ECR Cross-region replication with options to copy repository policy and life-cycle policy

[feng0905]

trafficstars

Request

Add options to replicate repository policy and life-cycle policy with ECR Cross-Region Replication.

Our use case:

As we know, the purpose of Cross-Region replication for ECR is to reduce the network traffic and the time to pull images from a different region. However, for each repository, we have configured repository policy to manage the access permissions for multiple AWS account. Without the replication of reository policy, the replicated images cannot be accessed unless we have setup the same repositories in the destiation region beforehand. We have setup our Concourse pipelines in us-east-1 region, and all images will be pushed from this region. And we have clusters setup in both us-east-1 and us-west-2 in different accounts, which would need pull images from ECR. Therefore, when images are replicated to us-west-2, we would like to copy over the repository policy and life-cycle policy over so that all clusters can access the repository without an issue.

Current solution and problem

Currently, we have setup an CodeBuild job to implement this, but it fails several times due to unkown reason. That's why we need a more reliable solution from AWS to help us resolve this issue.

[rpnguyen]

Would something like Repository Configuration Defaults solve this use case? #799

[stewartcampbell]

Would something like Repository Configuration Defaults solve this use case? #799

Not OP, but this would not work for my current requirements as not all repositories will have the same permissions so can't just use the default.

It would be better to either have the destination repository permissions configurable in the source account, or have a list of policies to choose from in the destination account that could be applied to replicated repositories.

[leungtimothy]

I ran into this when turning on the feature as our other account could not access the images in the new region.

It would have been nice to have the lifecycle/permissions settings synced over when we first turned on this feature if it creates a new repo.

However, maintaining the synchronization of lifecycle/permission settings between regions is probably not reasonable to implement anyway. We'll be creating the target repositories using Terraform before hand so we can apply any changes to all of the regions easily.

[github-actions[bot]]

Greetings! It looks like this issue hasn't been active for a while. Because it has been some time since the last update on this, and in the absence of more information, we will be closing this issue soon. Please feel free to provide a comment to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

[stewartcampbell]

Bad bot. More info has been provided.

[chenrui333]

Any update on this? I think this should be considered as part of the ECR replication feature, otherwise, that is almost half done work.

[cloudwitch]

Got bit by this today. Would be super nice.

[suraj2410]

this would be a super important feature to save costs and efficiency

[hadavies]

Any update on this?

[popsicleslayer]

Hi! I ran into this problem today, and it would make it easier and nicer to have this option.

[naldrey]

Would be nice to have this. We had an organisation ID change and need to do an automation to edit all replicated repositories among the org

[hsejour]

Hi All, we are working on a feature that would address this. We'll provide an update on the progress at a later date.

[jufemaiz]

How later a date @hsejour? (Working out if I bother hacking something together or wait).

[pkarakal]

Any news on this, or an ETA ?

[wu-json]

Also getting bit by this currently. Is this still something in the works?

[AdamDomagalsky]

May I kindly ask for the update?

[max-gophoto]

Any update?

[made2591]

any update on this?