feat(ecr-registry): support aws v6

posquit0 · posquit0 · commit 0d6a553c5b0d · 2025-11-14T17:05:28.000+09:00
diff --git a/modules/ecr-registry/README.md b/modules/ecr-registry/README.md
@@ -4,23 +4,23 @@ This module creates following resources.
 
 - `aws_ecr_account_setting`
 - `aws_ecr_registry_policy` (optional)
+- `aws_ecr_registry_scanning_configuration`
 - `aws_ecr_replication_configuration` (optional)
 - `aws_ecr_pull_through_cache_rule` (optional)
-- `aws_ecr_registry_scanning_configuration`
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.83 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.12 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.91.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.21.0 |
 
 ## Modules
 
@@ -49,11 +49,12 @@ No modules.
 | <a name="input_policy"></a> [policy](#input\_policy) | (Optional) The policy document for ECR registry. This is a JSON formatted string. | `string` | `null` | no |
 | <a name="input_policy_version"></a> [policy\_version](#input\_policy\_version) | (Optional) The policy version of ECR registry. Valid values are `V1` or `V2`. Defaults to `V2`.<br/>    `V1` - Only support three actions: `ReplicateImage`, `BatchImportUpstreamImage`, and `CreateRepository`<br/>    `V2` - Support all ECR actions in the policy and enforce the registry policy in all ECR requests | `string` | `"V2"` | no |
 | <a name="input_pull_through_cache_policies"></a> [pull\_through\_cache\_policies](#input\_pull\_through\_cache\_policies) | (Optional) A list of ECR Registry Policies for Pull Through Cache. Each block of `pull_through_cache_policies` as defined below.<br/>    (Required) `iam_entities` - One or more IAM principals to grant permission. Support the ARN of IAM entities, or AWS account ID.<br/>    (Optional) `allow_create_repository` - Whether to auto-create the cached repositories with the same name within the current registry. Defaults to `false`.<br/>    (Required) `repositories` - A list of target repositories. Support glob expressions for `repositories` like `*`. | <pre>list(object({<br/>    iam_entities            = list(string)<br/>    allow_create_repository = optional(bool, false)<br/>    repositories            = list(string)<br/>  }))</pre> | `[]` | no |
-| <a name="input_pull_through_cache_rules"></a> [pull\_through\_cache\_rules](#input\_pull\_through\_cache\_rules) | (Optional) A list of Pull Through Cache Rules for ECR registry. A `pull_through_cache_rules` block as defined below.<br/>    (Required) `upstream_url` - The registry URL of the upstream public registry to use as the source.<br/>    (Optional) `namespace` - The repository name prefix to use when caching images from the source registry. Default value is used if not provided.<br/>    (Optional) `credential` - The configuration for credential to use to authenticate against the registry. A `credential` block as defined below.<br/>      (Required) `secretsmanager_secret` - The ARN of the Secrets Manager secret to use for authentication. | <pre>list(object({<br/>    upstream_url = string<br/>    namespace    = optional(string)<br/>    credential = optional(object({<br/>      secretsmanager_secret = string<br/>    }))<br/>  }))</pre> | `[]` | no |
+| <a name="input_pull_through_cache_rules"></a> [pull\_through\_cache\_rules](#input\_pull\_through\_cache\_rules) | (Optional) A list of Pull Through Cache Rules for ECR registry. A `pull_through_cache_rules` block as defined below.<br/>    (Required) `upstream_url` - The registry URL of the upstream registry to use as the source.<br/>    (Optional) `upstream_prefix` - The upstream repository prefix associated with the pull through cache rule. Used if the upstream registry is an ECR private registry. Defaults to `ROOT`.<br/>    (Optional) `namespace` - The repository name prefix to use when caching images from the source registry. Default value is used if not provided.<br/>    (Optional) `credential` - The configuration for credential to use to authenticate against the registry. A `credential` block as defined below.<br/>      (Required) `secretsmanager_secret` - The ARN of the Secrets Manager secret to use for authentication.<br/>      (Optional) `iam_role` - The ARN of the IAM role associated with the pull through cache rule. Must be specified if the upstream registry is a cross-account ECR private registry. | <pre>list(object({<br/>    upstream_url    = string<br/>    upstream_prefix = optional(string, "ROOT")<br/>    namespace       = optional(string)<br/>    credential = optional(object({<br/>      secretsmanager_secret = string<br/>      iam_role              = optional(string)<br/>    }))<br/>  }))</pre> | `[]` | no |
+| <a name="input_region"></a> [region](#input\_region) | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
