sourcefuse/terraform-aws-arc-ecr

Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing Amazon Elastic Container Registry (ECR).

Features

  • Complete ECR Management: Support for all ECR resource types
  • Conditional Resource Creation: Create only the resources you need
  • Security Best Practices: Encryption, scanning, and least-privilege policies
  • Multi-Region Replication: Cross-region and cross-account replication support
  • Lifecycle Management: Automated image cleanup policies
  • Pull-Through Cache: Cache public registry images
  • Flexible Tagging: Consistent tagging across all resources
  • Production Ready: Follows AWS Well-Architected principles

Usage

module "ecr" {
  source      = "sourcefuse/arc-ecr/aws"
  version     = "0.0.1"

  # Basic Configuration
  repositories = {
    "my-app" = {
      image_tag_mutability = "MUTABLE"
      scan_on_push         = true
      encryption_type      = "KMS"
      kms_key              = "alias/ecr-key" # the input is named kms_key (see Inputs)
    }
  }

  # Optional Features

  replication_configuration = {
    enabled = true
    rules   = [
      {
        destinations = [
          {
            region      = "us-east-1"
            registry_id = "123456789012"
          }
        ]
        repository_filters = [
          {
            filter      = "my-app"
            filter_type = "PREFIX_MATCH"
          }
        ]
      }
    ]
  }

  # Tagging
  tags = {
    Environment = "production"
    Team        = "platform"
    Project     = "container-registry"
  }
}
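
A stricter variant of the configuration above, added here as an illustration and not taken from the module's own documentation: it combines the repositories and registry_scanning_configuration inputs listed under Inputs to get immutable tags, a customer-managed KMS key, continuous enhanced scanning, untagged-image expiry and a pull-only repository policy. The account ID, key ARN and role name are placeholders, and the example assumes the module passes these values unchanged to the underlying ECR resources.

```hcl
# Added example. Account ID, KMS key ARN and role name are placeholders.
module "ecr_hardened" {
  source  = "sourcefuse/arc-ecr/aws"
  version = "0.0.1"

  repositories = {
    "my-app" = {
      image_tag_mutability = "IMMUTABLE" # a pushed tag cannot be repointed to another image
      scan_on_push         = true
      encryption_type      = "KMS"
      kms_key              = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

      # Expire untagged images 14 days after push.
      lifecycle_policy = jsonencode({
        rules = [{
          rulePriority = 1
          description  = "Expire untagged images after 14 days"
          selection = {
            tagStatus   = "untagged"
            countType   = "sinceImagePushed"
            countUnit   = "days"
            countNumber = 14
          }
          action = { type = "expire" }
        }]
      })

      # Pull-only access for one role: no push, delete or policy-change actions.
      repository_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [{
          Sid       = "PullOnly"
          Effect    = "Allow"
          Principal = { AWS = "arn:aws:iam::111122223333:role/example-deploy-role" }
          Action    = ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
        }]
      })
    }
  }

  # Registry-wide enhanced scanning, rescanning matching repositories continuously.
  registry_scanning_configuration = {
    enabled   = true
    scan_type = "ENHANCED"
    rules = [{
      scan_frequency     = "CONTINUOUS_SCAN"
      repository_filters = [{ filter = "my-app", filter_type = "WILDCARD" }]
    }]
  }
}
```

With immutable tags, a deployment that references a tag always resolves to the image that was scanned when it was pushed.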

Examples

Requirements

Name        Version
terraform   >= 1.5.0
aws         >= 5.0, < 7.0

Providers

Name   Version
aws    6.15.0

Modules

No modules.

Resources

Name                                           Type
aws_ecr_account_setting.this                   resource
aws_ecr_lifecycle_policy.this                  resource
aws_ecr_pull_through_cache_rule.this           resource
aws_ecr_registry_policy.this                   resource
aws_ecr_registry_scanning_configuration.this   resource
aws_ecr_replication_configuration.this         resource
aws_ecr_repository.this                        resource
aws_ecr_repository_creation_template.this      resource
aws_ecr_repository_policy.this                 resource

Inputs

account_setting
  Description: ECR account setting
  Type:
    object({
      name  = string
      value = string
    })
  Default:
    {
      "name": null,
      "value": null
    }
  Required: no

pull_through_cache_rules
  Description: Pull through cache rules
  Type:
    map(object({
      ecr_repository_prefix      = string
      upstream_registry_url      = string
      credential_arn             = optional(string)
      custom_role_arn            = optional(string)
      upstream_repository_prefix = optional(string)
    }))
  Default: {}
  Required: no

registry_policy
  Description: Registry policy JSON
  Type: string
  Default: null
  Required: no

registry_scanning_configuration
  Description: Registry scanning configuration
  Type:
    object({
      enabled   = bool
      scan_type = optional(string, "ENHANCED")
      rules = optional(list(object({
        scan_frequency = string
        repository_filters = list(object({
          filter      = string
          filter_type = string
        }))
      })), [])
    })
  Default:
    {
      "enabled": false,
      "rules": [],
      "scan_type": "ENHANCED"
    }
  Required: no

replication_configuration
  Description: Replication configuration for ECR registry
  Type:
    object({
      enabled = bool # Enable replication configuration
      rules = list(object({
        destinations = list(object({
          region      = string
          registry_id = string
        }))
        repository_filters = optional(list(object({
          filter      = string
          filter_type = string
        })), [])
      }))
    })
  Default:
    {
      "enabled": false,
      "rules": []
    }
  Required: no

repositories
  Description: Map of ECR repositories to create
  Type:
    map(object({
      force_delete         = optional(bool, false)
      image_tag_mutability = optional(string, "MUTABLE")
      encryption_type      = optional(string, "AES256")
      kms_key              = optional(string)
      scan_on_push         = optional(bool, true)
      lifecycle_policy     = optional(string)
      repository_policy    = optional(string)
      repository_tags      = optional(map(string), {})
      image_tag_mutability_exclusion_filters = optional(list(object({
        filter      = string
        filter_type = string
      })), [])
    }))
  Default: {}
  Required: no

repository_creation_template
  Description: Repository creation template configuration
  Type:
    object({
      prefix               = string
      applied_for          = list(string)
      custom_role_arn      = optional(string)
      description          = optional(string)
      encryption_type      = optional(string, "AES256")
      kms_key              = optional(string)
      image_tag_mutability = optional(string, "MUTABLE")
      lifecycle_policy     = optional(string)
      repository_policy    = optional(string)
      resource_tags        = optional(map(string), {})
      image_tag_mutability_exclusion_filters = optional(list(object({
        filter      = string
        filter_type = string
      })), [])
    })
  Default: null
  Required: no

tags
  Description: Tags to apply to all resources
  Type: map(string)
  Default: {}
  Required: no

Outputs

Name                                       Description
pull_through_cache_rule_registry_ids       Registry IDs from pull through cache rules
registry_id                                Registry ID
replication_configuration_registry_id      Registry ID from replication configuration
repository_arns                            ARNs of the ECR repositories
repository_creation_template_registry_id   Registry ID from repository creation template
repository_names                           Names of the ECR repositories
repository_registry_ids                    Registry IDs of the ECR repositories
repository_urls                            URLs of the ECR repositories

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install

Versioning

When contributing or committing, please specify in your commit message whether the change is a major, minor or patch change.

For example:

git commit -m "your commit message #major"

Specifying this bumps the version accordingly. If you don't specify it in your commit message, the change is treated as a patch by default and the version is bumped accordingly.

Authors

This project is authored by:

  • SourceFuse ARC Team
