Welcome to the Standard Platform β a suite of reusable and production-ready Terraform modules purpose-built for AWS environments. Each module encapsulates best practices, security configurations, and sensible defaults to simplify and standardize infrastructure provisioning across projects.
-
π Image Scanning on Push - Automatically scan container images for vulnerabilities when pushed to the repository
-
π·οΈ Tag Mutability with Exclusions - Configure immutable tags with exceptions for specific tag patterns
-
π Lifecycle Policies - Automatically manage image lifecycle to reduce storage costs
-
π KMS Encryption - Encrypt container images using AWS KMS for enhanced security
-
π Registry Replication - Configure cross-region replication for container images
-
π‘οΈ Registry Scanning Configuration - Configure enhanced scanning rules at the registry level
| Name | Version |
|---|---|
| terraform-aws-modules/ecr/aws | 3.1.0 |
ecr_parameters = {
"example" = {
repository_image_scan_on_push = true
repository_image_tag_mutability = "IMMUTABLE"
repository_type = "private"
}
}Enable automatic vulnerability scanning for container images when they are pushed to the ECR repository. This helps identify security issues early in the development lifecycle and ensures only secure images are deployed.
Configuration Code
ecr_parameters = {
"example" = {
repository_image_scan_on_push = true
repository_type = "private"
}
}Use IMMUTABLE_WITH_EXCLUSION to enforce immutable tags while allowing specific tag patterns (like dev-, qa-, latest*) to be overwritten. This provides security for production tags while maintaining flexibility for development workflows.
Configuration Code
ecr_parameters = {
"example" = {
repository_image_tag_mutability = "IMMUTABLE_WITH_EXCLUSION"
repository_image_tag_mutability_exclusion_filter = [
{
filter = "latest*"
filter_type = "WILDCARD"
},
{
filter = "dev-*"
filter_type = "WILDCARD"
},
{
filter = "qa-*"
filter_type = "WILDCARD"
}
]
}
}Configure lifecycle policies to automatically expire old or untagged images based on count, age, or tag patterns. This helps reduce storage costs by keeping only the images you need.
Configuration Code
ecr_parameters = {
"example" = {
create_lifecycle_policy = true
repository_lifecycle_policy = jsonencode({
rules = [
{
rulePriority = 1
description = "Keep last 30 images"
selection = {
tagStatus = "any"
countType = "imageCountMoreThan"
countNumber = 30
}
action = {
type = "expire"
}
},
{
rulePriority = 2
description = "Expire untagged images older than 7 days"
selection = {
tagStatus = "untagged"
countType = "sinceImagePushed"
countUnit = "days"
countNumber = 7
}
action = {
type = "expire"
}
}
]
})
}
}Use AWS KMS to encrypt container images at rest. This provides additional security controls and allows you to manage encryption keys centrally, with support for key rotation and access policies.
Configuration Code
ecr_parameters = {
"example" = {
repository_encryption_type = "KMS"
repository_kms_key = "arn:aws:kms:region:account:key/key-id"
repository_type = "private"
}
}Set up automatic replication of container images across multiple AWS regions. This improves availability, reduces latency for multi-region deployments, and provides disaster recovery capabilities.
Configuration Code
ecr_parameters = {
"example" = {
create_registry_replication_configuration = true
registry_replication_rules = [{
destinations = [
{
region = "us-west-2"
registry_id = "{account_id}"
},
{
region = "eu-west-1"
registry_id = "{account_id}"
}
]
repository_filters = [{
filter = "prod-microservice"
filter_type = "PREFIX_MATCH"
}]
}]
}
}Set up registry-level scanning configuration with custom scan rules based on tag patterns. This allows you to define different scanning frequencies (SCAN_ON_PUSH, CONTINUOUS_SCAN) for different image tags.