 | <a name="input_replication_policies"></a> [replication\_policies](#input\_replication\_policies) | (Optional) A list of replication policies for ECR Registry. Each block of `replication_policies` as defined below.<br/>    (Required) `account` - The AWS account ID of the source registry owner.<br/>    (Optional) `allow_create_repository` - Whether to auto-create the replicated repositories with the same name within the current registry. Defaults to `false`.<br/>    (Required) `repositories` - A list of target repositories. Support glob expressions like `*`. | <pre>list(object({<br/>    account                 = string<br/>    allow_create_repository = optional(bool, false)<br/>    repositories            = list(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_replication_rules"></a> [replication\_rules](#input\_replication\_rules) | (Optional) A list of replication rules for ECR Registry. Each rule represents the replication destinations and repository filters for a replication configuration. Each block of `replication_rules` as defined below.<br/>    (Required) `destinations` - A list of destinations for replication rule. Each block of `destinations` as defined below.<br/>      (Optional) `account` - The AWS account ID of the ECR private registry to replicate to. Only required for cross-account replication.<br/>      (Required) `region` - The Region to replicate to.<br/>    (Optional) `filters` - The filter settings used with image replication. Specifying a repository filter to a replication rule provides a method for controlling which repositories in a private registry are replicated. If no filters are added, the contents of all repositories are replicated. Each block of `filters` as defined below.<br/>      (Optional) `type` - The repository filter type. The only supported value is `PREFIX_MATCH`, which is a repository name prefix. Defaults to `PREFIX_MATCH`.<br/>      (Required) `value` - The repository filter value. | <pre>list(object({<br/>    destinations = list(object({<br/>      account = optional(string)<br/>      region  = string<br/>    }))<br/>    filters = optional(list(object({<br/>      type  = optional(string, "PREFIX_MATCH")<br/>      value = string<br/>    })), [])<br/>  }))</pre> | `[]` | no |
 | <a name="input_scanning_basic_version"></a> [scanning\_basic\_version](#input\_scanning\_basic\_version) | (Optional) The version of basic scanning for the registry. Valid values are `AWS_NATIVE` or `CLAIR`. Defaults to `AWS_NATIVE`. `CLAIR` was deprecated. | `string` | `"AWS_NATIVE"` | no |
-| <a name="input_scanning_rules"></a> [scanning\_rules](#input\_scanning\_rules) | (Optional) A list of scanning rules to determine which repository filters are used and at what frequency scanning will occur. Each block of `scanning_rules` as defined below.<br/>    (Required) `frequency` - The frequency that scans are performed at for a private registry. Valid values are `SCAN_ON_PUSH`, `CONTINUOUS_SCAN`.<br/>    (Optional) `filters` - The configuration of repository filters for image scanning.<br/>      (Optional) `type` - The repository filter type. The only supported value is `WILDCARD`. A filter with no wildcard will match all repository names that contain the filter. A filter with a wildcard (*) matches on any repository name where the wildcard replaces zero or more characters in the repository name. Defaults to `WILDCARD`.<br/>      (Required) `value` - The repository filter value. | <pre>list(object({<br/>    frequency = string<br/>    filters = optional(list(object({<br/>      type  = optional(string, "WILDCARD")<br/>      value = string<br/>    })), [])<br/>  }))</pre> | `[]` | no |
+| <a name="input_scanning_rules"></a> [scanning\_rules](#input\_scanning\_rules) | (Optional) A list of scanning rules to determine which repository filters are used and at what frequency scanning will occur. Each block of `scanning_rules` as defined below.<br/>    (Required) `frequency` - The frequency that scans are performed at for a private registry. Valid values are `SCAN_ON_PUSH`, `CONTINUOUS_SCAN` and `MANUAL`.<br/><br/>      - When the `ENHANCED` scan type is specified, the supported scan frequencies are `CONTINUOUS_SCAN` and `SCAN_ON_PUSH`.<br/>      - When the `BASIC` scan type is specified, the `SCAN_ON_PUSH` scan frequency is supported. If scan on push is not specified, then the `MANUAL` scan frequency is set by default.<br/>    (Optional) `filters` - The configuration of repository filters for image scanning.<br/>      (Optional) `type` - The repository filter type. The only supported value is `WILDCARD`. A filter with no wildcard will match all repository names that contain the filter. A filter with a wildcard (*) matches on any repository name where the wildcard replaces zero or more characters in the repository name. Defaults to `WILDCARD`.<br/>      (Required) `value` - The repository filter value. | <pre>list(object({<br/>    frequency = string<br/>    filters = optional(list(object({<br/>      type  = optional(string, "WILDCARD")<br/>      value = string<br/>    })), [])<br/>  }))</pre> | `[]` | no |
 | <a name="input_scanning_type"></a> [scanning\_type](#input\_scanning\_type) | (Optional) The scanning type to set for the registry. Valid values are `ENHANCED` or `BASIC`. Defaults to `BASIC`. | `string` | `"BASIC"` | no |
 
