Skip to content

amancevice/terraform-aws-custom-ecr-domain

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
.github/workflows
.github/workflows
 
 
bin
bin
 
 
example
example
 
 
src
src
 
 
.gitignore
.gitignore
 
 
.node-version
.node-version
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

Custom DNS for ECR registry

terraform test

Set up a custom DNS entry for a ECR.

Instead of:

docker pull 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo

Use API Gateway HTTP APIs and Lambda to alias your registry with DNS:

docker pull ecr.example.com/my-repo

How

This post describes why using a CNAME record alone won't work with a Docker registry.

Instead, we will use a regional API Gateway HTTP API to proxy the request through a Lambda function that responds to ANY request with a 307 temporary redirect, replacing the original request hostname with the configured ECR registry.

The redirect will preserve the method and body of the original request, allowing us to push and pull Docker images with ECR as the backend.

Usage

See the example directory for an example project.

data "aws_acm_certificate" "ssl" {
  domain   = "example.com"
  statuses = ["ISSUED"]
}

data "aws_route53_zone" "zone" {
  name = "example.com."
}

module "custom-ecr-domain" {
  source                 = "amancevice/custom-ecr-domain/aws"
  api_name               = "ecr-proxy"
  domain_name            = "ecr.example.com"
  domain_certificate_arn = data.aws_acm_certificate.ssl.arn
  domain_zone_id         = data.aws_route53_zone.zone.id
  function_name          = "ecr-proxy"
  log_retention_in_days  = 14
}

Authentication

You can use the AWS CLI to generate passwords to pass to docker login, but using a credential helper is a much easier way of using Docker & ECR.

AWS provides a tool to authenticate between Docker and ECR, but this helper requires repositories use the AWS-style 123456789012.dkr.ecr.us-east-1.amazonaws.com registry names.

There is an open ticket (#504) to allow users to configure the offical tool to enale a default registry.

This repo provides a wrapper script that can be used with a custom registry.

To use the credential helper:

  • Clone this repo
  • Copy bin/docker-credential-ecr-custom somewhere on your $PATH (eg, /usr/local/bin)
  • Create the config file ~/.ecr/custom.json with mappings of your custom domains and ECR registries
  • Update your Docker config credHelpers section to use ecr-custom

Example ~/.ecr/custom.json:

{
  "ecr.example.com": "123456789012.dkr.ecr.us-east-1.amazonaws.com"
}

Example ~/.docker/config.json snippet:

{
  "credHelpers": {
    "ecr.example.com": "ecr-custom"
  }
}

About

Set up a custom DNS entry for ECR

Resources

Readme

License

MIT license
Activity

Stars

36 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases 8

v1.1.0 Latest
May 26, 2023
+ 7 releases

Packages

 
 
 

Languages