feat: Support image_tag_mutability_exclusion_filter for aws_ecr_repository_creation_template

README.md

@@ -195,13 +195,13 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.8 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.10 |
 
 ## Modules
 

examples/complete/README.md

@@ -28,13 +28,13 @@ Note that this example may create resources which will incur monetary charges on
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.8 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.10 |
 
 ## Modules
 

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.8"
+      version = ">= 6.10"
     }
   }
 }

examples/repository-template/README.md

@@ -22,13 +22,13 @@ If you validate the example by using the pull-through cache, you will need to ma
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.8 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.10 |
 
 ## Modules
 

examples/repository-template/main.tf

@@ -50,6 +50,22 @@ module "public_ecr_pull_through_cache_repository_template" {
   create_pull_through_cache_rule = true
   upstream_registry_url          = "public.ecr.aws"
 
+  image_tag_mutability = "MUTABLE_WITH_EXCLUSION"
+  image_tag_mutability_exclusion_filter = [
+    {
+      filter      = "latest*"
+      filter_type = "WILDCARD"
+    },
+    {
+      filter      = "dev-*"
+      filter_type = "WILDCARD"
+    },
+    {
+      filter      = "qa-*"
+      filter_type = "WILDCARD"
+    }
+  ]
+
   tags = local.tags
 }
 

examples/repository-template/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.8"
+      version = ">= 6.10"
     }
   }
 }

modules/repository-template/README.md

@@ -98,13 +98,13 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.10 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.8 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.10 |
 
 ## Modules
 
@@ -145,6 +145,7 @@ No modules.
 | <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the IAM role created | `map(string)` | `{}` | no |
 | <a name="input_iam_role_use_name_prefix"></a> [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`iam_role_name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_image_tag_mutability"></a> [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for any created repositories. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
+| <a name="input_image_tag_mutability_exclusion_filter"></a> [image\_tag\_mutability\_exclusion\_filter](#input\_image\_tag\_mutability\_exclusion\_filter) | Configuration block that defines filters to specify which image tags can override the default tag mutability setting. Only applicable when image\_tag\_mutability is set to IMMUTABLE\_WITH\_EXCLUSION or MUTABLE\_WITH\_EXCLUSION. | <pre>list(object({<br/>    filter      = string<br/>    filter_type = string<br/>  }))</pre> | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the repositories created | `string` | `null` | no |
 | <a name="input_lifecycle_policy"></a> [lifecycle\_policy](#input\_lifecycle\_policy) | The lifecycle policy document to apply to any created repositories | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | (Required) The repository name prefix to match against. Use `ROOT` to match any prefix that doesn't explicitly match another template | `string` | `""` | no |

modules/repository-template/main.tf

@@ -30,6 +30,14 @@ resource "aws_ecr_repository_creation_template" "this" {
     }
   }
 
+  dynamic "image_tag_mutability_exclusion_filter" {
+    for_each = var.image_tag_mutability_exclusion_filter != null ? var.image_tag_mutability_exclusion_filter : []
+    content {
+      filter      = image_tag_mutability_exclusion_filter.value.filter
+      filter_type = image_tag_mutability_exclusion_filter.value.filter_type
+    }
+  }
+
   image_tag_mutability = var.image_tag_mutability
   lifecycle_policy     = var.lifecycle_policy
   prefix               = var.prefix

modules/repository-template/variables.tf

@@ -50,6 +50,15 @@ variable "kms_key_arn" {
   default     = null
 }
 
+variable "image_tag_mutability_exclusion_filter" {
+  description = "Configuration block that defines filters to specify which image tags can override the default tag mutability setting. Only applicable when image_tag_mutability is set to IMMUTABLE_WITH_EXCLUSION or MUTABLE_WITH_EXCLUSION."
+  type = list(object({
+    filter      = string
+    filter_type = string
+  }))
+  default = null
+}
+
 variable "image_tag_mutability" {
   description = "The tag mutability setting for any created repositories. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE`"
   type        = string

modules/repository-template/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.8"
+      version = ">= 6.10"
     }
   }
 }

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.8"
+      version = ">= 6.10"
     }
   }
 }