 ## Outputs
@@ -66,6 +67,7 @@ No modules.
 | <a name="output_policy_version"></a> [policy\_version](#output\_policy\_version) | The policy version of ECR registry. |
 | <a name="output_pull_through_cache_policies"></a> [pull\_through\_cache\_policies](#output\_pull\_through\_cache\_policies) | A list of Pull Through Cache policies for ECR Registry. |
 | <a name="output_pull_through_cache_rules"></a> [pull\_through\_cache\_rules](#output\_pull\_through\_cache\_rules) | A list of Pull Through Cache Rules for ECR registry. |
+| <a name="output_region"></a> [region](#output\_region) | The AWS region this module resources resides in. |
 | <a name="output_replication_policies"></a> [replication\_policies](#output\_replication\_policies) | A list of replication policies for ECR Registry. |
 | <a name="output_replication_rules"></a> [replication\_rules](#output\_replication\_rules) | A list of replication rules for ECR Registry. |
 | <a name="output_scanning_basic_version"></a> [scanning\_basic\_version](#output\_scanning\_basic\_version) | The version of basic scanning for the registry. |
diff --git a/modules/ecr-registry/main.tf b/modules/ecr-registry/main.tf
@@ -15,11 +15,13 @@ locals {
 }
 
 data "aws_caller_identity" "this" {}
-data "aws_region" "this" {}
+data "aws_region" "this" {
+  region = var.region
+}
 
 locals {
   account_id = data.aws_caller_identity.this.id
-  region     = data.aws_region.this.name
+  region     = data.aws_region.this.region
 }
 
 
@@ -28,6 +30,8 @@ locals {
 ###################################################
 
 resource "aws_ecr_account_setting" "registry_policy_scope" {
+  region = var.region
+
   name  = "REGISTRY_POLICY_SCOPE"
   value = var.policy_version
 }
@@ -48,5 +52,7 @@ resource "aws_ecr_registry_policy" "this" {
     var.policy != null,
   ]) ? 1 : 0
 
+  region = var.region
+
   policy = data.aws_iam_policy_document.this.json
 }
diff --git a/modules/ecr-registry/outputs.tf b/modules/ecr-registry/outputs.tf
@@ -1,3 +1,8 @@
+output "region" {
+  description = "The AWS region this module resources resides in."
+  value       = aws_ecr_account_setting.registry_policy_scope.region
+}
+
 output "name" {
   description = "The name of the registry."
   value       = local.metadata.name
diff --git a/modules/ecr-registry/pull-through-cache.tf b/modules/ecr-registry/pull-through-cache.tf
@@ -52,11 +52,21 @@ resource "aws_ecr_pull_through_cache_rule" "this" {
     coalesce(rule.namespace, local.default_namespaces[rule.upstream_url]) => rule
   }
 
+  region = var.region
+
   ecr_repository_prefix = each.key
   upstream_registry_url = each.value.upstream_url
+  upstream_repository_prefix = (endswith(each.value.upstream_url, "amazonaws.com")
+    ? each.value.upstream_prefix
+    : null
+  )
 
   credential_arn = (each.value.credential != null
     ? each.value.credential.secretsmanager_secret
     : null
   )
+  custom_role_arn = (each.value.credential != null
+    ? each.value.credential.iam_role
+    : null
+  )
 }
diff --git a/modules/ecr-registry/replication.tf b/modules/ecr-registry/replication.tf
@@ -39,6 +39,8 @@ data "aws_iam_policy_document" "replication" {
 resource "aws_ecr_replication_configuration" "this" {
   count = length(var.replication_rules) > 0 ? 1 : 0
 
+  region = var.region
+
   replication_configuration {
     dynamic "rule" {
       for_each = var.replication_rules
diff --git a/modules/ecr-registry/scanning.tf b/modules/ecr-registry/scanning.tf
@@ -3,11 +3,15 @@
 ###################################################
 
 resource "aws_ecr_account_setting" "basic_scan_type_version" {
+  region = var.region
+
   name  = "BASIC_SCAN_TYPE_VERSION"
   value = var.scanning_basic_version
 }
 
 resource "aws_ecr_registry_scanning_configuration" "this" {
+  region = var.region
+
   scan_type = var.scanning_type
 
