Creating an ECR repository
Introduction
This document will guide you through the creation of an ECR (Elastic Container Registry) repository for your application’s container image.
Creating the registry
You need to have the Cloud Platform CLI tool installed.
Clone the environments repo and create a new branch
$ git clone git@github.com:ministryofjustice/cloud-platform-environments.git $ cd cloud-platform-environments $ git checkout -b add_ecr
Navigate to your namespace directory
$ cd namespaces/live.cloud-platform.service.justice.gov.uk/$your_service
Use the CLI tool to create your ECR
$ cloud-platform environment ecr create
This will create a
resources/ecr.tf
file in your namespace folder.Update github variables
Ensure you have the below variables added to
variables.tf
variable "github_owner" { description = "The GitHub organization or individual user account containing the app's code repo. Used by the Github Terraform provider. See: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/getting-started/ecr-setup.html#accessing-the-credentials" default = "ministryofjustice" } variable "github_token" { description = "Required by the Github Terraform provider" default = "" }
If you have created your environment using Cloud Platform CLI, this will be already added to the
variables.tf
Update provider block
Ensure the provider is added to the required_providers in versions.tf
github = { source = "integrations/github" }
Ensure the provider configuration is added to the main.tf
provider "github" { token = var.github_token owner = var.github_owner }
If you have created your environment using Cloud Platform CLI, this will be already added to the
versions.tf
git add, commit and push to your branch
Raise a PR to have your change approved
Once your pull request has been approved and merged, it will trigger the Apply Pipeline which will create your ECR.
For more information about the terraform module being used, please read the documentation: ECR terraform module
Accessing the credentials
After your ECR has been created, there will be a Kubernetes secret in your namespace, called ecr-repo-[namespace name]
The secret stores the IAM access keys to authenticate with the registry, and the actual repository URL.
Use the Cloud Platform CLI to retrieve the credentials:
cloud-platform decode-secret -n [namespace name] -s ecr-repo-[namespace name]
Look for the access_key_id
and secret_access_key
values.
GitHub Actions
If you are using GitHub Actions for your application deployment pipeline, the ECR module can automatically manage GitHub Actions Secrets containing the ECR name, and the AWS access/secret keypair required to access it.
In the resources/ecr.tf
file, you should see this section:
# Uncomment and provide repository names to create github actions secrets
# containing the ECR name, AWS access key, and AWS secret key, for use in
# github actions CI/CD pipelines
# github_repositories = ["my-repo"]
To use this feature, uncomment the last line, and set the list of ministryofjustice GitHub organisation repositories in which you want the GitHub Actions Secrets to be created.
e.g. if you have two GitHub repositories in your project, called ministryofjustice/frontend
and ministryofjustice/backend
, you would change the last line to:
github_repositories = ["frontend", "backend"]
Once your PR is merged, those repositories should have secrets named: ECR_NAME
, ECR_AWS_ACCESS_KEY_ID
, and ECR_AWS_SECRET_KEY
. You can use these secrets in your GitHub Actions pipelines.
See the module documentation for more information.
Managing your ECR repository
There is a maximum number of images per repository for Amazon Elastic Container Registry (ECR). If a new image is created and pushed to ECR on every code change, repositories can quickly fill up with new revisions. So it is important to regularly delete images which are no longer required.
Create lifecycle policies for your ECR repository as shown in this example. This provides a way to automate the cleaning up of your container images by expiring images based on age or count.
You can create custom-alerts to monitor the number of ECR images in your Repository using Prometheus ecr-metrics.
Setting up CircleCI
In your CircleCI project, go to the settings (the cog icon) and select ‘AWS Permissions’ from the left hand menu. Fill in the IAM credentials from the kubernetes secret, and CircleCI will be able to pull images from your ECR. For more information please see the official docs.
Next steps
Try deploying an app with Helm, a Kubernetes package manager, or deploying manually by writing some custom YAML files.