This module creates an AWS Elastic Container Registry (ECR) repository with enhanced security features, including encryption, restricted access policies, and optimized lifecycle rules.
- 1.0.0 (May 2025): Added encryption support, restricted access policies, expanded lifecycle rules, pipeline actions and security improvements
- 0.0.1: Initial release with basic functionality
- ECR repository with configurable encryption (AES256 or KMS)
- Secure repository policy with restricted access
- Image scanning on push
- Configurable lifecycle policies for managing image retention
- Cross-region replication for high availability
- Image tag immutability option for enhanced security
- Pull-through cache support for external registries
- Comprehensive tagging for better resource management
ecr_repo: Name of repository to createmantainer: Maintainer operatorproject: Name or code project
environment: Environment name (default: "dev")scan_on_push: Scan image on push before ECR upload (default: true)encryption_type: Type of encryption (AES256 or KMS) (default: "AES256")kms_key_id: KMS key ARN to use when encryption_type is KMS (default: null)allowed_account_ids: List of AWS account IDs allowed to access the repository (default: [])expire_days: Expire untagged images older than X days (default: 7)keep_days: Keep last X tagged images (default: 10)use_custom_policy: Whether to use a custom policy (default: false)custom_policy: Custom policy to use if use_custom_policy is true (default: null)image_tag_mutability: The tag mutability setting for the repository (MUTABLE or IMMUTABLE) (default: "MUTABLE")enable_replication: Enable cross-region replication (default: false)replication_destinations: List of destination repositories for replication (default: [])create_pull_through_cache: Whether to create a pull through cache rule (default: false)pull_through_cache_prefix: Repository name prefix for pull through cache (default: "")upstream_registry_url: Upstream registry URL for pull through cache (default: "public.ecr.aws")
module "ecr" {
source = "git::https://github.com/mrexojo/terraform-aws-ecr.git?ref=v1.0.0"
ecr_repo = "my-application"
mantainer = "DevOps Team"
project = "WebApp"
}module "ecr" {
source = "git::https://github.com/mrexojo/terraform-aws-ecr.git?ref=v1.0.0"
ecr_repo = "production-app"
mantainer = "Platform Team"
project = "E-commerce"
environment = "prod"
encryption_type = "KMS"
kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
allowed_account_ids = ["111122223333", "444455556666"]
expire_days = 14
keep_days = 20
image_tag_mutability = "IMMUTABLE"
}module "ecr" {
source = "git::https://github.com/mrexojo/terraform-aws-ecr.git?ref=v1.0.0"
ecr_repo = "replicated-app"
mantainer = "Platform Team"
project = "Global Application"
enable_replication = true
replication_destinations = [
{
region = "eu-west-1"
registry_id = "111122223333"
},
{
region = "us-east-1"
registry_id = "111122223333"
}
]
}module "ecr" {
source = "git::https://github.com/mrexojo/terraform-aws-ecr.git?ref=v1.0.0"
ecr_repo = "cache-app"
mantainer = "DevOps Team"
project = "Container Platform"
create_pull_through_cache = true
pull_through_cache_prefix = "docker-hub"
upstream_registry_url = "docker.io"
}ecr_repository_url: The URL of the repositoryecr_repository_arn: The ARN of the repositoryecr_repository_name: The name of the repositoryecr_repository_registry_id: The registry ID where the repository was created
This module follows AWS security best practices:
- Restricts repository access to specific AWS accounts
- Limits the permissions granted to necessary actions only
- Enables image scanning by default
- Supports repository encryption
- Implements lifecycle policies to manage image retention
MIT License
Copyright (c) 2025 Miguel Ramirez Exojo
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
This module includes automated CI/CD pipeline configurations for:
- Terraform Validation: Ensures the module is syntactically correct and internally consistent
- Static Code Analysis: Scans for security vulnerabilities and compliance issues using tfsec
- Unit Tests: Validates expected behavior of resources using terratest
- Integration Tests: Verifies integration with AWS services in a controlled environment
| Action | Status |
|---|---|
| Terraform Format |  |
| Terraform Validation | |
| Security Scan |  |
| Unit Tests | |
| Integration Tests | |
This module has been assessed for security vulnerabilities and best practices:
| Security Check | Status | Notes |
|---|---|---|
| IAM Policy Restrictions |  |
Restricts access to specific AWS accounts |
| Encryption | |
Supports both AES256 and KMS encryption |
| Image Scanning | |
Enabled by default |
| Action Permissions | |
Follows least privilege principle |
| Lifecycle Management | |
Prevents repository clutter |
| CIS AWS Benchmarks |  |
Complies with CIS AWS Foundations benchmark |
- Miguel Ramirez Exojo (@mrexojo)