aws.ecr
Filters
cross-account
Filters all ECR repositories whose repository policy grants cross-account access.
Example:

  policies:
    - name: ecr-cross-account
      resource: ecr
      filters:
        - type: cross-account
          whitelist_from:
            expr: "accounts.*.accountNumber"
            url: accounts_url

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
      - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
required:
  - type
Permissions - ecr:GetRepositoryPolicy
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
lifecycle-rule
Lifecycle rule filtering
Example:

  policies:
    - name: ecr-life
      resource: aws.ecr
      filters:
        - type: lifecycle-rule
          state: False
          match:
            - selection.tagStatus: untagged
            - action.type: expire
            - type: value
              key: selection.countNumber
              value: 30
              op: less-than

properties:
  match:
    items:
      oneOf:
        - $ref: '#/definitions/filters/value'
        - maxProperties: 1
          minProperties: 1
          type: object
    type: array
  state:
    type: boolean
  type:
    enum:
      - lifecycle-rule
required:
  - type
Permissions - ecr:GetLifecyclePolicy
Actions
remove-statements
Action to remove statements from an ECR repository policy. With `statement_ids: matched`, the statements matched by a preceding filter (such as cross-account) are removed; `'*'` removes every statement, and an explicit list removes the statements with those Sids.

Example:

  policies:
    - name: ecr-remove-cross-accounts
      resource: ecr
      filters:
        - type: cross-account
      actions:
        - type: remove-statements
          statement_ids: matched

properties:
  statement_ids:
    oneOf:
      - enum:
          - matched
          - '*'
      - items:
          type: string
        type: array
  type:
    enum:
      - remove-statements
required:
  - statement_ids
  - type
Permissions - ecr:SetRepositoryPolicy, ecr:GetRepositoryPolicy
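The following is an added illustration, not Cloud Custodian's own implementation, of the check behind the cross-account filter above and the removal performed by remove-statements with `statement_ids: matched`. It runs against a constructed repository policy; the account numbers, Sids and the rule that service principals do not count as cross-account are assumptions of this example.

```python
import json

# Constructed sample ECR repository policy (not from any real account).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "SameAccount", "Effect": "Allow", "Action": "ecr:BatchGetImage",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci"}},
    {"Sid": "Partner", "Effect": "Allow", "Action": "ecr:BatchGetImage",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]}},
    {"Sid": "Public", "Effect": "Allow", "Action": "ecr:DescribeImages",
     "Principal": "*"},
    {"Sid": "Lambda", "Effect": "Allow", "Action": "ecr:BatchGetImage",
     "Principal": {"Service": "lambda.amazonaws.com"}},
]})

def _aws_principals(principal):
    """AWS principal strings of a statement's Principal element ('*' means everyone)."""
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def _account_of(principal):
    """Account number of '123456789012' or 'arn:aws:iam::123456789012:...'; '*' stays '*'."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def cross_account_statements(policy_json, account_id, whitelist=(), everyone_only=False):
    """Sids of Allow statements that grant access outside account_id and whitelist.

    `whitelist` holds trusted account numbers; `everyone_only` limits matches to
    statements open to any principal ('*'). Service principals are assumed (in this
    example) not to count as cross-account.
    """
    trusted = {account_id, *whitelist}
    matched = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        accounts = {_account_of(p) for p in _aws_principals(stmt.get("Principal", {}))}
        foreign = "*" in accounts if everyone_only else bool(accounts - trusted)
        if foreign:
            matched.append(stmt.get("Sid"))
    return matched

def remove_statements(policy_json, sids):
    """Return the policy without the given Sids, as `statement_ids: matched` would."""
    doc = json.loads(policy_json)
    doc["Statement"] = [s for s in doc["Statement"] if s.get("Sid") not in set(sids)]
    return json.dumps(doc)
```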
set-immutability
Set the image tag mutability of ECR repositories: `state: true` (the default) makes image tags immutable, `state: false` makes them mutable again.

properties:
  state:
    default: true
    type: boolean
  type:
    enum:
      - set-immutability
required:
  - type
Permissions - ecr:PutImageTagMutability
set-lifecycle
Set the lifecycle policy for ECR repositories.
Note: at the moment this is limited to setting, deleting or replacing a lifecycle policy; rules are not merged into an existing policy.

properties:
  rules:
    items:
      additionalProperties: false
      properties:
        action:
          additionalProperties: false
          properties:
            type:
              enum:
                - expire
          required:
            - type
          type: object
        description:
          type: string
        rulePriority:
          type: integer
        selection:
          additionalProperties: false
          properties:
            countNumber:
              type: integer
            countType:
              enum:
                - imageCountMoreThan
                - sinceImagePushed
            countUnit:
              enum:
                - hours
                - days
            tagPrefixList:
              items:
                type: string
              type: array
            tagStatus:
              enum:
                - tagged
                - untagged
                - any
          required:
            - countType
            - countNumber
            - tagStatus
          type: object
      required:
        - rulePriority
        - action
        - selection
      type: object
    type: array
  state:
    type: boolean
  type:
    enum:
      - set-lifecycle
required:
  - type
Permissions - ecr:PutLifecyclePolicy, ecr:DeleteLifecyclePolicy
set-scanning
Set the image scanning configuration of ECR repositories: `state: true` (the default) enables scan-on-push, `state: false` disables it.

properties:
  state:
    default: true
    type: boolean
  type:
    enum:
      - set-scanning
required:
  - type
Permissions - ecr:PutImageScanningConfiguration