feat: Support image_tag_mutability_exclusion_filter for aws_ecr_repository_creation_template (#62)

support tag mutability exclusion filter

Author: magreenbaum

README.md

@@ -195,13 +195,13 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.8 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.10 |
 
 ## Modules
 

examples/complete/README.md

@@ -28,13 +28,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.8 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.10 |
 
 ## Modules
 

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.8"
+      version = ">= 6.10"
     }
   }
 }

examples/repository-template/README.md

@@ -22,13 +22,13 @@ If you validate the example by using the pull-through cache, you will need to ma
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.8 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.10 |
 
 ## Modules
 

examples/repository-template/main.tf

@@ -50,6 +50,22 @@ module "public_ecr_pull_through_cache_repository_template" {
   create_pull_through_cache_rule = true
   upstream_registry_url          = "public.ecr.aws"
 
+  image_tag_mutability = "MUTABLE_WITH_EXCLUSION"
+  image_tag_mutability_exclusion_filter = [
+    {
+      filter      = "latest*"
+      filter_type = "WILDCARD"
+    },
+    {
+      filter      = "dev-*"
+      filter_type = "WILDCARD"
+    },
+    {
+      filter      = "qa-*"
+      filter_type = "WILDCARD"
+    }
+  ]
+
   tags = local.tags
 }
 

examples/repository-template/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.8"
+      version = ">= 6.10"
     }
   }
 }

modules/repository-template/README.md

@@ -98,13 +98,13 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.8 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.10 |
 
 ## Modules
 
@@ -145,6 +145,7 @@ No modules.
 | <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
 | <a name="input_iam_role_use_name_prefix"></a> [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_image_tag_mutability"></a> [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for any created repositories. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
+| <a name="input_image_tag_mutability_exclusion_filter"></a> [image\_tag\_mutability\_exclusion\_filter](#input\_image\_tag\_mutability\_exclusion\_filter) | Configuration block that defines filters to specify which image tags can override the default tag mutability setting. Only applicable when image\_tag\_mutability is set to IMMUTABLE\_WITH\_EXCLUSION or MUTABLE\_WITH\_EXCLUSION. | <pre>list(object({<br/>    filter      = string<br/>    filter_type = string<br/>  }))</pre> | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the repositories created | `string` | `null` | no |
 | <a name="input_lifecycle_policy"></a> [lifecycle\_policy](#input\_lifecycle\_policy) | The lifecycle policy document to apply to any created repositories | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | (Required) The repository name prefix to match against. Use `ROOT` to match any prefix that doesn't explicitly match another template | `string` | `""` | no |

modules/repository-template/main.tf

@@ -30,6 +30,14 @@ resource "aws_ecr_repository_creation_template" "this" {
     }
   }
 
+  dynamic "image_tag_mutability_exclusion_filter" {
+    for_each = var.image_tag_mutability_exclusion_filter != null ? var.image_tag_mutability_exclusion_filter : []
+    content {
+      filter      = image_tag_mutability_exclusion_filter.value.filter
+      filter_type = image_tag_mutability_exclusion_filter.value.filter_type
+    }
+  }
+
   image_tag_mutability = var.image_tag_mutability
   lifecycle_policy     = var.lifecycle_policy
   prefix               = var.prefix

modules/repository-template/variables.tf

@@ -50,6 +50,15 @@ variable "kms_key_arn" {
   default     = null
 }
 
+variable "image_tag_mutability_exclusion_filter" {
+  description = "Configuration block that defines filters to specify which image tags can override the default tag mutability setting. Only applicable when image_tag_mutability is set to IMMUTABLE_WITH_EXCLUSION or MUTABLE_WITH_EXCLUSION."
+  type = list(object({
+    filter      = string
+    filter_type = string
+  }))
+  default = null
+}
+
 variable "image_tag_mutability" {
   description = "The tag mutability setting for any created repositories. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE`"
   type        = string

modules/repository-template/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.8"
+      version = ">= 6.10"
     }
   }
 }