IaC Bazaar
AWS · Live-tested

ECR Repository

ECR repo with lifecycle rules, scan-on-push, immutable tags, and cross-account/replication policies.

terraform · AWS · #aws


aws-ecr · terraform · v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-11

Documentation

aws-ecr

ECR repository with lifecycle rules, scan-on-push, immutable tags, and cross-account/replication policies — the lifecycle-policy JSON and least-privilege repository policy are generated for you from typed inputs. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0.

Secure defaults:

  • Immutable tags — pushed tags can never be silently overwritten
  • Scan on push enabled
  • Images always encrypted at rest (AES256, or your CMK via kms_key_arn)
  • force_delete = false — Terraform refuses to destroy a repository that still holds images
  • Untagged images (superseded layers, failed pushes) expire after 14 days

Lifecycle presets compose into one correctly prioritized policy:

  1. tagged_image_retention — keep-last-N rules per tag-prefix set
  2. untagged_expiry_days — age out untagged images
  3. max_image_count — hard cap on total images (ECR requires this tagStatus=any rule to carry the highest rulePriority value, so it is evaluated last; handled for you)
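
For reference, this is the kind of policy those three presets describe, written directly against the AWS provider's `aws_ecr_repository` and `aws_ecr_lifecycle_policy` resources. It is an added example, not the aws-ecr module's source or its input interface; the repository name, the `release` prefix and the counts are assumed values.

```hcl
# Added example using plain AWS provider resources, not the module's code.
# "example-app", the "release" prefix and the counts below are assumptions.
resource "aws_ecr_repository" "example" {
  name                 = "example-app"
  image_tag_mutability = "IMMUTABLE" # pushed tags cannot be overwritten
  force_delete         = false       # destroy fails while images remain
}

resource "aws_ecr_lifecycle_policy" "example" {
  repository = aws_ecr_repository.example.name
  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Keep the last 10 images tagged release*"
        selection = {
          tagStatus     = "tagged"
          tagPrefixList = ["release"]
          countType     = "imageCountMoreThan"
          countNumber   = 10
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Expire untagged images 14 days after push"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 14
        }
        action = { type = "expire" }
      },
      {
        # ECR rejects the policy unless the tagStatus = "any" rule has the
        # highest rulePriority number, so the cap is always evaluated last.
        rulePriority = 3
        description  = "Cap the repository at 100 images in total"
        selection = {
          tagStatus   = "any"
          countType   = "imageCountMoreThan"
          countNumber = 100
        }
        action = { type = "expire" }
      }
    ]
  })
}
```

Rules are applied in ascending `rulePriority` order, so the retention and untagged rules get to act before the cap does.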

Cross-account access is least-privilege: pull_principal_arns get exactly the three pull actions, push_principal_arns add the four push actions, and allow_lambda_pull grants the Lambda service principal scoped to functions in your own account. Pass repository_policy / lifecycle_policy JSON to take full manual control.

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
