Creating an ECR repository

Introduction

This document will guide you through the creation of an ECR (Elastic Container Registry) repository for your application’s container image.

Creating the registry

You need to have the Cloud Platform CLI tool installed.

1. Clone the environments repo and create a new branch

   $ git clone git@github.com:ministryofjustice/cloud-platform-environments.git
   $ cd cloud-platform-environments
   $ git checkout -b add_ecr
   

2. Navigate to your namespace directory

   $ cd namespaces/live.cloud-platform.service.justice.gov.uk/$your_service
   

3. Use the CLI tool to create your ECR

   $ cloud-platform environment ecr create
   

   This will create a resources/ecr.tf file in your namespace folder.

4. Update github variables

   Ensure you have the below variables added to variables.tf

   variable "github_owner" {
   description = "The GitHub organization or individual user account containing the app's code repo. Used by the Github Terraform provider. See: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/getting-started/ecr-setup.html#accessing-the-credentials"
   default     = "ministryofjustice"
   }
   
   variable "github_token" {
   description = "Required by the Github Terraform provider"
   default     = ""
   }
   

   If you have created your environment using Cloud Platform CLI, this will be already added to the variables.tf

5. Update provider block

   Ensure the provider is added to the required_providers in versions.tf

       github = {
       source = "integrations/github"
       }
   

   Ensure the provider configuration is added to the main.tf

       provider "github" {
       token = var.github_token
       owner = var.github_owner
       }
   

   If you have created your environment using Cloud Platform CLI, this will be already added to the versions.tf

6. git add, commit and push to your branch

7. Raise a PR to have your change approved

Once your pull request has been approved and merged, it will trigger the Apply Pipeline which will create your ECR.

For more information about the terraform module being used, please read the documentation: ECR terraform module

Accessing the credentials

After your ECR has been created, there will be a Kubernetes secret in your namespace, called ecr-repo-[namespace name]

The secret stores the IAM access keys to authenticate with the registry, and the actual repository URL.

Use the Cloud Platform CLI to retrieve the credentials:

cloud-platform decode-secret -n [namespace name] -s ecr-repo-[namespace name]

Look for the access_key_id and secret_access_key values.

GitHub Actions

If you are using GitHub Actions for your application deployment pipeline, the ECR module can automatically manage GitHub Actions Secrets containing the ECR name, and the AWS access/secret keypair required to access it.

In the resources/ecr.tf file, you should see this section:

  # Uncomment and provide repository names to create github actions secrets
  # containing the ECR name, AWS access key, and AWS secret key, for use in
  # github actions CI/CD pipelines
  # github_repositories = ["my-repo"]

To use this feature, uncomment the last line, and set the list of ministryofjustice GitHub organisation repositories in which you want the GitHub Actions Secrets to be created.

e.g. if you have two GitHub repositories in your project, called ministryofjustice/frontend and ministryofjustice/backend, you would change the last line to:

github_repositories = ["frontend", "backend"]

Once your PR is merged, those repositories should have secrets named: ECR_NAME, ECR_AWS_ACCESS_KEY_ID, and ECR_AWS_SECRET_KEY. You can use these secrets in your GitHub Actions pipelines.

See the module documentation for more information.

Managing your ECR repository

There is a maximum number of images per repository for Amazon Elastic Container Registry (ECR). If a new image is created and pushed to ECR on every code change, repositories can quickly fill up with new revisions. So it is important to regularly delete images which are no longer required.

Create lifecycle policies for your ECR repository as shown in this example. This provides a way to automate the cleaning up of your container images by expiring images based on age or count.

You can create custom-alerts to monitor the number of ECR images in your Repository using Prometheus ecr-metrics.

Setting up CircleCI

In your CircleCI project, go to the settings (the cog icon) and select ‘AWS Permissions’ from the left hand menu. Fill in the IAM credentials from the kubernetes secret, and CircleCI will be able to pull images from your ECR. For more information please see the official docs.

Next steps

Try deploying an app with Helm, a Kubernetes package manager, or deploying manually by writing some custom YAML files.

This page was last reviewed on 10 February 2023. It needs to be reviewed again on 10 May 2023 .

This page was set to be reviewed before 10 May 2023. This might mean the content is out of date.