aws_ecr Resource
WARNING: This resource is deprecated. Please use one of the following resources instead.
aws_ecr_image
aws_ecr_images
aws_ecr_repository
aws_ecr_repositories
Use the aws_ecr InSpec audit resource to test properties of a single AWS Elastic Container Registry.
Installation
This resource is available in the Chef InSpec AWS resource pack.
See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.
Syntax
An aws_ecr resource block declares the tests for a single AWS ECR by repository name.
describe aws_ecr(repository_name: aws_ecr_name) do
  it { should exist }
  its('repository_name') { should eq aws_ecr_name }
end
Parameters
The ECR repository_name must be provided.
repository_name (required)
The name of the repository. This can be passed either as a string or as a repository_name: 'value' key-value entry in a hash.
Properties
registry_id - The AWS account ID associated with the registry.
repository_arn - The Amazon Resource Name of the repository.
repository_name - The name of the repository.
repository_uri - The URI of the repository.
image_tags - The tags associated with the image.
image_digest - A sha256 hash of the image.
image_size_in_bytes - The size of the image in bytes.
image_pushed_at - The datetime, as a string, when the image was uploaded, in the format 'yyyy-mm-dd hh:mm:ss tz'.
image_uploaded_date - The date, as a string, when the image was uploaded, in the format 'yyyy-mm-dd'.
Examples
Test that an ECR has the correct image properties.
describe aws_ecr(repository_name: aws_ecr_name).images do
  its('image_tags') { should include 'latest' }
  its('image_digest') { should eq 'sha256:6dce4a9c1635c4c9b6a2b645e6613fa0238182fe13929808ee2258370d0f3497' }
  its('image_size_in_bytes') { should eq 764234 }
  its('image_uploaded_date') { should eq '2019-06-11' }
  its('image_pushed_at') { should eq '2019-06-11 15:08:29 +0100' }
end
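The image properties can also be evaluated against a policy rather than compared for equality only. The following is an added example, not code from the InSpec AWS resource pack: a plain-Ruby helper that takes one image's property values as a hash and reports a malformed or unpinned digest, an image that carries only a mutable tag such as latest, and an image older than a maximum age. The function name, hash layout, finding symbols and thresholds are assumptions; the sample record is constructed from the values in the example above.

```ruby
require 'time'

# Added example: policy checks over the image property values documented above.
# ecr_image_findings, the hash layout and the finding symbols are hypothetical.
DIGEST_RE = /\Asha256:[0-9a-f]{64}\z/
MUTABLE_TAGS = %w[latest].freeze          # tags that can be re-pointed at a new image
PUSHED_AT_FORMAT = '%Y-%m-%d %H:%M:%S %z' # 'yyyy-mm-dd hh:mm:ss tz'

def ecr_image_findings(image, pinned_digest:, max_age_days:, now: Time.now)
  findings = []
  digest = image[:image_digest].to_s
  if digest !~ DIGEST_RE
    findings << :malformed_digest
  elsif digest != pinned_digest
    findings << :digest_mismatch          # content differs from the reviewed image
  end

  tags = Array(image[:image_tags])
  findings << :untagged if tags.empty?
  findings << :only_mutable_tags if !tags.empty? && (tags - MUTABLE_TAGS).empty?

  begin
    pushed = Time.strptime(image[:image_pushed_at].to_s, PUSHED_AT_FORMAT)
    age_days = (now - pushed) / 86_400    # seconds to days
    findings << :pushed_in_future if age_days.negative?
    findings << :stale_image if age_days > max_age_days
  rescue ArgumentError
    findings << :unparseable_pushed_at    # value does not match the documented format
  end
  findings
end

# Constructed sample record, using the values from the Examples section.
SAMPLE_IMAGE = {
  image_tags: ['latest'],
  image_digest: 'sha256:6dce4a9c1635c4c9b6a2b645e6613fa0238182fe13929808ee2258370d0f3497',
  image_pushed_at: '2019-06-11 15:08:29 +0100'
}.freeze
```

An empty result means the image matches the pinned digest, has at least one tag that is not in MUTABLE_TAGS, and was pushed within the allowed age.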
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not to test that the entity should not exist.
it { should exist }
it { should_not exist }
AWS Permissions
Your Principal will need the ECR:Client:DescribeRepositoriesResponse and ECR:Client:DescribeImagesResponse actions set to allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.