Skip to main content

Creating an ECR repository

Introduction

This document will guide you through the creation of an ECR (Elastic Container Registry) repository for your application’s container image.

Creating the registry

You need to have the Cloud Platform CLI tool installed.

  1. Clone the environments repo and create a new branch

    $ git clone git@github.com:ministryofjustice/cloud-platform-environments.git
    $ cd cloud-platform-environments
    $ git checkout -b add_ecr
    
  2. Navigate to your namespace directory

    $ cd namespaces/live-1.cloud-platform.service.justice.gov.uk/$your_service
    
  3. Use the CLI tool to create your ECR

    $ cloud-platform environment ecr create
    

    This will create a resources/ecr.tf file in your namespace folder.

  4. Update github variables

    Ensure you have the below variables added to variables.tf

    variable "github_owner" {
    description = "The GitHub organization or individual user account containing the app's code repo. Used by the Github Terraform provider. See: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/getting-started/ecr-setup.html#accessing-the-credentials"
    default     = "ministryofjustice"
    }
    
    variable "github_token" {
    description = "Required by the Github Terraform provider"
    default     = ""
    }
    

    If you have created your environment using Cloud Platform CLI, this will be already added to the variables.tf

  5. Update provider block

    Ensure the provider is added to the required_providers in versions.tf

        github = {
        source = "integrations/github"
        }
    

    Ensure the provider configuration is added to the main.tf

        provider "github" {
        token = var.github_token
        owner = var.github_owner
        }
    

    If you have created your environment using Cloud Platform CLI, this will be already added to the versions.tf

  6. git add, commit and push to your branch

  7. Raise a PR to have your change approved

Once your pull request has been approved and merged, it will trigger the Apply Pipeline which will create your ECR.

For more information about the terraform module being used, please read the documentation: ECR terraform module

Accessing the credentials

After your ECR has been created, there will be a Kubernetes secret in your namespace, called ecr-repo-[namespace name]

The secret stores the IAM access keys to authenticate with the registry, and the actual repository URL.

Use the Cloud Platform CLI to retrieve the credentials:

cloud-platform decode-secret -n [namespace name] -s ecr-repo-[namespace name]

Look for the access_key_id and secret_access_key values.

GitHub Actions

If you are using GitHub Actions for your application deployment pipeline, the ECR module can automatically manage GitHub Actions Secrets containing the ECR name, and the AWS access/secret keypair required to access it.

In the resources/ecr.tf file, you should see this section:

  # Uncomment and provide repository names to create github actions secrets
  # containing the ECR name, AWS access key, and AWS secret key, for use in
  # github actions CI/CD pipelines
  # github_repositories = ["my-repo"]

To use this feature, uncomment the last line, and set the list of repositories in which you want the GitHub Actions Secrets to be created.

e.g. if you have two GitHub repositories in your project, called ministryofjustice/frontend and ministryofjustice/backend, you would change the last line to:

github_repositories = ["frontend", "backend"]

Once your PR is merged, those repositories should have secrets named: ECR_NAME, ECR_AWS_ACCESS_KEY_ID, and ECR_AWS_SECRET_KEY. You can use these secrets in your GitHub Actions pipelines.

See the module documentation for more information.

Managing your ECR repository

There is a maximum number of images per repository for Amazon Elastic Container Registry (ECR). If a new image is created and pushed to ECR on every code change, repositories can quickly fill up with new revisions. So it is important to regularly delete images which are no longer required.

You can delete an image with the AWS CLI using this guide.

You can create custom-alerts to monitor the number of ECR images in your Repository using Prometheus ecr-metrics.

Setting up CircleCI

In your CircleCI project, go to the settings (the cog icon) and select ‘AWS Permissions’ from the left hand menu. Fill in the IAM credentials from the kubernetes secret, and CircleCI will be able to pull images from your ECR. For more information please see the official docs.

Next steps

Try deploying an app with Helm, a Kubernetes package manager, or deploying manually by writing some custom YAML files.

This page was last reviewed on 20 July 2021. It needs to be reviewed again on 20 October 2021 .
This page was set to be reviewed before 20 October 2021. This might mean the content is out of date.