Infrastructure Medium complexity

Docker Base Image Registry Migration to AWS ECR

✦ Sample Prompt
Migrate every Docker base image reference from our legacy registry
(`my-org.jfrog.io/docker-prod/...`) to AWS ECR
(`123456789.dkr.ecr.us-east-1.amazonaws.com/...`) using the provided image mapping.

For each repository:
1. Rewrite `FROM` lines in `Dockerfile` and `Dockerfile.*`:
   - Apply the old → new image mapping (CSV provided separately)
   - Preserve the tag and digest exactly
   - Handle multi-stage builds (every `FROM` independently)
2. Update CI workflows in `.github/workflows/*.yml`:
   - Replace `docker login my-org.jfrog.io` steps with `aws-actions/amazon-ecr-login@v2`
   - Update `docker pull` commands referencing the legacy registry
   - Add `permissions: id-token: write` if OIDC-to-ECR is used
3. Update build scripts (`Makefile`, `scripts/build.sh`) that hardcode the registry host.
4. Skip Helm chart `image.repository` values unless `helm/` paths are explicitly included.
5. If an image is not in the mapping, flag the repo for review rather than guessing the new path.

The Problem

Consolidating image hosting onto one registry pays for itself in latency, cost, and auditability, but the migration is painful because the registry domain is hardcoded in every `FROM` line, every CI login step, and occasionally in Helm charts.

Worse, the image paths often change: `my-org.jfrog.io/docker-prod/base/node:20` becomes `123456789.dkr.ecr.us-east-1.amazonaws.com/base-node:20`. Without a mapping, the rewrite has to be done by hand.

What Tidra Does

  1. Scans every `FROM` line in `Dockerfile` and `Dockerfile.*` and every `docker pull`/`docker login` in CI workflows
  2. Rewrites the registry host and image path using a mapping you provide (old image → new image)
  3. Updates ECR login steps in `.github/workflows/*.yml` to use `aws-actions/amazon-ecr-login`
  4. Leaves Helm chart `image.repository` fields alone unless explicitly included
  5. Opens one PR per repo with a list of every rewritten reference
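
One way to implement the `FROM` rewrite described above, as an added example (not Tidra's own code): it keeps the tag and digest verbatim, treats every stage independently, and reports unmapped legacy images instead of guessing. It assumes a two-column CSV keyed on repository without tag; the `nginx` image, the shortened digest and all function names are constructed for illustration.

```python
import csv
import io
import re

LEGACY_HOST = "my-org.jfrog.io"  # legacy registry host named on the page
# FROM [--flag=value ...] <image> [AS <stage>]; the keyword is case-insensitive.
FROM_RE = re.compile(
    r"^(?P<head>[ \t]*FROM[ \t]+(?:--\S+[ \t]+)*)(?P<image>\S+)(?P<tail>.*)$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample input. Assumption: the CSV is keyed on repository, no tag.
SAMPLE_MAPPING = (
    "my-org.jfrog.io/docker-prod/base/node,"
    "123456789.dkr.ecr.us-east-1.amazonaws.com/base-node\n"
)
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 my-org.jfrog.io/docker-prod/base/node:20@sha256:0123abcd AS build
RUN npm ci
FROM my-org.jfrog.io/docker-prod/base/nginx:1.25
COPY --from=build /app/dist /usr/share/nginx/html
FROM build AS test
"""

def split_ref(ref):
    """Split a reference into (repository, suffix); the suffix is kept verbatim."""
    name, at, digest = ref.partition("@")
    colon = name.rfind(":")
    tag = ""
    if colon > name.rfind("/"):  # a ':' before the last '/' is a registry port
        name, tag = name[:colon], name[colon:]
    return name, tag + at + digest

def load_mapping(csv_text):
    rows = csv.reader(io.StringIO(csv_text))
    return {r[0].strip(): r[1].strip() for r in rows if len(r) == 2}

def rewrite_dockerfile(text, mapping):
    """Return (new_text, unmapped); unmapped legacy references are left untouched."""
    unmapped = []
    def repl(m):
        if not m["image"].startswith(LEGACY_HOST + "/"):
            return m[0]  # stage names, scratch, other registries
        repo, suffix = split_ref(m["image"])
        if repo not in mapping:
            unmapped.append(m["image"])  # flag for review, never guess a path
            return m[0]
        return m["head"] + mapping[repo] + suffix + m["tail"]
    return FROM_RE.sub(repl, text), unmapped
```

`rewrite_dockerfile(SAMPLE_DOCKERFILE, load_mapping(SAMPLE_MAPPING))` returns the rewritten text and lists the `nginx` reference as unmapped. References built from `ARG` variables are not resolved and stay untouched.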

Before & After

diff
Dockerfile
@@ -1,3 +1,3 @@
- FROM my-org.jfrog.io/docker-prod/base/node:20
+ FROM 123456789.dkr.ecr.us-east-1.amazonaws.com/base-node:20
WORKDIR /app
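
Review bot: the new `FROM` line still references the base image by the mutable tag `:20` alone, so nothing in this hunk shows that the ECR copy has the same content as the legacy `base/node:20`. Pin it as `base-node:20@sha256:<digest>` using the digest of the image actually pushed to ECR, and confirm that the `base/node` to `base-node` rename comes from the mapping rather than from a naming pattern.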

Customization Tips

  • Image mapping: Provide a CSV mapping of old-image:tag → new-image:tag. Tidra does not guess paths.
  • Helm coverage: Helm chart image references are opt-in; include the chart directories in the prompt to extend coverage.
  • Login steps: CI login steps need credentials. Tidra updates the action but does not provision IAM roles.

Ready to run this across your repos?

Connect your Git provider and Tidra opens pull requests in every repo that needs them.