wrappers/repository-template/main.tf

@@ -3,32 +3,33 @@ module "wrapper" {
 
   for_each = var.items
 
-  applied_for                        = try(each.value.applied_for, var.defaults.applied_for, ["PULL_THROUGH_CACHE"])
-  create                             = try(each.value.create, var.defaults.create, true)
-  create_iam_role                    = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
-  create_pull_through_cache_rule     = try(each.value.create_pull_through_cache_rule, var.defaults.create_pull_through_cache_rule, false)
-  create_repository_policy           = try(each.value.create_repository_policy, var.defaults.create_repository_policy, true)
-  credential_arn                     = try(each.value.credential_arn, var.defaults.credential_arn, null)
-  custom_role_arn                    = try(each.value.custom_role_arn, var.defaults.custom_role_arn, null)
-  description                        = try(each.value.description, var.defaults.description, null)
-  encryption_type                    = try(each.value.encryption_type, var.defaults.encryption_type, "AES256")
-  iam_role_description               = try(each.value.iam_role_description, var.defaults.iam_role_description, null)
-  iam_role_name                      = try(each.value.iam_role_name, var.defaults.iam_role_name, null)
-  iam_role_path                      = try(each.value.iam_role_path, var.defaults.iam_role_path, null)
-  iam_role_permissions_boundary      = try(each.value.iam_role_permissions_boundary, var.defaults.iam_role_permissions_boundary, null)
-  iam_role_tags                      = try(each.value.iam_role_tags, var.defaults.iam_role_tags, {})
-  iam_role_use_name_prefix           = try(each.value.iam_role_use_name_prefix, var.defaults.iam_role_use_name_prefix, true)
-  image_tag_mutability               = try(each.value.image_tag_mutability, var.defaults.image_tag_mutability, "IMMUTABLE")
-  kms_key_arn                        = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
-  lifecycle_policy                   = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, null)
-  prefix                             = try(each.value.prefix, var.defaults.prefix, "")
-  region                             = try(each.value.region, var.defaults.region, null)
-  repository_lambda_read_access_arns = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, [])
-  repository_policy                  = try(each.value.repository_policy, var.defaults.repository_policy, null)
-  repository_policy_statements       = try(each.value.repository_policy_statements, var.defaults.repository_policy_statements, null)
-  repository_read_access_arns        = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, [])
-  repository_read_write_access_arns  = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, [])
-  resource_tags                      = try(each.value.resource_tags, var.defaults.resource_tags, {})
-  tags                               = try(each.value.tags, var.defaults.tags, {})
-  upstream_registry_url              = try(each.value.upstream_registry_url, var.defaults.upstream_registry_url, null)
+  applied_for                           = try(each.value.applied_for, var.defaults.applied_for, ["PULL_THROUGH_CACHE"])
+  create                                = try(each.value.create, var.defaults.create, true)
+  create_iam_role                       = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
+  create_pull_through_cache_rule        = try(each.value.create_pull_through_cache_rule, var.defaults.create_pull_through_cache_rule, false)
+  create_repository_policy              = try(each.value.create_repository_policy, var.defaults.create_repository_policy, true)
+  credential_arn                        = try(each.value.credential_arn, var.defaults.credential_arn, null)
+  custom_role_arn                       = try(each.value.custom_role_arn, var.defaults.custom_role_arn, null)
+  description                           = try(each.value.description, var.defaults.description, null)
+  encryption_type                       = try(each.value.encryption_type, var.defaults.encryption_type, "AES256")
+  iam_role_description                  = try(each.value.iam_role_description, var.defaults.iam_role_description, null)
+  iam_role_name                         = try(each.value.iam_role_name, var.defaults.iam_role_name, null)
+  iam_role_path                         = try(each.value.iam_role_path, var.defaults.iam_role_path, null)
+  iam_role_permissions_boundary         = try(each.value.iam_role_permissions_boundary, var.defaults.iam_role_permissions_boundary, null)
+  iam_role_tags                         = try(each.value.iam_role_tags, var.defaults.iam_role_tags, {})
+  iam_role_use_name_prefix              = try(each.value.iam_role_use_name_prefix, var.defaults.iam_role_use_name_prefix, true)
+  image_tag_mutability                  = try(each.value.image_tag_mutability, var.defaults.image_tag_mutability, "IMMUTABLE")
+  image_tag_mutability_exclusion_filter = try(each.value.image_tag_mutability_exclusion_filter, var.defaults.image_tag_mutability_exclusion_filter, null)
+  kms_key_arn                           = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
+  lifecycle_policy                      = try(each.value.lifecycle_policy, var.defaults.lifecycle_policy, null)
+  prefix                                = try(each.value.prefix, var.defaults.prefix, "")
+  region                                = try(each.value.region, var.defaults.region, null)
+  repository_lambda_read_access_arns    = try(each.value.repository_lambda_read_access_arns, var.defaults.repository_lambda_read_access_arns, [])
+  repository_policy                     = try(each.value.repository_policy, var.defaults.repository_policy, null)
+  repository_policy_statements          = try(each.value.repository_policy_statements, var.defaults.repository_policy_statements, null)
+  repository_read_access_arns           = try(each.value.repository_read_access_arns, var.defaults.repository_read_access_arns, [])
+  repository_read_write_access_arns     = try(each.value.repository_read_write_access_arns, var.defaults.repository_read_write_access_arns, [])
+  resource_tags                         = try(each.value.resource_tags, var.defaults.resource_tags, {})
+  tags                                  = try(each.value.tags, var.defaults.tags, {})
+  upstream_registry_url                 = try(each.value.upstream_registry_url, var.defaults.upstream_registry_url, null)
 }

wrappers/repository-template/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.8"
+      version = ">= 6.10"
     }
   }
 }

wrappers/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.8"
+      version = ">= 6.10"
     }
   }
 }