IaC Bazaar
Google Cloud · Plan-validated

Artifact Registry Repositories

Docker/Maven/npm repos with cleanup policies, remote and virtual repositories, CMEK and reader/writer IAM.

gcp-artifact-registry · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

gcp-artifact-registry

Docker/Maven/npm repos with cleanup policies, remote and virtual repositories, CMEK and reader/writer IAM. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Secure defaults:

  • Docker tags immutable by default: a pushed tag can never silently be repointed to a different image (supply-chain hygiene)
  • Public members (allUsers, allAuthenticatedUsers) rejected at plan time
  • Additive per-repo IAM members (roles/artifactregistry.reader / .writer) — composes safely with IAM managed elsewhere
  • Cleanup policies validated at plan time (action is DELETE or KEEP, with exactly one of condition / most_recent_versions per policy); cleanup_policy_dry_run available for safe rollout
  • Optional CMEK per repository

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/google >= 7.0, < 8.0

Notes for integrators:

  • Virtual upstreams may reference sibling repositories in this module by key (resolved to a full resource path), or any external repo by full path. Terraform creates repos in parallel and the key reference carries no dependency edge — if a first apply races, re-apply or add module-level depends_on in your wrapper.
  • CMEK: grant the Artifact Registry service agent (service-PROJECT_NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com) roles/cloudkms.cryptoKeyEncrypterDecrypter on the key before enabling.
  • Cleanup older_than/newer_than take second-suffixed durations (e.g. "2592000s" = 30 days).
  • Migrating from GCR? A DOCKER repo + repository_urls output gives you the *-docker.pkg.dev path to retag against.
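
The CMEK ordering, immutable tags, second-suffixed cleanup durations and additive IAM described above, written directly against the hashicorp/google provider resources. This is an added example, not the module's own code or interface (the module's inputs are not shown on this page); the variable names, resource labels and the repository ID are assumptions.

```hcl
variable "project_id" { type = string }
variable "location" { type = string }
variable "kms_key_id" { type = string }    # full crypto key resource ID (hypothetical variable)
variable "writer_member" { type = string } # e.g. a CI service account principal (hypothetical variable)

data "google_project" "this" { project_id = var.project_id }

# CMEK prerequisite: let the Artifact Registry service agent use the key.
resource "google_kms_crypto_key_iam_member" "ar_agent" {
  crypto_key_id = var.kms_key_id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.this.number}@gcp-sa-artifactregistry.iam.gserviceaccount.com"
}

resource "google_artifact_registry_repository" "images" {
  project       = var.project_id
  location      = var.location
  repository_id = "images" # constructed sample name
  format        = "DOCKER"
  kms_key_name  = var.kms_key_id
  # Explicit edge so the repository is only created after the key grant exists.
  depends_on = [google_kms_crypto_key_iam_member.ar_agent]

  docker_config { immutable_tags = true }

  # Dry run first: policies are evaluated but nothing is deleted.
  cleanup_policy_dry_run = true
  cleanup_policies {
    id     = "delete-untagged-30d"
    action = "DELETE"
    condition {
      tag_state  = "UNTAGGED"
      older_than = "2592000s" # 30 days, second-suffixed
    }
  }
  cleanup_policies {
    id     = "keep-last-10"
    action = "KEEP"
    most_recent_versions { keep_count = 10 }
  }
}

# Additive binding: the _iam_member resource leaves other members of the role untouched.
resource "google_artifact_registry_repository_iam_member" "writer" {
  project    = var.project_id
  location   = google_artifact_registry_repository.images.location
  repository = google_artifact_registry_repository.images.name
  role       = "roles/artifactregistry.writer"
  member     = var.writer_member
}
```

Set cleanup_policy_dry_run to false only after reviewing what the dry run would have deleted.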

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
