Open jmkgreen opened 4 years ago
@jmkgreen maybe you could have your colleagues invoke a lambda to create the repo and it'll have the appropriate permissions. Or use a cloudformation custom resource to get the same effect.
Thanks for the request @jmkgreen. Would your specific use case (ensuring repositories are created with a specific configuration) be solved by #799 ?
In general this sounds like a useful feature but I'd also love to learn other ways customers might want to use these events.
@rpnguyen I think #799 would likely help.
Having an EventBridge event could be used to trigger a lambda to create a replica repo in another region.
@rpnguyen I think we have one or two ecr repos that are not shared. I think there's a dynamodb table listing the accounts to share with and which repo names to skip sharing on. Does your template idea cover these circumstances?
@jmkgreen I added some more details in https://github.com/aws/containers-roadmap/issues/799#issuecomment-643571469. It sounds like it would mostly solve this use case except for "repo names to skip sharing on". If there's anything else, we'd love to get more feedback on that proposal.
EventBridge to provide an event that you can trigger a lambda with. Below is a snippet from a SAM template where I have a function that is setting a resource and lifecycle policy on CreateRepository events:

```yaml
Type: AWS::Serverless::Function
Properties:
  FunctionName: !Sub '${ProjectName}-new-repo-baseline-${Stage}'
  Description: "Sets baseline settings for new ECR repos based on CreateRepo events"
  Timeout: 900
  CodeUri: ecr_resource_functions
  Handler: apply_policy/app.lambda_handler
  Runtime: python3.8
  Role: !GetAtt Role.Arn
  Events:
    CreateRepositoryEvent:
      Type: EventBridgeRule
      Properties:
        Pattern:
          source:
            - aws.ecr
          detail-type:
            - AWS API Call via CloudTrail
          detail:
            eventSource:
              - ecr.amazonaws.com
            eventName:
              - CreateRepository
```
To add to the above, this is now supported, right? The EventBridge rule pattern below can be used to trigger a lambda.

```json
{
  "source": ["aws.ecr"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["ecr.amazonaws.com"],
    "eventName": ["CreateRepository"]
  }
}
```
This works for repositories which are created by principals other than ECR itself. So, for example, if an individual user creates a repo, the EventBridge rule above works as intended. However, for repositories created by ECR itself (e.g. pull-through caches), the rule above doesn't work.
Here's an example event which does not work with EventBridge (perhaps I'm missing something here?):

```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "accountId": "xxxxxxxxxxxx",
    "invokedBy": "ecr.amazonaws.com"
  },
  "eventTime": "2022-05-16T11:51:31Z",
  "eventSource": "ecr.amazonaws.com",
  "eventName": "CreateRepository",
  "awsRegion": "eu-north-1",
  "sourceIPAddress": "ecr.amazonaws.com",
  "userAgent": "ecr.amazonaws.com",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "9ae875ab-2870-4b7c-94cc-123656830b15",
  "readOnly": false,
  "resources": [
    {
      "accountId": "xxxxxxxxxxxx",
      "type": "AWS::ECR::Repository",
      "ARN": "arn:aws:ecr:eu-north-1:xxxxxxxxxxxx:repository/ecr-public/docker/library/redis"
    }
  ],
  "eventType": "AwsServiceEvent",
  "managementEvent": true,
  "recipientAccountId": "xxxxxxxxxxxx",
  "serviceEventDetails": {
    "repositoryName": "ecr-public/docker/library/redis",
    "eventType": "CREATE_REPOSITORY"
  },
  "eventCategory": "Management"
}
```
@blakepettersson
I was able to get the following EventBridge pattern to work for repositories created in ECR via pull-through cache rules:

- Event Source: AWS Services
- AWS Service: Elastic Container Registry (ECR)
- Event Type: All Events

and then edit the pattern to match the following:

```json
{
  "source": ["aws.ecr"],
  "detail": {
    "eventSource": ["ecr.amazonaws.com"],
    "eventName": ["CreateRepository"],
    "eventType": ["AwsServiceEvent"]
  }
}
```
@sarthakgup7a that works, thanks a lot!
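To show why the second pattern catches pull-through-cache creations while the first does not, and how a baseline Lambda has to read the repository name from either event shape, here is an added example (not code from this thread or from AWS). It assumes that CloudTrail service events reach EventBridge with detail-type "AWS Service Event via CloudTrail", and the account IDs, repository names and the injected `ecr` client parameter are constructed for the demonstration.

```python
import json

API_CALL_PATTERN = {"source": ["aws.ecr"], "detail-type": ["AWS API Call via CloudTrail"],
                    "detail": {"eventSource": ["ecr.amazonaws.com"], "eventName": ["CreateRepository"]}}
SERVICE_EVENT_PATTERN = {"source": ["aws.ecr"],
                         "detail": {"eventSource": ["ecr.amazonaws.com"], "eventName": ["CreateRepository"],
                                    "eventType": ["AwsServiceEvent"]}}

def matches(pattern, event):
    """Minimal EventBridge matcher: each pattern key must be present; a list of literals must contain the event value; nested dicts recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

def repository_name(detail):
    """User calls carry the name in requestParameters; ECR-initiated creations leave it null and use serviceEventDetails."""
    name = (detail.get("requestParameters") or {}).get("repositoryName")
    return name or (detail.get("serviceEventDetails") or {}).get("repositoryName")

def baseline_policy(account_ids):
    """Repository policy granting pull-only access to the listed (constructed) accounts."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "CrossAccountPull", "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]}

def lambda_handler(event, context=None, ecr=None, account_ids=("111111111111",)):
    """Baseline a new repo. `ecr` is a boto3 ECR client supplied by the caller; None here so the example runs offline."""
    detail = event["detail"]
    name = repository_name(detail)
    if not name:
        return {"skipped": True, "reason": "no repositoryName in event"}
    if ecr is not None:
        ecr.set_repository_policy(repositoryName=name, policyText=json.dumps(baseline_policy(account_ids)))
    return {"repositoryName": name, "initiator": detail.get("eventType")}

# Constructed sample events; the service event mirrors the one posted above (detail-type is an assumption).
USER_EVENT = {"source": "aws.ecr", "detail-type": "AWS API Call via CloudTrail",
              "detail": {"eventSource": "ecr.amazonaws.com", "eventName": "CreateRepository",
                         "eventType": "AwsApiCall", "requestParameters": {"repositoryName": "team/app"}}}
SERVICE_EVENT = {"source": "aws.ecr", "detail-type": "AWS Service Event via CloudTrail",
                 "detail": {"eventSource": "ecr.amazonaws.com", "eventName": "CreateRepository",
                            "eventType": "AwsServiceEvent", "requestParameters": None,
                            "serviceEventDetails": {"repositoryName": "ecr-public/docker/library/redis"}}}
```

Running `matches(API_CALL_PATTERN, SERVICE_EVENT)` returns False while `matches(SERVICE_EVENT_PATTERN, SERVICE_EVENT)` returns True, which is the behaviour the thread observed; the handler then resolves the name from `serviceEventDetails` for the cache-created repository.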
**Tell us about your request**
Add a repository-created event to EventBridge.

**Which service(s) is this request for?**
ECR

**Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?**
When colleagues add a new ECR repository they need to remember to run a Lambda that will grant sharing with our test/prod accounts. It would be better if they did not need to know; instead the lambda could be triggered by a new repository event and just set the permissions automatically.

**Are you currently working around this issue?**
Manually run Lambda. Indeed it runs at 8am every day to ensure permissions, but it's not ideal.