~/codewithstu


AWS ECR

OpenTofu module for provisioning AWS ECR repositories with image scanning on push, tag immutability, lifecycle policies, and IAM-based push access control


Overview

This module creates AWS ECR repositories with security best practices including image scanning, tag immutability, and lifecycle policies for automatic image cleanup.

Key Features

  • Image scanning on push enabled by default
  • Immutable image tags by default
  • Configurable image retention with lifecycle policies
  • Optional KMS encryption (defaults to AES256)
  • Push access control via IAM principals
  • Optional AWS Organization-wide access

Usage

module "ecr" {
  source = "git::https://github.com/Im5tu/opentofu-aws-ecr.git?ref=main"
 
  repo_name             = "my-application"
  push_principal_access = ["arn:aws:iam::123456789012:role/github-actions"]
}

Pin ref to a release tag or a commit SHA rather than main: a branch reference re-resolves on every init, so anyone who can push to the branch can change what your plan applies. Immutable tags also mean a CI job that re-pushes the same tag (for example "latest") is rejected by ECR, so push unique tags such as the commit SHA.
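For reference, the raw OpenTofu resources that the module's settings correspond to, written here as an added example rather than taken from the module's own source. It assumes the account ID and role name from the usage above, a placeholder organisation ID, and a customer-managed KMS key; the lifecycle thresholds (7 days untagged, 30 images) are illustrative values, not the module's defaults.

```hcl
# Added example, not the module's own code. Account ID, role name and the
# organisation ID "o-xxxxxxxxxx" are placeholders.

resource "aws_kms_key" "ecr" {
  description         = "ECR image encryption"
  enable_key_rotation = true
}

resource "aws_ecr_repository" "app" {
  name                 = "my-application"
  # IMMUTABLE: once a tag is pushed it can never be re-pointed at another digest.
  image_tag_mutability = "IMMUTABLE"

  image_scanning_configuration {
    scan_on_push = true
  }

  # Omit this block to get the default AES256 server-side encryption.
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }
}

resource "aws_ecr_lifecycle_policy" "app" {
  repository = aws_ecr_repository.app.name

  # Rules are evaluated in rulePriority order; the untagged rule must come first.
  policy = jsonencode({
    rules = [
      {
        rulePriority = 1
        description  = "Expire untagged images after 7 days"
        selection = {
          tagStatus   = "untagged"
          countType   = "sinceImagePushed"
          countUnit   = "days"
          countNumber = 7
        }
        action = { type = "expire" }
      },
      {
        rulePriority = 2
        description  = "Keep only the 30 most recent images"
        selection = {
          tagStatus   = "any"
          countType   = "imageCountMoreThan"
          countNumber = 30
        }
        action = { type = "expire" }
      },
    ]
  })
}

data "aws_iam_policy_document" "repo" {
  # Push rights for the CI role only. ecr:GetAuthorizationToken is not
  # resource-scoped and has to be granted in the role's own IAM policy.
  statement {
    sid = "AllowCiPush"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:role/github-actions"]
    }
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage",
    ]
  }

  # Read-only pulls from any principal inside the organisation.
  statement {
    sid = "AllowOrgPull"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchCheckLayerAvailability",
    ]
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = ["o-xxxxxxxxxx"]
    }
  }
}

resource "aws_ecr_repository_policy" "repo" {
  repository = aws_ecr_repository.app.name
  policy     = data.aws_iam_policy_document.repo.json
}
```

Two things to check when adapting this: the org-wide pull statement is only safe because of the aws:PrincipalOrgID condition, so never drop the condition while keeping the "*" principal; and with a customer-managed KMS key, cross-account pulls additionally need the key policy to allow those principals to decrypt, since the default key policy only covers the key-owning account.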