AWSAmazon ECRaws_ecr_repository_policyPro

How to Import an AWS ECR Repository Policy into Terraform

To import an existing AWS ECR Repository Policy into Terraform, scan it with Terraback and run terraback aws import --method bulk. Terraback writes the matching aws_ecr_repository_policy resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the ECR repository name (for example, app/api).

Import AWS ECR Repository Policy with Terraback (recommended)

Terraback reverse-engineers your live infrastructure: it reads the Amazon ECR resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live AWS ECR Repository Policy to managed Terraform.

1

Scan your AWS account

terraback scan all aws --region us-east-1
2

Generate import blocks and import into state

terraback aws import --method bulk

The Terraform import block

Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.

import {
  to = aws_ecr_repository_policy.api
  id = "app/api"
}

Example aws_ecr_repository_policy configuration

Here is a realistic AWS ECR Repository Policy block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.

resource "aws_ecr_repository_policy" "api" {
  repository = "app/api"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowPull"
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::123456789012:root" }
      Action    = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
    }]
  })
}

Gotchas when importing a AWS ECR Repository Policy

  • Import by the repository name; each repository has a single resource policy, so the name is the ID (no ARN, no policy ID).
  • This resource-based policy is distinct from any IAM identity policies; do not duplicate the same grants in both places.
  • It is a sub-resource of aws_ecr_repository and imports separately from the repository and from aws_ecr_lifecycle_policy.
  • The JSON document round-trips through AWS, so expect Principal normalization and whitespace diffs unless your jsonencode matches exactly.

Doing it manually with terraform import

The native approach is to write the aws_ecr_repository_policy block by hand, then run terraform import aws_ecr_repository_policy.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.

Import your whole AWS account in minutes

Terraback scans 80+ AWS resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.