligned with all our other codification of infrastructure if we could simply define the default repository permissions through Terraform as well. And as Terraform is just a wrapper for the AWS API, the core feature needs to exist.

MiGrandjean commented 1 year ago

FTR: The mentioned use-case in #1188 is also quite important to us:

Tell us about your request

Add support for having global/default lifecycle policies which applies to all the repositories in a region or even better if it supports filters based on repo prefix.

Which service(s) is this request for? ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

Setting up the same policies again and again for each new repository we create feels cumbersome.

Being able to add default or global ECR lifecycle policies would save us from having to write our own clean-up tooling.
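The workarounds mentioned in this thread (a periodic Lambda, a CI/CD hook that applies a policy template after repository creation, per-team naming patterns, and home-grown lifecycle clean-up tooling) all reduce to the same reconciliation loop: read every repository's current settings, compare against a default keyed by name pattern, and push only what is missing. The script below is an added example of that loop, written for this page; it is not AWS code and not part of the roadmap proposal. It assumes the job runs with `ecr:DescribeRepositories`, `ecr:GetLifecyclePolicy`, `ecr:PutImageScanningConfiguration` and `ecr:PutLifecyclePolicy` permissions, and the `DEFAULTS` rules, the `teama-` prefix and the sample repositories are constructed for illustration. Lifecycle policies are applied only where a repository has none, mirroring the "used if not explicitly specified" semantics proposed above, so an explicit per-team policy is never overwritten.

```python
"""Periodic ECR repository-default enforcement (added example, not AWS code).

boto3 is imported only inside the handler so the planning logic runs offline.
"""
import json
import re

# Constructed sample defaults; the first matching pattern wins. A rule sets
# scan-on-push and, optionally, a lifecycle policy that is applied only when
# the repository has none (explicit per-repo policies are never overwritten).
DEFAULTS = [
    {
        "pattern": r"^teama-",
        "scanOnPush": True,
        "lifecycle": {
            "rules": [{
                "rulePriority": 1,
                "description": "expire untagged images after 14 days",
                "selection": {
                    "tagStatus": "untagged",
                    "countType": "sinceImagePushed",
                    "countUnit": "days",
                    "countNumber": 14,
                },
                "action": {"type": "expire"},
            }]
        },
    },
    # Catch-all: every other repository gets scan-on-push, no lifecycle policy.
    {"pattern": r".*", "scanOnPush": True, "lifecycle": None},
]

# Constructed sample of what collect_repositories() would return, for offline runs.
SAMPLE_REPOSITORIES = [
    {"repositoryName": "teama-api",
     "imageScanningConfiguration": {"scanOnPush": False}, "lifecyclePolicyText": None},
    {"repositoryName": "teamb-web",
     "imageScanningConfiguration": {"scanOnPush": True}, "lifecyclePolicyText": None},
    {"repositoryName": "legacy", "lifecyclePolicyText": "{}"},  # no scanning config at all
]


def match_default(name, defaults=DEFAULTS):
    """Return the first rule whose pattern matches the repository name, or None."""
    for rule in defaults:
        if re.match(rule["pattern"], name):
            return rule
    return None


def plan_changes(repositories, defaults=DEFAULTS):
    """Compute {repositoryName: settings to apply} for repositories that drift
    from their default. Inputs use the DescribeRepositories field names plus
    'lifecyclePolicyText' (None when the repository has no lifecycle policy)."""
    plan = {}
    for repo in repositories:
        name = repo["repositoryName"]
        rule = match_default(name, defaults)
        if rule is None:
            continue
        wanted = {}
        scanning = repo.get("imageScanningConfiguration") or {}
        if rule["scanOnPush"] and not scanning.get("scanOnPush", False):
            wanted["scanOnPush"] = True
        if rule["lifecycle"] is not None and repo.get("lifecyclePolicyText") is None:
            wanted["lifecyclePolicyText"] = json.dumps(rule["lifecycle"])
        if wanted:
            plan[name] = wanted
    return plan


def collect_repositories(ecr):
    """Read every repository in the registry together with its lifecycle policy."""
    repos = []
    for page in ecr.get_paginator("describe_repositories").paginate():
        for repo in page["repositories"]:
            try:
                repo["lifecyclePolicyText"] = ecr.get_lifecycle_policy(
                    repositoryName=repo["repositoryName"])["lifecyclePolicyText"]
            except ecr.exceptions.LifecyclePolicyNotFoundException:
                repo["lifecyclePolicyText"] = None
            repos.append(repo)
    return repos


def apply_changes(ecr, plan):
    """Push the planned settings; both calls are idempotent, so re-runs are safe."""
    for name, wanted in plan.items():
        if wanted.get("scanOnPush"):
            ecr.put_image_scanning_configuration(
                repositoryName=name, imageScanningConfiguration={"scanOnPush": True})
        if "lifecyclePolicyText" in wanted:
            ecr.put_lifecycle_policy(
                repositoryName=name, lifecyclePolicyText=wanted["lifecyclePolicyText"])


def lambda_handler(event, context):
    """Scheduled entry point: reconcile the registry and report what changed."""
    import boto3  # imported here so the planning functions stay testable offline

    ecr = boto3.client("ecr")
    plan = plan_changes(collect_repositories(ecr))
    apply_changes(ecr, plan)
    return {"changed": plan}


if __name__ == "__main__":
    # Offline dry run against the constructed sample: shows the drift without touching AWS.
    print(json.dumps(plan_changes(SAMPLE_REPOSITORIES), indent=2))
```

Run as a scheduled Lambda (EventBridge rule) or from a CI/CD job after `aws ecr create-repository`; the same `plan_changes`/`apply_changes` split extends naturally to repository policies via `set_repository_policy` if cross-account pull access is part of the team default. Keeping the planning step pure makes the drift report reviewable before anything is changed, which is the check most teams want when retrofitting hundreds of existing repositories.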

hsejour commented 1 year ago

Hi All, we are working on a feature that would address this. We'll provide an update on the progress at a later date.

brittandeyoung commented 10 months ago

@hsejour Any update on this? Is it still a work in progress? Being able to set lifecycle settings for all repositories would be very helpful.

ecarmen16 commented 10 months ago

Yup - we're looking at deprecating a years old Lambda that does this for ECR policies and it would suck to take a step backwards. Baffling this still doesn't exist.

caretak3r commented 4 months ago

4 years later and this still hasn't been addressed or talked about...

samkearney commented 4 months ago

@caretak3r It was addressed and talked about 10 months ago: https://github.com/aws/containers-roadmap/issues/799#issuecomment-1611600453
