posit-dev · ian-flores · Feb 3, 2026 · Feb 2, 2026
@@ -96,7 +96,6 @@ The Go CLI communicates the infrastructure path to Python Pulumi stacks via the
 #### AWS Development
 
 - `just aws-unset`: Unset all AWS environment variables
-- `just latest-images`: Show latest ECR images
 
 ## Contributing
 

@@ -39,34 +39,6 @@ write-kubeconfig cluster_dir=invocation_directory() kubeconfig='./kubeconfig':
 
 # ----------------------------------------------------------------------------
 
-# `just ecr-login` will log you into the ECR repositories that your current AWS context/variables point to
-# this is useful for `docker pull` and `docker push` types of commands, like building custom images, etc.
-ecr-login:
-  #!/bin/bash
-
-  echo "Repositories that exist:"
-  aws ecr describe-repositories | jq -r '.repositories[].repositoryUri' | sed 's/^/  /'
-
-  # just grab the first repo... it should give us the account and region
-  rawRepo=$(aws ecr describe-repositories | jq -r '.repositories[0].repositoryUri')
-
-  echo "Logging in..."
-  # then strip off the image name for actual `docker login`
-  aws ecr get-login-password | docker login --username AWS --password-stdin ${rawRepo//\/*/} | sed 's/^/  /'
-
-skopeo-login:
-  #!/bin/bash
-
-  echo "Repositories that exist:"
-  aws ecr describe-repositories | jq -r '.repositories[].repositoryUri' | sed 's/^/  /'
-
-  # just grab the first repo... it should give us the account and region
-  rawRepo=$(aws ecr describe-repositories | jq -r '.repositories[0].repositoryUri')
-
-  echo "Logging in..."
-  # then strip off the image name for actual `docker login`
-  aws ecr get-login-password | skopeo login --username AWS --password-stdin ${rawRepo//\/*/} | sed 's/^/  /'
-
 # ensure git is set up to use ssh
 git-ssh:
   #!/bin/bash
@@ -83,15 +55,6 @@ aws-unset:
   unset AWS_SECRET_ACCESS_KEY
   unset AWS_ACCESS_KEY_ID
 
-latest-images:
-  #!/usr/bin/env bash
-  for img in $(aws ecr describe-repositories | jq -r '.repositories[].repositoryName'); do
-    echo ""
-    echo "---> < Image list for $img >";
-    aws ecr describe-images --repository-name $img | jq '.imageDetails | sort_by(.imagePushedAt) | reverse | map(.imagePushedAt + " --- " + (.imageTags | join(", ")) ) | .[0:4]'
-    echo "---> </ $img >";
-  done;
-
 ############################################################################
 # Setup and dependencies
 ############################################################################

@@ -606,7 +606,7 @@ All commands follow the Cobra pattern:
 ### Key Libraries
 
 Located in `/lib/`:
-- `aws/` - AWS-specific implementations (credentials, ECR, EKS, IAM, proxy, S3, SSM)
+- `aws/` - AWS-specific implementations (credentials, EKS, IAM, proxy, S3, SSM)
 - `azure/` - Azure-specific implementations (credentials, ACR, AKS, Key Vault, proxy, storage)
 - `steps/` - Deployment step definitions (bootstrap, cluster, helm, images, persistent, workspaces, sites)
 - `types/` - Core type definitions (Target, Credentials, etc.)

@@ -2,12 +2,16 @@ package aws
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/posit-dev/ptd/lib/types"
 )
 
+// ErrECRDeprecated is returned when ECR functionality is accessed.
+// ECR has been removed in favor of public Docker Hub images.
+var ErrECRDeprecated = errors.New("ECR functionality has been removed; images are now pulled from public Docker Hub")
+
 type Registry struct {
 	accountID string
 	region    string
@@ -28,33 +32,20 @@ func (r Registry) RegistryURI() string {
 	return fmt.Sprintf("%s.dkr.ecr.%s.amazonaws.com", r.accountID, r.region)
 }
 
+// GetAuthForCredentials is deprecated - ECR is no longer used.
+// Images are now pulled from public Docker Hub.
 func (r Registry) GetAuthForCredentials(ctx context.Context, c types.Credentials) (username string, password string, err error) {
-	awsCreds, err := OnlyAwsCredentials(c)
-	if err != nil {
-		return
-	}
-	authToken, err := GetEcrAuthToken(ctx, awsCreds, r.region)
-	if err != nil {
-		return
-	}
-	username = "AWS"
-	password = strings.TrimPrefix(authToken, "AWS:")
-	return
+	return "", "", ErrECRDeprecated
 }
 
+// GetLatestDigestForRepository is deprecated - ECR is no longer used.
+// Images are now pulled from public Docker Hub.
 func (r Registry) GetLatestDigestForRepository(ctx context.Context, c types.Credentials, repository string) (string, error) {
-	awsCreds, err := OnlyAwsCredentials(c)
-	if err != nil {
-		return "", err
-	}
-	return LatestDigestForRepository(ctx, awsCreds, r.region, repository)
+	return "", ErrECRDeprecated
 }
 
