aws.ecr

Filters

cross-account

Filters all EC2 Container Registry (ECR) repositories whose repository policy grants cross-account access

Example:

policies:
  - name: ecr-cross-account
    resource: ecr
    filters:
      - type: cross-account
        whitelist_from:
          expr: "accounts.*.accountNumber"
          url: accounts_url
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - ecr:GetRepositoryPolicy

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database.

A revision can be selected by date, as the previous version, or as a locked version (the last requires the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

lifecycle-rule

Lifecycle rule filtering

Example:

policies:
  - name: ecr-life
    resource: aws.ecr
    filters:
      - type: lifecycle-rule
        state: False
        match:
          - selection.tagStatus: untagged
          - action.type: expire
          - type: value
            key: selection.countNumber
            value: 30
            op: less-than
properties:
  match:
    items:
      oneOf:
      - $ref: '#/definitions/filters/value'
      - maxProperties: 1
        minProperties: 1
        type: object
    type: array
  state:
    type: boolean
  type:
    enum:
    - lifecycle-rule
required:
- type

Permissions - ecr:GetLifecyclePolicy
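The match list above is evaluated against each rule of the repository's lifecycle policy: a one-key item compares the dotted key with the given value, and a value item applies an operator. The following is an added example, not Cloud Custodian's own code, that re-implements that evaluation over a constructed lifecycle policy; the reading that state False selects repositories lacking a matching rule is an assumption, as is the small operator table.

```python
"""Added example (not Cloud Custodian's code): evaluate a lifecycle-rule
match list against the rules of a constructed ECR lifecycle policy."""
from operator import eq, gt, lt, ne

# Constructed sample lifecycle policy in the ECR document format.
SAMPLE_LIFECYCLE = {
    "rules": [
        {"rulePriority": 1,
         "description": "expire untagged images after 14 days",
         "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                       "countUnit": "days", "countNumber": 14},
         "action": {"type": "expire"}},
        {"rulePriority": 2,
         "description": "keep only the last 50 release images",
         "selection": {"tagStatus": "tagged", "tagPrefixList": ["release-"],
                       "countType": "imageCountMoreThan", "countNumber": 50},
         "action": {"type": "expire"}},
    ]
}

# The match list from the page's example: a one-key mapping is a dotted
# key with an expected value; a value item carries an explicit operator.
EXAMPLE_MATCH = [
    {"selection.tagStatus": "untagged"},
    {"action.type": "expire"},
    {"type": "value", "key": "selection.countNumber", "value": 30, "op": "less-than"},
]

# Assumed subset of operators; the real filter supports more.
OPS = {"equal": eq, "eq": eq, "not-equal": ne, "ne": ne,
       "less-than": lt, "lt": lt, "greater-than": gt, "gt": gt}


def lookup(obj, dotted):
    """Resolve a dotted key such as 'selection.countNumber' inside a rule."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def matcher_matches(matcher, rule):
    """Evaluate one match-list entry against one lifecycle rule."""
    if matcher.get("type") == "value":
        actual = lookup(rule, matcher["key"])
        op = OPS[matcher.get("op", "equal")]
        try:
            return actual is not None and op(actual, matcher["value"])
        except TypeError:  # e.g. comparing a string with an integer
            return False
    (key, expected), = matcher.items()  # single key/value shorthand
    return lookup(rule, key) == expected


def rules_matching(policy, match):
    """Return the rulePriority of every rule that satisfies all match entries."""
    return [rule["rulePriority"] for rule in policy.get("rules", [])
            if all(matcher_matches(m, rule) for m in match)]


def filter_repositories(repositories, match, state=True):
    """Apply the filter to {name: lifecycle_policy} pairs. With state True keep
    repositories that have a matching rule; with state False (assumed reading
    of the filter) keep those that lack one, which is the drift case the
    page's example looks for."""
    selected = []
    for name, policy in repositories.items():
        has_match = bool(rules_matching(policy, match))
        if has_match == state:
            selected.append(name)
    return selected


if __name__ == "__main__":
    repos = {"app": SAMPLE_LIFECYCLE, "bare": {"rules": []}}
    print("matching rules in app:", rules_matching(SAMPLE_LIFECYCLE, EXAMPLE_MATCH))
    print("repositories without such a rule:",
          filter_repositories(repos, EXAMPLE_MATCH, state=False))
```

Rule 1 of the constructed policy satisfies all three entries (untagged, expire, countNumber 14 below 30), so a repository with that policy is not selected by the page's state False example, while a repository with no rules is.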

Actions

remove-statements

Action to remove statements from an ECR repository policy

Example:

policies:
  - name: ecr-remove-cross-accounts
    resource: ecr
    filters:
      - type: cross-account
    actions:
      - type: remove-statements
        statement_ids: matched
properties:
  statement_ids:
    oneOf:
    - enum:
      - matched
      - '*'
    - items:
        type: string
      type: array
  type:
    enum:
    - remove-statements
required:
- statement_ids
- type

Permissions - ecr:SetRepositoryPolicy, ecr:GetRepositoryPolicy
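The cross-account filter and the remove-statements action above work together: the filter inspects each repository policy for Allow statements whose principals lie outside the owning account (and outside any whitelist), and statement_ids: matched removes exactly those statements. The following is an added example, not Cloud Custodian's own code, that reproduces that pairing on a constructed repository policy and constructed account numbers. It models only AWS principals, the whitelist and everyone_only; the whitelist_conditions, whitelist_orgids and VPC endpoint options are not modelled, and Service principals are treated as same-account (a simplification).

```python
"""Added example (not Cloud Custodian's code): find cross-account Allow
statements in an ECR repository policy and build the policy that
remove-statements with statement_ids: matched would write back."""
import json

# Constructed sample: the account owning the repository and an allow-list
# of accounts that are permitted to pull from it (e.g. a CI account).
OWN_ACCOUNT = "111111111111"
WHITELIST = {"222222222222"}

# Constructed sample repository policy with three statements.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SameAccount",
         "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/deploy"},
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
        {"Sid": "TrustedPartner",
         "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": "ecr:BatchGetImage"},
        {"Sid": "PublicPull",
         "Effect": "Allow",
         "Principal": "*",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
    ],
})


def account_from_arn(value):
    """Extract the 12-digit account id from an ARN, or pass a bare id through."""
    if value == "*":
        return "*"
    parts = value.split(":")
    if len(parts) >= 5 and parts[0] == "arn":
        return parts[4]
    return value


def principal_accounts(principal):
    """Return the set of account ids (or '*') named by a statement Principal.
    Only the AWS principal type is examined; Service/Federated are skipped."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, str):
        return {account_from_arn(principal)}
    values = principal.get("AWS", [])
    if isinstance(values, str):
        values = [values]
    return {account_from_arn(v) for v in values}


def cross_account_statements(policy_json, own_account, whitelist=frozenset(),
                             everyone_only=False):
    """Return the Sids of Allow statements that grant access to an account
    other than own_account and the whitelist. With everyone_only, only a
    wildcard principal counts, mirroring the filter's everyone_only option."""
    matched = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        accounts = principal_accounts(stmt.get("Principal", {}))
        if everyone_only:
            external = "*" in accounts
        else:
            external = any(a != own_account and a not in whitelist for a in accounts)
        if external:
            matched.append(stmt.get("Sid"))
    return matched


def remove_statements(policy_json, statement_ids):
    """Return the policy (as a dict) with the given Sids dropped, which is
    what remove-statements does for statement_ids: matched; None means the
    policy is empty and should be deleted rather than rewritten."""
    policy = json.loads(policy_json)
    remaining = [s for s in policy.get("Statement", [])
                 if s.get("Sid") not in statement_ids]
    if not remaining:
        return None
    policy["Statement"] = remaining
    return policy


if __name__ == "__main__":
    matched = cross_account_statements(SAMPLE_POLICY, OWN_ACCOUNT, WHITELIST)
    print("cross-account statements:", matched)
    reduced = remove_statements(SAMPLE_POLICY, matched)
    print("policy after removal:", json.dumps(reduced, indent=2))
```

With the whitelist in place only the wildcard statement is flagged; without it the partner account is flagged as well, which is the difference between whitelist and whitelist_from doing their job and a policy that quietly removes a legitimate grant.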

set-immutability

Set the image tag mutability of ECR repositories (state true makes image tags immutable, false makes them mutable).

properties:
  state:
    default: true
    type: boolean
  type:
    enum:
    - set-immutability
required:
- type

Permissions - ecr:PutImageTagMutability

set-lifecycle

Set the lifecycle policy for ECR repositories.

Note: at the moment this is limited to setting, deleting or replacing lifecycle policies, not merging them.

properties:
  rules:
    items:
      additionalProperties: false
      properties:
        action:
          additionalProperties: false
          properties:
            type:
              enum:
              - expire
          required:
          - type
          type: object
        description:
          type: string
        rulePriority:
          type: integer
        selection:
          additionalProperties: false
          properties:
            countNumber:
              type: integer
            countType:
              enum:
              - imageCountMoreThan
              - sinceImagePushed
            countUnit:
              enum:
              - hours
              - days
            tagPrefixList:
              items:
                type: string
              type: array
            tagStatus:
              enum:
              - tagged
              - untagged
              - any
          required:
          - countType
          - countNumber
          - tagStatus
          type: object
      required:
      - rulePriority
      - action
      - selection
      type: object
    type: array
  state:
    type: boolean
  type:
    enum:
    - set-lifecycle
required:
- type

Permissions - ecr:PutLifecyclePolicy, ecr:DeleteLifecyclePolicy

set-scanning

Set the image scanning configuration of ECR repositories (state true enables scan on push, false disables it).

properties:
  state:
    default: true
    type: boolean
  type:
    enum:
    - set-scanning
required:
- type

Permissions - ecr:PutImageScanningConfiguration