   dynamic "rule" {
diff --git a/modules/ecr-registry/variables.tf b/modules/ecr-registry/variables.tf
@@ -1,3 +1,10 @@
+variable "region" {
+  description = "(Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region."
+  type        = string
+  default     = null
+  nullable    = true
+}
+
 variable "policy_version" {
   description = <<EOF
   (Optional) The policy version of ECR registry. Valid values are `V1` or `V2`. Defaults to `V2`.
@@ -91,16 +98,20 @@ variable "pull_through_cache_policies" {
 variable "pull_through_cache_rules" {
   description = <<EOF
   (Optional) A list of Pull Through Cache Rules for ECR registry. A `pull_through_cache_rules` block as defined below.
-    (Required) `upstream_url` - The registry URL of the upstream public registry to use as the source.
+    (Required) `upstream_url` - The registry URL of the upstream registry to use as the source.
+    (Optional) `upstream_prefix` - The upstream repository prefix associated with the pull through cache rule. Used if the upstream registry is an ECR private registry. Defaults to `ROOT`.
     (Optional) `namespace` - The repository name prefix to use when caching images from the source registry. Default value is used if not provided.
     (Optional) `credential` - The configuration for credential to use to authenticate against the registry. A `credential` block as defined below.
       (Required) `secretsmanager_secret` - The ARN of the Secrets Manager secret to use for authentication.
+      (Optional) `iam_role` - The ARN of the IAM role associated with the pull through cache rule. Must be specified if the upstream registry is a cross-account ECR private registry.
   EOF
   type = list(object({
-    upstream_url = string
-    namespace    = optional(string)
+    upstream_url    = string
+    upstream_prefix = optional(string, "ROOT")
+    namespace       = optional(string)
     credential = optional(object({
       secretsmanager_secret = string
+      iam_role              = optional(string)
     }))
   }))
   default  = []
@@ -138,7 +149,10 @@ variable "scanning_basic_version" {
 variable "scanning_rules" {
   description = <<EOF
   (Optional) A list of scanning rules to determine which repository filters are used and at what frequency scanning will occur. Each block of `scanning_rules` as defined below.
-    (Required) `frequency` - The frequency that scans are performed at for a private registry. Valid values are `SCAN_ON_PUSH`, `CONTINUOUS_SCAN`.
+    (Required) `frequency` - The frequency that scans are performed at for a private registry. Valid values are `SCAN_ON_PUSH`, `CONTINUOUS_SCAN` and `MANUAL`.
+
+      - When the `ENHANCED` scan type is specified, the supported scan frequencies are `CONTINUOUS_SCAN` and `SCAN_ON_PUSH`.
+      - When the `BASIC` scan type is specified, the `SCAN_ON_PUSH` scan frequency is supported. If scan on push is not specified, then the `MANUAL` scan frequency is set by default.
     (Optional) `filters` - The configuration of repository filters for image scanning.
       (Optional) `type` - The repository filter type. The only supported value is `WILDCARD`. A filter with no wildcard will match all repository names that contain the filter. A filter with a wildcard (*) matches on any repository name where the wildcard replaces zero or more characters in the repository name. Defaults to `WILDCARD`.
       (Required) `value` - The repository filter value.
@@ -156,9 +170,20 @@ variable "scanning_rules" {
   validation {
     condition = alltrue([
       for rule in var.scanning_rules :
-      contains(["SCAN_ON_PUSH", "CONTINUOUS_SCAN"], rule.frequency)
+      contains(["SCAN_ON_PUSH", "CONTINUOUS_SCAN", "MANUAL"], rule.frequency)
+    ])
+    error_message = "Valid values for `frequency` are `SCAN_ON_PUSH`, `CONTINUOUS_SCAN` and `MANUAL."
+  }
+
+  validation {
+    condition = alltrue([
+      for rule in var.scanning_rules :
+      (
+        (var.scanning_type == "ENHANCED" && contains(["CONTINUOUS_SCAN", "SCAN_ON_PUSH"], rule.frequency)) ||
+        (var.scanning_type == "BASIC" && contains(["SCAN_ON_PUSH", "MANUAL"], rule.frequency))
+      )
     ])
-    error_message = "Valid values for `frequency` are `SCAN_ON_PUSH`, `CONTINUOUS_SCAN`."
+    error_message = "For `ENHANCED` scanning_type, valid frequencies are `CONTINUOUS_SCAN` and `SCAN_ON_PUSH`. For `BASIC` scanning_type, valid frequencies are `SCAN_ON_PUSH` and `MANUAL`."
   }
 
   validation {
diff --git a/modules/ecr-registry/versions.tf b/modules/ecr-registry/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.10"
+  required_version = ">= 1.12"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.83"
+      version = ">= 6.12"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,10 @@`
`1`	`1`	`terraform {`
`2`		`- required_version = ">= 1.10"`
	`2`	`+ required_version = ">= 1.12"`
`3`	`3`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 5.83"`
	`7`	`+ version = ">= 6.12"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`