Skip to main content

aws_ecr Resource

[edit on GitHub]

WARNING: This resource is deprecated. Please use one of the following resources instead.

  • aws_ecr_image
  • aws_ecr_images
  • aws_ecr_repository
  • aws_ecr_repositories

Use the aws_ecr InSpec audit resource to test properties of a single AWS Elastic Container Registry.

Installation

This resource is available in the Chef InSpec AWS resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your AWS environment for InSpec and creating an InSpec profile that uses the InSpec AWS resource pack.

Syntax

An aws_ecr resource block declares the tests for a single AWS ECR by repository name.

describe aws_ecr(repository_name: aws_ecr_name) do
  it                       { should exist }
  its ('repository_name')  { should eq aws_ecr_name }
end

Parameters

The ECR repository_name must be provided.

repository_name (required)

The name of the repository This can be passed either as a string or as an repository_name: 'value' key-value entry in a hash.

Properties

registry_id
The AWS account ID associated with the registry.
repository_arn
The Amazon Resource Name of the repository.
repository_name
The name of the repository.
repository_uri
The uri of the repository.
image_tags
The tags associated with the image.
image_digest
A sha256 hash of the image.
image_size_in_bytes
The size of the image in bytes.
image_pushed_at
The datetime as a string when the image was uploaded. ‘yyyy-mm-dd hh:mm:ss tz’.
image_uploaded_date
The date as a string when the image was uploaded. ‘yyyy-mm-dd’.

Examples

Test that an ECR has the correct image properties.

describe aws_ecr(repository_name: aws_ecr_name).images do
  its ('image_tags')          { should include 'latest'}
  its ('image_digest')        { should eq 'sha256:6dce4a9c1635c4c9b6a2b645e6613fa0238182fe13929808ee2258370d0f3497'}
  its ('image_size_in_bytes') { should eq 764234}
  its ('image_uploaded_date') { should eq '2019-06-11'}
  its ('image_pushed_at')     { should eq '2019-06-11 15:08:29 +0100'}
end

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

exist

The control will pass if the describe returns at least one result.

Use should_not to test the entity should not exist.

it { should exist }
it { should_not exist }

AWS Permissions

Your Principal will need the ECR:Client:DescribeRepositoriesResponse and ECR:Client:DescribeImagesResponse actions set to allow..

You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon ECR, and Actions, Resources, and Condition Keys for Identity And Access Management.

Was this page helpful?

×









Search Results