Skip to main content

Add tags to ECR repository

This guide demonstrates how to add meaningful tags to your AWS ECR repository using Port's self-service action

Prerequisites​

  1. Port's GitHub app needs to be installed

  2. AWS Access Key and Secret Key pair. Follow AWS guide on creating access keys to create one for your account

  3. AWS AmazonEC2ContainerRegistryFullAccess policy should be enabled on the account to enable necessary permissions to carry out the action

  4. Account ID. Click on the account dropdown settings on the upper right corner in your AWS Console to retrieve it

  5. In your GitHub repository, go to Settings > Secrets and add the following secrets:

  6. Optional - Ingest your AWS ECR Repository into Port using our recommended python script

ECR Repository Python Script

This step is not required for this example, but it will create all the blueprint boilerplate for you, and also update the catalog with your repositories.

  • AWS_REGION - The region where ECR repositories are located. Available regions can be found on the Regions, Availability Zones, and Local Zones page in AWS documentation.
  • AWS_ACCOUNT_ID - AWS account ID from the prerequisites step
  • AWS_ACCESS_KEY_ID - AWS Access Key
  • AWS_SECRET_ACCESS_KEY - AWS Secret Key, also gotten from the access key creation
  • PORT_CLIENT_ID - Port Client ID learn more
  • PORT_CLIENT_SECRET - Port Client Secret learn more

  1. Create an AWS ECR repository blueprint in Port using the blueprint below:
ECR Repository Blueprint
{
  "identifier": "ecrRepository",
  "description": "This blueprint represents an ECR Repository",
  "title": "ECR Repository",
  "icon": "AWS",
  "schema": {
    "properties": {
      "registryId": {
        "type": "string",
        "title": "Registry ID",
        "description": "The ID of the registry"
      },
      "arn": {
        "type": "string",
        "title": "Repository ARN",
        "description": "The ARN of the repository"
      },
      "uri": {
        "type": "string",
        "title": "Repository URI",
        "description": "The URI of the repository"
      },
      "createdAt": {
        "type": "string",
        "title": "Created At",
        "description": "Date and time the repository was created",
        "format": "date-time"
      },
      "imageTagMutability": {
        "type": "string",
        "title": "Image Tag Mutability",
        "description": "The image tag mutability setting for the repository",
        "enum": ["MUTABLE", "IMMUTABLE"],
        "enumColors": {
          "MUTABLE": "green",
          "IMMUTABLE": "darkGray"
        }
      },
      "configurationScanOnPush": {
        "type": "boolean",
        "title": "Configuration Scan on Push",
        "description": "Image scanning configuration when pushing images to this repository"
      },
      "encryptionType": {
        "type": "string",
        "title": "Encryption Type",
        "description": "The encryption type of the repository",
        "enum": ["AES256", "KMS"],
        "enumColors": {
          "AES256": "green",
          "KMS": "blue"
        }
      },
      "kmsKey": {
        "type": "string",
        "title": "KMS Key",
        "description": "The KMS key used for encryption"
      }
    },
    "required": []
  },
  "mirrorProperties": {},
  "calculationProperties": {},
  "aggregationProperties": {},
  "relations": {}
}

GitHub Workflow​

While this step will ensure the ecrRepository blueprint is available, the self-service action supports selecting from the list of ingested repositories instead of having to input the repository name. To allow for this option, follow Port's guide to ingest images and repositories into Port.

This option is way easier but if you do not want this, you can simply type in repository names to tag them.

