Conversation

@renovate renovate bot commented Sep 22, 2025

This PR contains the following updates:

Package             Type    Update  Change
cloudposse/ecr/aws  module  major   0.34.0 -> 1.0.0

Release Notes

cloudposse/terraform-aws-ecr (cloudposse/ecr/aws)

v1.0.0

Compare Source

Add support for image_tag_mutability_exclusion_filter in ECR repositories @copilot-swe-agent[bot] (#153)

This PR implements support for the `image_tag_mutability_exclusion_filter` feature in AWS ECR repositories, allowing fine-grained control over tag mutability settings.

Problem

ECR repositories previously only supported global image_tag_mutability settings (MUTABLE or IMMUTABLE), which applied to all tags uniformly. This created limitations in scenarios where users needed mixed mutability - for example, keeping production tags immutable while allowing development tags like latest, dev-*, or feature-* to be mutable.

Solution

Added comprehensive support for image_tag_mutability_exclusion_filter which allows users to define specific tag patterns that should be excluded from the repository's global mutability setting.

Key Changes
  1. New Variable: Added image_tag_mutability_exclusion_filter variable with proper type definition:

    image_tag_mutability_exclusion_filter = [
      {
        filter      = "latest"
        filter_type = "WILDCARD"
      },
      {
        filter      = "dev-"
        filter_type = "WILDCARD"
      }
    ]
  2. Dynamic Resource Block: Implemented dynamic block in aws_ecr_repository resource to conditionally apply exclusion filters.

  3. Comprehensive Validation: Added validation rules to ensure:

    • filter_type must be a valid value (WILDCARD)
    • filter values cannot be empty or whitespace-only
  4. Provider Version Update: Updated minimum AWS provider version to >= 6.8.0 to support this feature across all modules and examples.

Usage Example
module "ecr" {
  source = "cloudposse/ecr/aws"
  
  namespace              = "company"
  stage                  = "prod"
  name                   = "api"
  image_tag_mutability   = "IMMUTABLE_WITH_EXCLUSIONS"

  # Allow specific tag patterns to be mutable while keeping others immutable
  image_tag_mutability_exclusion_filter = [
    {
      filter      = "latest"
      filter_type = "WILDCARD"
    },
    {
      filter      = "dev-"
      filter_type = "WILDCARD"
    }
  ]
}

This enables scenarios where production tags remain immutable for safety, while development and utility tags maintain flexibility for iterative workflows.

Documentation

Updated README.md with comprehensive documentation including:

  • Advanced usage examples showing real-world scenarios
  • Provider version requirements and migration notes
  • Complete variable reference in the inputs table

Testing

  • ✅ All Terraform validation passes
  • ✅ Formatting checks pass across all modules
  • ✅ Variable validation correctly catches invalid configurations
  • ✅ Examples updated and validated
  • ✅ Backward compatibility maintained

Breaking Changes

This is an additive feature that defaults to an empty list, preserving existing behavior.

HOWEVER the AWS Provider is updated two major versions.

Requirements

  • AWS Provider >= 6.8.0 (updated across all modules and examples)
  • Terraform >= 0.13.0 (unchanged)

[!WARNING]

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint-api.hashicorp.com
    • Triggering command: terraform version (dns block)
    • Triggering command: terraform init (dns block)
    • Triggering command: terraform fmt -check (dns block)
  • esm.ubuntu.com
    • Triggering command: /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

This pull request was created as a result of the following prompt from Copilot chat.

Implement support for image_tag_mutability_exclusion_filter in the AWS ECR repository resource in main.tf. This entails:

  • Adding a new variable to the module for configuring exclusion filters.
  • Using a dynamic block for image_tag_mutability_exclusion_filter in the resource, referencing the new variable(s).
  • Documenting the new variable(s) in the README.md, with usage examples and a note about the minimum AWS provider version (>= 6.8.0).
  • Updating versions.tf to bump the minimum AWS provider version to 6.8.0.
  • Updating changelog and examples if needed.


v0.44.0

Compare Source

Support disabling default rules @Benbentwo (#149)

what

Adds a variable with defaults to allow disabling the default rules.

why

As part of #146 we added custom lifecycle policies. Now there's a problem where our default rules conflict or are forced at certain points in certain orders relative to our custom lifecycle policies. We want to be able to disable them if they don't meet our needs.

references

#146


e.g.

        default_lifecycle_rules_settings:
          untagged_image_rule:
            enabled: false
          remove_old_image_rule:
            enabled: false

        custom_lifecycle_rules: 
          - selection: 
              tagStatus: "tagged"
              countType: "imageCountMoreThan"
              countNumber: 1000
              tagPrefixList: ["prod-"]
            description: "Expire images older than 1000 for all tags starting with prod-"
            action: 
              type: "expire"
          - selection: 
              tagStatus: "tagged"
              countType: "imageCountMoreThan"
              countNumber: 1000
              tagPrefixList: ["staging-"]
            description: "Expire images older than 1000 for all tags starting with staging-"
            action: 
              type: "expire"
          - selection: 
              tagStatus: "tagged"
              countType: "imageCountMoreThan"
              countNumber: 1000
              tagPrefixList: ["dev-"]
            description: "Expire images older than 1000 for all tags starting with dev-"
            action: 
              type: "expire"

results in just the custom_lifecycle_rules being created. No default behavior change

v0.43.0

Compare Source

bugfix: validation and null countUnit @Benbentwo (#148)

This pull request refines the handling of custom lifecycle rules in Terraform configurations by improving validation logic and enhancing the selection merging process. The changes aim to make the code more robust and handle edge cases more effectively.
Improvements to selection merging logic:
  • Enhanced null-checks and condition handling in main.tf: The selection merging logic now includes a check to ensure that countUnit is only added if it is not null, and the filtering logic for keys like tagPrefixList and tagPatternList has been updated to handle null values more gracefully. (main.tf)
Refinements to validation logic:
  • Validation for tagStatus in variables.tf: Updated the condition to use length(coalesce(...)) for checking tagPrefixList and tagPatternList, ensuring proper handling of null or empty lists. (variables.tf)
  • Validation for countType in variables.tf: Adjusted the condition to ensure that countUnit is specified when countType is sinceImagePushed, with a clearer error message for improved readability. (variables.tf)

v0.42.2

Compare Source

Custom lifecycle policy support @Benbentwo (#146)

what

why

Allows supporting Custom Lifecycle Policies for your ECR Repositories

references

🤖 Automatic Updates

Fix go version in tests @osterman (#144)

what

  • Update go 1.24

why

  • Error loading shared library libresolv.so.2 in Go 1.20

References

Replace Makefile with atmos.yaml @osterman (#142)

what

  • Remove Makefile
  • Add atmos.yaml

why

  • Replace build-harness with atmos for readme generation

References

  • DEV-3229 Migrate from build-harness to atmos

v0.42.1

Compare Source

protected tags keep count @whereismyjetpack (#139)

  • introduce `protected_tags_keep_count`
  • updates readme

what

Adds protected_tags_keep_count and defaults it to 999999

why

A user may want to retain release tags for an extended period, but not indefinitely.

🤖 Automatic Updates

Migrate new test account @osterman (#138)

what

  • Update .github/settings.yml
  • Update .github/chatops.yml files

why

  • Re-apply .github/settings.yml from org level to get terratest environment
  • Migrate to new test account

References

  • DEV-388 Automate clean up of test account in new organization
  • DEV-387 Update terratest to work on a shared workflow instead of a dispatch action
  • DEV-386 Update terratest to use new testing account with GitHub OIDC
Update .github/settings.yml @osterman (#136)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update .github/settings.yml @osterman (#135)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub

v0.42.0

Compare Source

fix(#133): have ability to use wildcards in protected_tags variable @mrdntgrn (#134)

what

  • the change allows to pass wildcards in protected_tags list

why

  • there are use cases when the protected tags are not only prefix-definable and only a wildcard can be used, like "*prod" or semver "*.*.*"

references

v0.41.1

Compare Source

Add support for time based rotation @uhlajs (#132)

what

Add support for countType "sinceImagePushed" in ECR lifecycle policy rules.

why

  • Increase flexibility and usefulness of this module.

references

🤖 Automatic Updates

Update .github/settings.yml @osterman (#131)

what

  • Update .github/settings.yml
  • Drop .github/auto-release.yml files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub
Update release workflow to allow pull-requests: write @osterman (#129)

what

  • Update workflow (.github/workflows/release.yaml) to have permission to comment on PR

why

  • So we can support commenting on PRs with a link to the release
Update GitHub Workflows to use shared workflows from '.github' repo @osterman (#128)

what

  • Update workflows (.github/workflows) to use shared workflows from .github repo

why

  • Reduce nested levels of reusable workflows
Update GitHub Workflows to Fix ReviewDog TFLint Action @osterman (#127)

what

  • Update workflows (.github/workflows) to add issue: write permission needed by ReviewDog tflint action

why

  • The ReviewDog action will comment with line-level suggestions based on linting failures
Update GitHub workflows @osterman (#126)

what

  • Update workflows (.github/workflows/settings.yaml)

why

  • Support new readme generation workflow.
  • Generate banners
Use GitHub Action Workflows from `cloudposse/.github` Repo @osterman (#125)

what

  • Install latest GitHub Action Workflows

why

  • Use shared workflows from cloudposse/.github repository
  • Simplify management of workflows from centralized hub of configuration
Add GitHub Settings @osterman (#123)

what

  • Install a repository config (.github/settings.yaml)

why

  • Programmatically manage GitHub repo settings
Update README.md and docs @cloudpossebot (#120)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

Update Scaffolding @osterman (#121)

what

  • Reran make readme to rebuild README.md from README.yaml
  • Migrate to square badges
  • Add scaffolding for repo settings and Mergify

why

  • Upstream template changed in the .github repo
  • Work better with repository rulesets
  • Modernize look & feel

v0.41.0

Compare Source

Allow to use ECR replication @dmitrijn (#103)

Closes #99

v0.40.1

Compare Source

Allow cache through enabled repositories to fetch image from upstream @mfuhrmeisterDM (#117)

what

Add a principal list (principals_pull_though_access) which are allowed to use specific repositories as pull through cache (import images from upstream). This holds for repositories where one of the strings in prefixes_pull_through_repositories is a prefix of the repository name.

why

We are using ecr-public pull through cache and we want also new images to be downloaded automatically to the cache. Allowed principals for respective repos can use it with the newly introduced variables.

🤖 Automatic Updates

Update README.md and docs @cloudpossebot (#116)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

Update README.md and docs @cloudpossebot (#115)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

Update README.md and docs @cloudpossebot (#114)

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

v0.40.0

Compare Source

feat: support scan_type @dudymas (#113)

what

  • add scanning_configuration as child module

why

  • support scan_type settings
  • should be deployed as a per-account global, rather than per-ecr-repo

Notes

v0.39.0

Compare Source

feat: add organizations as readonly access @dragosmc (#106)

what

  • Add the ability to have organizations as trustees (read-only) for the ECR repository

why

  • As described in #82, it's sometimes useful to allow an entire organization to consume images from a centralized repository

references

v0.38.0

Compare Source

fix: cleans up principals lambda logic to separate policy doc @Gowiem (#105)

what

  • Clean up of the logic surrounding the var.principals_lambda policies

why

  • When this was originally implemented it was copy / pasted across multiple policy docs, which isn't necessary and creates a bunch of bloat.

references

v0.37.0

Compare Source

add optional policy allowing push access @kpankonen (#98)

what

  • adds the ability to give push-only access to the repository

why

  • full access was more than we wanted in our situation (CI pushing images to the repo) so we added a principals_push_access to give push-only access.

references

  • policy is based on this AWS doc
Sync github @max-lobur (#104)

Sync github from the template

v0.36.0

Compare Source

  • No changes

v0.35.0

Compare Source

adding force_delete @pcartas (#101)

Hi! I'm adding the "force_delete" parameter; it is implemented in AWS provider 4.22.0 for an easier delete of the ECR repository.

references

https://registry.terraform.io/providers/hashicorp/aws/4.22.0/docs/resources/ecr_repository

git.io->cloudposse.tools update @dylanbannon (#95)

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

  • DEV-143

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
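A worked upgrade configuration, added here as an editor's example rather than code from the Renovate PR or from the cloudposse module's own documentation. It combines the changes that matter between 0.34.0 and 1.0.0 into one root module: the AWS provider pin the v1.0.0 notes require, `IMMUTABLE_WITH_EXCLUSIONS` with exclusion filters, the v0.44.0 switch that disables the default lifecycle rules, a custom `sinceImagePushed` rule carrying the `countUnit` the v0.43.0 validation demands, wildcard `protected_tags` with `protected_tags_keep_count`, and a push-only CI principal from v0.37.0. The HCL shape of `custom_lifecycle_rules` and `default_lifecycle_rules_settings` is inferred from the YAML in the v0.44.0 notes; the account ID, role ARN, retention numbers and the use of `*` as the wildcard character in `dev-*` (the PR's own example writes `dev-`) are assumptions to verify against the module's README and the AWS ECR documentation before applying.

```hcl
terraform {
  required_version = ">= 0.13.0"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      # v1.0.0 of the module raised the floor to 6.8.0 for
      # image_tag_mutability_exclusion_filter support.
      version = ">= 6.8.0"
    }
  }
}

module "ecr" {
  source  = "cloudposse/ecr/aws"
  version = "1.0.0"

  namespace = "company"
  stage     = "prod"
  name      = "api"

  # Tags are immutable by default; only the listed patterns can be overwritten.
  # Assumption: "*" is the wildcard character for WILDCARD filters.
  image_tag_mutability = "IMMUTABLE_WITH_EXCLUSIONS"
  image_tag_mutability_exclusion_filter = [
    { filter = "latest", filter_type = "WILDCARD" },
    { filter = "dev-*", filter_type = "WILDCARD" },
  ]

  # v0.44.0: turn off the module's default rules so they do not conflict
  # with, or get ordered ahead of, the custom rules below.
  default_lifecycle_rules_settings = {
    untagged_image_rule   = { enabled = false }
    remove_old_image_rule = { enabled = false }
  }

  # v0.42.0 / v0.42.1: release tags match a wildcard and are kept,
  # but not indefinitely (retention count is an assumed value).
  protected_tags            = ["*.*.*"]
  protected_tags_keep_count = 100

  custom_lifecycle_rules = [
    {
      description = "Expire dev images not pushed in the last 14 days"
      selection = {
        tagStatus     = "tagged"
        tagPrefixList = ["dev-"]
        countType     = "sinceImagePushed"
        # v0.43.0 validation: countUnit is mandatory with sinceImagePushed.
        countUnit   = "days"
        countNumber = 14
      }
      action = { type = "expire" }
    },
    {
      description = "Keep at most 50 staging images"
      selection = {
        tagStatus     = "tagged"
        tagPrefixList = ["staging-"]
        countType     = "imageCountMoreThan"
        countNumber   = 50
      }
      action = { type = "expire" }
    },
  ]

  # v0.37.0: the CI role can push but gets no broader repository access.
  # Assumption: account ID and role name are placeholders.
  principals_push_access = [
    "arn:aws:iam::123456789012:role/ci-image-publisher",
  ]
}
```

Run `terraform init -upgrade` so the provider constraint is re-resolved, then inspect `terraform plan` for a replacement of `aws_ecr_repository` or a rewritten lifecycle policy before applying; on a repository that already holds images, a policy change takes effect on the next ECR evaluation cycle, not only at apply time.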

@renovate renovate bot added the auto-update This PR was automatically generated label Sep 22, 2025
@renovate renovate bot requested review from a team as code owners September 22, 2025 19:15
@renovate renovate bot requested review from joe-niland and nitrocode September 22, 2025 19:15
@mergify mergify bot commented Sep 22, 2025

/terratest

@renovate renovate bot force-pushed the renovate/cloudposse-ecr-aws-1.x branch from d39e249 to 47e4607 Compare October 1, 2025 22:28