Manage ECR in prod account module

• Status: accepted

• Deciders: @lorenyu @shawnvanderjagt @farrcraft @kyeah

• Date: 2022-10-07

Context and Problem Statement

In a multi-account setup where there is one account per environment, where should the ECR repository live?

Decision Drivers

• Minimize risk that the approach isn't acceptable with the agency given uncertainty around ability to provision accounts with the agency

• Desire an approach that can adapt equally well to a multi-account setup (with an account per environment) as well as to a single-account setup (with one account across all environments) or a two-account setup (with one account for prod and an account for non-prod)

• Desire an approach that can adapt to situations where there is more than one ECR repository i.e. a project with multiple deployable applications

• Simplicity

Considered Options

• Separate dist/build account to contain the ECR repository and build artifacts

• Manage the ECR repository as part of the prod account

• Manage the ECR repository as part of the dev or stage account

Decision Outcome

Manage the ECR repository(ies) as part of the prod account module, or for single-account setups, the single account module. Since there will always be a prod account, this approach should have minimal risk for not working for the agency, and will also work for projects that only have or need a single account.

Discussion of alternative approach

However, if account management and creation was not an issue, it could be more elegant to have the production candidate build artifacts be managed in a separate build account that all environment accounts reference. This approach is described in the following references:

• Medium article: Cross-Account Amazon Elastic Container Registry (ECR) Access for ECS

• AWS whitepaper - Recommended Accounts - Deployments