`feature` ECR tag immutability exclusion support #57

Benbentwo · 2025-09-25T19:38:45Z

This pull request introduces support for advanced ECR image tag mutability options, specifically allowing certain tags to remain mutable while others are immutable. It also updates dependencies to ensure compatibility with these new features, and adds comprehensive documentation and tests to demonstrate usage.

ECR image tag mutability enhancements:

Added support for new tag mutability modes (IMMUTABLE_WITH_EXCLUSION, MUTABLE_WITH_EXCLUSION) and a new image_tag_mutability_exclusion_filter variable, allowing specific tags (e.g., latest, dev-) to be excluded from immutability. This is reflected in README.md, README.yaml, src/variables.tf, and src/main.tf. [1] [2] [3] [4]
Updated documentation to describe new mutability options and the exclusion filter, including usage examples and variable descriptions. [1] [2] [3] [4]

Dependency updates:

Upgraded the AWS provider requirement to >= 6.8.0, < 7.0.0 and the cloudposse/ecr/aws module to version 1.0.0 to support the new ECR features. [1] [2] [3]

Testing and validation:

Added a new test case TestImmutabilityExclusions in component_test.go to verify the correct application of the new mutability modes and exclusion filters.
Introduced a new test fixture stack immutability-exclusions.yaml and registered it in the test suite to demonstrate and validate the new functionality. [1] [2]

Summary by CodeRabbit

New Features
- Added support for ECR image tag mutability exclusions, allowing specified tags (e.g., latest, dev-) to remain mutable.
Documentation
- Updated usage examples and inputs to include new mutability options and exclusion filter configuration.
Chores
- Upgraded AWS provider compatibility to >=6.8.0, <7.0.0.
- Bumped ECR module dependency to 1.0.0.
Tests
- Added coverage for immutability with exclusions, including new test fixtures and scenarios.

coderabbitai · 2025-09-25T19:38:53Z

Walkthrough

Introduces ECR image tag mutability exclusions via a new variable and wiring to the upstream module, updates AWS provider constraints, bumps the ECR module to 1.0.0, refreshes documentation, and adds tests plus fixtures for the new immutability-with-exclusions scenario.

Changes

Cohort / File(s)	Summary of changes
Documentation updates `README.md`, `README.yaml`	Document new image_tag_mutability options (…WITH_EXCLUSION), add image_tag_mutability_exclusion_filter examples, and update provider/module version requirements and usage snippets.
Terraform module wiring `src/main.tf`, `src/variables.tf`, `src/versions.tf`	Bump ECR module to 1.0.0; add variable image_tag_mutability_exclusion_filter and pass through to module; update aws provider constraint to >=6.8.0,<7.0.0; extend description for image_tag_mutability.
Tests `test/component_test.go`	Add TestImmutabilityExclusions validating IMMUTABLE_WITH_EXCLUSION behavior, scan-on-push, drift, and cleanup.
Test fixtures `test/fixtures/stacks/.../usecase/immutability-exclusions.yaml`, `test/fixtures/stacks/orgs/default/test/tests.yaml`	Add new fixture defining immutability exclusions use case; include it in test imports.

Sequence Diagram(s)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Added tests #19 — Adds Terratest-based ECR tests; related by expanding the same test suite that this PR augments with immutability-exclusions coverage.

Suggested labels

needs-test

Suggested reviewers

milldr

Poem

I nudge the tags with gentle paws,
Exclusions set by rabbit laws;
“latest” hops free, “dev-” can play,
While others freeze in place each day.
Providers bloom, modules grow—
Carrots committed, green fields aglow.
(\/)<(^^)>(\_/)

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title directly highlights the primary change—adding support for ECR tag immutability exclusion—which matches the pull request’s main objective of introducing new immutability modes and exclusion filters. Despite the extra backticks around “feature,” it still concisely conveys the core enhancement.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

📝 Generate Docstrings

🧪 Generate unit tests

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch feature/immutability-exclusions

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

mergify · 2025-09-25T19:39:27Z

Important

Title is necessary and should not be empty.

Kindly provide a meaningful title for this Pull Request.

coderabbitai

Actionable comments posted: 3

🧹 Nitpick comments (2)

test/component_test.go (1)
23-55: Capture and assert deployment error; assert non-empty outputs.

Avoid ignoring errors and strengthen the test by checking outputs.
 func (s *ComponentSuite) TestImmutabilityExclusions() {
@@
-    options, _ := s.DeployAtmosComponent(s.T(), component, stack, &inputs)
-    assert.NotNil(s.T(), options)
+    options, err := s.DeployAtmosComponent(s.T(), component, stack, &inputs)
+    assert.NoError(s.T(), err)
+    assert.NotNil(s.T(), options)
@@
-    arnMaps := map[string]string{}
+    arnMaps := map[string]string{}
     atmos.OutputStruct(s.T(), options, "ecr_repo_arn_map", &arnMaps)
+    assert.NotEmpty(s.T(), arnMaps)
src/variables.tf (1)

17-40: Good schema and validations for exclusion filters.

Optional filter_type with default WILDCARD and non-empty filter check are appropriate. Consider documenting/validating that exclusions are only meaningful when using *_WITH_EXCLUSION modes; optional, since upstream may already guard this.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c5c8a22 and b1c82b2.

📒 Files selected for processing (8)

README.md (3 hunks)
README.yaml (1 hunks)
src/main.tf (1 hunks)
src/variables.tf (1 hunks)
src/versions.tf (1 hunks)
test/component_test.go (1 hunks)
test/fixtures/stacks/catalog/usecase/immutability-exclusions.yaml (1 hunks)
test/fixtures/stacks/orgs/default/test/tests.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (7)

src/{main,variables,outputs,providers,versions,context}.tf