Configuration Code
ecr_parameters = {
"example" = {
manage_registry_scanning_configuration = true
registry_scan_type = "ENHANCED"
registry_scan_rules = [
{
scan_frequency = "SCAN_ON_PUSH"
filter = [
{
filter = "prod-*"
filter_type = "WILDCARD"
},
{
filter = "release-*"
filter_type = "WILDCARD"
}
]
},
{
scan_frequency = "CONTINUOUS_SCAN"
filter = [
{
filter = "latest"
filter_type = "WILDCARD"
}
]
}
]
}
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| attach_repository_policy | Controls whether to attach a repository policy to the ECR repository | bool |
true |
no |
| create | Controls whether to create the ECR repository and associated resources | bool |
true |
no |
| create_lifecycle_policy | Controls whether to create a lifecycle policy for the repository | bool |
true |
no |
| create_registry_policy | Controls whether to create a registry policy | bool |
false |
no |
| create_registry_replication_configuration | Controls whether to create registry replication configuration | bool |
false |
no |
| create_repository | Controls whether to create the ECR repository | bool |
true |
no |
| create_repository_policy | Controls whether to create a repository policy | bool |
true |
no |
| manage_registry_scanning_configuration | Controls whether to manage registry scanning configuration | bool |
false |
no |
| public_repository_catalog_data | Public repository catalog data configuration | any |
null |
no |
| region | Region where this resource will be managed. Defaults to the Region set in the provider configuration | string |
null |
no |
| registry_policy | Registry policy document | string |
null |
no |
| registry_pull_through_cache_rules | Registry pull through cache rules | map |
{} |
no |
| registry_replication_rules | Registry replication rules | any |
null |
no |
| registry_scan_rules | Registry scan rules | any |
null |
no |
| registry_scan_type | Registry scan type (BASIC or ENHANCED) | string |
"ENHANCED" |
no |
| repository_encryption_type | Encryption type for the repository (AES256 or KMS) | string |
null |
no |
| repository_force_delete | Force delete the repository even if it contains images | bool |
null |
no |
| repository_image_scan_on_push | Enable image scanning on push | bool |
true |
no |
| repository_image_tag_mutability | Tag mutability (MUTABLE or IMMUTABLE) | string |
"IMMUTABLE" |
no |
| repository_image_tag_mutability_exclusion_filter | Tag mutability exclusion filter | list |
null |
no |
| repository_kms_key | KMS key ARN for encryption | string |
null |
no |
| repository_lambda_read_access_arns | Lambda function ARNs with read access | list |
[] |
no |
| repository_lifecycle_policy | Lifecycle policy document | string |
"" |
no |
| repository_name | Name of the ECR repository | string |
"${local.common_name}-${each.key}" |
no |
| repository_policy | Repository policy document | string |
null |
no |
| repository_policy_statements | Repository policy statements | any |
null |
no |
| repository_read_access_arns | ARNs with read access to the repository | list |
[] |
no |
| repository_read_write_access_arns | ARNs with read/write access to the repository | list |
[] |
no |
| repository_type | Repository type (private or public) | string |
"private" |
no |
| tags | A map of tags to assign to resources | map |
{} |
no |
β οΈ Tag Mutability: Once set to IMMUTABLE, tags cannot be overwritten. Use MUTABLE for development environments where you need to reuse tags.β οΈ Image Scanning: Enable image scanning on push to automatically scan images for vulnerabilities.β οΈ Repository Policies: Configure repository policies to control access to your container images.β οΈ Lifecycle Policies: Use lifecycle policies to automatically clean up old images and reduce storage costs.
We welcome contributions! Please see our contributing guidelines for more details.
- π§ Email: info@gocloud.la
We are focused on Cloud Engineering, DevOps, and Infrastructure as Code. We specialize in helping companies design, implement, and operate secure and scalable cloud-native platforms.
- π www.gocloud.la
- βοΈ AWS Advanced Partner (Terraform, DevOps, GenAI)
- π« Contact: info@gocloud.la
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
![@github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=64&v=4){kind=small}
