
ECR pull-through cache implementation for Docker Hub rate limits mitigation

Perun-Engineering/ecr-pull-through

ECR pull-through cache implementation

Starting April 1, 2025, Docker Hub introduces new rate limits.

This module creates an ECR pull-through cache for other registries (both public and private) and can be used to:

  • cache public and private images in your private ECR registry
  • speed up pulls from private ECR to your local services (ECS, EKS, Lambda, etc.)
  • define a lifecycle policy that keeps only the required number of the latest tags
  • scan images for vulnerabilities with ECR as they are pulled into the cache
  • keep a single place to update your token when it is rotated or expires (e.g. GitLab does not allow tokens with an expiration date longer than one year). Imagine having to go through all your credentials in all K8s clusters once a year to update tokens.
The same image pulled directly from Docker Hub and through the cache:

```bash
# direct pull from Docker Hub
docker pull timberio/vector:0.45.0-alpine
# pull through ECR (the dockerhub/ prefix selects the pull-through cache rule)
docker pull 123456789012.dkr.ecr.us-east-1.amazonaws.com/dockerhub/timberio/vector:0.45.0-alpine
```

If `lifecycle_policy` is not specified in the YAML, the module applies the following default lifecycle policy to each created template:

```yaml
lifecycle_policy:
  rules:
    - rulePriority: 1
      description: "Keep last 3 images"
      selection:
        tagStatus: "any"
        countType: "imageCountMoreThan"
        countNumber: 3
      action:
        type: "expire"
```
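A worked root-module call is added here as an example; it is not code from the Perun-Engineering repository. It assumes the module is vendored at `./ecr-pull-through`, account `123456789012` in `us-east-1`, hypothetical IAM role ARNs, and that the `registry` value is the upstream registry hostname (the page does not document the expected format). Credentials come from sensitive variables so that nothing secret lands in version control.

```hcl
# Added example (not part of the module repository): a root module that calls
# this pull-through cache module for one public and two authenticated upstreams.
# Assumptions: module path ./ecr-pull-through, account 123456789012, region
# us-east-1, and `registry` = upstream registry hostname.

variable "dockerhub_username" {
  type = string
}

variable "dockerhub_token" {
  type      = string
  sensitive = true # pass via TF_VAR_dockerhub_token, never hard-code it
}

variable "gitlab_token" {
  type      = string
  sensitive = true
}

module "ecr_pull_through" {
  source = "./ecr-pull-through" # assumed local path to this module

  region = "us-east-1"

  registries = {
    # Docker Hub: authenticated pulls, so the rate limit is counted against one
    # service account instead of every node's anonymous IP address.
    dockerhub = {
      registry    = "registry-1.docker.io"
      username    = var.dockerhub_username
      accessToken = var.dockerhub_token
      # Hypothetical roles that are allowed to pull from the cached repositories.
      repository_read_access_arns = [
        "arn:aws:iam::123456789012:role/eks-node-group",
        "arn:aws:iam::123456789012:role/ecs-task-execution",
      ]
      # Moving tags such as "latest" must stay updatable so the cache can
      # refresh them from upstream; IMMUTABLE would freeze them at first pull.
      image_tag_mutability = "MUTABLE"
      # Override of the module's default "Keep last 3 images" policy.
      lifecycle_policy = {
        rules = [
          {
            rulePriority = 1
            description  = "Keep last 10 images"
            selection = {
              tagStatus   = "any"
              countType   = "imageCountMoreThan"
              countNumber = 10
            }
            action = {
              type = "expire"
            }
          },
        ]
      }
    }

    # GitLab container registry: the deploy token (at most one year on GitLab)
    # is stored once in Secrets Manager and rotated in one place.
    gitlab = {
      registry    = "registry.gitlab.com"
      username    = "ci-pull-bot" # hypothetical deploy token username
      accessToken = var.gitlab_token
      repository_read_access_arns = [
        "arn:aws:iam::123456789012:role/eks-node-group",
      ]
    }

    # Public upstream with no credentials: username/accessToken stay unset and
    # the module's default lifecycle policy applies.
    k8s = {
      registry = "registry.k8s.io"
    }
  }

  tags = {
    Environment = "prod"
    ManagedBy   = "terraform"
  }
}

output "pull_through_cache_urls" {
  description = "Cache URLs to substitute for the upstream registry in image references"
  value       = module.ecr_pull_through.pull_through_cache_urls
}
```

Log in once before the first pull with `aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com`. Docker Hub official images live under the `library/` namespace, so `nginx:1.27` becomes `123456789012.dkr.ecr.us-east-1.amazonaws.com/dockerhub/library/nginx:1.27`. The first pull of an image through a rule creates its repository in ECR, so the pulling principal needs `ecr:CreateRepository` and `ecr:BatchImportUpstreamImage` in addition to the usual pull permissions. Two caveats follow from the module's own input type: the `selection` object only carries `tagStatus`, `countType` and `countNumber`, so age-based rules (`sinceImagePushed`) cannot be expressed through `lifecycle_policy`, and the same structure can be kept in a YAML file and passed as `registries = yamldecode(file("registries.yaml"))` if you prefer the YAML form the README refers to.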

More details about this module are in the blog post.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.4 |
| aws | >= 5.75.0 |

Providers

| Name | Version |
|------|---------|
| aws | 5.89.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| pull_through_cache_repository_template | terraform-aws-modules/ecr/aws//modules/repository-template | 2.3.1 |
| secrets_manager_credentials | terraform-aws-modules/secrets-manager/aws | 1.3.1 |

Resources

| Name | Type |
|------|------|
| aws_caller_identity.current | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| region | AWS region where the rules are created | `string` | `""` | no |
| registries | Map of upstream registries to create pull-through cache rules for (full type below) | `map(object({...}))` | n/a | yes |
| tags | Tags that will be assigned to all resources | `map(string)` | `{}` | no |

Full type of `registries`:

```hcl
map(object({
  registry                    = string
  username                    = optional(string)
  accessToken                 = optional(string)
  repository_read_access_arns = optional(list(string))
  image_tag_mutability        = optional(string)
  lifecycle_policy = optional(object({
    rules = list(object({
      rulePriority = number
      description  = string
      selection = object({
        tagStatus   = string
        countType   = string
        countNumber = number
      })
      action = object({
        type = string
      })
    }))
  }))
}))
```

Outputs

| Name | Description |
|------|-------------|
| pull_through_cache_urls | List of ECR pull-through cache URLs for your images |