::: -->


  1. Create the Port action on the ecrRepository blueprint:
    • Head to the self-service page.
    • Click on the + New Action button.
    • Click on the {...} Edit JSON button.
    • Copy and paste the following JSON configuration into the editor:
Port Action: Add Tags to ECR Repository
Modification Required
  • <GITHUB-ORG> - your GitHub organization or user name.
  • <GITHUB-REPO-NAME> - your GitHub repository name.
{
  "identifier": "ecrRepository_add_tags_to_ecr_repository",
  "title": "Add Tags to ECR Repository",
  "icon": "AWS",
  "description": "Add tags to a repository on AWS ECR",
  "trigger": {
    "type": "self-service",
    "operation": "DAY-2",
    "userInputs": {
      "properties": {
        "repository": {
          "icon": "DefaultProperty",
          "title": "Repository",
          "type": "string",
          "blueprint": "ecrRepository",
          "description": "Use if respository has been ingested into Port. If both Repository and Repository Name are specified, Repository takes precedence.",
          "format": "entity"
        },
        "tags": {
          "icon": "DefaultProperty",
          "title": "Tags",
          "type": "object",
          "description": "Tags should be in key-value pairs like so: {\"key\": \"value\"}"
        }
      },
      "required": [
        "tags",
        "repository"
      ],
      "order": [
        "tags",
        "repository"
      ]
    },
    "blueprintIdentifier": "ecrRepository"
  },
  "invocationMethod": {
    "type": "GITHUB",
    "org": "<GITHUB-ORG>",
    "repo": "<GITHUB-REPO-NAME>",
    "workflow": "add-tags-to-ecr-repository.yml",
    "workflowInputs": {
      "{{if (.inputs | has(\"ref\")) then \"ref\" else null end}}": "{{.inputs.\"ref\"}}",
      "{{if (.inputs | has(\"repository\")) then \"repository\" else null end}}": "{{.inputs.\"repository\" | if type == \"array\" then map(.identifier) else .identifier end}}",
      "{{if (.inputs | has(\"tags\")) then \"tags\" else null end}}": "{{.inputs.\"tags\"}}",
      "port_payload": {
        "action": "{{ .action.identifier[(\"ecrRepository_\" | length):] }}",
        "resourceType": "run",
        "status": "TRIGGERED",
        "trigger": "{{ .trigger | {by, origin, at} }}",
        "context": {
          "entity": "{{.entity.identifier}}",
          "blueprint": "{{.action.blueprint}}",
          "runId": "{{.run.id}}"
        },
        "payload": {
          "entity": "{{ (if .entity == {} then null else .entity end) }}",
          "action": {
            "invocationMethod": {
              "type": "GITHUB",
              "org": "<GITHUB-ORG>",
              "repo": "<GITHUB-REPO-NAME>",
              "workflow": "add-tags-to-ecr-repository.yml",
              "omitUserInputs": false,
              "omitPayload": false,
              "reportWorkflowStatus": true
            },
            "trigger": "{{.trigger.operation}}"
          },
          "properties": {
            "{{if (.inputs | has(\"repository\")) then \"repository\" else null end}}": "{{.inputs.\"repository\" | if type == \"array\" then map(.identifier) else .identifier end}}",
            "{{if (.inputs | has(\"tags\")) then \"tags\" else null end}}": "{{.inputs.\"tags\"}}"
          },
          "censoredProperties": "{{.action.encryptedProperties}}"
        }
      }
    },
    "reportWorkflowStatus": true
  },
  "requiredApproval": false,
  "publish": true
}

  1. Create a workflow file under .github/workflows/add-tags-to-ecr-repository.yml with the content below:
GitHub workflow (click to expand)
name: Add tags to ECR repository
on:
  workflow_dispatch:
    inputs:
      repository:
        type: string
        required: true
      tags:
        type: string
        required: true
        description: 'Tags should be in key-value pairs like so: {"key": "value"}'
      port_payload:
        required: true
        description:
          Port's payload, including details for who triggered the action and
          general context (blueprint, run id, etc...)
        type: string
    secrets:
      AWS_REGION:
        required: true
      AWS_ACCOUNT_ID:
        required: true
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      PORT_CLIENT_ID:
        required: true
      PORT_CLIENT_SECRET:
        required: true
jobs:
  create-entity-in-port-and-update-run:
    runs-on: ubuntu-latest
    steps:
      - name: Create a log message
        uses: port-labs/port-github-action@v1
        with:
          clientId: ${{ secrets.PORT_CLIENT_ID }}
          clientSecret: ${{ secrets.PORT_CLIENT_SECRET }}
          baseUrl: https://api.getport.io
          operation: PATCH_RUN
          runId: ${{fromJson(inputs.port_payload).context.runId}}
          logMessage: Starting request to add tags to ECR repository

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        if: always()
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Install jq
        run: sudo apt-get install jq

      - name: Add Tags to ECR repository
        env:
          TAGS_JSON: ${{ inputs.tags }}
        run: |
          # Extract key-value pairs from the JSON object
          # {
          #   "env": "test",
          #   "team": "beta"
          # }

          TAGS=$(echo "${TAGS_JSON}" | jq -r '. | to_entries[] | "Key=\(.key),Value=\(.value)"' | tr '\n' ' ')

          aws ecr tag-resource \
          --resource-arn arn:aws:ecr:${{ secrets.AWS_REGION }}:${{ secrets.AWS_ACCOUNT_ID }}:repository/${{ inputs.repository }} \
          --tags ${TAGS}

      - name: Create a log message
        uses: port-labs/port-github-action@v1
        with:
          clientId: ${{ secrets.PORT_CLIENT_ID }}
          clientSecret: ${{ secrets.PORT_CLIENT_SECRET }}
          baseUrl: https://api.getport.io
          operation: PATCH_RUN
          runId: ${{ fromJson(inputs.port_payload).context.runId }}
          logMessage: Finished adding tags to ECR repository

  1. Trigger the action from Port's Self Serve.
  2. Done! wait for the ECR repository to be tagged.

Congrats 🎉 You've tagged your ECR repository for the first time from Port!