Manage ECR in prod account module

Status: accepted
Deciders: @lorenyu @shawnvanderjagt @farrcraft @kyeah
Date: 2022-10-07

Context and Problem Statement

In a multi-account setup where there is one account per environment, where should the ECR repository live?

Decision Drivers

Minimize risk that the approach isn't acceptable with the agency given uncertainty around ability to provision accounts with the agency
Desire an approach that can adapt equally well to a multi-account setup (with an account per environment) as well as to a single-account setup (with one account across all environments) or a two-account setup (with one account for prod and an account for non-prod)
Desire an approach that can adapt to situations where there is more than one ECR repository i.e. a project with multiple deployable applications
Simplicity

Considered Options

Separate dist/build account to contain the ECR repository and build artifacts
Manage the ECR repository as part of the prod account
Manage the ECR repository as part of the dev or stage account

Decision Outcome

Manage the ECR repository(ies) as part of the prod account module, or for single-account setups, the single account module. Since there will always be a prod account, this approach should have minimal risk for not working for the agency, and will also work for projects that only have or need a single account.

Discussion of alternative approach

However, if account management and creation was not an issue, it could be more elegant to have the production candidate build artifacts be managed in a separate build account that all environment accounts reference. This approach is described in the following references:

PreviousUse custom implementation of GitHub OIDC NextSeparate terraform backend configs into separate config files

Last updated 1 year ago

Was this helpful?