https://github.com/lgallard/terraform-aws-ecr
Terraform module to create AWS ECR (Elastic Container Registry)
- Host: GitHub
- URL: https://github.com/lgallard/terraform-aws-ecr
- Owner: lgallard
- License: apache-2.0
- Created: 2020-04-30T19:59:34.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2025-07-20T00:48:36.000Z (11 months ago)
- Last Synced: 2025-07-20T05:24:57.988Z (11 months ago)
- Topics: aws, aws-ecr, aws-ecr-terraform, ecr-registry, terraform, terraform-module, terraform-modules
- Language: HCL
- Homepage:
- Size: 26.1 MB
- Stars: 11
- Watchers: 2
- Forks: 20
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README

# terraform-aws-ecr
Terraform module to create [AWS ECR](https://aws.amazon.com/ecr/) (Elastic Container Registry) which is a fully-managed Docker container registry.
## Architecture
The terraform-aws-ecr module enables several common architectures for container image management.
### Basic ECR Architecture
```
┌──────────────┐     ┌───────────────────────┐     ┌─────────────────┐
│              │     │                       │     │                 │
│  Developer   │────▶│   AWS ECR Registry    │◀────│  CI/CD Pipeline │
│  Workstation │     │                       │     │                 │
│              │     └───────────────────────┘     └─────────────────┘
└──────────────┘               │    ▲
                               │    │
                               ▼    │
                         ┌─────────────────┐
                         │                 │
                         │   ECS / EKS     │
                         │   Services      │
                         │                 │
                         └─────────────────┘
```
For more detailed architecture diagrams including CI/CD integration, multi-region deployments, and security controls, see [docs/diagrams.md](docs/diagrams.md).
## Submodules
This module is organized with specialized submodules for better maintainability and reusability:
### KMS Module (`modules/kms/`)
Manages KMS encryption keys for ECR repositories with advanced key policies, rotation, and access control.
### Pull-Through Cache Module (`modules/pull-through-cache/`)
Manages pull-through cache rules and associated IAM resources for upstream registry integration. Supports multiple upstream registries including Docker Hub, Quay.io, GitHub Container Registry, and Amazon ECR Public.
**Key Benefits of Submodule Architecture:**
- **Separation of Concerns** - Each submodule focuses on a specific functionality
- **Optional Components** - Use only the features you need
- **Easier Maintenance** - Isolated testing and development
- **Reusability** - Submodules can be used independently in other projects
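The pull-through cache submodule in use, as an added example (not the project's own code) driven through the root module's `enable_pull_through_cache` and `pull_through_cache_rules` inputs. The account ID, region and Secrets Manager ARN are placeholders; the upstream URLs are the public endpoints of ECR Public and Docker Hub.

```hcl
# Added example: cache upstream images inside your own registry so that
# workloads pull from ECR (scanned, access-controlled, in-region) instead of
# directly from the internet. Uses only inputs documented in this module.
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "platform-base-images"

  enable_pull_through_cache = true
  pull_through_cache_rules = [
    {
      # Public upstream: no credentials required.
      ecr_repository_prefix = "ecr-public"
      upstream_registry_url = "public.ecr.aws"
    },
    {
      # Docker Hub requires authenticated pulls. ECR expects the Secrets Manager
      # secret name to start with "ecr-pullthroughcache/". Placeholder ARN below.
      ecr_repository_prefix = "docker-hub"
      upstream_registry_url = "registry-1.docker.io"
      credential_arn        = "arn:aws:secretsmanager:us-east-1:111111111111:secret:ecr-pullthroughcache/docker-hub-PLACEHOLDER"
    },
  ]

  # Images that land in the cache repositories are scanned like any other push,
  # so restrict the registry scan filter to the cached prefixes.
  enable_registry_scanning = true
  registry_scan_type       = "ENHANCED"
  scan_repository_filters  = ["docker-hub/*", "ecr-public/*"]

  tags = {
    Owner       = "Platform team"
    Environment = "shared"
  }
}
```

With these rules in place a workload pulls `<account>.dkr.ecr.<region>.amazonaws.com/docker-hub/library/nginx:1.27` and ECR fetches the image from the upstream on first use, then serves subsequent pulls from the cached repository.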
## Versioning
This module follows [Semantic Versioning](https://semver.org/) principles. For full details on the versioning scheme, release process, and compatibility guarantees, see the following documentation:
- [VERSIONING.md](VERSIONING.md) - Details on the semantic versioning scheme and release process
- [VERSION_COMPATIBILITY.md](VERSION_COMPATIBILITY.md) - Terraform and AWS provider compatibility matrix
## Usage
You can use this module to create an ECR registry using a few parameters (simple example) or define every aspect of the registry in detail (complete example).
Check the [examples](examples/) directory for examples including:
- **Simple** - Basic ECR repository with minimal configuration
- **Complete** - Full-featured ECR repository with all options
- **Protected** - Repository with deletion protection
- **With ECS Integration** - ECR configured for use with ECS
- **Multi-Region** - Repository configured for cross-region replication (manual and automatic approaches)
- **Replication** - ECR repository with built-in cross-region replication support
- **Advanced Tagging** - Comprehensive tagging strategies with templates, validation, and normalization
- **Enhanced Security** - Advanced security features with scanning and compliance
- **Lifecycle Policies** - Image lifecycle management with predefined templates
- **Pull Request Rules** - Governance and approval workflows for container images
- **Enhanced KMS** - Advanced KMS key configuration with custom policies and access control
- **Pull-Through Cache** - Cached access to upstream registries (Docker Hub, Quay, GitHub, etc.)
### Simple example
This example creates an ECR registry using a few parameters:
```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "ecr-repo-dev"

  # Tags
  tags = {
    Owner       = "DevOps team"
    Environment = "dev"
    Terraform   = true
  }
}
```
### Complete example with logging
In this example, the registry is defined in detail including CloudWatch logging:
```hcl
module "ecr" {
  source               = "lgallard/ecr/aws"
  name                 = "ecr-repo-dev"
  scan_on_push         = true
  image_tag_mutability = "IMMUTABLE"
  encryption_type      = "KMS"

  # Enable CloudWatch logging
  enable_logging     = true
  log_retention_days = 14

  # ...rest of configuration...
}
```
### CloudWatch Logging
The module supports sending ECR API actions and image push/pull events to CloudWatch Logs. When enabled:
- Creates a CloudWatch Log Group `/aws/ecr/{repository-name}`
- Sets up necessary IAM roles and policies for ECR to write logs
- Configurable log retention period (default: 30 days)
To enable logging:
```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "ecr-repo-dev"

  enable_logging = true
  # Optional: customize retention period (in days)
  log_retention_days = 14 # Valid values: 0,1,3,5,7,14,30,60,90,120,150,180,365,400,545,731,1827,3653
}
```
The module outputs logging-related ARNs:
- `cloudwatch_log_group_arn` - The ARN of the CloudWatch Log Group
- `logging_role_arn` - The ARN of the IAM role used for logging
### CloudWatch Monitoring and Alerting
The module provides comprehensive CloudWatch monitoring with metric alarms and SNS notifications for proactive repository management. When enabled:
- Creates CloudWatch metric alarms for key ECR metrics
- Monitors storage usage, API calls, and security findings
- Sends notifications via SNS for alarm state changes
- Provides visibility into repository usage and costs
#### Basic Monitoring Setup
```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "monitored-app"

  enable_monitoring = true

  # Configure monitoring thresholds
  monitoring_threshold_storage           = 10   # GB
  monitoring_threshold_api_calls         = 1000 # calls per minute
  monitoring_threshold_security_findings = 5    # findings count

  # Create SNS topic for notifications
  create_sns_topic      = true
  sns_topic_name        = "ecr-alerts"
  sns_topic_subscribers = ["admin@company.com", "devops@company.com"]
}
```
#### Monitoring Features
**CloudWatch Alarms Created:**
- **Storage Usage**: Monitors repository size in GB
- **API Call Volume**: Monitors API operations per minute
- **Image Push Count**: Monitors push frequency (10 pushes per 5 minutes)
- **Image Pull Count**: Monitors pull frequency (100 pulls per 5 minutes)
- **Security Findings**: Monitors vulnerability count (requires enhanced scanning)
**SNS Integration:**
- Automatic SNS topic creation with configurable name
- Email subscriptions for immediate notifications
- Alarm and OK state notifications
- Support for existing SNS topics
#### Advanced Monitoring Configuration
```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "production-app"

  # Enable monitoring with custom thresholds
  enable_monitoring                      = true
  monitoring_threshold_storage           = 50   # 50 GB threshold
  monitoring_threshold_api_calls         = 2000 # 2000 calls/minute
  monitoring_threshold_security_findings = 0    # Zero tolerance for vulnerabilities

  # Use existing SNS topic
  create_sns_topic = false
  sns_topic_name   = "existing-alerts-topic"

  # Enable enhanced scanning for security monitoring
  enable_registry_scanning = true
  registry_scan_type       = "ENHANCED"
  enable_secret_scanning   = true
}
```
**Monitoring Outputs:**
- `monitoring_status` - Complete monitoring configuration status
- `sns_topic_arn` - ARN of the SNS topic (if created)
- `cloudwatch_alarms` - Details of all created CloudWatch alarms
**Cost Considerations:**
- CloudWatch alarms: $0.10 per alarm per month
- SNS notifications: First 1,000 emails free, then $0.75 per 1,000
- No additional charges for metrics collection
### ECR Account Settings
Configure ECR account-level settings, including scan type version and registry policy scope. AWS is migrating from CLAIR-based scanning to AWS Native scanning technology, with CLAIR being deprecated on February 2, 2026.
```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "my-app"

  # Enable account-level settings management
  manage_account_setting  = true
  basic_scan_type_version = "AWS_NATIVE" # Use new AWS Native scanning (recommended)
  registry_policy_scope   = "V2"         # Enhanced policy scope (recommended)

  tags = {
    Environment = "production"
    Migration   = "aws-native-scanning"
  }
}
```
**Account Settings Configuration:**
- `manage_account_setting` - Whether to manage account-level ECR settings
- `basic_scan_type_version` - Scanning technology: `AWS_NATIVE` (recommended) or `CLAIR` (deprecated)
- `registry_policy_scope` - Registry policy scope: `V2` (recommended) supports all ECR actions, `V1` (legacy) supports limited actions
**Account Settings Output:**
- `account_setting` - Account setting configuration status and values for both settings
**Important Notes:**
- Requires AWS Provider >= 5.81.0 for `aws_ecr_account_setting` resource
- AWS Native scanning provides improved performance and accuracy
- CLAIR-based scanning will be deprecated on February 2, 2026
- Registry Policy Scope V2 is the default for new registries and provides granular control over all ECR actions
- AWS does not recommend reverting from V2 to V1 policy scope
### Cross-Region Replication
The module now supports automatic cross-region replication for disaster recovery and multi-region deployments. When enabled, images are automatically replicated to specified regions whenever they are pushed to the primary repository.
```hcl
module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "my-application"

  # Enable cross-region replication
  enable_replication  = true
  replication_regions = ["us-west-2", "eu-west-1", "ap-southeast-1"]

  tags = {
    Environment = "production"
    Application = "my-app"
  }
}
```
**Key Benefits:**
- **Disaster Recovery** - Images remain available if a region becomes unavailable
- **Reduced Latency** - Pull images from the nearest region
- **High Availability** - Improved resilience for multi-region workloads
- **Automatic Sync** - No manual intervention required for replication
**Important Notes:**
- Replication is configured at the registry level (affects all repositories in the account)
- Use immutable tags (`image_tag_mutability = "IMMUTABLE"`) for consistency across regions
- Additional costs apply for cross-region data transfer and storage
- Replication is one-way from the source region to destination regions
The module provides replication-related outputs:
- `replication_status` - Overall replication configuration status
- `replication_regions` - List of destination regions
- `replication_configuration_arn` - ARN of the replication configuration
For more detailed examples, see the [replication example](examples/replication/) and [multi-region example](examples/multi-region/).
### Complete example
In this example the registry is defined in detail; the full configuration is in the [examples](examples/) directory.
```hcl
module "ecr" {
  source               = "lgallard/ecr/aws"
  name                 = "ecr-repo-dev"
  scan_on_push         = true
  image_tag_mutability = "MUTABLE"
  prevent_destroy      = true # Protect repository from accidental deletion

  # Note that currently only one policy may be applied to a repository.
  policy = <
```
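A hardened variant of the complete example, as an added example (not the project's own code): immutable tags, a customer-managed KMS key with named administrators and users, lifecycle helper inputs instead of hand-written lifecycle JSON, and a pull-only repository policy built with `aws_iam_policy_document` and passed through the module's `policy` input. The account ID and role names are placeholders.

```hcl
# Added example: least-privilege repository configuration using this module's
# documented inputs. Replace the placeholder account ID and role names.
data "aws_iam_policy_document" "pull_only" {
  # Only the workload role may pull; no push, no tag overwrite, no delete.
  statement {
    sid    = "AllowPullFromWorkloadRole"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:role/ecs-task-execution-role"] # placeholder
    }
    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchCheckLayerAvailability",
    ]
  }
}

module "ecr" {
  source = "lgallard/ecr/aws"
  name   = "ecr-repo-prod"

  # A tag cannot be re-pointed after push, so the image that was scanned is
  # the image that gets deployed.
  image_tag_mutability = "IMMUTABLE"
  scan_on_push         = true
  prevent_destroy      = true

  # Customer-managed key with rotation; principals are placeholders.
  encryption_type         = "KMS"
  kms_enable_key_rotation = true
  kms_key_administrators  = ["arn:aws:iam::111111111111:role/kms-admin"]
  kms_key_users           = ["arn:aws:iam::111111111111:role/ecs-task-execution-role"]

  # Repository policy from the data source above (one policy per repository).
  policy = data.aws_iam_policy_document.pull_only.json

  # Lifecycle helpers: keep release-tagged images, expire untagged layers quickly.
  lifecycle_keep_latest_n_images       = 30
  lifecycle_tag_prefixes_to_keep       = ["v", "release-"]
  lifecycle_expire_untagged_after_days = 7

  tags = {
    Owner       = "DevOps team"
    Environment = "prod"
    Terraform   = true
  }
}
```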
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [archive](#requirement\_archive) | >= 2.0.0 |
| [aws](#requirement\_aws) | >= 5.0.0 |
## Providers
| Name | Version |
|------|---------|
| [archive](#provider\_archive) | >= 2.0.0 |
| [aws](#provider\_aws) | >= 5.0.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [kms](#module\_kms) | ./modules/kms | n/a |
| [pull\_through\_cache](#module\_pull\_through\_cache) | ./modules/pull-through-cache | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_cloudwatch_event_rule.pull_request_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_target.pull_request_rules_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_event_target.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_log_group.ecr_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_cloudwatch_metric_alarm.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
| [aws_ecr_lifecycle_policy.lifecycle_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
| [aws_ecr_registry_scanning_configuration.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_scanning_configuration) | resource |
| [aws_ecr_replication_configuration.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_replication_configuration) | resource |
| [aws_ecr_repository.repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_ecr_repository.repo_protected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_ecr_repository_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource |
| [aws_iam_role.ecr_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.ecr_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachment.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_lambda_function.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
| [aws_lambda_permission.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_sns_topic.ecr_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic.pull_request_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic_subscription.ecr_monitoring_email](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
| [archive_file.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [create\_sns\_topic](#input\_create\_sns\_topic) | Whether to create an SNS topic for CloudWatch alarm notifications. | `bool` | `false` | no |
| [default\_tags\_cost\_center](#input\_default\_tags\_cost\_center) | Cost center tag value for financial tracking. Null to disable. | `string` | `null` | no |
| [default\_tags\_environment](#input\_default\_tags\_environment) | Environment tag value applied to all resources. Null to disable. | `string` | `null` | no |
| [default\_tags\_owner](#input\_default\_tags\_owner) | Owner tag value applied to all resources. Null to disable. | `string` | `null` | no |
| [default\_tags\_project](#input\_default\_tags\_project) | Project tag value applied to all resources. Null to disable. | `string` | `null` | no |
| [default\_tags\_template](#input\_default\_tags\_template) | Predefined default tag template. Options: basic, cost\_allocation, compliance, sdlc. | `string` | `null` | no |
| [enable\_default\_tags](#input\_enable\_default\_tags) | Whether to enable automatic default tags for all resources. | `bool` | `true` | no |
| [enable\_logging](#input\_enable\_logging) | Whether to enable CloudWatch logging for the repository. | `bool` | `false` | no |
| [enable\_monitoring](#input\_enable\_monitoring) | Whether to enable CloudWatch monitoring and alerting for the ECR repository. | `bool` | `false` | no |
| [enable\_pull\_request\_rules](#input\_enable\_pull\_request\_rules) | Whether to enable pull request rules for enhanced governance and quality control. | `bool` | `false` | no |
| [enable\_pull\_through\_cache](#input\_enable\_pull\_through\_cache) | Whether to create pull-through cache rules. | `bool` | `false` | no |
| [enable\_registry\_scanning](#input\_enable\_registry\_scanning) | Whether to enable enhanced scanning for the ECR registry. | `bool` | `false` | no |
| [enable\_replication](#input\_enable\_replication) | Whether to enable cross-region replication for the ECR registry. | `bool` | `false` | no |
| [enable\_secret\_scanning](#input\_enable\_secret\_scanning) | Whether to enable secret scanning. Detects secrets in container images. | `bool` | `false` | no |
| [enable\_tag\_normalization](#input\_enable\_tag\_normalization) | Whether to enable automatic tag normalization. | `bool` | `true` | no |
| [enable\_tag\_validation](#input\_enable\_tag\_validation) | Whether to enable tag validation to ensure compliance with organizational standards. | `bool` | `false` | no |
| [encryption\_type](#input\_encryption\_type) | Repository encryption type. Either KMS or AES256. | `string` | `"AES256"` | no |
| [force\_delete](#input\_force\_delete) | Whether to delete the repository even if it contains images. Use with caution. | `bool` | `false` | no |
| [image\_scanning\_configuration](#input\_image\_scanning\_configuration) | Image scanning configuration block. Set to null to use scan\_on\_push variable. | `object({ scan_on_push = bool })` | `null` | no |
| [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for the repository. Either MUTABLE, IMMUTABLE, IMMUTABLE\_WITH\_EXCLUSION, or MUTABLE\_WITH\_EXCLUSION. | `string` | `"MUTABLE"` | no |
| [kms\_additional\_principals](#input\_kms\_additional\_principals) | List of additional IAM principals (ARNs) to grant KMS key access. | `list(string)` | `[]` | no |
| [kms\_alias\_name](#input\_kms\_alias\_name) | Custom alias name for the KMS key (without 'alias/' prefix). | `string` | `null` | no |
| [kms\_custom\_policy](#input\_kms\_custom\_policy) | Complete custom policy JSON for the KMS key. Use with caution. | `string` | `null` | no |
| [kms\_custom\_policy\_statements](#input\_kms\_custom\_policy\_statements) | List of custom policy statements to add to the KMS key policy. | `list(object({ sid = optional(string), effect = string, principals = optional(object({ type = string, identifiers = list(string) })), actions = list(string), resources = optional(list(string), ["*"]), conditions = optional(list(object({ test = string, variable = string, values = list(string) })), []) }))` | `[]` | no |
| [kms\_deletion\_window\_in\_days](#input\_kms\_deletion\_window\_in\_days) | Number of days to wait before deleting the KMS key (7-30 days). | `number` | `7` | no |
| [kms\_enable\_key\_rotation](#input\_kms\_enable\_key\_rotation) | Whether to enable automatic key rotation for the KMS key. | `bool` | `true` | no |
| [kms\_key](#input\_kms\_key) | ARN of existing KMS key for repository encryption. If null, a new key is created. | `string` | `null` | no |
| [kms\_key\_administrators](#input\_kms\_key\_administrators) | List of IAM principals (ARNs) who can administer the KMS key. | `list(string)` | `[]` | no |
| [kms\_key\_rotation\_period](#input\_kms\_key\_rotation\_period) | Number of days between automatic key rotations (90-2555 days). | `number` | `null` | no |
| [kms\_key\_users](#input\_kms\_key\_users) | List of IAM principals (ARNs) who can use the KMS key for crypto operations. | `list(string)` | `[]` | no |
| [kms\_multi\_region](#input\_kms\_multi\_region) | Whether to create a multi-region KMS key. | `bool` | `false` | no |
| [kms\_tags](#input\_kms\_tags) | Additional tags specific to KMS resources. | `map(string)` | `{}` | no |
| [lifecycle\_expire\_tagged\_after\_days](#input\_lifecycle\_expire\_tagged\_after\_days) | Number of days after which tagged images expire (1-3650). Use with caution. | `number` | `null` | no |
| [lifecycle\_expire\_untagged\_after\_days](#input\_lifecycle\_expire\_untagged\_after\_days) | Number of days after which untagged images expire (1-3650). Null to disable. | `number` | `null` | no |
| [lifecycle\_keep\_latest\_n\_images](#input\_lifecycle\_keep\_latest\_n\_images) | Number of latest images to keep in the repository (1-10000). Null to disable. | `number` | `null` | no |
| [lifecycle\_policy](#input\_lifecycle\_policy) | JSON string representing the lifecycle policy. Takes precedence over helper variables. | `string` | `null` | no |
| [lifecycle\_policy\_template](#input\_lifecycle\_policy\_template) | Predefined lifecycle policy template. Options: development, production, cost\_optimization, compliance. | `string` | `null` | no |
| [lifecycle\_tag\_prefixes\_to\_keep](#input\_lifecycle\_tag\_prefixes\_to\_keep) | List of tag prefixes for keep-latest rule. Empty list applies to all images. Max 100 prefixes. | `list(string)` | `[]` | no |
| [log\_retention\_days](#input\_log\_retention\_days) | Number of days to retain ECR logs in CloudWatch. | `number` | `30` | no |
| [monitoring\_threshold\_api\_calls](#input\_monitoring\_threshold\_api\_calls) | API call volume threshold per minute to trigger CloudWatch alarm. | `number` | `1000` | no |
| [monitoring\_threshold\_image\_pull](#input\_monitoring\_threshold\_image\_pull) | Image pull frequency threshold per 5-minute period to trigger CloudWatch alarm. | `number` | `100` | no |
| [monitoring\_threshold\_image\_push](#input\_monitoring\_threshold\_image\_push) | Image push frequency threshold per 5-minute period to trigger CloudWatch alarm. | `number` | `10` | no |
| [monitoring\_threshold\_security\_findings](#input\_monitoring\_threshold\_security\_findings) | Security findings threshold to trigger CloudWatch alarm. | `number` | `10` | no |
| [monitoring\_threshold\_storage](#input\_monitoring\_threshold\_storage) | Storage usage threshold in GB to trigger CloudWatch alarm. | `number` | `10` | no |
| [name](#input\_name) | Name of the ECR repository. This name must be unique within the AWS account and region. | `string` | n/a | yes |
| [normalize\_tag\_values](#input\_normalize\_tag\_values) | Whether to normalize tag values by trimming whitespace. | `bool` | `true` | no |
| [policy](#input\_policy) | JSON string representing the repository policy. If null, no policy is created. | `string` | `null` | no |
| [prevent\_destroy](#input\_prevent\_destroy) | Whether to protect the repository from being destroyed via lifecycle prevent\_destroy. | `bool` | `false` | no |
| [pull\_request\_rules](#input\_pull\_request\_rules) | List of pull request rule configurations for enhanced governance. | `list(object({ name = string, type = string, enabled = bool, conditions = optional(object({ tag_patterns = optional(list(string), []), severity_threshold = optional(string, "MEDIUM"), require_scan_completion = optional(bool, true), allowed_principals = optional(list(string), []) }), {}), actions = optional(object({ require_approval_count = optional(number, 1), notification_topic_arn = optional(string), webhook_url = optional(string), block_on_failure = optional(bool, true), approval_timeout_hours = optional(number, 24) }), {}) }))` | `[]` | no |
| [pull\_through\_cache\_rules](#input\_pull\_through\_cache\_rules) | List of pull-through cache rules to create. | `list(object({ ecr_repository_prefix = string, upstream_registry_url = string, credential_arn = optional(string) }))` | `[]` | no |
| [registry\_scan\_filters](#input\_registry\_scan\_filters) | List of scan filters for filtering scan results when querying ECR findings. | `list(object({ name = string, values = list(string) }))` | `[]` | no |
| [registry\_scan\_type](#input\_registry\_scan\_type) | The type of scanning to configure for the registry. Either BASIC or ENHANCED. | `string` | `"ENHANCED"` | no |
| [replication\_regions](#input\_replication\_regions) | List of AWS regions to replicate ECR images to. | `list(string)` | `[]` | no |
| [required\_tags](#input\_required\_tags) | List of tag keys that are required to be present. Empty list disables validation. | `list(string)` | `[]` | no |
| [scan\_on\_push](#input\_scan\_on\_push) | Whether images should be scanned after being pushed to the repository. | `bool` | `true` | no |
| [scan\_repository\_filters](#input\_scan\_repository\_filters) | List of repository filters to apply for registry scanning. Supports wildcards. | `list(string)` | `["*"]` | no |
| [sns\_topic\_name](#input\_sns\_topic\_name) | Name of the SNS topic to create or use for alarm notifications. | `string` | `null` | no |
| [sns\_topic\_subscribers](#input\_sns\_topic\_subscribers) | List of email addresses to subscribe to the SNS topic for alarm notifications. | `list(string)` | `[]` | no |
| [tag\_key\_case](#input\_tag\_key\_case) | Enforce consistent casing for tag keys. Options: PascalCase, camelCase, snake\_case, kebab-case. | `string` | `"PascalCase"` | no |
| [tags](#input\_tags) | A map of tags to assign to all resources created by this module. | `map(string)` | `{}` | no |
| [timeouts](#input\_timeouts) | Timeout configuration for repository operations. Example: { delete = "20m" } | `object({ delete = optional(string) })` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| [applied\_tags](#output\_applied\_tags) | The final set of tags applied to all resources after normalization and default tag application |
| [cloudwatch\_alarms](#output\_cloudwatch\_alarms) | List of CloudWatch alarms created for ECR monitoring |
| [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | The ARN of the CloudWatch Log Group used for ECR logs (if logging is enabled) |
| [kms\_alias\_arn](#output\_kms\_alias\_arn) | The ARN of the KMS alias (if created by this module). |
| [kms\_configuration](#output\_kms\_configuration) | Complete KMS configuration information. |
| [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the KMS key used for repository encryption. |
| [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the KMS key (if created by this module). |
| [lifecycle\_policy](#output\_lifecycle\_policy) | The lifecycle policy JSON applied to the repository (if any) |
| [logging\_role\_arn](#output\_logging\_role\_arn) | The ARN of the IAM role used for ECR logging (if logging is enabled) |
| [monitoring\_status](#output\_monitoring\_status) | Status of CloudWatch monitoring configuration |
| [pull\_request\_rules](#output\_pull\_request\_rules) | Information about pull request rules configuration |
| [pull\_through\_cache\_role\_arn](#output\_pull\_through\_cache\_role\_arn) | The ARN of the IAM role used for pull-through cache operations (if enabled) |
| [pull\_through\_cache\_rules](#output\_pull\_through\_cache\_rules) | List of pull-through cache rules (if enabled) |
| [registry\_id](#output\_registry\_id) | ID of the ECR registry |
| [registry\_scan\_filters](#output\_registry\_scan\_filters) | The configured scan filters for filtering scan results (e.g., by vulnerability severity) |
| [registry\_scanning\_configuration\_arn](#output\_registry\_scanning\_configuration\_arn) | The ARN of the ECR registry scanning configuration (if enhanced scanning is enabled) |
| [registry\_scanning\_status](#output\_registry\_scanning\_status) | Status of ECR registry scanning configuration |
| [replication\_configuration\_arn](#output\_replication\_configuration\_arn) | The ARN of the ECR replication configuration (if replication is enabled) |
| [replication\_regions](#output\_replication\_regions) | List of regions where ECR images are replicated to (if replication is enabled) |
| [replication\_status](#output\_replication\_status) | Status of ECR replication configuration |
| [repository\_arn](#output\_repository\_arn) | ARN of the ECR repository |
| [repository\_name](#output\_repository\_name) | Name of the ECR repository |
| [repository\_policy\_exists](#output\_repository\_policy\_exists) | Whether a repository policy exists for this ECR repository |
| [repository\_url](#output\_repository\_url) | URL of the ECR repository |
| [security\_status](#output\_security\_status) | Comprehensive security status of the ECR configuration |
| [sns\_topic\_arn](#output\_sns\_topic\_arn) | ARN of the SNS topic used for ECR monitoring alerts (if created) |
| [tag\_compliance\_status](#output\_tag\_compliance\_status) | Tag compliance and validation status |
| [tagging\_strategy](#output\_tagging\_strategy) | Summary of the tagging strategy configuration |
## Automation & Feature Discovery
### Automated Feature Discovery System
This module includes an automated feature discovery system that runs weekly to identify new AWS ECR features, deprecations, and bug fixes from the AWS provider. The system uses Claude Code with MCP (Model Context Protocol) servers to analyze provider documentation and automatically create GitHub issues for new functionality.
#### How It Works
1. **Weekly Scanning**: Every Sunday at 00:00 UTC, the system scans the latest AWS provider documentation
2. **MCP Integration**: Uses Terraform and Context7 MCP servers to access up-to-date provider docs
3. **Intelligent Analysis**: Compares provider capabilities with current module implementation
4. **Automated Issues**: Creates categorized GitHub issues for discovered items:
   - 🚀 **New Features** - ECR resources/arguments not yet implemented
   - ⚠️ **Deprecations** - Features being phased out requiring action
   - 🐛 **Bug Fixes** - Important provider fixes affecting the module
#### Feature Discovery Workflow
The discovery process follows this workflow:
```
┌─────────────────┐     ┌──────────────────────┐     ┌─────────────────────┐
│                 │     │                      │     │                     │
│  Weekly Trigger │────▶│   Claude Code CLI    │────▶│   GitHub Issues     │
│ (GitHub Action) │     │   + MCP Servers      │     │   (Auto-created)    │
│                 │     │                      │     │                     │
└─────────────────┘     └──────────────────────┘     └─────────────────────┘
                                   │
                                   ▼
                        ┌──────────────────────┐
                        │                      │
                        │  Feature Tracking    │
                        │  Database            │
                        │  (.github/tracker/)  │
                        │                      │
                        └──────────────────────┘
```
#### Manual Discovery
You can manually trigger feature discovery:
```bash
# Standard discovery
gh workflow run feature-discovery.yml
# Dry run mode (analyze without creating issues)
gh workflow run feature-discovery.yml -f dry_run=true
# Specific provider version
gh workflow run feature-discovery.yml -f provider_version=5.82.0
# Force full scan
gh workflow run feature-discovery.yml -f force_scan=true
```
#### Discovery Categories
The system identifies and categorizes findings as:
**New Features (`enhancement` label):**
- New ECR resources (`aws_ecr_*`)
- New arguments on existing resources
- New data sources (`data.aws_ecr_*`)
- New lifecycle configurations
- New security/monitoring features
**Deprecations (`deprecation` label):**
- Arguments marked for removal
- Resources being phased out
- Configuration patterns no longer recommended
**Bug Fixes (`bug` label):**
- Provider fixes affecting module functionality
- Performance improvements
- Security patches
#### Issue Templates
Each discovery type uses a structured template:
- **New Features**: Implementation checklist, examples, testing requirements
- **Deprecations**: Migration guidance, timeline, impact assessment
- **Bug Fixes**: Impact analysis, testing strategy, version requirements
#### Feature Tracking
All discoveries are tracked in `.github/feature-tracker/ecr-features.json`:
```json
{
"metadata": {
"last_scan": "2025-01-21T00:00:00Z",
"provider_version": "5.82.0",
"scan_count": 42
},
"current_implementation": {
"resources": {
"aws_ecr_repository": {
"implemented": ["name", "image_tag_mutability", "scan_on_push"],
"pending": ["force_delete"]
}
}
},
"discovered_features": {
"new_resources": {},
"deprecations": {},
"bug_fixes": {}
}
}
```
#### MCP Server Integration
The system uses Model Context Protocol servers to read current documentation at scan time:
- **Terraform MCP**: `@modelcontextprotocol/server-terraform@latest`
- AWS provider resource documentation
- Argument specifications and examples
- Version compatibility information
- **Context7 MCP**: `@upstash/context7-mcp@latest`
- Provider changelogs and release notes
- Community discussions and best practices
- Historical change tracking
Both packages are referenced at `@latest`, so each run resolves whatever version is current on the registry. Because the workflow runs with a token that can create issues in this repository, pinning each MCP server to a reviewed version limits what an upstream package change could do inside that job.
#### Benefits
- **Stay Current**: Never miss new AWS ECR features
- **Proactive Maintenance**: Identify deprecations before they break
- **Automated Tracking**: Comprehensive feature database
- **Community Value**: Users benefit from latest AWS capabilities
- **Reduced Manual Work**: No need for manual provider monitoring
#### Contributing to Discovery
The system is designed to minimize false positives, but you can help improve accuracy:
1. **Review Auto-Created Issues**: Validate and prioritize discoveries
2. **Update Tracking**: Mark features as implemented when complete
3. **Improve Templates**: Suggest enhancements to issue templates
4. **Report Gaps**: Let us know if the system misses important features
For more details on the discovery system architecture, see `.github/scripts/discovery-prompt.md`.
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [archive](#requirement\_archive) | >= 2.0.0 |
| [aws](#requirement\_aws) | >= 5.0.0 |
## Providers
| Name | Version |
|------|---------|
| [archive](#provider\_archive) | >= 2.0.0 |
| [aws](#provider\_aws) | >= 5.0.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [kms](#module\_kms) | ./modules/kms | n/a |
| [pull\_through\_cache](#module\_pull\_through\_cache) | ./modules/pull-through-cache | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_cloudwatch_event_rule.pull_request_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_target.pull_request_rules_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_event_target.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_log_group.ecr_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_cloudwatch_metric_alarm.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
| [aws_ecr_lifecycle_policy.lifecycle_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource |
| [aws_ecr_registry_scanning_configuration.scanning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_scanning_configuration) | resource |
| [aws_ecr_replication_configuration.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_replication_configuration) | resource |
| [aws_ecr_repository.repo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_ecr_repository.repo_protected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource |
| [aws_ecr_repository_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) | resource |
| [aws_iam_role.ecr_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.ecr_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachment.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_lambda_function.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
| [aws_lambda_permission.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_sns_topic.ecr_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic.pull_request_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic_subscription.ecr_monitoring_email](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
| [archive_file.pull_request_rules_webhook](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [create\_sns\_topic](#input\_create\_sns\_topic) | Whether to create an SNS topic for CloudWatch alarm notifications. | `bool` | `false` | no |
| [default\_tags\_cost\_center](#input\_default\_tags\_cost\_center) | Cost center tag value for financial tracking. Null to disable. | `string` | `null` | no |
| [default\_tags\_environment](#input\_default\_tags\_environment) | Environment tag value applied to all resources. Null to disable. | `string` | `null` | no |
| [default\_tags\_owner](#input\_default\_tags\_owner) | Owner tag value applied to all resources. Null to disable. | `string` | `null` | no |
| [default\_tags\_project](#input\_default\_tags\_project) | Project tag value applied to all resources. Null to disable. | `string` | `null` | no |
| [default\_tags\_template](#input\_default\_tags\_template) | Predefined default tag template. Options: basic, cost\_allocation, compliance, sdlc. | `string` | `null` | no |
| [enable\_default\_tags](#input\_enable\_default\_tags) | Whether to enable automatic default tags for all resources. | `bool` | `true` | no |
| [enable\_logging](#input\_enable\_logging) | Whether to enable CloudWatch logging for the repository. | `bool` | `false` | no |
| [enable\_monitoring](#input\_enable\_monitoring) | Whether to enable CloudWatch monitoring and alerting for the ECR repository. | `bool` | `false` | no |
| [enable\_pull\_request\_rules](#input\_enable\_pull\_request\_rules) | Whether to enable pull request rules for enhanced governance and quality control. | `bool` | `false` | no |
| [enable\_pull\_through\_cache](#input\_enable\_pull\_through\_cache) | Whether to create pull-through cache rules. | `bool` | `false` | no |
| [enable\_registry\_scanning](#input\_enable\_registry\_scanning) | Whether to enable enhanced scanning for the ECR registry. | `bool` | `false` | no |
| [enable\_replication](#input\_enable\_replication) | Whether to enable cross-region replication for the ECR registry. | `bool` | `false` | no |
| [enable\_secret\_scanning](#input\_enable\_secret\_scanning) | Whether to enable secret scanning. Detects secrets in container images. | `bool` | `false` | no |
| [enable\_tag\_normalization](#input\_enable\_tag\_normalization) | Whether to enable automatic tag normalization. | `bool` | `true` | no |
| [enable\_tag\_validation](#input\_enable\_tag\_validation) | Whether to enable tag validation to ensure compliance with organizational standards. | `bool` | `false` | no |
| [encryption\_type](#input\_encryption\_type) | Repository encryption type. Either KMS or AES256. | `string` | `"AES256"` | no |
| [force\_delete](#input\_force\_delete) | Whether to delete the repository even if it contains images. Use with caution. | `bool` | `false` | no |
| [image\_scanning\_configuration](#input\_image\_scanning\_configuration) | Image scanning configuration block. Set to null to use scan\_on\_push variable. | `object({ scan_on_push = bool })` | `null` | no |
| [image\_tag\_mutability](#input\_image\_tag\_mutability) | The tag mutability setting for the repository. Either MUTABLE, IMMUTABLE, IMMUTABLE\_WITH\_EXCLUSION, or MUTABLE\_WITH\_EXCLUSION. | `string` | `"MUTABLE"` | no |
| [kms\_additional\_principals](#input\_kms\_additional\_principals) | List of additional IAM principals (ARNs) to grant KMS key access. | `list(string)` | `[]` | no |
| [kms\_alias\_name](#input\_kms\_alias\_name) | Custom alias name for the KMS key (without 'alias/' prefix). | `string` | `null` | no |
| [kms\_custom\_policy](#input\_kms\_custom\_policy) | Complete custom policy JSON for the KMS key. Use with caution. | `string` | `null` | no |
| [kms\_custom\_policy\_statements](#input\_kms\_custom\_policy\_statements) | List of custom policy statements to add to the KMS key policy. | `list(object({ sid = optional(string), effect = string, principals = optional(object({ type = string, identifiers = list(string) })), actions = list(string), resources = optional(list(string), ["*"]), conditions = optional(list(object({ test = string, variable = string, values = list(string) })), []) }))` | `[]` | no |
| [kms\_deletion\_window\_in\_days](#input\_kms\_deletion\_window\_in\_days) | Number of days to wait before deleting the KMS key (7-30 days). | `number` | `7` | no |
| [kms\_enable\_key\_rotation](#input\_kms\_enable\_key\_rotation) | Whether to enable automatic key rotation for the KMS key. | `bool` | `true` | no |
| [kms\_key](#input\_kms\_key) | ARN of existing KMS key for repository encryption. If null, a new key is created. | `string` | `null` | no |
| [kms\_key\_administrators](#input\_kms\_key\_administrators) | List of IAM principals (ARNs) who can administer the KMS key. | `list(string)` | `[]` | no |
| [kms\_key\_rotation\_period](#input\_kms\_key\_rotation\_period) | Number of days between automatic key rotations (90-2555 days). | `number` | `null` | no |
| [kms\_key\_users](#input\_kms\_key\_users) | List of IAM principals (ARNs) who can use the KMS key for crypto operations. | `list(string)` | `[]` | no |
| [kms\_multi\_region](#input\_kms\_multi\_region) | Whether to create a multi-region KMS key. | `bool` | `false` | no |
| [kms\_tags](#input\_kms\_tags) | Additional tags specific to KMS resources. | `map(string)` | `{}` | no |
| [lifecycle\_expire\_tagged\_after\_days](#input\_lifecycle\_expire\_tagged\_after\_days) | Number of days after which tagged images expire (1-3650). Use with caution. | `number` | `null` | no |
| [lifecycle\_expire\_untagged\_after\_days](#input\_lifecycle\_expire\_untagged\_after\_days) | Number of days after which untagged images expire (1-3650). Null to disable. | `number` | `null` | no |
| [lifecycle\_keep\_latest\_n\_images](#input\_lifecycle\_keep\_latest\_n\_images) | Number of latest images to keep in the repository (1-10000). Null to disable. | `number` | `null` | no |
| [lifecycle\_policy](#input\_lifecycle\_policy) | JSON string representing the lifecycle policy. Takes precedence over helper variables. | `string` | `null` | no |
| [lifecycle\_policy\_template](#input\_lifecycle\_policy\_template) | Predefined lifecycle policy template. Options: development, production, cost\_optimization, compliance. | `string` | `null` | no |
| [lifecycle\_tag\_prefixes\_to\_keep](#input\_lifecycle\_tag\_prefixes\_to\_keep) | List of tag prefixes for keep-latest rule. Empty list applies to all images. Max 100 prefixes. | `list(string)` | `[]` | no |
| [log\_retention\_days](#input\_log\_retention\_days) | Number of days to retain ECR logs in CloudWatch. | `number` | `30` | no |
| [monitoring\_threshold\_api\_calls](#input\_monitoring\_threshold\_api\_calls) | API call volume threshold per minute to trigger CloudWatch alarm. | `number` | `1000` | no |
| [monitoring\_threshold\_image\_pull](#input\_monitoring\_threshold\_image\_pull) | Image pull frequency threshold per 5-minute period to trigger CloudWatch alarm. | `number` | `100` | no |
| [monitoring\_threshold\_image\_push](#input\_monitoring\_threshold\_image\_push) | Image push frequency threshold per 5-minute period to trigger CloudWatch alarm. | `number` | `10` | no |
| [monitoring\_threshold\_security\_findings](#input\_monitoring\_threshold\_security\_findings) | Security findings threshold to trigger CloudWatch alarm. | `number` | `10` | no |
| [monitoring\_threshold\_storage](#input\_monitoring\_threshold\_storage) | Storage usage threshold in GB to trigger CloudWatch alarm. | `number` | `10` | no |
| [name](#input\_name) | Name of the ECR repository. This name must be unique within the AWS account and region. | `string` | n/a | yes |
| [normalize\_tag\_values](#input\_normalize\_tag\_values) | Whether to normalize tag values by trimming whitespace. | `bool` | `true` | no |
| [policy](#input\_policy) | JSON string representing the repository policy. If null, no policy is created. | `string` | `null` | no |
| [prevent\_destroy](#input\_prevent\_destroy) | Whether to protect the repository from being destroyed via lifecycle prevent\_destroy. | `bool` | `false` | no |
| [pull\_request\_rules](#input\_pull\_request\_rules) | List of pull request rule configurations for enhanced governance. | `list(object({ name = string, type = string, enabled = bool, conditions = optional(object({ tag_patterns = optional(list(string), []), severity_threshold = optional(string, "MEDIUM"), require_scan_completion = optional(bool, true), allowed_principals = optional(list(string), []) }), {}), actions = optional(object({ require_approval_count = optional(number, 1), notification_topic_arn = optional(string), webhook_url = optional(string), block_on_failure = optional(bool, true), approval_timeout_hours = optional(number, 24) }), {}) }))` | `[]` | no |
| [pull\_through\_cache\_rules](#input\_pull\_through\_cache\_rules) | List of pull-through cache rules to create. | `list(object({ ecr_repository_prefix = string, upstream_registry_url = string, credential_arn = optional(string) }))` | `[]` | no |
| [registry\_scan\_filters](#input\_registry\_scan\_filters) | List of scan filters for filtering scan results when querying ECR findings. | `list(object({ name = string, values = list(string) }))` | `[]` | no |
| [registry\_scan\_type](#input\_registry\_scan\_type) | The type of scanning to configure for the registry. Either BASIC or ENHANCED. | `string` | `"ENHANCED"` | no |
| [replication\_regions](#input\_replication\_regions) | List of AWS regions to replicate ECR images to. | `list(string)` | `[]` | no |
| [required\_tags](#input\_required\_tags) | List of tag keys that are required to be present. Empty list disables validation. | `list(string)` | `[]` | no |
| [scan\_on\_push](#input\_scan\_on\_push) | Whether images should be scanned after being pushed to the repository. | `bool` | `true` | no |
| [scan\_repository\_filters](#input\_scan\_repository\_filters) | List of repository filters to apply for registry scanning. Supports wildcards. | `list(string)` | `["*"]` | no |
| [sns\_topic\_name](#input\_sns\_topic\_name) | Name of the SNS topic to create or use for alarm notifications. | `string` | `null` | no |
| [sns\_topic\_subscribers](#input\_sns\_topic\_subscribers) | List of email addresses to subscribe to the SNS topic for alarm notifications. | `list(string)` | `[]` | no |
| [tag\_key\_case](#input\_tag\_key\_case) | Enforce consistent casing for tag keys. Options: PascalCase, camelCase, snake\_case, kebab-case. | `string` | `"PascalCase"` | no |
| [tags](#input\_tags) | A map of tags to assign to all resources created by this module. | `map(string)` | `{}` | no |
| [timeouts](#input\_timeouts) | Timeout configuration for repository operations. Example: { delete = "20m" } | `object({ delete = optional(string) })` | `{}` | no |
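As an added example (it is not taken from the module's README or its `examples/` directory), the root module below wires the inputs above into a hardened configuration: immutable tags, a customer-managed KMS key with rotation, enhanced registry scanning, a least-privilege repository policy, bounded lifecycle rules, destroy protection and alerting on scan findings. The `source` string, the account ID, role names, repository name and e-mail address are placeholders chosen for the illustration.

```hcl
# Added example: hardened repository built from the module inputs listed above.
# Assumptions: "lgallard/ecr/aws" stands in for the module source (add a version
# constraint in real use); the account ID, role names, repository name and
# e-mail address are made up.

locals {
  account_id = "123456789012"
  ci_role    = "arn:aws:iam::${local.account_id}:role/ci-image-push"
  node_role  = "arn:aws:iam::${local.account_id}:role/eks-node-pull"
  kms_admin  = "arn:aws:iam::${local.account_id}:role/security-kms-admin"
}

module "ecr" {
  source = "lgallard/ecr/aws"

  name                 = "payments-api"
  image_tag_mutability = "IMMUTABLE" # a pushed tag always resolves to the same digest
  scan_on_push         = true

  # Customer-managed key created by the kms submodule (kms_key left at null).
  encryption_type             = "KMS"
  kms_enable_key_rotation     = true
  kms_key_administrators      = [local.kms_admin]
  kms_key_users               = [local.ci_role, local.node_role]
  kms_deletion_window_in_days = 30

  # Registry-level enhanced scanning, limited to repositories matching the prefix.
  enable_registry_scanning = true
  registry_scan_type       = "ENHANCED"
  scan_repository_filters  = ["payments-*"]

  # Repository policy: the CI role may push, the node role may pull, nothing else.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowPushFromCI"
        Effect    = "Allow"
        Principal = { AWS = local.ci_role }
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:InitiateLayerUpload",
          "ecr:UploadLayerPart",
          "ecr:CompleteLayerUpload",
          "ecr:PutImage",
        ]
      },
      {
        Sid       = "AllowPullFromNodes"
        Effect    = "Allow"
        Principal = { AWS = local.node_role }
        Action = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
        ]
      },
    ]
  })

  # Keep storage bounded without expiring tagged release images (lifecycle_policy
  # is left null so these helper variables are used).
  lifecycle_expire_untagged_after_days = 7
  lifecycle_keep_latest_n_images       = 50
  lifecycle_tag_prefixes_to_keep       = ["v"]

  # Guard rails against accidental destruction.
  prevent_destroy = true
  force_delete    = false

  # Alert on the first scan finding rather than the default threshold of 10.
  enable_monitoring                      = true
  create_sns_topic                       = true
  sns_topic_subscribers                  = ["security-alerts@example.com"]
  monitoring_threshold_security_findings = 1

  tags = {
    Environment = "prod"
    Owner       = "payments-team"
  }
}

output "image_repository" {
  value = module.ecr.repository_url
}
```

Two things to check before applying something like this: `lifecycle_policy` takes precedence over the helper variables, so setting it would silently replace the three `lifecycle_*` values above; and the registry scanning and replication configurations are per-registry settings (one per account and region), so only one module instance in a given account and region should set `enable_registry_scanning` or `enable_replication`, otherwise each apply fights over the same configuration.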
## Outputs
| Name | Description |
|------|-------------|
| [applied\_tags](#output\_applied\_tags) | The final set of tags applied to all resources after normalization and default tag application |
| [cloudwatch\_alarms](#output\_cloudwatch\_alarms) | List of CloudWatch alarms created for ECR monitoring |
| [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | The ARN of the CloudWatch Log Group used for ECR logs (if logging is enabled) |
| [kms\_alias\_arn](#output\_kms\_alias\_arn) | The ARN of the KMS alias (if created by this module). |
| [kms\_configuration](#output\_kms\_configuration) | Complete KMS configuration information. |
| [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the KMS key used for repository encryption. |
| [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the KMS key (if created by this module). |
| [lifecycle\_policy](#output\_lifecycle\_policy) | The lifecycle policy JSON applied to the repository (if any) |
| [logging\_role\_arn](#output\_logging\_role\_arn) | The ARN of the IAM role used for ECR logging (if logging is enabled) |
| [monitoring\_status](#output\_monitoring\_status) | Status of CloudWatch monitoring configuration |
| [pull\_request\_rules](#output\_pull\_request\_rules) | Information about pull request rules configuration |
| [pull\_through\_cache\_role\_arn](#output\_pull\_through\_cache\_role\_arn) | The ARN of the IAM role used for pull-through cache operations (if enabled) |
| [pull\_through\_cache\_rules](#output\_pull\_through\_cache\_rules) | List of pull-through cache rules (if enabled) |
| [registry\_id](#output\_registry\_id) | ID of the ECR registry |
| [registry\_scan\_filters](#output\_registry\_scan\_filters) | The configured scan filters for filtering scan results (e.g., by vulnerability severity) |
| [registry\_scanning\_configuration\_arn](#output\_registry\_scanning\_configuration\_arn) | The ARN of the ECR registry scanning configuration (if enhanced scanning is enabled) |
| [registry\_scanning\_status](#output\_registry\_scanning\_status) | Status of ECR registry scanning configuration |
| [replication\_configuration\_arn](#output\_replication\_configuration\_arn) | The ARN of the ECR replication configuration (if replication is enabled) |
| [replication\_regions](#output\_replication\_regions) | List of regions where ECR images are replicated to (if replication is enabled) |
| [replication\_status](#output\_replication\_status) | Status of ECR replication configuration |
| [repository\_arn](#output\_repository\_arn) | ARN of the ECR repository |
| [repository\_name](#output\_repository\_name) | Name of the ECR repository |
| [repository\_policy\_exists](#output\_repository\_policy\_exists) | Whether a repository policy exists for this ECR repository |
| [repository\_url](#output\_repository\_url) | URL of the ECR repository |
| [security\_status](#output\_security\_status) | Comprehensive security status of the ECR configuration |
| [sns\_topic\_arn](#output\_sns\_topic\_arn) | ARN of the SNS topic used for ECR monitoring alerts (if created) |
| [tag\_compliance\_status](#output\_tag\_compliance\_status) | Tag compliance and validation status |
| [tagging