+// GetLatestImageForRepository is deprecated - ECR is no longer used.
+// Images are now pulled from public Docker Hub.
 func (r Registry) GetLatestImageForRepository(ctx context.Context, c types.Credentials, repository string) (details types.ImageDetails, err error) {
-	awsCreds, err := OnlyAwsCredentials(c)
-	if err != nil {
-		return
-	}
-
-	return LatestImageForRepository(ctx, awsCreds, r.region, repository)
+	return types.ImageDetails{}, ErrECRDeprecated
 }
@@ -28,9 +28,8 @@ func TestRegistryMethods(t *testing.T) {
 	assert.Equal(t, "111122223333.dkr.ecr.us-east-1.amazonaws.com", registry.RegistryURI())
 }
 
-// This is a simple mock implementation of the GetAuthForCredentials method
-// For a real test, we would need to mock the AWS ECR service
-func TestGetAuthForCredentials_Mock(t *testing.T) {
+// Test that ECR methods return deprecation errors since ECR is no longer used
+func TestGetAuthForCredentials_Deprecated(t *testing.T) {
 	accountID := "123456789012"
 	registry := NewRegistry(accountID, "us-east-1")
 
@@ -42,31 +41,42 @@ func TestGetAuthForCredentials_Mock(t *testing.T) {
 		envVarsVal:   map[string]string{},
 	}
 
-	// We can't actually call the real GetAuthForCredentials since it would try to use AWS
-	// But we can check that the function exists and accepts the right parameters
-	assert.NotPanics(t, func() {
-		// This would normally call the AWS API, but we're not executing it
-		registry.GetAuthForCredentials(context.Background(), creds)
-	})
+	username, password, err := registry.GetAuthForCredentials(context.Background(), creds)
+
+	assert.ErrorIs(t, err, ErrECRDeprecated)
+	assert.Empty(t, username)
+	assert.Empty(t, password)
 }
 
-func TestGetLatestImageForRepository(t *testing.T) {
+func TestGetLatestDigestForRepository_Deprecated(t *testing.T) {
+	accountID := "123456789012"
+	registry := NewRegistry(accountID, "us-west-2")
+
+	creds := &MockCredentials{
+		accountIDVal: accountID,
+		identityVal:  "arn:aws:iam::123456789012:role/test-role",
+	}
+
+	digest, err := registry.GetLatestDigestForRepository(context.Background(), creds, "test-repo")
+
+	assert.ErrorIs(t, err, ErrECRDeprecated)
+	assert.Empty(t, digest)
+}
+
+func TestGetLatestImageForRepository_Deprecated(t *testing.T) {
 	accountID := "123456789012"
 	registry := NewRegistry(accountID, "us-west-2")
 
-	// Create a mock credentials object
 	creds := &MockCredentials{
 		accountIDVal: accountID,
 		identityVal:  "arn:aws:iam::123456789012:role/test-role",
 	}
 
-	// Test that the function doesn't panic
-	assert.NotPanics(t, func() {
-		registry.GetLatestImageForRepository(context.Background(), creds, "test-repo")
-	})
+	details, err := registry.GetLatestImageForRepository(context.Background(), creds, "test-repo")
 
-	// Without mocking the AWS SDK, we can't fully test this function
-	// A full test would verify it correctly calls through to LatestImageForRepository
+	assert.ErrorIs(t, err, ErrECRDeprecated)
+	assert.Empty(t, details.Digest)
+	assert.Nil(t, details.Tags)
 }
 
 // Mock credentials implementation for testing

@@ -279,14 +279,6 @@ class ComponentImages(enum.StrEnum):
     FLIGHTDECK = "ptd-flightdeck"
 
 
-# Deprecated ECR repositories that should be deleted with force_delete=True
-# Remove this list after all workloads have been cleaned up
-DEPRECATED_ECR_REPOS = [
-    "ptd-controller",
-    "ptd-home",
-]
-
-
 class ComponentNames(enum.StrEnum):
     CHRONICLE = "chronicle"
     CHRONICLE_AGENT = "chronicleAgent"

@@ -49,7 +49,6 @@ class AWSControlRoomConfig:
     eks_node_group_min: int = 3
     eks_node_instance_type: str = "m6a.xlarge"
     hosted_zone_id: str | None = None
-    manage_ecr_repositories: bool = True
     protect_persistent_resources: bool = True
     region: str = "us-east-2"
     resource_tags: dict[str, str] = dataclasses.field(default_factory=dict)

@@ -23,8 +23,6 @@
     [
         "ec2",
         "ec2messages",
-        "ecr.api",
-        "ecr.dkr",
         "fsx",
         "kms",
         "s3",
@@ -37,8 +35,6 @@
 STANDARD_VPC_ENDPOINT_SERVICES = (
     "ec2",
     "ec2messages",
-    "ecr.api",
-    "ecr.dkr",
     "kms",
     "s3",
     "ssm",

@@ -44,14 +44,6 @@ def octet_signature(s: str) -> int:
     return sum([ord(c) for c in list(s)]) % 255
 
 
-def ecr_repository_url(aws_account_id: str, repo_name: str, region: str = "us-east-2") -> str:
-    return f"{aws_account_id}.dkr.ecr.{region}.amazonaws.com/{repo_name}"
-
-
-def ecr_repository_arn(aws_account_id: str, repo_name: str, region: str = "us-east-2") -> str:
-    return f"arn:aws:ecr:{region}:{aws_account_id}:repository/{repo_name}"
-
-
 def import_string(import_name: str) -> typing.Any:
     """This function in borrowed and modified from werkzeug.utils.import_string"""
     try: