Amazon ECR Endpoint Terraform module

Terraform module which creates a custom endpoint for Amazon ECR.

Usage

See examples directory for working examples to reference:

module "ecr_endpoint" {
  source = "clowdhaus/ecr-endpoint/aws"

  name        = "Example"
  description = "Example public ECR Endpoint"

  # API
  api_domain_name = "*.myorganization.com"
  api_subdomains  = ["ecr"]

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

• Complete

Requirements

Name	Version
terraform	>= 1.3
aws	>= 5.37

Providers

Name	Version
aws	>= 5.37

Modules

Name	Source	Version
api_gateway	terraform-aws-modules/apigateway-v2/aws	5.1.3
lambda_function	terraform-aws-modules/lambda/aws	7.8.1

Resources

Name	Type
aws_caller_identity.current	data source
aws_partition.current	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
api_authorizers	Map of API gateway authorizers to create	map(object({ authorizer_credentials_arn = optional(string) authorizer_payload_format_version = optional(string) authorizer_result_ttl_in_seconds = optional(number) authorizer_type = optional(string, "REQUEST") authorizer_uri = optional(string) enable_simple_responses = optional(bool) identity_sources = optional(list(string)) jwt_configuration = optional(object({ audience = optional(list(string)) issuer = optional(string) }), {}) name = optional(string) }))	{}	no
api_body	An OpenAPI specification that defines the set of routes and integrations to create as part of the HTTP APIs. Supported only for HTTP APIs	string	null	no
api_cors_configuration	The cross-origin resource sharing (CORS) configuration	object({ allow_credentials = optional(bool) allow_headers = optional(list(string)) allow_methods = optional(list(string)) allow_origins = optional(list(string)) expose_headers = optional(list(string), []) max_age = optional(number) })	{}	no
api_credentials_arn	Part of quick create. Specifies any credentials required for the integration. Applicable for HTTP APIs	string	null	no
api_description	The description of the API. Must be less than or equal to 1024 characters in length	string	null	no
api_disable_execute_api_endpoint	Whether clients can invoke the API by using the default execute-api endpoint. By default, clients can invoke the API with the default {api_id}.execute-api.{region}.amazonaws.com endpoint. To require that clients use a custom domain name to invoke the API, disable the default endpoint	bool	null	no
api_domain_name	The domain name to use for API gateway	string	""	no
api_domain_name_certificate_arn	The ARN of an AWS-managed certificate that will be used by the endpoint for the domain name. AWS Certificate Manager is the only supported source	string	null	no
api_domain_name_ownership_verification_certificate_arn	ARN of the AWS-issued certificate used to validate custom domain ownership (when certificate_arn is issued via an ACM Private CA or mutual_tls_authentication is configured with an ACM-imported certificate.)	string	null	no
api_fail_on_warnings	Whether warnings should return an error while API Gateway is creating or updating the resource using an OpenAPI specification. Defaults to false. Applicable for HTTP APIs	bool	null	no
api_mapping_key	The API mapping key	string	null	no
api_name	The name of the API. Must be less than or equal to 128 characters in length	string	""	no
api_route_key	Part of quick create. Specifies any route key	string	null	no
api_route_selection_expression	The route selection expression for the API. Defaults to $request.method $request.path	string	null	no
api_routes	Map of API gateway routes with integrations	any	{ "ANY /{proxy+}": { "integration": {} } }	no
api_stage_access_log_settings	Settings for logging access in this stage. Use the aws_api_gateway_account resource to configure permissions for CloudWatch Logging	object({ create_log_group = optional(bool, true) destination_arn = optional(string) format = optional(string) log_group_name = optional(string) log_group_retention_in_days = optional(number, 30) log_group_kms_key_id = optional(string) log_group_skip_destroy = optional(bool) log_group_class = optional(string) log_group_tags = optional(map(string), {}) })	{}	no
api_stage_default_route_settings	The default route settings for the stage	object({ data_trace_enabled = optional(bool, false) detailed_metrics_enabled = optional(bool, false) logging_level = optional(string) throttling_burst_limit = optional(number, 500) throttling_rate_limit = optional(number, 1000) })	{}	no
api_stage_description	The description for the stage. Must be less than or equal to 1024 characters in length	string	null	no
api_stage_name	The name of the stage. Must be between 1 and 128 characters in length	string	"$default"	no
api_stage_tags	A mapping of tags to assign to the stage resource	map(string)	{}	no
api_stage_variables	A map that defines the stage variables for the stage	map(string)	{}	no
api_subdomains	An optional list of subdomains to use for API gateway	list(string)	[]	no
api_tags	A mapping of tags to assign to the API Gateway resources	map(string)	{}	no
api_target	Part of quick create. Quick create produces an API with an integration, a default catch-all route, and a default stage which is configured to automatically deploy changes. For HTTP integrations, specify a fully qualified URL. For Lambda integrations, specify a function ARN. The type of the integration will be HTTP_PROXY or AWS_PROXY, respectively. Applicable for HTTP APIs	string	null	no
api_version	A version identifier for the API. Must be between 1 and 64 characters in length	string	null	no
api_vpc_link_tags	A map of tags to add to the VPC Links created	map(string)	{}	no
api_vpc_links	Map of VPC Link definitions to create	map(object({ name = optional(string) security_group_ids = optional(list(string)) subnet_ids = optional(list(string)) tags = optional(map(string), {}) }))	{}	no
create	Controls if resources should be created	bool	true	no
create_api	Whether to create API Gateway resource	bool	true	no
create_api_certificate	Whether to create a certificate for the domain	bool	true	no
create_api_domain_name	Whether to create API domain name resource	bool	true	no
create_api_domain_records	Whether to create Route53 records for the domain name	bool	true	no
create_lambda	Whether to create Lambda function resource	bool	true	no
create_lambda_cloudwatch_log_group	Whether to create a CloudWatch log group	bool	true	no
create_lambda_role	Controls whether IAM role for Lambda Function should be created	bool	true	no
description	Common description used across the resources created if a more specific resource description is not provided	string	"ECR custom endpoint"	no
lambda_architectures	The architectures supported by the Lambda function	list(string)	[ "arm64" ]	no
lambda_attach_network_policy	Controls whether VPC/network policy should be added to IAM role for Lambda Function	bool	false	no
lambda_attach_tracing_policy	Controls whether X-Ray tracing policy should be added to IAM role for Lambda Function	bool	false	no
lambda_cloudwatch_logs_kms_key_id	The ARN of the KMS Key to use when encrypting log data.	string	null	no
lambda_cloudwatch_logs_log_group_class	Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS	string	null	no
lambda_cloudwatch_logs_retention_in_days	Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.	number	null	no
lambda_description	The description of the Lambda function	string	""	no
lambda_environment_variables	A mapping of environment variables to assign to the Lambda function	map(string)	{}	no
lambda_kms_key_arn	The ARN of KMS key to use by your Lambda Function	string	null	no
lambda_memory_size	Amount of memory in MB your Lambda Function can use at runtime. Valid value between 128 MB to 10,240 MB (10 GB), in 64 MB increments.	number	256	no
lambda_name	The name of the Lambda function	string	""	no
lambda_provisioned_concurrent_executions	Amount of capacity to allocate. Set to 1 or greater to enable, or set to 0 to disable provisioned concurrency.	number	-1	no
lambda_reserved_concurrent_executions	The amount of reserved concurrent executions for this Lambda Function. A value of 0 disables Lambda Function from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1.	number	-1	no
lambda_role	IAM role ARN attached to the Lambda Function. This governs both who / what can invoke your Lambda Function, as well as what resources our Lambda Function has access to. See Lambda Permission Model for more details.	string	""	no
lambda_role_description	Description of IAM role to use for Lambda Function	string	null	no
lambda_role_maximum_session_duration	Maximum session duration, in seconds, for the IAM role	number	null	no
lambda_role_permissions_boundary	The ARN of the policy that is used to set the permissions boundary for the IAM role used by Lambda Function	string	null	no
lambda_runtime	The runtime environment for the Lambda function	string	"python3.12"	no
lambda_tags	A mapping of tags to assign to the Lambda function	map(string)	{}	no
lambda_timeout	The amount of time your Lambda Function has to run in seconds.	number	3	no
lambda_tracing_mode	Tracing mode of the Lambda Function. Valid value can be either PassThrough or Active	string	null	no
lambda_vpc_security_group_ids	List of security group ids when Lambda Function should run in the VPC.	list(string)	null	no
lambda_vpc_subnet_ids	List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets.	list(string)	null	no
name	Common name used across the resources created if a more specific resource name is not provided	string	"ecr-endpoint"	no
tags	A mapping of tags to assign to resources created	map(string)	{}	no

Outputs

Name	Description
api_acm_certificate_arn	The ARN of the certificate
api_arn	The ARN of the API
api_authorizers	Map of API Gateway Authorizer(s) created and their attributes
api_domain_name_api_mapping_selection_expression	The API mapping selection expression for the domain name
api_domain_name_arn	The ARN of the domain name
api_domain_name_configuration	The domain name configuration
api_domain_name_hosted_zone_id	The Amazon Route 53 Hosted Zone ID of the endpoint
api_domain_name_id	The domain name identifier
api_domain_name_target_domain_name	The target domain name
api_endpoint	URI of the API, of the form https://{api-id}.execute-api.{region}.amazonaws.com
api_execution_arn	The ARN prefix to be used in an aws_lambda_permission's source_arn attribute or in an aws_iam_policy to authorize access to the @connections API
api_id	The API identifier
api_integrations	Map of the integrations created and their attributes
api_routes	Map of the routes created and their attributes
api_stage_access_logs_cloudwatch_log_group_arn	Arn of cloudwatch log group created
api_stage_access_logs_cloudwatch_log_group_name	Name of cloudwatch log group created
api_stage_arn	The stage ARN
api_stage_execution_arn	The ARN prefix to be used in an aws_lambda_permission's source_arn attribute or in an aws_iam_policy to authorize access to the @connections API
api_stage_id	The stage identifier
api_stage_invoke_url	The URL to invoke the API pointing to the stage
api_vpc_links	Map of VPC links created and their attributes
lambda_function_arn	The ARN of the Lambda Function
lambda_function_name	The name of the Lambda Function
lambda_function_qualified_arn	The ARN identifying your Lambda Function Version
lambda_role_arn	The ARN of the IAM role created for the Lambda Function
lambda_role_name	The name of the IAM role created for the Lambda Function
lambda_role_unique_id	The unique id of the IAM role created for the Lambda Function

License

Apache-2.0 Licensed. See LICENSE.