


# Amazon ECR
<a name="AWS_ECR"></a>

**Resource types**
+ [AWS::ECR::PublicRepository](aws-resource-ecr-publicrepository.md)
+ [AWS::ECR::PullThroughCacheRule](aws-resource-ecr-pullthroughcacherule.md)
+ [AWS::ECR::PullTimeUpdateExclusion](aws-resource-ecr-pulltimeupdateexclusion.md)
+ [AWS::ECR::RegistryPolicy](aws-resource-ecr-registrypolicy.md)
+ [AWS::ECR::RegistryScanningConfiguration](aws-resource-ecr-registryscanningconfiguration.md)
+ [AWS::ECR::ReplicationConfiguration](aws-resource-ecr-replicationconfiguration.md)
+ [AWS::ECR::Repository](aws-resource-ecr-repository.md)
+ [AWS::ECR::RepositoryCreationTemplate](aws-resource-ecr-repositorycreationtemplate.md)
+ [AWS::ECR::SigningConfiguration](aws-resource-ecr-signingconfiguration.md)

# AWS::ECR::PublicRepository
<a name="aws-resource-ecr-publicrepository"></a>

The `AWS::ECR::PublicRepository` resource specifies an Amazon Elastic Container Registry Public (Amazon ECR Public) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. For more information, see [Amazon ECR public repositories](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repositories.html) in the *Amazon ECR Public User Guide*.

## Syntax
<a name="aws-resource-ecr-publicrepository-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ecr-publicrepository-syntax.json"></a>

```
{
  "Type" : "AWS::ECR::PublicRepository",
  "Properties" : {
      "[RepositoryCatalogData](#cfn-ecr-publicrepository-repositorycatalogdata)" : RepositoryCatalogData,
      "[RepositoryName](#cfn-ecr-publicrepository-repositoryname)" : String,
      "[RepositoryPolicyText](#cfn-ecr-publicrepository-repositorypolicytext)" : Json,
      "[Tags](#cfn-ecr-publicrepository-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-ecr-publicrepository-syntax.yaml"></a>

```
Type: AWS::ECR::PublicRepository
Properties:
  [RepositoryCatalogData](#cfn-ecr-publicrepository-repositorycatalogdata): 
    RepositoryCatalogData
  [RepositoryName](#cfn-ecr-publicrepository-repositoryname): String
  [RepositoryPolicyText](#cfn-ecr-publicrepository-repositorypolicytext): Json
  [Tags](#cfn-ecr-publicrepository-tags): 
    - Tag
```

## Properties
<a name="aws-resource-ecr-publicrepository-properties"></a>

`RepositoryCatalogData`  <a name="cfn-ecr-publicrepository-repositorycatalogdata"></a>
The details about the repository that are publicly visible in the Amazon ECR Public Gallery. For more information, see [Amazon ECR Public repository catalog data](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-catalog-data.html) in the *Amazon ECR Public User Guide*.  
*Required*: No  
*Type*: [RepositoryCatalogData](aws-properties-ecr-publicrepository-repositorycatalogdata.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RepositoryName`  <a name="cfn-ecr-publicrepository-repositoryname"></a>
The name to use for the public repository. The repository name may be specified on its own (such as `nginx-web-app`) or it can be prepended with a namespace to group the repository into a category (such as `project-a/nginx-web-app`). If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the repository name. For more information, see [Name Type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html).  
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
*Required*: No  
*Type*: String  
*Pattern*: `^(?=.{2,256}$)((?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*)$`  
*Minimum*: `2`  
*Maximum*: `256`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`RepositoryPolicyText`  <a name="cfn-ecr-publicrepository-repositorypolicytext"></a>
The JSON repository policy text to apply to the public repository. For more information, see [Amazon ECR Public repository policies](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html) in the *Amazon ECR Public User Guide*.  
*Required*: No  
*Type*: Json  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-ecr-publicrepository-tags"></a>
An array of key-value pairs to apply to this resource.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-ecr-publicrepository-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-ecr-publicrepository-return-values"></a>

### Ref
<a name="aws-resource-ecr-publicrepository-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the resource name, such as `test-repository`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-ecr-publicrepository-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

#### 
<a name="aws-resource-ecr-publicrepository-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) for the specified `AWS::ECR::PublicRepository` resource. For example, `arn:aws:ecr-public::123456789012:repository/test-repository`.

## Examples
<a name="aws-resource-ecr-publicrepository--examples"></a>



### Specify a public repository
<a name="aws-resource-ecr-publicrepository--examples--Specify_a_public_repository"></a>

The following example specifies a public repository named `test-repository`. The repository catalog data appears publicly on the Amazon ECR Public Gallery.

#### JSON
<a name="aws-resource-ecr-publicrepository--examples--Specify_a_public_repository--json"></a>

```
"MyPublicRepository": {
  "Type": "AWS::ECR::PublicRepository",
  "Properties": {
    "RepositoryName": "test-repository",
    "RepositoryCatalogData": {
      "UsageText": "This is a sample usage text.",
      "AboutText": "This is a sample about text.",
      "OperatingSystems": [
        "Linux",
        "Windows"
      ],
      "Architectures": [
        "x86",
        "ARM"
      ],
      "RepositoryDescription": "This is a sample repository description."
    }
  }
}
```

#### YAML
<a name="aws-resource-ecr-publicrepository--examples--Specify_a_public_repository--yaml"></a>

```
Resources:
  MyPublicRepository:
    Type: AWS::ECR::PublicRepository
    Properties:
      RepositoryName: "test-repository"
      RepositoryCatalogData:
        UsageText: "This is a sample usage text."
        AboutText: "This is a sample about text."
        OperatingSystems:
          - "Linux"
          - "Windows"
        Architectures:
          - "x86"
          - "ARM"
        RepositoryDescription: "This is a sample repository description."
```

# AWS::ECR::PublicRepository RepositoryCatalogData
<a name="aws-properties-ecr-publicrepository-repositorycatalogdata"></a>

The details about the repository that are publicly visible in the Amazon ECR Public Gallery. For more information, see [Amazon ECR Public repository catalog data](https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-catalog-data.html) in the *Amazon ECR Public User Guide*.

## Syntax
<a name="aws-properties-ecr-publicrepository-repositorycatalogdata-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-publicrepository-repositorycatalogdata-syntax.json"></a>

```
{
  "[AboutText](#cfn-ecr-publicrepository-repositorycatalogdata-abouttext)" : String,
  "[Architectures](#cfn-ecr-publicrepository-repositorycatalogdata-architectures)" : [ String, ... ],
  "[OperatingSystems](#cfn-ecr-publicrepository-repositorycatalogdata-operatingsystems)" : [ String, ... ],
  "[RepositoryDescription](#cfn-ecr-publicrepository-repositorycatalogdata-repositorydescription)" : String,
  "[UsageText](#cfn-ecr-publicrepository-repositorycatalogdata-usagetext)" : String
}
```

### YAML
<a name="aws-properties-ecr-publicrepository-repositorycatalogdata-syntax.yaml"></a>

```
  [AboutText](#cfn-ecr-publicrepository-repositorycatalogdata-abouttext): String
  [Architectures](#cfn-ecr-publicrepository-repositorycatalogdata-architectures): 
    - String
  [OperatingSystems](#cfn-ecr-publicrepository-repositorycatalogdata-operatingsystems): 
    - String
  [RepositoryDescription](#cfn-ecr-publicrepository-repositorycatalogdata-repositorydescription): String
  [UsageText](#cfn-ecr-publicrepository-repositorycatalogdata-usagetext): String
```

## Properties
<a name="aws-properties-ecr-publicrepository-repositorycatalogdata-properties"></a>

`AboutText`  <a name="cfn-ecr-publicrepository-repositorycatalogdata-abouttext"></a>
The longform description of the contents of the repository. This text appears in the repository details on the Amazon ECR Public Gallery.  
*Required*: No  
*Type*: String  
*Maximum*: `10240`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Architectures`  <a name="cfn-ecr-publicrepository-repositorycatalogdata-architectures"></a>
The architecture tags that are associated with the repository.  
*Required*: No  
*Type*: Array of String  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`OperatingSystems`  <a name="cfn-ecr-publicrepository-repositorycatalogdata-operatingsystems"></a>
The operating system tags that are associated with the repository.  
*Required*: No  
*Type*: Array of String  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RepositoryDescription`  <a name="cfn-ecr-publicrepository-repositorycatalogdata-repositorydescription"></a>
The short description of the repository.  
*Required*: No  
*Type*: String  
*Maximum*: `1024`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`UsageText`  <a name="cfn-ecr-publicrepository-repositorycatalogdata-usagetext"></a>
The longform usage details of the contents of the repository. The usage text provides context for users of the repository.  
*Required*: No  
*Type*: String  
*Maximum*: `10240`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::PublicRepository Tag
<a name="aws-properties-ecr-publicrepository-tag"></a>

The metadata to apply to a resource to help you categorize and organize it. Each tag consists of a key and a value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.

## Syntax
<a name="aws-properties-ecr-publicrepository-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-publicrepository-tag-syntax.json"></a>

```
{
  "[Key](#cfn-ecr-publicrepository-tag-key)" : String,
  "[Value](#cfn-ecr-publicrepository-tag-value)" : String
}
```

### YAML
<a name="aws-properties-ecr-publicrepository-tag-syntax.yaml"></a>

```
  [Key](#cfn-ecr-publicrepository-tag-key): String
  [Value](#cfn-ecr-publicrepository-tag-value): String
```

## Properties
<a name="aws-properties-ecr-publicrepository-tag-properties"></a>

`Key`  <a name="cfn-ecr-publicrepository-tag-key"></a>
One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `127`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-ecr-publicrepository-tag-value"></a>
A `value` acts as a descriptor within a tag category (key).  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::PullThroughCacheRule
<a name="aws-resource-ecr-pullthroughcacherule"></a>

The `AWS::ECR::PullThroughCacheRule` resource creates or updates a pull through cache rule. A pull through cache rule provides a way to cache images from an upstream registry in your Amazon ECR private registry.

## Syntax
<a name="aws-resource-ecr-pullthroughcacherule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ecr-pullthroughcacherule-syntax.json"></a>

```
{
  "Type" : "AWS::ECR::PullThroughCacheRule",
  "Properties" : {
      "[CredentialArn](#cfn-ecr-pullthroughcacherule-credentialarn)" : String,
      "[CustomRoleArn](#cfn-ecr-pullthroughcacherule-customrolearn)" : String,
      "[EcrRepositoryPrefix](#cfn-ecr-pullthroughcacherule-ecrrepositoryprefix)" : String,
      "[UpstreamRegistry](#cfn-ecr-pullthroughcacherule-upstreamregistry)" : String,
      "[UpstreamRegistryUrl](#cfn-ecr-pullthroughcacherule-upstreamregistryurl)" : String,
      "[UpstreamRepositoryPrefix](#cfn-ecr-pullthroughcacherule-upstreamrepositoryprefix)" : String
    }
}
```

### YAML
<a name="aws-resource-ecr-pullthroughcacherule-syntax.yaml"></a>

```
Type: AWS::ECR::PullThroughCacheRule
Properties:
  [CredentialArn](#cfn-ecr-pullthroughcacherule-credentialarn): String
  [CustomRoleArn](#cfn-ecr-pullthroughcacherule-customrolearn): String
  [EcrRepositoryPrefix](#cfn-ecr-pullthroughcacherule-ecrrepositoryprefix): String
  [UpstreamRegistry](#cfn-ecr-pullthroughcacherule-upstreamregistry): String
  [UpstreamRegistryUrl](#cfn-ecr-pullthroughcacherule-upstreamregistryurl): String
  [UpstreamRepositoryPrefix](#cfn-ecr-pullthroughcacherule-upstreamrepositoryprefix): String
```

## Properties
<a name="aws-resource-ecr-pullthroughcacherule-properties"></a>

`CredentialArn`  <a name="cfn-ecr-pullthroughcacherule-credentialarn"></a>
The ARN of the Secrets Manager secret associated with the pull through cache rule.  
*Required*: No  
*Type*: String  
*Pattern*: `^arn:aws:secretsmanager:[a-zA-Z0-9-:]+:secret:ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$`  
*Minimum*: `50`  
*Maximum*: `612`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`CustomRoleArn`  <a name="cfn-ecr-pullthroughcacherule-customrolearn"></a>
The ARN of the IAM role associated with the pull through cache rule.  
*Required*: No  
*Type*: String  
*Maximum*: `2048`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`EcrRepositoryPrefix`  <a name="cfn-ecr-pullthroughcacherule-ecrrepositoryprefix"></a>
The Amazon ECR repository prefix associated with the pull through cache rule.  
*Required*: No  
*Type*: String  
*Pattern*: `^([a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*\/?|ROOT)$`  
*Minimum*: `2`  
*Maximum*: `30`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`UpstreamRegistry`  <a name="cfn-ecr-pullthroughcacherule-upstreamregistry"></a>
The name of the upstream source registry associated with the pull through cache rule.  
*Required*: No  
*Type*: String  
*Allowed values*: `ecr | ecr-public | quay | k8s | docker-hub | github-container-registry | azure-container-registry | gitlab-container-registry | chainguard`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`UpstreamRegistryUrl`  <a name="cfn-ecr-pullthroughcacherule-upstreamregistryurl"></a>
The upstream registry URL associated with the pull through cache rule.  
*Required*: No  
*Type*: String  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`UpstreamRepositoryPrefix`  <a name="cfn-ecr-pullthroughcacherule-upstreamrepositoryprefix"></a>
The upstream repository prefix associated with the pull through cache rule.  
*Required*: No  
*Type*: String  
*Pattern*: `^([a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*\/?|ROOT)$`  
*Minimum*: `2`  
*Maximum*: `30`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Examples
<a name="aws-resource-ecr-pullthroughcacherule--examples"></a>

The following resource examples show how to create a pull through cache rule for a private registry.

**Topics**
+ [Create a pull through cache rule for an upstream registry that requires authentication](#aws-resource-ecr-pullthroughcacherule--examples--Create_a_pull_through_cache_rule_for_an_upstream_registry_that_requires_authentication)
+ [Create a pull through cache rule for an upstream registry that does not require authentication](#aws-resource-ecr-pullthroughcacherule--examples--Create_a_pull_through_cache_rule_for_an_upstream_registry_that_does_not_require_authentication)

### Create a pull through cache rule for an upstream registry that requires authentication
<a name="aws-resource-ecr-pullthroughcacherule--examples--Create_a_pull_through_cache_rule_for_an_upstream_registry_that_requires_authentication"></a>

The following example creates a pull through cache rule for the upstream registry Docker Hub, which requires authentication. The authentication credentials for the upstream registry must be stored in a Secrets Manager secret whose name has the `ecr-pullthroughcache/` prefix. You specify the full Amazon Resource Name (ARN) of the secret. When the pull through cache rule is used to pull images from the upstream registry, Amazon ECR creates repositories in your private registry on your behalf with the `docker-hub` prefix.

#### JSON
<a name="aws-resource-ecr-pullthroughcacherule--examples--Create_a_pull_through_cache_rule_for_an_upstream_registry_that_requires_authentication--json"></a>

```
{
    "Resources": {
        "MyECRPullThroughCacheRule": {
            "Type": "AWS::ECR::PullThroughCacheRule",
            "Properties": {
                "EcrRepositoryPrefix": "docker-hub",
                "UpstreamRegistryUrl": "registry-1.docker.io",
                "CredentialArn": "arn:aws:secretsmanager:us-east-2:111122223333:secret:ecr-pullthroughcache/example1234"
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-ecr-pullthroughcacherule--examples--Create_a_pull_through_cache_rule_for_an_upstream_registry_that_requires_authentication--yaml"></a>

```
Resources:
  MyECRPullThroughCacheRule:
    Type: 'AWS::ECR::PullThroughCacheRule'
    Properties:
      EcrRepositoryPrefix: 'docker-hub'
      UpstreamRegistryUrl: 'registry-1.docker.io'
      CredentialArn: 'arn:aws:secretsmanager:us-east-2:111122223333:secret:ecr-pullthroughcache/example1234'
      UpstreamRegistry: 'docker-hub'
```

### Create a pull through cache rule for an upstream registry that does not require authentication
<a name="aws-resource-ecr-pullthroughcacherule--examples--Create_a_pull_through_cache_rule_for_an_upstream_registry_that_does_not_require_authentication"></a>

The following example creates a pull through cache rule that caches repositories with the name prefix `ecr-public` from the Amazon ECR Public registry into your private registry.

#### JSON
<a name="aws-resource-ecr-pullthroughcacherule--examples--Create_a_pull_through_cache_rule_for_an_upstream_registry_that_does_not_require_authentication--json"></a>

```
{
    "Resources": {
        "MyECRPullThroughCacheRule": {
            "Type": "AWS::ECR::PullThroughCacheRule",
            "Properties": {
                "EcrRepositoryPrefix": "ecr-public",
                "UpstreamRegistryUrl": "public.ecr.aws"
            }
        }
    }
}
```

#### YAML
<a name="aws-resource-ecr-pullthroughcacherule--examples--Create_a_pull_through_cache_rule_for_an_upstream_registry_that_does_not_require_authentication--yaml"></a>

```
Resources:
  MyECRPullThroughCacheRule:
    Type: 'AWS::ECR::PullThroughCacheRule'
    Properties:
      EcrRepositoryPrefix: 'ecr-public'
      UpstreamRegistryUrl: 'public.ecr.aws'
      UpstreamRegistry: 'ecr-public'
```
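The patterns, length limits and allowed values in the property tables above can be enforced before a template reaches CloudFormation. The following pre-deployment check is an added example, not part of the original reference; it goes beyond the pull through cache rule to also cover `RepositoryName` of `AWS::ECR::PublicRepository`, and the function names, reason codes and every sample resource except `GoodRule` are constructed for illustration.

```python
import json
import re

# Patterns, length limits and allowed values copied from the property tables
# on this page. Tuple layout: (pattern, min length, max length, allowed values).
PREFIX = r"^([a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*\/?|ROOT)$"
CONSTRAINTS = {
    "AWS::ECR::PublicRepository": {
        "RepositoryName": (
            r"^(?=.{2,256}$)((?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*)$",
            2, 256, None),
    },
    "AWS::ECR::PullThroughCacheRule": {
        "CredentialArn": (
            r"^arn:aws:secretsmanager:[a-zA-Z0-9-:]+:secret:ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$",
            50, 612, None),
        "CustomRoleArn": (None, None, 2048, None),
        "EcrRepositoryPrefix": (PREFIX, 2, 30, None),
        "UpstreamRegistry": (None, None, None, frozenset({
            "ecr", "ecr-public", "quay", "k8s", "docker-hub",
            "github-container-registry", "azure-container-registry",
            "gitlab-container-registry", "chainguard"})),
        "UpstreamRepositoryPrefix": (PREFIX, 2, 30, None),
    },
}


def check_value(value, rule):
    """Return the reason codes for which a literal string violates one rule."""
    pattern, lo, hi, allowed = rule
    reasons = []
    if lo is not None and len(value) < lo:
        reasons.append("too_short")
    if hi is not None and len(value) > hi:
        reasons.append("too_long")
    # fullmatch instead of match/search: "$" on its own accepts a trailing "\n".
    if pattern is not None and re.fullmatch(pattern, value) is None:
        reasons.append("pattern")
    if allowed is not None and value not in allowed:
        reasons.append("not_allowed")
    return reasons


def lint_template(template):
    """Return (logical id, property, reason) for each documented constraint violated."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rules = CONSTRAINTS.get(resource.get("Type"), {})
        props = resource.get("Properties", {})
        for name, rule in rules.items():
            if name not in props:
                continue  # every property checked here is optional on this page
            value = props[name]
            if not isinstance(value, str):
                # Ref / Fn::Sub and friends resolve at deploy time; review by hand.
                findings.append((logical_id, name, "unresolved"))
                continue
            findings.extend((logical_id, name, r) for r in check_value(value, rule))
    return findings


# Constructed sample: GoodRule is the authenticated example from this page,
# the remaining resources are made up to trigger one finding each.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "GoodRule": {
      "Type": "AWS::ECR::PullThroughCacheRule",
      "Properties": {
        "EcrRepositoryPrefix": "docker-hub",
        "UpstreamRegistryUrl": "registry-1.docker.io",
        "UpstreamRegistry": "docker-hub",
        "CredentialArn": "arn:aws:secretsmanager:us-east-2:111122223333:secret:ecr-pullthroughcache/example1234"
      }
    },
    "WrongSecretRule": {
      "Type": "AWS::ECR::PullThroughCacheRule",
      "Properties": {
        "EcrRepositoryPrefix": "Docker_Hub",
        "UpstreamRegistryUrl": "registry-1.docker.io",
        "UpstreamRegistry": "dockerhub",
        "CredentialArn": "arn:aws:secretsmanager:us-east-2:111122223333:secret:prod/registry-login"
      }
    },
    "PublicRepo": {
      "Type": "AWS::ECR::PublicRepository",
      "Properties": {"RepositoryName": "Project-A/nginx-web-app"}
    },
    "ParamRule": {
      "Type": "AWS::ECR::PullThroughCacheRule",
      "Properties": {
        "EcrRepositoryPrefix": {"Ref": "PrefixParam"},
        "UpstreamRegistryUrl": "public.ecr.aws"
      }
    }
  }
}
""")

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(*finding)
```

The `CredentialArn` finding is the one that matters most in review: a secret outside the `ecr-pullthroughcache/` namespace fails the documented pattern, so the rule cannot be pointed at an unrelated secret.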

# AWS::ECR::PullTimeUpdateExclusion
<a name="aws-resource-ecr-pulltimeupdateexclusion"></a>

<a name="aws-resource-ecr-pulltimeupdateexclusion-description"></a>No description is available for the `AWS::ECR::PullTimeUpdateExclusion` resource.

## Syntax
<a name="aws-resource-ecr-pulltimeupdateexclusion-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ecr-pulltimeupdateexclusion-syntax.json"></a>

```
{
  "Type" : "AWS::ECR::PullTimeUpdateExclusion",
  "Properties" : {
      "[PrincipalArn](#cfn-ecr-pulltimeupdateexclusion-principalarn)" : String
    }
}
```

### YAML
<a name="aws-resource-ecr-pulltimeupdateexclusion-syntax.yaml"></a>

```
Type: AWS::ECR::PullTimeUpdateExclusion
Properties:
  [PrincipalArn](#cfn-ecr-pulltimeupdateexclusion-principalarn): String
```

## Properties
<a name="aws-resource-ecr-pulltimeupdateexclusion-properties"></a>

`PrincipalArn`  <a name="cfn-ecr-pulltimeupdateexclusion-principalarn"></a>
The ARN of the IAM principal to remove from the pull time update exclusion list.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:aws(-[a-z]+)*:iam::[0-9]{12}:(role|user)/[\w+=,.@-]+(/[\w+=,.@-]+)*$`  
*Maximum*: `200`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

## Return values
<a name="aws-resource-ecr-pulltimeupdateexclusion-return-values"></a>

### Ref
<a name="aws-resource-ecr-pulltimeupdateexclusion-return-values-ref"></a>

# AWS::ECR::RegistryPolicy
<a name="aws-resource-ecr-registrypolicy"></a>

The `AWS::ECR::RegistryPolicy` resource creates or updates the permissions policy for a private registry.

A private registry policy is used to specify permissions for another AWS account and is used when configuring cross-account replication. For more information, see [Registry permissions](https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry-permissions.html) in the *Amazon Elastic Container Registry User Guide*.

## Syntax
<a name="aws-resource-ecr-registrypolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ecr-registrypolicy-syntax.json"></a>

```
{
  "Type" : "AWS::ECR::RegistryPolicy",
  "Properties" : {
      "[PolicyText](#cfn-ecr-registrypolicy-policytext)" : Json
    }
}
```

### YAML
<a name="aws-resource-ecr-registrypolicy-syntax.yaml"></a>

```
Type: AWS::ECR::RegistryPolicy
Properties:
  [PolicyText](#cfn-ecr-registrypolicy-policytext): Json
```

## Properties
<a name="aws-resource-ecr-registrypolicy-properties"></a>

`PolicyText`  <a name="cfn-ecr-registrypolicy-policytext"></a>
The JSON policy text for your registry.  
*Required*: Yes  
*Type*: Json  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-ecr-registrypolicy-return-values"></a>

### Fn::GetAtt
<a name="aws-resource-ecr-registrypolicy-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

#### 
<a name="aws-resource-ecr-registrypolicy-return-values-fn--getatt-fn--getatt"></a>

`RegistryId`  <a name="RegistryId-fn::getatt"></a>
The account ID of the private registry the policy is associated with.

## Examples
<a name="aws-resource-ecr-registrypolicy--examples"></a>



### Specify a registry policy for a private registry
<a name="aws-resource-ecr-registrypolicy--examples--Specify_a_registry_policy_for_a_private_registry"></a>

The following example specifies a private registry policy in `us-west-2` that grants permission for account `210987654321` to create repositories and replicate their contents to your private registry.

#### JSON
<a name="aws-resource-ecr-registrypolicy--examples--Specify_a_registry_policy_for_a_private_registry--json"></a>

```
"TestRegistryPolicy": {
  "Type": "AWS::ECR::RegistryPolicy",
  "Properties": {
    "PolicyText": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ReplicationAccessCrossAccount",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::210987654321:root"
          },
          "Action": [
            "ecr:CreateRepository",
            "ecr:ReplicateImage"
          ],
          "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"
        }
      ]
    }
  }
}
```

#### YAML
<a name="aws-resource-ecr-registrypolicy--examples--Specify_a_registry_policy_for_a_private_registry--yaml"></a>

```
Resources:
  TestRegistryPolicy:
    Type: 'AWS::ECR::RegistryPolicy'
    Properties:
      PolicyText:
        Version: '2012-10-17'
        Statement:
          - Sid: UpdatedRegistryPolicy
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::210987654321:root'
            Action:
              - 'ecr:CreateRepository'
              - 'ecr:ReplicateImage'
            Resource: 'arn:aws:ecr:us-west-2:123456789012:repository/*'
```
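Because a registry policy grants another account the right to create repositories and replicate into your registry, it is worth reviewing `PolicyText` before the stack is deployed. The following audit is an added example, not part of the original reference; the function names, finding labels, the `LoosePolicy` resource and account `444455556666` are constructed, and treating the two actions from the example above as the only expected ones is an assumption of this check.

```python
import json
import re

# Assumption of this example: a replication-only registry policy should grant
# nothing beyond the two actions used in the example on this page.
EXPECTED_ACTIONS = frozenset({"ecr:CreateRepository", "ecr:ReplicateImage"})
# Accepts a bare 12-digit account ID or an IAM ARN and captures the account ID.
ACCOUNT_RE = re.compile(r"(?:arn:aws(?:-[a-z]+)*:iam::)?(\d{12})(?::.*)?")


def as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_findings(principal, trusted_accounts):
    """Flag wildcard, unrecognised or untrusted entries in a Principal element."""
    if principal == "*":
        return ["wildcard_principal"]
    # Only AWS principals are inspected; other principal types are not covered here.
    values = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    out = []
    for value in values:
        match = ACCOUNT_RE.fullmatch(value)
        if value == "*":
            out.append("wildcard_principal")
        elif match is None:
            out.append(f"unrecognized_principal:{value}")
        elif match.group(1) not in trusted_accounts:
            out.append(f"untrusted_account:{match.group(1)}")
    return out


def audit_registry_policy(policy, trusted_accounts):
    """Return (sid, finding) pairs for every Allow statement in a registry policy."""
    if isinstance(policy, str):  # PolicyText supplied as a JSON string
        policy = json.loads(policy)
    findings = []
    for index, statement in enumerate(as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"statement[{index}]")
        for item in principal_findings(statement.get("Principal"), trusted_accounts):
            findings.append((sid, item))
        for action in as_list(statement.get("Action")):
            if "*" in action:
                findings.append((sid, f"wildcard_action:{action}"))
            elif action not in EXPECTED_ACTIONS:
                findings.append((sid, f"unexpected_action:{action}"))
    return findings


def audit_template(template, trusted_accounts):
    """Audit every AWS::ECR::RegistryPolicy resource in a parsed template."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECR::RegistryPolicy":
            continue
        policy = resource.get("Properties", {}).get("PolicyText", {})
        for sid, item in audit_registry_policy(policy, trusted_accounts):
            findings.append((logical_id, sid, item))
    return findings


# TestRegistryPolicy is the policy from this page; LoosePolicy is constructed.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReplicationAccessCrossAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
        "Action": ["ecr:CreateRepository", "ecr:ReplicateImage"],
        "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*",
    }],
}
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenReplication", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::210987654321:root", "444455556666"]},
         "Action": ["ecr:ReplicateImage", "ecr:*"],
         "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"},
        {"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
         "Action": "ecr:CreateRepository",
         "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*"},
    ],
}
SAMPLE_TEMPLATE = {"Resources": {
    "TestRegistryPolicy": {"Type": "AWS::ECR::RegistryPolicy",
                           "Properties": {"PolicyText": PAGE_POLICY}},
    "LoosePolicy": {"Type": "AWS::ECR::RegistryPolicy",
                    "Properties": {"PolicyText": LOOSE_POLICY}},
}}

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE, {"210987654321"}):
        print(*finding)
```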

# AWS::ECR::RegistryScanningConfiguration
<a name="aws-resource-ecr-registryscanningconfiguration"></a>

The scanning configuration for a private registry.

## Syntax
<a name="aws-resource-ecr-registryscanningconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ecr-registryscanningconfiguration-syntax.json"></a>

```
{
  "Type" : "AWS::ECR::RegistryScanningConfiguration",
  "Properties" : {
      "[Rules](#cfn-ecr-registryscanningconfiguration-rules)" : [ ScanningRule, ... ],
      "[ScanType](#cfn-ecr-registryscanningconfiguration-scantype)" : String
    }
}
```

### YAML
<a name="aws-resource-ecr-registryscanningconfiguration-syntax.yaml"></a>

```
Type: AWS::ECR::RegistryScanningConfiguration
Properties:
  [Rules](#cfn-ecr-registryscanningconfiguration-rules): 
    - ScanningRule
  [ScanType](#cfn-ecr-registryscanningconfiguration-scantype): String
```

## Properties
<a name="aws-resource-ecr-registryscanningconfiguration-properties"></a>

`Rules`  <a name="cfn-ecr-registryscanningconfiguration-rules"></a>
The scanning rules associated with the registry.  
*Required*: Yes  
*Type*: Array of [ScanningRule](aws-properties-ecr-registryscanningconfiguration-scanningrule.md)  
*Minimum*: `0`  
*Maximum*: `2`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ScanType`  <a name="cfn-ecr-registryscanningconfiguration-scantype"></a>
The type of scanning configured for the registry.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `BASIC | ENHANCED`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-ecr-registryscanningconfiguration-return-values"></a>

### Ref
<a name="aws-resource-ecr-registryscanningconfiguration-return-values-ref"></a>

### Fn::GetAtt
<a name="aws-resource-ecr-registryscanningconfiguration-return-values-fn--getatt"></a>

#### 
<a name="aws-resource-ecr-registryscanningconfiguration-return-values-fn--getatt-fn--getatt"></a>

`RegistryId`  <a name="RegistryId-fn::getatt"></a>
The account ID of the destination registry.

# AWS::ECR::RegistryScanningConfiguration RepositoryFilter
<a name="aws-properties-ecr-registryscanningconfiguration-repositoryfilter"></a>

The filter settings used with image replication. Specifying a repository filter to a replication rule provides a method for controlling which repositories in a private registry are replicated. If no filters are added, the contents of all repositories are replicated.

## Syntax
<a name="aws-properties-ecr-registryscanningconfiguration-repositoryfilter-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-registryscanningconfiguration-repositoryfilter-syntax.json"></a>

```
{
  "[Filter](#cfn-ecr-registryscanningconfiguration-repositoryfilter-filter)" : String,
  "[FilterType](#cfn-ecr-registryscanningconfiguration-repositoryfilter-filtertype)" : String
}
```

### YAML
<a name="aws-properties-ecr-registryscanningconfiguration-repositoryfilter-syntax.yaml"></a>

```
  [Filter](#cfn-ecr-registryscanningconfiguration-repositoryfilter-filter): String
  [FilterType](#cfn-ecr-registryscanningconfiguration-repositoryfilter-filtertype): String
```

## Properties
<a name="aws-properties-ecr-registryscanningconfiguration-repositoryfilter-properties"></a>

`Filter`  <a name="cfn-ecr-registryscanningconfiguration-repositoryfilter-filter"></a>
The filter to use when scanning.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[a-z0-9*](?:[._\-/a-z0-9*]?[a-z0-9*]+)*$`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`FilterType`  <a name="cfn-ecr-registryscanningconfiguration-repositoryfilter-filtertype"></a>
The type associated with the filter.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `WILDCARD`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::RegistryScanningConfiguration ScanningRule
<a name="aws-properties-ecr-registryscanningconfiguration-scanningrule"></a>

The scanning rules associated with the registry.

## Syntax
<a name="aws-properties-ecr-registryscanningconfiguration-scanningrule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-registryscanningconfiguration-scanningrule-syntax.json"></a>

```
{
  "[RepositoryFilters](#cfn-ecr-registryscanningconfiguration-scanningrule-repositoryfilters)" : [ RepositoryFilter, ... ],
  "[ScanFrequency](#cfn-ecr-registryscanningconfiguration-scanningrule-scanfrequency)" : String
}
```

### YAML
<a name="aws-properties-ecr-registryscanningconfiguration-scanningrule-syntax.yaml"></a>

```
  [RepositoryFilters](#cfn-ecr-registryscanningconfiguration-scanningrule-repositoryfilters): 
    - RepositoryFilter
  [ScanFrequency](#cfn-ecr-registryscanningconfiguration-scanningrule-scanfrequency): String
```

## Properties
<a name="aws-properties-ecr-registryscanningconfiguration-scanningrule-properties"></a>

`RepositoryFilters`  <a name="cfn-ecr-registryscanningconfiguration-scanningrule-repositoryfilters"></a>
The details of a scanning repository filter. For more information on how to use filters, see [Using filters](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html#image-scanning-filters) in the *Amazon Elastic Container Registry User Guide*.  
*Required*: Yes  
*Type*: Array of [RepositoryFilter](aws-properties-ecr-registryscanningconfiguration-repositoryfilter.md)  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ScanFrequency`  <a name="cfn-ecr-registryscanningconfiguration-scanningrule-scanfrequency"></a>
The frequency at which scans are performed for a private registry. When the `ENHANCED` scan type is specified, the supported scan frequencies are `CONTINUOUS_SCAN` and `SCAN_ON_PUSH`. When the `BASIC` scan type is specified, the `SCAN_ON_PUSH` scan frequency is supported. If scan on push is not specified, then the `MANUAL` scan frequency is set by default.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `SCAN_ON_PUSH | CONTINUOUS_SCAN`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
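
The constraints stated above for `ScanType`, `ScanFrequency`, `Filter` and `FilterType` can be checked before a template is deployed. The following Python is an added example, not code from the AWS documentation; the function names and the sample `Properties` are constructed, `Rules` is the property that holds the `ScanningRule` array, and only literal values (not intrinsic functions) are evaluated.

```python
import re

# Scan frequencies this reference lists as supported for each ScanType.
FREQUENCIES_BY_SCAN_TYPE = {
    "BASIC": {"SCAN_ON_PUSH"},
    "ENHANCED": {"SCAN_ON_PUSH", "CONTINUOUS_SCAN"},
}
MAX_RULES = 2               # Rules: Maximum 2
MAX_FILTERS_PER_RULE = 100  # RepositoryFilters: Maximum 100

# Documented Filter pattern: ^[a-z0-9*](?:[._\-/a-z0-9*]?[a-z0-9*]+)*$
# Its nested optional/repeated groups can make Python's backtracking engine
# take exponential time on long non-matching input. The form below accepts the
# same strings (runs of [a-z0-9*] joined by single separators) in linear time.
FILTER_RE = re.compile(r"[a-z0-9*]+(?:[._\-/][a-z0-9*]+)*")


def check_filter(flt, where):
    """Validate one RepositoryFilter object."""
    findings = []
    value = flt.get("Filter")
    if not isinstance(value, str) or not FILTER_RE.fullmatch(value):
        findings.append(f"{where}: Filter {value!r} does not match the documented pattern")
    if flt.get("FilterType") != "WILDCARD":
        findings.append(f"{where}: FilterType is {flt.get('FilterType')!r}, only WILDCARD is allowed")
    return findings


def check_scanning_config(properties):
    """Return findings for the Properties of one RegistryScanningConfiguration."""
    findings = []
    scan_type = properties.get("ScanType")
    allowed = FREQUENCIES_BY_SCAN_TYPE.get(scan_type) if isinstance(scan_type, str) else None
    if allowed is None:
        findings.append(f"ScanType {scan_type!r} is not BASIC or ENHANCED")
    rules = properties.get("Rules")
    if not isinstance(rules, list):
        return findings + ["Rules is required and must be a list"]
    if len(rules) > MAX_RULES:
        findings.append(f"{len(rules)} rules declared, maximum is {MAX_RULES}")
    for i, rule in enumerate(rules):
        where = f"Rules[{i}]"
        frequency = rule.get("ScanFrequency")
        if allowed is not None and not (isinstance(frequency, str) and frequency in allowed):
            findings.append(
                f"{where}: ScanFrequency {frequency!r} is not supported with ScanType {scan_type}"
            )
        filters = rule.get("RepositoryFilters")
        if not isinstance(filters, list):
            findings.append(f"{where}: RepositoryFilters is required and must be a list")
            continue
        if len(filters) > MAX_FILTERS_PER_RULE:
            findings.append(f"{where}: {len(filters)} filters, maximum is {MAX_FILTERS_PER_RULE}")
        for j, flt in enumerate(filters):
            findings.extend(check_filter(flt, f"{where}.RepositoryFilters[{j}]"))
    return findings


# Constructed sample input: Properties of two hypothetical resources.
BAD_PROPERTIES = {
    "ScanType": "BASIC",
    "Rules": [
        {"ScanFrequency": "CONTINUOUS_SCAN",   # listed for ENHANCED only
         "RepositoryFilters": [{"Filter": "prod/*", "FilterType": "WILDCARD"}]},
        {"ScanFrequency": "SCAN_ON_PUSH",      # uppercase filter, wrong filter type
         "RepositoryFilters": [{"Filter": "Team_A/*", "FilterType": "PREFIX_MATCH"}]},
    ],
}
FIXED_PROPERTIES = {
    "ScanType": "ENHANCED",
    "Rules": [
        {"ScanFrequency": "CONTINUOUS_SCAN",
         "RepositoryFilters": [{"Filter": "prod/*", "FilterType": "WILDCARD"}]},
        {"ScanFrequency": "SCAN_ON_PUSH",
         "RepositoryFilters": [{"Filter": "team_a/*", "FilterType": "WILDCARD"}]},
    ],
}

if __name__ == "__main__":
    for label, props in (("bad", BAD_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(label, check_scanning_config(props) or "no findings")
```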

# AWS::ECR::ReplicationConfiguration
<a name="aws-resource-ecr-replicationconfiguration"></a>

The `AWS::ECR::ReplicationConfiguration` resource creates or updates the replication configuration for a private registry. The first time a replication configuration is applied to a private registry, a service-linked IAM role is created in your account for the replication process. For more information, see [Using Service-Linked Roles for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/using-service-linked-roles.html) in the *Amazon Elastic Container Registry User Guide*.

**Note**  
When configuring cross-account replication, the destination account must grant the source account permission to replicate. This permission is controlled using a private registry permissions policy. For more information, see `AWS::ECR::RegistryPolicy`.

## Syntax
<a name="aws-resource-ecr-replicationconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ecr-replicationconfiguration-syntax.json"></a>

```
{
  "Type" : "AWS::ECR::ReplicationConfiguration",
  "Properties" : {
      "[ReplicationConfiguration](#cfn-ecr-replicationconfiguration-replicationconfiguration)" : ReplicationConfiguration
    }
}
```

### YAML
<a name="aws-resource-ecr-replicationconfiguration-syntax.yaml"></a>

```
Type: AWS::ECR::ReplicationConfiguration
Properties:
  [ReplicationConfiguration](#cfn-ecr-replicationconfiguration-replicationconfiguration): 
    ReplicationConfiguration
```

## Properties
<a name="aws-resource-ecr-replicationconfiguration-properties"></a>

`ReplicationConfiguration`  <a name="cfn-ecr-replicationconfiguration-replicationconfiguration"></a>
The replication configuration for a registry.  
*Required*: Yes  
*Type*: [ReplicationConfiguration](aws-properties-ecr-replicationconfiguration-replicationconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-ecr-replicationconfiguration-return-values"></a>

### Fn::GetAtt
<a name="aws-resource-ecr-replicationconfiguration-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-ecr-replicationconfiguration-return-values-fn--getatt-fn--getatt"></a>

`RegistryId`  <a name="RegistryId-fn::getatt"></a>
The account ID of the destination registry.

## Examples
<a name="aws-resource-ecr-replicationconfiguration--examples"></a>



### Specify a replication configuration for a private registry
<a name="aws-resource-ecr-replicationconfiguration--examples--Specify_a_replication_configuration_for_a_private_registry"></a>

The following example specifies a replication configuration in a source Region for a private registry to replicate the contents to the `us-east-2` and `us-west-1` Regions within the same account.

#### JSON
<a name="aws-resource-ecr-replicationconfiguration--examples--Specify_a_replication_configuration_for_a_private_registry--json"></a>

```
"TestReplicationConfiguration": {
  "Type": "AWS::ECR::ReplicationConfiguration",
  "Properties": {
     "ReplicationConfiguration": {
        "Rules": [
           {
              "Destinations": [
                 {
                    "Region": "us-east-2",
                    "RegistryId": "123456789012"
                 },
                 {
                     "Region": "us-west-1",
                     "RegistryId": "123456789012"
                 }
               ]
             }
          ]
       }
    }
}
```

#### YAML
<a name="aws-resource-ecr-replicationconfiguration--examples--Specify_a_replication_configuration_for_a_private_registry--yaml"></a>

```
Resources:
  MyReplicationConfig:
    Type: AWS::ECR::ReplicationConfiguration
    Properties:
      ReplicationConfiguration: 
          Rules:
            - Destinations:
                - Region: "us-east-2"
                  RegistryId: "123456789012"
                - Region: "us-west-1"
                  RegistryId: "123456789012"
```

# AWS::ECR::ReplicationConfiguration ReplicationConfiguration
<a name="aws-properties-ecr-replicationconfiguration-replicationconfiguration"></a>

The replication configuration for a registry.

## Syntax
<a name="aws-properties-ecr-replicationconfiguration-replicationconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-replicationconfiguration-replicationconfiguration-syntax.json"></a>

```
{
  "[Rules](#cfn-ecr-replicationconfiguration-replicationconfiguration-rules)" : [ ReplicationRule, ... ]
}
```

### YAML
<a name="aws-properties-ecr-replicationconfiguration-replicationconfiguration-syntax.yaml"></a>

```
  [Rules](#cfn-ecr-replicationconfiguration-replicationconfiguration-rules): 
    - ReplicationRule
```

## Properties
<a name="aws-properties-ecr-replicationconfiguration-replicationconfiguration-properties"></a>

`Rules`  <a name="cfn-ecr-replicationconfiguration-replicationconfiguration-rules"></a>
An array of objects representing the replication destinations and repository filters for a replication configuration.  
*Required*: Yes  
*Type*: Array of [ReplicationRule](aws-properties-ecr-replicationconfiguration-replicationrule.md)  
*Minimum*: `0`  
*Maximum*: `10`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::ReplicationConfiguration ReplicationDestination
<a name="aws-properties-ecr-replicationconfiguration-replicationdestination"></a>

An array of objects representing the destination for a replication rule.

## Syntax
<a name="aws-properties-ecr-replicationconfiguration-replicationdestination-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-replicationconfiguration-replicationdestination-syntax.json"></a>

```
{
  "[Region](#cfn-ecr-replicationconfiguration-replicationdestination-region)" : String,
  "[RegistryId](#cfn-ecr-replicationconfiguration-replicationdestination-registryid)" : String
}
```

### YAML
<a name="aws-properties-ecr-replicationconfiguration-replicationdestination-syntax.yaml"></a>

```
  [Region](#cfn-ecr-replicationconfiguration-replicationdestination-region): String
  [RegistryId](#cfn-ecr-replicationconfiguration-replicationdestination-registryid): String
```

## Properties
<a name="aws-properties-ecr-replicationconfiguration-replicationdestination-properties"></a>

`Region`  <a name="cfn-ecr-replicationconfiguration-replicationdestination-region"></a>
The Region to replicate to.  
*Required*: Yes  
*Type*: String  
*Pattern*: `[0-9a-z-]{2,25}`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RegistryId`  <a name="cfn-ecr-replicationconfiguration-replicationdestination-registryid"></a>
The AWS account ID of the Amazon ECR private registry to replicate to. When configuring cross-Region replication within your own registry, specify your own account ID.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[0-9]{12}$`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::ReplicationConfiguration ReplicationRule
<a name="aws-properties-ecr-replicationconfiguration-replicationrule"></a>

An array of objects representing the replication destinations and repository filters for a replication configuration.

## Syntax
<a name="aws-properties-ecr-replicationconfiguration-replicationrule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-replicationconfiguration-replicationrule-syntax.json"></a>

```
{
  "[Destinations](#cfn-ecr-replicationconfiguration-replicationrule-destinations)" : [ ReplicationDestination, ... ],
  "[RepositoryFilters](#cfn-ecr-replicationconfiguration-replicationrule-repositoryfilters)" : [ RepositoryFilter, ... ]
}
```

### YAML
<a name="aws-properties-ecr-replicationconfiguration-replicationrule-syntax.yaml"></a>

```
  [Destinations](#cfn-ecr-replicationconfiguration-replicationrule-destinations): 
    - ReplicationDestination
  [RepositoryFilters](#cfn-ecr-replicationconfiguration-replicationrule-repositoryfilters): 
    - RepositoryFilter
```

## Properties
<a name="aws-properties-ecr-replicationconfiguration-replicationrule-properties"></a>

`Destinations`  <a name="cfn-ecr-replicationconfiguration-replicationrule-destinations"></a>
An array of objects representing the destination for a replication rule.  
*Required*: Yes  
*Type*: Array of [ReplicationDestination](aws-properties-ecr-replicationconfiguration-replicationdestination.md)  
*Minimum*: `1`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RepositoryFilters`  <a name="cfn-ecr-replicationconfiguration-replicationrule-repositoryfilters"></a>
An array of objects representing the filters for a replication rule. Specifying a repository filter for a replication rule provides a method for controlling which repositories in a private registry are replicated.  
*Required*: No  
*Type*: Array of [RepositoryFilter](aws-properties-ecr-replicationconfiguration-repositoryfilter.md)  
*Minimum*: `0`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::ReplicationConfiguration RepositoryFilter
<a name="aws-properties-ecr-replicationconfiguration-repositoryfilter"></a>

The filter settings used with image replication. Specifying a repository filter for a replication rule provides a method for controlling which repositories in a private registry are replicated. If no filters are added, the contents of all repositories are replicated.

## Syntax
<a name="aws-properties-ecr-replicationconfiguration-repositoryfilter-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-replicationconfiguration-repositoryfilter-syntax.json"></a>

```
{
  "[Filter](#cfn-ecr-replicationconfiguration-repositoryfilter-filter)" : String,
  "[FilterType](#cfn-ecr-replicationconfiguration-repositoryfilter-filtertype)" : String
}
```

### YAML
<a name="aws-properties-ecr-replicationconfiguration-repositoryfilter-syntax.yaml"></a>

```
  [Filter](#cfn-ecr-replicationconfiguration-repositoryfilter-filter): String
  [FilterType](#cfn-ecr-replicationconfiguration-repositoryfilter-filtertype): String
```

## Properties
<a name="aws-properties-ecr-replicationconfiguration-repositoryfilter-properties"></a>

`Filter`  <a name="cfn-ecr-replicationconfiguration-repositoryfilter-filter"></a>
The repository filter details. When the `PREFIX_MATCH` filter type is specified, this value is required and should be the repository name prefix to configure replication for.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^(?:[a-z0-9]+(?:[._-][a-z0-9]*)*/)*[a-z0-9]*(?:[._-][a-z0-9]*)*$`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`FilterType`  <a name="cfn-ecr-replicationconfiguration-repositoryfilter-filtertype"></a>
The repository filter type. The only supported value is `PREFIX_MATCH`, which is a repository name prefix specified with the `filter` parameter.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `PREFIX_MATCH`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
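
Because a rule without `RepositoryFilters` replicates every repository, and a destination `RegistryId` may belong to another account, it is worth reviewing where each repository will be copied before the configuration is applied. The following Python is an added example, not code from the AWS documentation; the function names, the account IDs other than `123456789012`, the trusted-account list and the repository names are constructed.

```python
import re

REGION_RE = re.compile(r"[0-9a-z-]{2,25}")   # Region pattern from this reference
REGISTRY_ID_RE = re.compile(r"[0-9]{12}")    # RegistryId pattern from this reference
MAX_RULES = 10                               # Rules: Maximum 10


def replicated_repositories(rule, repository_names):
    """Names a rule replicates: every repository when the rule has no filters,
    otherwise those starting with one of its PREFIX_MATCH filters."""
    filters = rule.get("RepositoryFilters") or []
    if not filters:
        return sorted(repository_names)
    prefixes = [f["Filter"] for f in filters
                if f.get("FilterType") == "PREFIX_MATCH" and isinstance(f.get("Filter"), str)]
    return sorted(n for n in repository_names if any(n.startswith(p) for p in prefixes))


def audit_replication(properties, source_account, trusted_accounts, repository_names):
    """Return (findings, plan); plan maps (RegistryId, Region) to repository names."""
    findings, plan = [], {}
    rules = properties.get("ReplicationConfiguration", {}).get("Rules", [])
    if len(rules) > MAX_RULES:
        findings.append(f"{len(rules)} rules declared, maximum is {MAX_RULES}")
    for i, rule in enumerate(rules):
        where = f"Rules[{i}]"
        destinations = rule.get("Destinations") or []
        if not 1 <= len(destinations) <= 100:
            findings.append(f"{where}: Destinations must hold 1 to 100 entries")
        if not rule.get("RepositoryFilters"):
            findings.append(f"{where}: no RepositoryFilters, every repository is replicated")
        repos = replicated_repositories(rule, repository_names)
        for dest in destinations:
            region, registry = dest.get("Region"), dest.get("RegistryId")
            valid = True
            if not (isinstance(region, str) and REGION_RE.fullmatch(region)):
                findings.append(f"{where}: Region {region!r} does not match the documented pattern")
                valid = False
            if not (isinstance(registry, str) and REGISTRY_ID_RE.fullmatch(registry)):
                findings.append(f"{where}: RegistryId {registry!r} is not a 12-digit account ID")
                valid = False
            if not valid:
                continue
            if registry != source_account and registry not in trusted_accounts:
                findings.append(
                    f"{where}: cross-account destination {registry} is not in the trusted list"
                )
            plan.setdefault((registry, region), set()).update(repos)
    return findings, {key: sorted(names) for key, names in plan.items()}


# Constructed sample input.
SOURCE_ACCOUNT = "123456789012"
TRUSTED_ACCOUNTS = {"111122223333"}
REPOSITORIES = ["prod/api", "prod/web", "dev/api", "sandbox"]
PROPERTIES = {
    "ReplicationConfiguration": {
        "Rules": [
            {"Destinations": [{"Region": "us-east-2", "RegistryId": "123456789012"},
                              {"Region": "eu-west-1", "RegistryId": "111122223333"}],
             "RepositoryFilters": [{"Filter": "prod/", "FilterType": "PREFIX_MATCH"}]},
            # No filters and an account outside the trusted list.
            {"Destinations": [{"Region": "us-west-1", "RegistryId": "444455556666"}]},
        ]
    }
}

if __name__ == "__main__":
    found, where_to = audit_replication(PROPERTIES, SOURCE_ACCOUNT, TRUSTED_ACCOUNTS, REPOSITORIES)
    for line in found:
        print("FINDING", line)
    for (registry, region), names in where_to.items():
        print(registry, region, names)
```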

# AWS::ECR::Repository
<a name="aws-resource-ecr-repository"></a>

The `AWS::ECR::Repository` resource specifies an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. For more information, see [Amazon ECR private repositories](https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html) in the *Amazon ECR User Guide*.

## Syntax
<a name="aws-resource-ecr-repository-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ecr-repository-syntax.json"></a>

```
{
  "Type" : "AWS::ECR::Repository",
  "Properties" : {
      "[EmptyOnDelete](#cfn-ecr-repository-emptyondelete)" : Boolean,
      "[EncryptionConfiguration](#cfn-ecr-repository-encryptionconfiguration)" : EncryptionConfiguration,
      "[ImageScanningConfiguration](#cfn-ecr-repository-imagescanningconfiguration)" : ImageScanningConfiguration,
      "[ImageTagMutability](#cfn-ecr-repository-imagetagmutability)" : String,
      "[ImageTagMutabilityExclusionFilters](#cfn-ecr-repository-imagetagmutabilityexclusionfilters)" : [ ImageTagMutabilityExclusionFilter, ... ],
      "[LifecyclePolicy](#cfn-ecr-repository-lifecyclepolicy)" : LifecyclePolicy,
      "[RepositoryName](#cfn-ecr-repository-repositoryname)" : String,
      "[RepositoryPolicyText](#cfn-ecr-repository-repositorypolicytext)" : Json,
      "[Tags](#cfn-ecr-repository-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-ecr-repository-syntax.yaml"></a>

```
Type: AWS::ECR::Repository
Properties:
  [EmptyOnDelete](#cfn-ecr-repository-emptyondelete): Boolean
  [EncryptionConfiguration](#cfn-ecr-repository-encryptionconfiguration): 
    EncryptionConfiguration
  [ImageScanningConfiguration](#cfn-ecr-repository-imagescanningconfiguration): 
    ImageScanningConfiguration
  [ImageTagMutability](#cfn-ecr-repository-imagetagmutability): String
  [ImageTagMutabilityExclusionFilters](#cfn-ecr-repository-imagetagmutabilityexclusionfilters): 
    - ImageTagMutabilityExclusionFilter
  [LifecyclePolicy](#cfn-ecr-repository-lifecyclepolicy): 
    LifecyclePolicy
  [RepositoryName](#cfn-ecr-repository-repositoryname): String
  [RepositoryPolicyText](#cfn-ecr-repository-repositorypolicytext): Json
  [Tags](#cfn-ecr-repository-tags): 
    - Tag
```

## Properties
<a name="aws-resource-ecr-repository-properties"></a>

`EmptyOnDelete`  <a name="cfn-ecr-repository-emptyondelete"></a>
If true, deleting the repository force deletes the contents of the repository. If false, the repository must be empty before attempting to delete it.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EncryptionConfiguration`  <a name="cfn-ecr-repository-encryptionconfiguration"></a>
The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.  
*Required*: No  
*Type*: [EncryptionConfiguration](aws-properties-ecr-repository-encryptionconfiguration.md)  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ImageScanningConfiguration`  <a name="cfn-ecr-repository-imagescanningconfiguration"></a>
The `imageScanningConfiguration` parameter is being deprecated in favor of specifying the image scanning configuration at the registry level. For more information, see `PutRegistryScanningConfiguration`.  
The image scanning configuration for the repository. This determines whether images are scanned for known vulnerabilities after being pushed to the repository.  
*Required*: No  
*Type*: [ImageScanningConfiguration](aws-properties-ecr-repository-imagescanningconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ImageTagMutability`  <a name="cfn-ecr-repository-imagetagmutability"></a>
The tag mutability setting for the repository. If this parameter is omitted, the default setting of `MUTABLE` is used, which allows image tags to be overwritten. If `IMMUTABLE` is specified, all image tags within the repository are immutable, which prevents them from being overwritten.  
*Required*: No  
*Type*: String  
*Allowed values*: `MUTABLE | IMMUTABLE | MUTABLE_WITH_EXCLUSION | IMMUTABLE_WITH_EXCLUSION`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ImageTagMutabilityExclusionFilters`  <a name="cfn-ecr-repository-imagetagmutabilityexclusionfilters"></a>
A list of filters that specify which image tags are excluded from the repository's image tag mutability setting.  
*Required*: No  
*Type*: Array of [ImageTagMutabilityExclusionFilter](aws-properties-ecr-repository-imagetagmutabilityexclusionfilter.md)  
*Minimum*: `1`  
*Maximum*: `5`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LifecyclePolicy`  <a name="cfn-ecr-repository-lifecyclepolicy"></a>
Creates or updates a lifecycle policy. For information about lifecycle policy syntax, see [Lifecycle policy template](https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html).  
*Required*: No  
*Type*: [LifecyclePolicy](aws-properties-ecr-repository-lifecyclepolicy.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RepositoryName`  <a name="cfn-ecr-repository-repositoryname"></a>
The name to use for the repository. The repository name may be specified on its own (such as `nginx-web-app`) or it can be prepended with a namespace to group the repository into a category (such as `project-a/nginx-web-app`). If you don't specify a name, AWS CloudFormation generates a unique physical ID and uses that ID for the repository name. For more information, see [Name type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-name.html).  
The repository name must start with a letter and can only contain lowercase letters, numbers, hyphens, underscores, and forward slashes.  
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.  
*Required*: No  
*Type*: String  
*Pattern*: `^(?=.{2,256}$)([a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*)$`  
*Minimum*: `2`  
*Maximum*: `256`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`RepositoryPolicyText`  <a name="cfn-ecr-repository-repositorypolicytext"></a>
The JSON repository policy text to apply to the repository. For more information, see [Amazon ECR repository policies](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html) in the *Amazon Elastic Container Registry User Guide*.  
*Required*: No  
*Type*: Json  
*Minimum*: `0`  
*Maximum*: `10240`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-ecr-repository-tags"></a>
An array of key-value pairs to apply to this resource.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-ecr-repository-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-ecr-repository-return-values"></a>

### Ref
<a name="aws-resource-ecr-repository-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the resource name, such as `test-repository`.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-ecr-repository-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-ecr-repository-return-values-fn--getatt-fn--getatt"></a>

`Arn`  <a name="Arn-fn::getatt"></a>
Returns the Amazon Resource Name (ARN) for the specified `AWS::ECR::Repository` resource. For example, `arn:aws:ecr:eu-west-1:123456789012:repository/test-repository`.

`RepositoryUri`  <a name="RepositoryUri-fn::getatt"></a>
Returns the URI for the specified `AWS::ECR::Repository` resource. For example, `123456789012.dkr.ecr.us-west-2.amazonaws.com/repository`.

## Examples
<a name="aws-resource-ecr-repository--examples"></a>



**Topics**
+ [Specify a repository](#aws-resource-ecr-repository--examples--Specify_a_repository)
+ [Specify a repository with an image scanning configuration](#aws-resource-ecr-repository--examples--Specify_a_repository_with_an_image_scanning_configuration)
+ [Specify a repository with a lifecycle policy](#aws-resource-ecr-repository--examples--Specify_a_repository_with_a_lifecycle_policy)

### Specify a repository
<a name="aws-resource-ecr-repository--examples--Specify_a_repository"></a>

The following example specifies a repository named `test-repository`. Its policy permits the users `Bob` and `Alice` to push and pull images. Note that the IAM users actually need to exist, or stack creation will fail.

#### JSON
<a name="aws-resource-ecr-repository--examples--Specify_a_repository--json"></a>

```
"MyRepository": {
  "Type": "AWS::ECR::Repository",
  "Properties": {
    "RepositoryName" : "test-repository",
    "RepositoryPolicyText" : {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowPushPull",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::123456789012:user/Bob",
              "arn:aws:iam::123456789012:user/Alice"
            ]
          },
          "Action": [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
            "ecr:PutImage",
            "ecr:InitiateLayerUpload",
            "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload"
          ]
        }
      ]
    }
  }
}
```

#### YAML
<a name="aws-resource-ecr-repository--examples--Specify_a_repository--yaml"></a>

```
MyRepository: 
  Type: AWS::ECR::Repository
  Properties: 
    RepositoryName: "test-repository"
    RepositoryPolicyText: 
      Version: "2012-10-17"
      Statement: 
        - 
          Sid: AllowPushPull
          Effect: Allow
          Principal: 
            AWS: 
              - "arn:aws:iam::123456789012:user/Bob"
              - "arn:aws:iam::123456789012:user/Alice"
          Action: 
            - "ecr:GetDownloadUrlForLayer"
            - "ecr:BatchGetImage"
            - "ecr:BatchCheckLayerAvailability"
            - "ecr:PutImage"
            - "ecr:InitiateLayerUpload"
            - "ecr:UploadLayerPart"
            - "ecr:CompleteLayerUpload"
```

### Specify a repository with an image scanning configuration
<a name="aws-resource-ecr-repository--examples--Specify_a_repository_with_an_image_scanning_configuration"></a>

The following example creates a repository named `test-repository` with image scanning enabled. For more information on image scanning, see [Image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) in the *Amazon ECR User Guide*.

#### JSON
<a name="aws-resource-ecr-repository--examples--Specify_a_repository_with_an_image_scanning_configuration--json"></a>

```
"MyRepository": {
  "Type": "AWS::ECR::Repository",
  "Properties": {
    "RepositoryName" : "test-repository",
    "ImageScanningConfiguration" : {
      "ScanOnPush": true
    }
  }
}
```

#### YAML
<a name="aws-resource-ecr-repository--examples--Specify_a_repository_with_an_image_scanning_configuration--yaml"></a>

```
MyRepository: 
  Type: AWS::ECR::Repository
  Properties: 
    RepositoryName: "test-repository"
    ImageScanningConfiguration: 
      ScanOnPush: true
```

### Specify a repository with a lifecycle policy
<a name="aws-resource-ecr-repository--examples--Specify_a_repository_with_a_lifecycle_policy"></a>

The following example creates a repository with a lifecycle policy.

#### JSON
<a name="aws-resource-ecr-repository--examples--Specify_a_repository_with_a_lifecycle_policy--json"></a>

```
{
  "Parameters": {
    "lifecyclePolicyText": {
      "Type": "String"
    },
    "repositoryName": {
      "Type": "String"
    },
    "registryId": {
      "Type": "String"
    }
  },
  "Resources": {
    "MyRepository": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "LifecyclePolicy": {
          "LifecyclePolicyText": {
            "Ref": "lifecyclePolicyText"
          },
          "RegistryId": {
            "Ref": "registryId"
          }
        },
        "RepositoryName": {
          "Ref": "repositoryName"
        }
      }
    }
  },
  "Outputs": {
    "Arn": {
      "Value": {
        "Fn::GetAtt": [
          "MyRepository",
          "Arn"
        ]
      }
    }
  }
}
```

#### YAML
<a name="aws-resource-ecr-repository--examples--Specify_a_repository_with_a_lifecycle_policy--yaml"></a>

```
Parameters:
  lifecyclePolicyText:
    Type: String
  repositoryName:
    Type: String
  registryId:
    Type: String
Resources:
  MyRepository:
    Type: AWS::ECR::Repository
    Properties:
      LifecyclePolicy:
        LifecyclePolicyText: !Ref lifecyclePolicyText
        RegistryId: !Ref registryId
      RepositoryName: !Ref repositoryName
Outputs:
  Arn:
    Value: !GetAtt MyRepository.Arn
```
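
The repository properties described in this section can be reviewed together before deployment: the documented `RepositoryName` pattern, the `MUTABLE` default for `ImageTagMutability`, `EmptyOnDelete`, and which principals a `RepositoryPolicyText` allows to push. The following Python is an added example, not code from the AWS documentation; the function names and the sample template are constructed, and only literal property values (not intrinsic functions such as `Ref`) are evaluated.

```python
import re

# RepositoryName pattern as given in this reference.
NAME_RE = re.compile(
    r"^(?=.{2,256}$)([a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*"
    r"(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*)$"
)
# Upload actions granted by the AllowPushPull statement in the example above.
PUSH_ACTIONS = {"ecr:PutImage", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"}


def as_list(value):
    """Policy fields may hold a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def push_principals(policy):
    """Principals that an Allow statement lets push images."""
    principals = set()
    for statement in as_list((policy or {}).get("Statement")):
        actions = set(as_list(statement.get("Action")))
        if statement.get("Effect") != "Allow" or not actions & (PUSH_ACTIONS | {"*", "ecr:*"}):
            continue
        principal = statement.get("Principal")
        if principal == "*":
            principals.add("*")
        elif isinstance(principal, dict):
            for values in principal.values():
                principals.update(v for v in as_list(values) if isinstance(v, str))
    return principals


def audit_repository(logical_id, resource):
    """Return (findings, sorted push principals) for one AWS::ECR::Repository."""
    findings = []
    props = resource.get("Properties", {})
    name = props.get("RepositoryName")
    if isinstance(name, str) and not NAME_RE.fullmatch(name):
        findings.append(f"{logical_id}: RepositoryName {name!r} does not match the documented pattern")
    if props.get("ImageTagMutability", "MUTABLE") == "MUTABLE":   # MUTABLE is the default
        findings.append(f"{logical_id}: ImageTagMutability is MUTABLE, image tags can be overwritten")
    if props.get("EmptyOnDelete") in (True, "true"):
        findings.append(f"{logical_id}: EmptyOnDelete is true, deleting the repository deletes its images")
    pushers = push_principals(props.get("RepositoryPolicyText"))
    if "*" in pushers:
        findings.append(f"{logical_id}: repository policy lets any principal push images")
    return findings, sorted(pushers)


def audit_template(template):
    """Audit every AWS::ECR::Repository resource in a parsed template."""
    return {
        logical_id: audit_repository(logical_id, resource)
        for logical_id, resource in template.get("Resources", {}).items()
        if resource.get("Type") == "AWS::ECR::Repository"
    }


# Constructed sample template; PageExample mirrors the first example in this section.
TEMPLATE = {"Resources": {
    "PageExample": {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryName": "test-repository",
        "RepositoryPolicyText": {"Version": "2012-10-17", "Statement": [{
            "Sid": "AllowPushPull", "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::123456789012:user/Bob",
                                  "arn:aws:iam::123456789012:user/Alice"]},
            "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}]}}},
    "Scratch": {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryName": "Scratch_Images", "EmptyOnDelete": True,
        "ImageTagMutability": "MUTABLE",
        "RepositoryPolicyText": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "ecr:*"}]}}},
    "Hardened": {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryName": "project-a/nginx-web-app",
        "ImageTagMutability": "IMMUTABLE"}},
}}

if __name__ == "__main__":
    for logical_id, (found, pushers) in audit_template(TEMPLATE).items():
        print(logical_id, "push principals:", pushers or "none")
        for line in found:
            print("  FINDING", line)
```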

## See also
<a name="aws-resource-ecr-repository--seealso"></a>
+ [Creating a lifecycle policy](https://docs.aws.amazon.com/AmazonECR/latest/userguide/lp_creation.html) in the *Amazon ECR User Guide*
+ [PutLifecyclePolicy](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_PutLifecyclePolicy.html) in the *Amazon ECR API Reference*



# AWS::ECR::Repository EncryptionConfiguration
<a name="aws-properties-ecr-repository-encryptionconfiguration"></a>

The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.

By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES256 encryption algorithm. This does not require any action on your part.

For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS KMS keys stored in AWS Key Management Service (AWS KMS) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide*.

## Syntax
<a name="aws-properties-ecr-repository-encryptionconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-repository-encryptionconfiguration-syntax.json"></a>

```
{
  "[EncryptionType](#cfn-ecr-repository-encryptionconfiguration-encryptiontype)" : String,
  "[KmsKey](#cfn-ecr-repository-encryptionconfiguration-kmskey)" : String
}
```

### YAML
<a name="aws-properties-ecr-repository-encryptionconfiguration-syntax.yaml"></a>

```
  [EncryptionType](#cfn-ecr-repository-encryptionconfiguration-encryptiontype): String
  [KmsKey](#cfn-ecr-repository-encryptionconfiguration-kmskey): String
```

## Properties
<a name="aws-properties-ecr-repository-encryptionconfiguration-properties"></a>

`EncryptionType`  <a name="cfn-ecr-repository-encryptionconfiguration-encryptiontype"></a>
The encryption type to use.  
If you use the `KMS` encryption type, the contents of the repository will be encrypted using server-side encryption with an AWS KMS key stored in AWS Key Management Service (AWS KMS). When you use AWS KMS to encrypt your data, you can either use the default AWS managed AWS KMS key for Amazon ECR, or specify your own AWS KMS key, which you have already created.  
If you use the `KMS_DSSE` encryption type, the contents of the repository will be encrypted with two layers of encryption using server-side encryption with an AWS KMS key stored in AWS KMS. Similar to the `KMS` encryption type, you can either use the default AWS managed AWS KMS key for Amazon ECR, or specify your own AWS KMS key, which you have already created.  
If you use the `AES256` encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys, which encrypts the images in the repository using an AES256 encryption algorithm.  
For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide*.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `AES256 | KMS | KMS_DSSE`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`KmsKey`  <a name="cfn-ecr-repository-encryptionconfiguration-kmskey"></a>
If you use the `KMS` encryption type, specify the AWS KMS key to use for encryption. The alias, key ID, or full ARN of the AWS KMS key can be specified. The key must exist in the same Region as the repository. If no key is specified, the default AWS managed AWS KMS key for Amazon ECR will be used.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `2048`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

# AWS::ECR::Repository ImageScanningConfiguration
<a name="aws-properties-ecr-repository-imagescanningconfiguration"></a>

The image scanning configuration for a repository.

## Syntax
<a name="aws-properties-ecr-repository-imagescanningconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-repository-imagescanningconfiguration-syntax.json"></a>

```
{
  "[ScanOnPush](#cfn-ecr-repository-imagescanningconfiguration-scanonpush)" : Boolean
}
```

### YAML
<a name="aws-properties-ecr-repository-imagescanningconfiguration-syntax.yaml"></a>

```
  [ScanOnPush](#cfn-ecr-repository-imagescanningconfiguration-scanonpush): Boolean
```

## Properties
<a name="aws-properties-ecr-repository-imagescanningconfiguration-properties"></a>

`ScanOnPush`  <a name="cfn-ecr-repository-imagescanningconfiguration-scanonpush"></a>
The setting that determines whether images are scanned after being pushed to a repository. If set to `true`, images will be scanned after being pushed. If this parameter is not specified, it will default to `false` and images will not be scanned unless a scan is manually started.  
*Required*: No  
*Type*: Boolean  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::Repository ImageTagMutabilityExclusionFilter
<a name="aws-properties-ecr-repository-imagetagmutabilityexclusionfilter"></a>

A filter that specifies which image tags should be excluded from the repository's image tag mutability setting.

## Syntax
<a name="aws-properties-ecr-repository-imagetagmutabilityexclusionfilter-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-repository-imagetagmutabilityexclusionfilter-syntax.json"></a>

```
{
  "[ImageTagMutabilityExclusionFilterType](#cfn-ecr-repository-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltertype)" : String,
  "[ImageTagMutabilityExclusionFilterValue](#cfn-ecr-repository-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltervalue)" : String
}
```

### YAML
<a name="aws-properties-ecr-repository-imagetagmutabilityexclusionfilter-syntax.yaml"></a>

```
  [ImageTagMutabilityExclusionFilterType](#cfn-ecr-repository-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltertype): String
  [ImageTagMutabilityExclusionFilterValue](#cfn-ecr-repository-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltervalue): String
```

## Properties
<a name="aws-properties-ecr-repository-imagetagmutabilityexclusionfilter-properties"></a>

`ImageTagMutabilityExclusionFilterType`  <a name="cfn-ecr-repository-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltertype"></a>
Property description not available.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `WILDCARD`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ImageTagMutabilityExclusionFilterValue`  <a name="cfn-ecr-repository-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltervalue"></a>
Property description not available.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[0-9a-zA-Z._*-]{1,128}`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::Repository LifecyclePolicy
<a name="aws-properties-ecr-repository-lifecyclepolicy"></a>

The `LifecyclePolicy` property type specifies a lifecycle policy. For information about lifecycle policy syntax, see [Lifecycle policy template](https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html) in the *Amazon ECR User Guide*.

## Syntax
<a name="aws-properties-ecr-repository-lifecyclepolicy-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-repository-lifecyclepolicy-syntax.json"></a>

```
{
  "[LifecyclePolicyText](#cfn-ecr-repository-lifecyclepolicy-lifecyclepolicytext)" : String,
  "[RegistryId](#cfn-ecr-repository-lifecyclepolicy-registryid)" : String
}
```

### YAML
<a name="aws-properties-ecr-repository-lifecyclepolicy-syntax.yaml"></a>

```
  [LifecyclePolicyText](#cfn-ecr-repository-lifecyclepolicy-lifecyclepolicytext): String
  [RegistryId](#cfn-ecr-repository-lifecyclepolicy-registryid): String
```

## Properties
<a name="aws-properties-ecr-repository-lifecyclepolicy-properties"></a>

`LifecyclePolicyText`  <a name="cfn-ecr-repository-lifecyclepolicy-lifecyclepolicytext"></a>
The JSON repository policy text to apply to the repository.  
*Required*: No  
*Type*: String  
*Minimum*: `100`  
*Maximum*: `30720`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RegistryId`  <a name="cfn-ecr-repository-lifecyclepolicy-registryid"></a>
The AWS account ID associated with the registry that contains the repository. If you do not specify a registry, the default registry is assumed.  
*Required*: No  
*Type*: String  
*Pattern*: `^[0-9]{12}$`  
*Minimum*: `12`  
*Maximum*: `12`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## See also
<a name="aws-properties-ecr-repository-lifecyclepolicy--seealso"></a>
+ [Creating a lifecycle policy](https://docs.aws.amazon.com/AmazonECR/latest/userguide/lp_creation.html) in the *Amazon ECR User Guide*
+ [PutLifecyclePolicy](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_PutLifecyclePolicy.html) in the *Amazon ECR API Reference*



# AWS::ECR::Repository Tag
<a name="aws-properties-ecr-repository-tag"></a>

The metadata to apply to a resource to help you categorize and organize it. Each tag consists of a key and a value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.

## Syntax
<a name="aws-properties-ecr-repository-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-repository-tag-syntax.json"></a>

```
{
  "[Key](#cfn-ecr-repository-tag-key)" : String,
  "[Value](#cfn-ecr-repository-tag-value)" : String
}
```

### YAML
<a name="aws-properties-ecr-repository-tag-syntax.yaml"></a>

```
  [Key](#cfn-ecr-repository-tag-key): String
  [Value](#cfn-ecr-repository-tag-value): String
```

## Properties
<a name="aws-properties-ecr-repository-tag-properties"></a>

`Key`  <a name="cfn-ecr-repository-tag-key"></a>
One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `127`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-ecr-repository-tag-value"></a>
A `value` acts as a descriptor within a tag category (key).  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `255`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::RepositoryCreationTemplate
<a name="aws-resource-ecr-repositorycreationtemplate"></a>

The details of the repository creation template associated with the request.

## Syntax
<a name="aws-resource-ecr-repositorycreationtemplate-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ecr-repositorycreationtemplate-syntax.json"></a>

```
{
  "Type" : "AWS::ECR::RepositoryCreationTemplate",
  "Properties" : {
      "[AppliedFor](#cfn-ecr-repositorycreationtemplate-appliedfor)" : [ String, ... ],
      "[CustomRoleArn](#cfn-ecr-repositorycreationtemplate-customrolearn)" : String,
      "[Description](#cfn-ecr-repositorycreationtemplate-description)" : String,
      "[EncryptionConfiguration](#cfn-ecr-repositorycreationtemplate-encryptionconfiguration)" : EncryptionConfiguration,
      "[ImageTagMutability](#cfn-ecr-repositorycreationtemplate-imagetagmutability)" : String,
      "[ImageTagMutabilityExclusionFilters](#cfn-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilters)" : [ ImageTagMutabilityExclusionFilter, ... ],
      "[LifecyclePolicy](#cfn-ecr-repositorycreationtemplate-lifecyclepolicy)" : String,
      "[Prefix](#cfn-ecr-repositorycreationtemplate-prefix)" : String,
      "[RepositoryPolicy](#cfn-ecr-repositorycreationtemplate-repositorypolicy)" : String,
      "[ResourceTags](#cfn-ecr-repositorycreationtemplate-resourcetags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-ecr-repositorycreationtemplate-syntax.yaml"></a>

```
Type: AWS::ECR::RepositoryCreationTemplate
Properties:
  [AppliedFor](#cfn-ecr-repositorycreationtemplate-appliedfor): 
    - String
  [CustomRoleArn](#cfn-ecr-repositorycreationtemplate-customrolearn): String
  [Description](#cfn-ecr-repositorycreationtemplate-description): String
  [EncryptionConfiguration](#cfn-ecr-repositorycreationtemplate-encryptionconfiguration): 
    EncryptionConfiguration
  [ImageTagMutability](#cfn-ecr-repositorycreationtemplate-imagetagmutability): String
  [ImageTagMutabilityExclusionFilters](#cfn-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilters): 
    - ImageTagMutabilityExclusionFilter
  [LifecyclePolicy](#cfn-ecr-repositorycreationtemplate-lifecyclepolicy): String
  [Prefix](#cfn-ecr-repositorycreationtemplate-prefix): String
  [RepositoryPolicy](#cfn-ecr-repositorycreationtemplate-repositorypolicy): String
  [ResourceTags](#cfn-ecr-repositorycreationtemplate-resourcetags): 
    - Tag
```

## Properties
<a name="aws-resource-ecr-repositorycreationtemplate-properties"></a>

`AppliedFor`  <a name="cfn-ecr-repositorycreationtemplate-appliedfor"></a>
A list of enumerable Strings representing the repository creation scenarios that this template will apply towards. The supported scenarios are `PULL_THROUGH_CACHE`, `REPLICATION`, and `CREATE_ON_PUSH`.  
*Required*: Yes  
*Type*: Array of String  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`CustomRoleArn`  <a name="cfn-ecr-repositorycreationtemplate-customrolearn"></a>
The ARN of the role to be assumed by Amazon ECR. Amazon ECR will assume your supplied role when the customRoleArn is specified. When this field isn't specified, Amazon ECR will use the service-linked role for the repository creation template.  
*Required*: No  
*Type*: String  
*Pattern*: `^arn:aws[-a-z0-9]*:iam::[0-9]{12}:role/[A-Za-z0-9+=,-.@_]*$`  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Description`  <a name="cfn-ecr-repositorycreationtemplate-description"></a>
The description associated with the repository creation template.  
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EncryptionConfiguration`  <a name="cfn-ecr-repositorycreationtemplate-encryptionconfiguration"></a>
The encryption configuration associated with the repository creation template.  
*Required*: No  
*Type*: [EncryptionConfiguration](aws-properties-ecr-repositorycreationtemplate-encryptionconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ImageTagMutability`  <a name="cfn-ecr-repositorycreationtemplate-imagetagmutability"></a>
The tag mutability setting for the repository. If this parameter is omitted, the default setting of `MUTABLE` is used, which allows image tags to be overwritten. If `IMMUTABLE` is specified, all image tags within the repository are immutable, which prevents them from being overwritten.  
*Required*: No  
*Type*: String  
*Allowed values*: `MUTABLE | IMMUTABLE | IMMUTABLE_WITH_EXCLUSION | MUTABLE_WITH_EXCLUSION`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ImageTagMutabilityExclusionFilters`  <a name="cfn-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilters"></a>
A list of filters that specify which image tags are excluded from the repository creation template's image tag mutability setting.  
*Required*: No  
*Type*: Array of [ImageTagMutabilityExclusionFilter](aws-properties-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter.md)  
*Minimum*: `1`  
*Maximum*: `5`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`LifecyclePolicy`  <a name="cfn-ecr-repositorycreationtemplate-lifecyclepolicy"></a>
The lifecycle policy to use for repositories created using the template.  
*Required*: No  
*Type*: String  
*Minimum*: `100`  
*Maximum*: `30720`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Prefix`  <a name="cfn-ecr-repositorycreationtemplate-prefix"></a>
The repository namespace prefix associated with the repository creation template.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^([a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*(\/[a-z0-9]+((\.|_|__|-+)[a-z0-9]+)*)*\/?|ROOT)$`  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`RepositoryPolicy`  <a name="cfn-ecr-repositorycreationtemplate-repositorypolicy"></a>
The repository policy to apply to repositories created using the template. A repository policy is a permissions policy associated with a repository to control access permissions.   
*Required*: No  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `10240`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ResourceTags`  <a name="cfn-ecr-repositorycreationtemplate-resourcetags"></a>
The metadata to apply to the repository to help you categorize and organize. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-ecr-repositorycreationtemplate-tag.md)  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
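
The documented defaults for `EncryptionConfiguration`, `ScanOnPush` and `ImageTagMutability` decide what a repository gets when a template leaves them out. The following added example (not part of the AWS reference) resolves those effective settings for `AWS::ECR::Repository` and `AWS::ECR::RepositoryCreationTemplate` resources in a JSON template. The sample template, its logical IDs and the function names are constructed for illustration.

```python
import json

ENCRYPTION_TYPES = ("AES256", "KMS", "KMS_DSSE")
ECR_TYPES = ("AWS::ECR::Repository", "AWS::ECR::RepositoryCreationTemplate")

# Constructed sample template: one repository relying on defaults, one with
# explicit settings, and one creation template with partial settings.
SAMPLE_TEMPLATE = """
{
  "Parameters": {"RepoKeyArn": {"Type": "String"}},
  "Resources": {
    "LegacyRepo": {
      "Type": "AWS::ECR::Repository",
      "Properties": {"RepositoryName": "legacy-app"}
    },
    "HardenedRepo": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "payments-api",
        "EncryptionConfiguration": {"EncryptionType": "KMS", "KmsKey": {"Ref": "RepoKeyArn"}},
        "ImageScanningConfiguration": {"ScanOnPush": "true"}
      }
    },
    "CacheTemplate": {
      "Type": "AWS::ECR::RepositoryCreationTemplate",
      "Properties": {
        "Prefix": "ROOT",
        "AppliedFor": ["PULL_THROUGH_CACHE"],
        "EncryptionConfiguration": {"EncryptionType": "KMS_DSSE"}
      }
    }
  }
}
"""


def as_bool(value):
    """Accept JSON true as well as the string "true", which templates often carry."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def effective_encryption(props):
    """Resolve EncryptionConfiguration to (type, key source, notes) per the documented defaults."""
    cfg = props.get("EncryptionConfiguration")
    if cfg is None:
        # No configuration set: the AES256 default with S3-managed keys applies.
        return "AES256", "Amazon S3-managed key", []
    etype, key = cfg.get("EncryptionType"), cfg.get("KmsKey")
    if etype not in ENCRYPTION_TYPES:
        return etype, None, [f"EncryptionType {etype!r} is not an allowed value"]
    if etype == "AES256":
        notes = ["KmsKey is set, but AES256 uses Amazon S3-managed keys"] if key else []
        return etype, "Amazon S3-managed key", notes
    if key is None:
        return etype, "default AWS managed KMS key for Amazon ECR", []
    # KmsKey may be a literal or an intrinsic such as {"Ref": ...}; both are caller-chosen.
    return etype, "KMS key specified in the template", []


def audit_resource(logical_id, resource):
    """Build a report of effective settings for one ECR resource."""
    props = resource.get("Properties", {})
    etype, key_source, notes = effective_encryption(props)
    report = {"id": logical_id, "type": resource["Type"],
              "encryption": etype, "key_source": key_source, "notes": notes}
    if resource["Type"] == "AWS::ECR::Repository":
        scan_cfg = props.get("ImageScanningConfiguration", {})
        report["scan_on_push"] = as_bool(scan_cfg.get("ScanOnPush", False))
        if not report["scan_on_push"]:
            notes.append("ScanOnPush is false: images are scanned only when a scan is started manually")
    else:
        report["tag_mutability"] = props.get("ImageTagMutability", "MUTABLE")
        if report["tag_mutability"] == "MUTABLE":
            notes.append("ImageTagMutability is MUTABLE: image tags can be overwritten")
    return report


def audit_template(template_text):
    """Return one report per ECR resource, ordered by logical ID."""
    template = json.loads(template_text)
    return [audit_resource(logical_id, resource)
            for logical_id, resource in sorted(template.get("Resources", {}).items())
            if resource.get("Type") in ECR_TYPES]


if __name__ == "__main__":
    for entry in audit_template(SAMPLE_TEMPLATE):
        print(json.dumps(entry, indent=2))
```

YAML templates that use short-form tags such as `!Ref` need a CloudFormation-aware loader before they can be passed to this check.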

## Return values
<a name="aws-resource-ecr-repositorycreationtemplate-return-values"></a>

### Ref
<a name="aws-resource-ecr-repositorycreationtemplate-return-values-ref"></a>

### Fn::GetAtt
<a name="aws-resource-ecr-repositorycreationtemplate-return-values-fn--getatt"></a>

<a name="aws-resource-ecr-repositorycreationtemplate-return-values-fn--getatt-fn--getatt"></a>

`CreatedAt`  <a name="CreatedAt-fn::getatt"></a>
The date and time, in JavaScript date format, when the repository creation template was created.

`UpdatedAt`  <a name="UpdatedAt-fn::getatt"></a>
The date and time, in JavaScript date format, when the repository creation template was last updated.

# AWS::ECR::RepositoryCreationTemplate EncryptionConfiguration
<a name="aws-properties-ecr-repositorycreationtemplate-encryptionconfiguration"></a>

The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.

By default, when no encryption configuration is set or the `AES256` encryption type is used, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES256 encryption algorithm. This does not require any action on your part.

For more control over the encryption of the contents of your repository, you can use server-side encryption with AWS KMS keys stored in AWS Key Management Service (AWS KMS) to encrypt your images. For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide*.

## Syntax
<a name="aws-properties-ecr-repositorycreationtemplate-encryptionconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-repositorycreationtemplate-encryptionconfiguration-syntax.json"></a>

```
{
  "[EncryptionType](#cfn-ecr-repositorycreationtemplate-encryptionconfiguration-encryptiontype)" : String,
  "[KmsKey](#cfn-ecr-repositorycreationtemplate-encryptionconfiguration-kmskey)" : String
}
```

### YAML
<a name="aws-properties-ecr-repositorycreationtemplate-encryptionconfiguration-syntax.yaml"></a>

```
  [EncryptionType](#cfn-ecr-repositorycreationtemplate-encryptionconfiguration-encryptiontype): String
  [KmsKey](#cfn-ecr-repositorycreationtemplate-encryptionconfiguration-kmskey): String
```

## Properties
<a name="aws-properties-ecr-repositorycreationtemplate-encryptionconfiguration-properties"></a>

`EncryptionType`  <a name="cfn-ecr-repositorycreationtemplate-encryptionconfiguration-encryptiontype"></a>
The encryption type to use.  
If you use the `KMS` encryption type, the contents of the repository will be encrypted using server-side encryption with an AWS KMS key stored in AWS Key Management Service (AWS KMS). When you use AWS KMS to encrypt your data, you can either use the default AWS managed AWS KMS key for Amazon ECR, or specify your own AWS KMS key, which you have already created.  
If you use the `KMS_DSSE` encryption type, the contents of the repository will be encrypted with two layers of encryption using server-side encryption with an AWS KMS key stored in AWS KMS. Similar to the `KMS` encryption type, you can either use the default AWS managed AWS KMS key for Amazon ECR, or specify your own AWS KMS key, which you have already created.  
If you use the `AES256` encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys, which encrypts the images in the repository using an AES256 encryption algorithm.  
For more information, see [Amazon ECR encryption at rest](https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html) in the *Amazon Elastic Container Registry User Guide*.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `AES256 | KMS | KMS_DSSE`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`KmsKey`  <a name="cfn-ecr-repositorycreationtemplate-encryptionconfiguration-kmskey"></a>
If you use the `KMS` encryption type, specify the AWS KMS key to use for encryption. The alias, key ID, or full ARN of the AWS KMS key can be specified. The key must exist in the same Region as the repository. If no key is specified, the default AWS managed AWS KMS key for Amazon ECR will be used.  
*Required*: No  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::RepositoryCreationTemplate ImageTagMutabilityExclusionFilter
<a name="aws-properties-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter"></a>

A filter that specifies which image tags should be excluded from the repository's image tag mutability setting.

## Syntax
<a name="aws-properties-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-syntax.json"></a>

```
{
  "[ImageTagMutabilityExclusionFilterType](#cfn-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltertype)" : String,
  "[ImageTagMutabilityExclusionFilterValue](#cfn-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltervalue)" : String
}
```

### YAML
<a name="aws-properties-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-syntax.yaml"></a>

```
  [ImageTagMutabilityExclusionFilterType](#cfn-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltertype): String
  [ImageTagMutabilityExclusionFilterValue](#cfn-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltervalue): String
```

## Properties
<a name="aws-properties-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-properties"></a>

`ImageTagMutabilityExclusionFilterType`  <a name="cfn-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltertype"></a>
Property description not available.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `WILDCARD`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ImageTagMutabilityExclusionFilterValue`  <a name="cfn-ecr-repositorycreationtemplate-imagetagmutabilityexclusionfilter-imagetagmutabilityexclusionfiltervalue"></a>
Property description not available.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^[0-9a-zA-Z._*-]{1,128}`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::RepositoryCreationTemplate Tag
<a name="aws-properties-ecr-repositorycreationtemplate-tag"></a>

The metadata to apply to a resource to help you categorize and organize it. Each tag consists of a key and a value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.

## Syntax
<a name="aws-properties-ecr-repositorycreationtemplate-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-repositorycreationtemplate-tag-syntax.json"></a>

```
{
  "[Key](#cfn-ecr-repositorycreationtemplate-tag-key)" : String,
  "[Value](#cfn-ecr-repositorycreationtemplate-tag-value)" : String
}
```

### YAML
<a name="aws-properties-ecr-repositorycreationtemplate-tag-syntax.yaml"></a>

```
  [Key](#cfn-ecr-repositorycreationtemplate-tag-key): String
  [Value](#cfn-ecr-repositorycreationtemplate-tag-value): String
```

## Properties
<a name="aws-properties-ecr-repositorycreationtemplate-tag-properties"></a>

`Key`  <a name="cfn-ecr-repositorycreationtemplate-tag-key"></a>
One part of a key-value pair that makes up a tag. A `key` is a general label that acts like a category for more specific tag values.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-ecr-repositorycreationtemplate-tag-value"></a>
A `value` acts as a descriptor within a tag category (key).  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::SigningConfiguration
<a name="aws-resource-ecr-signingconfiguration"></a>

The signing configuration for a registry, which specifies rules for automatically signing images when pushed.

## Syntax
<a name="aws-resource-ecr-signingconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-ecr-signingconfiguration-syntax.json"></a>

```
{
  "Type" : "AWS::ECR::SigningConfiguration",
  "Properties" : {
      "[Rules](#cfn-ecr-signingconfiguration-rules)" : [ Rule, ... ]
    }
}
```

### YAML
<a name="aws-resource-ecr-signingconfiguration-syntax.yaml"></a>

```
Type: AWS::ECR::SigningConfiguration
Properties:
  [Rules](#cfn-ecr-signingconfiguration-rules): 
    - Rule
```

## Properties
<a name="aws-resource-ecr-signingconfiguration-properties"></a>

`Rules`  <a name="cfn-ecr-signingconfiguration-rules"></a>
A list of signing rules. Each rule defines a signing profile and optional repository filters that determine which images are automatically signed.  
*Required*: Yes  
*Type*: Array of [Rule](aws-properties-ecr-signingconfiguration-rule.md)  
*Minimum*: `0`  
*Maximum*: `50`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-ecr-signingconfiguration-return-values"></a>

### Fn::GetAtt
<a name="aws-resource-ecr-signingconfiguration-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-ecr-signingconfiguration-return-values-fn--getatt-fn--getatt"></a>

`RegistryId`  <a name="RegistryId-fn::getatt"></a>
The account ID of the destination registry.

# AWS::ECR::SigningConfiguration RepositoryFilter
<a name="aws-properties-ecr-signingconfiguration-repositoryfilter"></a>

A repository filter used to determine which repositories have their images automatically signed on push. Each filter consists of a filter type and filter value.

## Syntax
<a name="aws-properties-ecr-signingconfiguration-repositoryfilter-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-signingconfiguration-repositoryfilter-syntax.json"></a>

```
{
  "[Filter](#cfn-ecr-signingconfiguration-repositoryfilter-filter)" : String,
  "[FilterType](#cfn-ecr-signingconfiguration-repositoryfilter-filtertype)" : String
}
```

### YAML
<a name="aws-properties-ecr-signingconfiguration-repositoryfilter-syntax.yaml"></a>

```
  [Filter](#cfn-ecr-signingconfiguration-repositoryfilter-filter): String
  [FilterType](#cfn-ecr-signingconfiguration-repositoryfilter-filtertype): String
```

## Properties
<a name="aws-properties-ecr-signingconfiguration-repositoryfilter-properties"></a>

`Filter`  <a name="cfn-ecr-signingconfiguration-repositoryfilter-filter"></a>
The filter value used to match repository names. When using `WILDCARD_MATCH`, the `*` character matches any sequence of characters.  
Examples:  
+ `myapp/*` - Matches all repositories starting with `myapp/`
+ `*/production` - Matches all repositories ending with `/production`
+ `*prod*` - Matches all repositories containing `prod`

*Required*: Yes  
*Type*: String  
*Pattern*: `^(?:[a-z0-9*]+(?:[._-][a-z0-9*]+)*/)*[a-z0-9*]+(?:[._-][a-z0-9*]+)*$`  
*Minimum*: `1`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`FilterType`  <a name="cfn-ecr-signingconfiguration-repositoryfilter-filtertype"></a>
The type of filter to apply. Currently, only `WILDCARD_MATCH` is supported, which uses wildcard patterns to match repository names.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `WILDCARD_MATCH`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::ECR::SigningConfiguration Rule
<a name="aws-properties-ecr-signingconfiguration-rule"></a>

A signing rule that specifies a signing profile and optional repository filters. When an image is pushed to a matching repository, a signing job is created using the specified profile.

## Syntax
<a name="aws-properties-ecr-signingconfiguration-rule-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-ecr-signingconfiguration-rule-syntax.json"></a>

```
{
  "[RepositoryFilters](#cfn-ecr-signingconfiguration-rule-repositoryfilters)" : [ RepositoryFilter, ... ],
  "[SigningProfileArn](#cfn-ecr-signingconfiguration-rule-signingprofilearn)" : String
}
```

### YAML
<a name="aws-properties-ecr-signingconfiguration-rule-syntax.yaml"></a>

```
  [RepositoryFilters](#cfn-ecr-signingconfiguration-rule-repositoryfilters): 
    - RepositoryFilter
  [SigningProfileArn](#cfn-ecr-signingconfiguration-rule-signingprofilearn): String
```

## Properties
<a name="aws-properties-ecr-signingconfiguration-rule-properties"></a>

`RepositoryFilters`  <a name="cfn-ecr-signingconfiguration-rule-repositoryfilters"></a>
A list of repository filters that determine which repositories have their images signed on push. If no filters are specified, all images pushed to the registry are signed using the rule's signing profile. Maximum of 100 filters per rule.  
*Required*: No  
*Type*: Array of [RepositoryFilter](aws-properties-ecr-signingconfiguration-repositoryfilter.md)  
*Minimum*: `1`  
*Maximum*: `100`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`SigningProfileArn`  <a name="cfn-ecr-signingconfiguration-rule-signingprofilearn"></a>
The ARN of the AWS Signer signing profile to use for signing images that match this rule. For more information about signing profiles, see [Signing profiles](https://docs.aws.amazon.com/signer/latest/developerguide/signing-profiles.html) in the *AWS Signer Developer Guide*.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^arn:aws(-[a-z]+)*:signer:[a-z0-9-]+:[0-9]{12}:\/signing-profiles\/[a-zA-Z0-9_]{2,}$`  
*Maximum*: `200`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
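
The following pre-deployment check is an added example, not part of the CloudFormation reference or any AWS tooling. It lints a `Rules` list against the constraints documented for `Rules`, `RepositoryFilters`, `Filter`, `FilterType` and `SigningProfileArn`, and reports which repositories no rule covers. The function names and sample values are hypothetical, and the matcher assumes `*` also matches `/`, reading "any sequence of characters" literally.

```python
import re

# Constraints copied from the property entries on this page.
FILTER_RE = re.compile(r"^(?:[a-z0-9*]+(?:[._-][a-z0-9*]+)*/)*[a-z0-9*]+(?:[._-][a-z0-9*]+)*$")
ARN_RE = re.compile(r"^arn:aws(-[a-z]+)*:signer:[a-z0-9-]+:[0-9]{12}:\/signing-profiles\/[a-zA-Z0-9_]{2,}$")

def lint_rules(rules):
    """Return findings for a SigningConfiguration Rules list (empty list = clean)."""
    findings = []
    if len(rules) > 50:
        findings.append("Rules: more than 50 entries")
    for i, rule in enumerate(rules):
        arn = rule.get("SigningProfileArn", "")
        if len(arn) > 200 or not ARN_RE.fullmatch(arn):
            findings.append(f"Rules[{i}].SigningProfileArn: does not match the documented pattern")
        filters = rule.get("RepositoryFilters")
        if filters is None:
            findings.append(f"Rules[{i}]: no RepositoryFilters, so every push to the registry is signed")
            continue
        if not 1 <= len(filters) <= 100:
            findings.append(f"Rules[{i}].RepositoryFilters: must hold 1 to 100 filters")
        for j, f in enumerate(filters):
            value = f.get("Filter", "")
            if not 1 <= len(value) <= 256 or not FILTER_RE.fullmatch(value):
                findings.append(f"Rules[{i}].RepositoryFilters[{j}].Filter: invalid value {value!r}")
            if f.get("FilterType") != "WILDCARD_MATCH":
                findings.append(f"Rules[{i}].RepositoryFilters[{j}].FilterType: only WILDCARD_MATCH is allowed")
    return findings

def wildcard_matches(pattern, repo):
    """'*' matches any sequence of characters (assumed to include '/'); the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, repo) is not None

def unsigned_repositories(rules, repos):
    """Repositories that no rule covers, so pushes to them create no signing job."""
    def covered(repo):
        return any(
            rule.get("RepositoryFilters") is None or any(
                f.get("FilterType") == "WILDCARD_MATCH" and wildcard_matches(f.get("Filter", ""), repo)
                for f in rule["RepositoryFilters"])
            for rule in rules)
    return [repo for repo in repos if not covered(repo)]

# Constructed sample: account ID, profile names and repository names are placeholders.
PREFIX = "arn:aws:signer:us-east-1:111122223333:/signing-profiles/"
SAMPLE_RULES = [
    {"SigningProfileArn": PREFIX + "prod_profile", "RepositoryFilters": [{"Filter": "myapp/*", "FilterType": "WILDCARD_MATCH"}, {"Filter": "*/production", "FilterType": "WILDCARD_MATCH"}]},
    {"SigningProfileArn": PREFIX + "x", "RepositoryFilters": [{"Filter": "MyApp/*", "FilterType": "PREFIX_MATCH"}]},
]
```
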